Upload folder using huggingface_hub

AGENTS.md

@@ -1,17 +1,85 @@
-# Instructions
-- Review the codebase and enhance this working code.
-- Convert the UI code to reactjs.
-- Include vim, git, codex, gemini-cli and claude-cli too in the container.
-- Embedd one web browser too, put it as tab. 
-- Fix markdown rendering.
-- Include one @agent agent_name for triggering n8n workflow. Figure-out authentications.
-- Include multimodal input options.
-- Include one autonomous agent mode for running the code in terminal and in brouser. While running in agent mode split the chat and terminal/web browser window side-by-side.
-- Include feature to provide agent feedback and screenshots for autonomous agent mode. 
-- Include options to integrate the app as MCP host Add admin panel for MCP server configuration. 
-- Include some default MCP servers inbuilt such as n8n-mcp docs, n8n-mcp api, filesystem, gemini, claude, codex, canva, github as mcp servers, include admin panel too for MCP server configuration. 
-
-such as https://github.com/czlonkowski/n8n-mcp, https://n8n.mcp.kapa.ai/
-
-INclude any other enhancement you feel interesting. 
-Make the UI attractive too.
+# Autonomy Labs — Agent Notes
+
+This repo powers a FastAPI web app deployed to Hugging Face Spaces (Docker). It includes:
+- a Supabase-backed login + user data
+- a chat UI (OpenAI-compatible providers)
+- a PTY-backed web terminal over WebSockets
+- optional Codex CLI/SDK integration
+- optional MCP tooling integration
+
+## Non-negotiables
+- **Never commit secrets** (API keys, tokens, cookies, private SSH keys). Use env vars / HF Spaces Secrets.
+- **Assume hostile clients**: UI checks are not security. Dangerous endpoints must be protected server-side.
+- **Prefer minimal, reversible changes** with clear validation steps.
+
+## Repo map
+- `main.py`: FastAPI backend (currently a single large file).
+- `static/index.html`: login page (Supabase Auth).
+- `static/dashboard.html`: main UI (chat, terminal, agent mode, notes, settings UI).
+- `docker-entrypoint.sh`: runtime setup (persistence under `/data`, writes Codex auth files from env if provided).
+- `Dockerfile`: image build (Python + Node + CLIs).
+- `codex_agent.mjs`: Node wrapper around `@openai/codex-sdk`.
+- `.github/workflows/deploy.yml`: deploy to Hugging Face Space.
+- `.github/workflows/codex-autofix.yml`: optional GitHub Action to run Codex for autofixes.
+
+## How to run (local)
+- Python deps: `pip install -r requirements.txt`
+- Start: `uvicorn main:app --host 0.0.0.0 --port 7860`
+- Open: `http://localhost:7860`
+
+## Key environment variables
+### Supabase
+- `SUPABASE_URL`
+- `SUPABASE_KEY` (anon key used by the frontend)
+
+### Chat defaults (UI convenience)
+- `DEFAULT_BASE_URL` (e.g. `https://router.huggingface.co/v1`)
+- `DEFAULT_API_KEY` (avoid using in production; don’t commit)
+- `DEFAULT_MODEL`
+
+### Codex (HF Spaces Secrets recommended)
+Supported token env names (either set works):
+- `CODEX_ID_TOKEN` or `ID_TOKEN`
+- `CODEX_ACCESS_TOKEN` or `ACCESS_TOKEN`
+- `CODEX_REFRESH_TOKEN` or `REFRESH_TOKEN`
+- optional: `CODEX_ACCOUNT_ID` or `ACCOUNT_ID`
+
+At runtime, the container writes:
+- `~/.codex/.auth.json`
+- `~/.codex/auth.json`
+
+### Gemini / Claude
+Prefer env-based auth (keep tokens out of the UI and git):
+- Gemini: typically `GEMINI_API_KEY` (or Google GenAI envs, depending on mode)
+- Claude: typically `ANTHROPIC_API_KEY`
+
+If adding “Codex-like” auth files for these CLIs, document **exact paths + formats** and keep them **generated at runtime** from Secrets.
+
+### SSH (optional)
+Default behavior: container may generate `~/.ssh/id_ed25519` and persist to `/data/.ssh` (Spaces).
+If adding SSH-from-secrets support, prefer:
+- `SSH_PRIVATE_KEY` (+ optional `SSH_PUBLIC_KEY`, `SSH_KNOWN_HOSTS`)
+and ensure files are `0600`, never logged.
+
+## Security posture (important)
+The web terminal and any agent/Codex/MCP execution is effectively remote code execution if exposed.
+
+Before shipping features, ensure:
+- server-side auth checks for `/ws/terminal` and all `/api/codex*` + `/api/mcp*` endpoints
+- explicit capability flags (e.g. `ENABLE_TERMINAL`, `ENABLE_CODEX`, `ENABLE_MCP`) with safe defaults
+- rate limiting / abuse controls if public
+
+## Development hygiene
+- Prefer extracting modules from `main.py` rather than growing it further.
+- Prefer moving large inline JS/CSS out of `static/dashboard.html` into `static/*.js` + `static/*.css`.
+- Keep UI theme tokens consistent between login and dashboard.
+
+## Quick validation
+- Python syntax: `python3 -m py_compile main.py`
+- Basic endpoint check: `curl -sSf http://localhost:7860/health`
+
+## Deployment notes (HF Spaces)
+- Port: `7860`
+- Persistence: `/data` is used for `~/.codex`, `~/.ssh`, and a default workspace directory when available.
+- Web terminals often require device auth flows; avoid localhost callback assumptions.
+

PLAN.md

@@ -0,0 +1,87 @@
+# Roadmap (P0–P3)
+
+This file is the repo-level roadmap for `autonomy-labs`. It’s intentionally opinionated and ordered by risk reduction first, then maintainability, then feature expansion.
+
+## P0 — Security + correctness (blockers)
+- Gate **all dangerous endpoints** server-side (not just UI):
+  - `/ws/terminal`
+  - `/api/codex*`
+  - `/api/mcp*`
+  - any indexing endpoints (docs/web/GitHub)
+- Define a clear auth transport for WebSockets (cookie or token) and verify on the server.
+- Add capability flags with safe defaults:
+  - `ENABLE_TERMINAL`, `ENABLE_CODEX`, `ENABLE_MCP`, `ENABLE_INDEXING`
+- Add `SECURITY.md` with threat model + safe deployment guidance.
+
+## P1 — Backend refactor + lifecycle
+- Split `main.py` into routers/services:
+  - `app/auth.py`, `app/chat.py`, `app/terminal.py`, `app/codex.py`, `app/mcp.py`, `app/settings.py`, `app/admin.py`, `app/indexing.py`
+- Add FastAPI lifespan management:
+  - subprocess lifecycle (Codex MCP server)
+  - cleanup policies (device-login attempts, job registries)
+- Unify Codex integration (prefer CLI-first for device-auth consistency; keep SDK only if needed).
+- Standardize API error schema (UI should not parse strings to detect failure modes).
+
+## P2 — UI/UX, settings, admin, landing
+- Split `static/dashboard.html` into modules:
+  - `static/dashboard.js`, `static/terminal.js`, `static/agent.js`, `static/settings.js`, `static/admin.js`, `static/mcp.js`, `static/rag.js`
+  - `static/theme.css`
+- Fix UI inconsistencies:
+  - theme tokens shared across login + dashboard
+  - consistent spacing, typography, button states, error banners
+  - terminal sizing/fit reliability (debounce + visible-only fitting)
+- Separate Settings vs Admin dashboard:
+  - Settings: provider configs, tokens status, terminal layout, workspace directory, MCP registry
+  - Admin: user/role management, global toggles, indexing jobs, audit logs
+- Create a “blazing” landing page:
+  - `/` marketing/intro + CTA
+  - keep `/login` and `/app` as dedicated routes (or similar)
+
+## P2 — Provider auth parity (Codex/Gemini/Claude)
+- Keep provider auth out of git; source from env/HF Secrets.
+- Support “Codex-like” auth file generation when a CLI requires it:
+  - Codex: `~/.codex/.auth.json` and `~/.codex/auth.json` from `CODEX_*` (or fallback envs).
+  - Gemini/Claude: prefer env (`GEMINI_API_KEY`, `ANTHROPIC_API_KEY`); add file-based auth only if required and documented.
+- Optional: SSH key support via Secrets:
+  - `SSH_PRIVATE_KEY` (+ optional `SSH_PUBLIC_KEY`, `SSH_KNOWN_HOSTS`)
+
+## P2 — Codex workspace directory (UI)
+- Add a per-user “workspace directory” setting.
+- Enforce an allowlisted root (e.g. `/data/codex/workspace/<user>`), prevent traversal, ensure it exists.
+
+## P2 — Stream Codex events in Agent mode
+- Use `/api/codex/cli/stream` for agent execution.
+- UI: render streaming events progressively (agent text, tool events, final summary + usage).
+- Add stop/reconnect handling.
+
+## P2/P3 — MCP registry
+- Add a first-class MCP registry:
+  - per-user servers + optional global templates
+  - “test connection”, “list tools”, allow/deny tool lists
+  - import/export `mcp.json`
+
+## P3 — RAG + indexing (docs/web/GitHub) + “password manager”
+- Clarify “password manager” scope:
+  - secure vault for secrets (high-risk; encryption + audit required), or
+  - indexed notes (lower-risk but still private)
+- Implement indexing connectors:
+  - document uploads
+  - website crawl (depth, allowlist, robots, rate limits)
+  - GitHub repo indexing (branch/path filters, token support via Secrets)
+- Build a jobs UI: progress, retries, errors, and access controls.
+
+## P3 — P2P pubsub chat + account manager
+- Implement account manager concepts:
+  - identities/devices, room/topic membership, permissions, moderation tools
+- Transport:
+  - WebRTC DataChannel (P2P) + server signaling
+  - fallback to server pubsub when P2P fails
+- UX:
+  - rooms, presence, delivery status, network mode indicators
+
+## Engineering hygiene (ongoing)
+- Add `.env.example`, `docs/TROUBLESHOOTING.md`, `docs/ARCHITECTURE.md`, `docs/SECURITY_DEPLOYMENT.md`
+- Add lint/tests + CI:
+  - Python: `ruff`, `pytest`
+  - basic security smoke tests for endpoint gating
+

README.md

@@ -70,9 +70,10 @@ This repo includes a manual workflow at `.github/workflows/codex-autofix.yml`.
 ## Notes
 
 - **Secrets**: don’t hardcode API keys in source. GitHub push protection will block pushes containing tokens.
+- **Security**: the web terminal and agent/Codex endpoints are gated by Supabase auth. Keep Supabase configured and avoid exposing execution features publicly without auth.
 - **Terminal PTY**: the host/container must have PTY devices (`/dev/pts`) available for interactive terminals.
 - **Codex login (Hugging Face Spaces/web terminal)**: Spaces expose a single port, so localhost callback URLs (like `http://localhost:1455/auth/callback?...`) won’t work; use device auth: `codex login --device-auth` (alias: `codex-login`).
 - **Codex login persistence (Spaces)**: on startup the container will use `/data/.codex` (if available) for `~/.codex`, so device-auth stays logged in across restarts.
 - **Codex tokens (Spaces Secrets)**: if you already have tokens, set `CODEX_ID_TOKEN`, `CODEX_ACCESS_TOKEN`, `CODEX_REFRESH_TOKEN` (and optionally `CODEX_ACCOUNT_ID`) as Spaces Secrets; the container will write `~/.codex/.auth.json` (and `~/.codex/auth.json`) on startup.
 - **Gemini CLI**: installed as `gemini` via `npm i -g @google/gemini-cli`. Set one of `GEMINI_API_KEY`, `GOOGLE_GENAI_USE_VERTEXAI`, or `GOOGLE_GENAI_USE_GCA` (Spaces Secret recommended).
-- **Git over SSH (web terminal/Docker)**: the container auto-generates `~/.ssh/id_ed25519` on first start and prints the public key; add it to your Git provider, then use `git@github.com:ORG/REPO.git` URLs.
+- **Git over SSH (web terminal/Docker)**: the container auto-generates `~/.ssh/id_ed25519` on first start and prints the public key; add it to your Git provider, then use `git@github.com:ORG/REPO.git` URLs. To provide a key via Secrets instead, set `SSH_PRIVATE_KEY` (and optionally `SSH_PUBLIC_KEY`, `SSH_KNOWN_HOSTS`).

SECURITY.md

@@ -0,0 +1,24 @@
+# Security Notes
+
+This app includes features that can become remote-code-execution (RCE) if exposed publicly:
+- Web terminal (`/ws/terminal`)
+- Agent/Codex execution (`/api/codex*`)
+- MCP tool calls (`/api/mcp*`)
+
+## Current protections
+- The dashboard UI requires a Supabase session.
+- The backend also enforces Supabase authentication for terminal/Codex/MCP endpoints (server-side).
+
+## Deployment guidance
+- Do not run this app publicly without authentication.
+- Use Hugging Face Spaces Secrets (or env vars) for all credentials.
+- Consider disabling dangerous capabilities unless you explicitly need them:
+  - `ENABLE_TERMINAL`
+  - `ENABLE_CODEX`
+  - `ENABLE_MCP`
+  - `ENABLE_INDEXING`
+
+## Notes
+- Browser clients cannot set `Authorization` headers for WebSockets, so the terminal WebSocket uses a Supabase access token passed via a query param. Treat app access tokens as sensitive.
+- If you add RAG indexing, crawling, or repository ingestion, apply the same auth + rate limiting + allowlisting patterns.
+

docker-entrypoint.sh

@@ -154,6 +154,50 @@ EOF
   fi
 }
 
+ensure_ssh_from_env() {
+  local ssh_dir="${HOME}/.ssh"
+  local key_path="${ssh_dir}/id_ed25519"
+
+  if [[ -z "${SSH_PRIVATE_KEY:-}" ]]; then
+    return 0
+  fi
+
+  mkdir -p "${ssh_dir}"
+  chmod 700 "${ssh_dir}"
+
+  if [[ -f "${key_path}" ]] && [[ "${SSH_OVERWRITE:-}" != "1" ]]; then
+    echo "[ssh] SSH_PRIVATE_KEY provided but ${key_path} already exists; set SSH_OVERWRITE=1 to replace."
+    return 0
+  fi
+
+  printf '%s\n' "${SSH_PRIVATE_KEY}" >"${key_path}"
+  chmod 600 "${key_path}"
+
+  if [[ -n "${SSH_PUBLIC_KEY:-}" ]]; then
+    printf '%s\n' "${SSH_PUBLIC_KEY}" >"${key_path}.pub"
+    chmod 644 "${key_path}.pub" || true
+  elif command -v ssh-keygen >/dev/null 2>&1; then
+    ssh-keygen -y -f "${key_path}" >"${key_path}.pub" 2>/dev/null || true
+    chmod 644 "${key_path}.pub" || true
+  fi
+
+  if [[ -n "${SSH_KNOWN_HOSTS:-}" ]]; then
+    printf '%s\n' "${SSH_KNOWN_HOSTS}" >"${ssh_dir}/known_hosts"
+    chmod 600 "${ssh_dir}/known_hosts" || true
+  fi
+
+  cat >"${ssh_dir}/config" <<'EOF'
+Host *
+  AddKeysToAgent no
+  IdentitiesOnly yes
+  StrictHostKeyChecking accept-new
+EOF
+  chmod 600 "${ssh_dir}/config" || true
+  chown -R "$(id -u)":"$(id -g)" "${ssh_dir}" 2>/dev/null || true
+
+  echo "[ssh] Installed SSH key from env into ${key_path}"
+}
+
 persist_codex_dir_if_possible
 ensure_codex_home_permissions
 ensure_codex_auth_from_env
@@ -161,6 +205,7 @@ persist_ssh_dir_if_possible
 ensure_codex_workspace_dir
 
 if command -v ssh-keygen >/dev/null 2>&1; then
+  ensure_ssh_from_env
   ensure_ssh_keypair
 else
   echo "[git ssh] ssh-keygen not found; install openssh-client to enable SSH key generation." >&2

main.py

@@ -18,6 +18,8 @@ import json
 import uuid
 from dataclasses import dataclass, field
 from datetime import datetime, timezone
+import time
+from fastapi import Request
 
 load_dotenv()
 
@@ -33,6 +35,108 @@ app.add_middleware(
 
 app.mount("/static", StaticFiles(directory="static"), name="static")
 
+def _env_truthy(name: str, default: bool = False) -> bool:
+    raw = os.environ.get(name)
+    if raw is None:
+        return default
+    return raw.strip().lower() in {"1", "true", "yes", "on"}
+
+
+def _feature_enabled(feature: str) -> bool:
+    # Safe behavior: if Supabase isn't configured, disable dangerous features.
+    has_supabase = bool(os.environ.get("SUPABASE_URL") and os.environ.get("SUPABASE_KEY"))
+    defaults = {
+        "terminal": has_supabase,
+        "codex": has_supabase,
+        "mcp": has_supabase,
+        "indexing": False,
+    }
+    env_map = {
+        "terminal": "ENABLE_TERMINAL",
+        "codex": "ENABLE_CODEX",
+        "mcp": "ENABLE_MCP",
+        "indexing": "ENABLE_INDEXING",
+    }
+    return _env_truthy(env_map[feature], default=defaults[feature])
+
+
+_SUPABASE_TOKEN_CACHE: dict[str, tuple[float, dict]] = {}
+
+
+async def _verify_supabase_access_token(access_token: str) -> dict:
+    """
+    Verifies a Supabase access token by calling Supabase Auth `GET /auth/v1/user`.
+    Uses a small in-memory TTL cache to avoid calling Supabase on every request.
+    """
+    access_token = (access_token or "").strip()
+    if not access_token:
+        raise HTTPException(status_code=401, detail="Missing access token")
+
+    now = time.time()
+    cached = _SUPABASE_TOKEN_CACHE.get(access_token)
+    if cached and (now - cached[0]) < 30:
+        return cached[1]
+
+    supabase_url = os.environ.get("SUPABASE_URL")
+    supabase_key = os.environ.get("SUPABASE_KEY")
+    if not supabase_url or not supabase_key:
+        raise HTTPException(status_code=503, detail="Supabase is not configured")
+
+    import httpx
+
+    headers = {
+        "Authorization": f"Bearer {access_token}",
+        "apikey": supabase_key,
+    }
+    url = f"{supabase_url.rstrip('/')}/auth/v1/user"
+    async with httpx.AsyncClient(timeout=10.0) as client:
+        resp = await client.get(url, headers=headers)
+        if resp.status_code != 200:
+            raise HTTPException(status_code=401, detail="Invalid or expired session")
+        user = resp.json()
+        _SUPABASE_TOKEN_CACHE[access_token] = (now, user)
+        # Best-effort cache bound
+        if len(_SUPABASE_TOKEN_CACHE) > 500:
+            for k in list(_SUPABASE_TOKEN_CACHE.keys())[:200]:
+                _SUPABASE_TOKEN_CACHE.pop(k, None)
+        return user
+
+
+async def _require_user_from_request(request: Request) -> dict:
+    auth = (request.headers.get("authorization") or "").strip()
+    if not auth.lower().startswith("bearer "):
+        raise HTTPException(status_code=401, detail="Missing Authorization bearer token")
+    token = auth.split(None, 1)[1].strip()
+    return await _verify_supabase_access_token(token)
+
+
+def _safe_user_workdir(user: dict, requested: Optional[str]) -> str:
+    """
+    Restrict Codex workdir to an allowlisted root to prevent traversal.
+    """
+    base_root = "/data/codex/workspace" if os.path.isdir("/data") else "/app"
+    user_id = (user.get("id") or "").strip() if isinstance(user, dict) else ""
+    user_root = os.path.join(base_root, user_id) if user_id else base_root
+
+    if requested:
+        req = requested.strip()
+        if req:
+            # Only allow inside base_root.
+            norm = os.path.normpath(req)
+            if os.path.isabs(norm):
+                candidate = norm
+            else:
+                candidate = os.path.join(user_root, norm)
+            candidate = os.path.normpath(candidate)
+            base_norm = os.path.normpath(base_root)
+            if candidate == base_norm or candidate.startswith(base_norm + os.sep):
+                os.makedirs(candidate, exist_ok=True)
+                return candidate
+
+    os.makedirs(user_root, exist_ok=True)
+    return user_root
+
+
 @app.get("/config")
 async def get_config():
     return {
@@ -137,6 +241,7 @@ class CodexRequest(BaseModel):
     apiKey: Optional[str] = None
     baseUrl: Optional[str] = None
     modelReasoningEffort: Optional[str] = "minimal"
+    workingDirectory: Optional[str] = None
 
 
 def _default_codex_workdir() -> str:
@@ -146,13 +251,17 @@ def _default_codex_workdir() -> str:
     return os.path.dirname(__file__)
 
 @app.post("/api/codex")
-async def codex_agent(request: CodexRequest):
+async def codex_agent(request: CodexRequest, http_request: Request):
     """
     Runs the local Codex agent via the official @openai/codex-sdk wrapper (Node.js).
     Persists threads under ~/.codex/sessions (mapped to /data/.codex on Spaces by entrypoint).
     """
     if not request.message.strip():
         raise HTTPException(status_code=400, detail="Message is required")
+    if not _feature_enabled("codex"):
+        raise HTTPException(status_code=403, detail="Codex is disabled")
+
+    user = await _require_user_from_request(http_request)
 
     node = os.environ.get("NODE_BIN", "node")
     script_path = os.path.join(os.path.dirname(__file__), "codex_agent.mjs")
@@ -166,7 +275,7 @@ async def codex_agent(request: CodexRequest):
         "sandboxMode": request.sandboxMode,
         "approvalPolicy": request.approvalPolicy,
         "modelReasoningEffort": request.modelReasoningEffort,
-        "workingDirectory": _default_codex_workdir(),
+        "workingDirectory": _safe_user_workdir(user, request.workingDirectory),
     }
 
     try:
@@ -206,7 +315,7 @@ async def codex_agent(request: CodexRequest):
         raise HTTPException(status_code=500, detail=str(e))
 
 @app.post("/api/codex/cli")
-async def codex_agent_cli(request: CodexRequest):
+async def codex_agent_cli(request: CodexRequest, http_request: Request):
     """
     Runs Codex directly via the CLI (`codex exec --json`) and extracts the final agent message.
 
@@ -214,6 +323,10 @@ async def codex_agent_cli(request: CodexRequest):
     """
     if not request.message.strip():
         raise HTTPException(status_code=400, detail="Message is required")
+    if not _feature_enabled("codex"):
+        raise HTTPException(status_code=403, detail="Codex is disabled")
+
+    user = await _require_user_from_request(http_request)
 
     def _with_codex_agent_prefix(message: str) -> str:
         msg = message.strip()
@@ -232,7 +345,7 @@ async def codex_agent_cli(request: CodexRequest):
     if request.model:
         base_args += ["--model", request.model]
     # Run inside app dir; allow even if not a git repo (Spaces copies are git, but keep safe)
-    base_args += ["--cd", _default_codex_workdir(), "--skip-git-repo-check"]
+    base_args += ["--cd", _safe_user_workdir(user, request.workingDirectory), "--skip-git-repo-check"]
 
     # Provide the prompt as an argument (avoids "Reading prompt from stdin..." paths).
     if request.threadId:
@@ -309,7 +422,7 @@ async def codex_agent_cli(request: CodexRequest):
         raise HTTPException(status_code=500, detail=str(e))
 
 @app.post("/api/codex/cli/stream")
-async def codex_agent_cli_stream(request: CodexRequest):
+async def codex_agent_cli_stream(request: CodexRequest, http_request: Request):
     """
     Streams Codex CLI JSONL events (NDJSON) as the agent runs.
 
@@ -318,6 +431,10 @@ async def codex_agent_cli_stream(request: CodexRequest):
     """
     if not request.message.strip():
         raise HTTPException(status_code=400, detail="Message is required")
+    if not _feature_enabled("codex"):
+        raise HTTPException(status_code=403, detail="Codex is disabled")
+
+    user = await _require_user_from_request(http_request)
 
     def _with_codex_agent_prefix(message: str) -> str:
         msg = message.strip()
@@ -332,7 +449,7 @@ async def codex_agent_cli_stream(request: CodexRequest):
         base_args += ["--config", f'approval_policy=\"{request.approvalPolicy}\"']
     if request.model:
         base_args += ["--model", request.model]
-    base_args += ["--cd", _default_codex_workdir(), "--skip-git-repo-check"]
+    base_args += ["--cd", _safe_user_workdir(user, request.workingDirectory), "--skip-git-repo-check"]
 
     if request.threadId:
         base_args += ["resume", request.threadId, message]
@@ -410,10 +527,13 @@ async def codex_agent_cli_stream(request: CodexRequest):
 
 
 @app.get("/api/codex/mcp")
-async def codex_mcp_list():
+async def codex_mcp_list(http_request: Request):
     """
     Lists configured Codex MCP servers by shelling out to `codex mcp list`.
     """
+    if not _feature_enabled("mcp"):
+        raise HTTPException(status_code=403, detail="MCP is disabled")
+    _ = await _require_user_from_request(http_request)
     try:
         proc = await asyncio.create_subprocess_exec(
             "codex",
@@ -437,12 +557,15 @@ async def codex_mcp_list():
 
 
 @app.get("/api/codex/mcp/details")
-async def codex_mcp_details():
+async def codex_mcp_details(http_request: Request):
     """
     Returns `codex mcp get --json` for each configured server.
     """
+    if not _feature_enabled("mcp"):
+        raise HTTPException(status_code=403, detail="MCP is disabled")
+    _ = await _require_user_from_request(http_request)
     try:
-        servers_resp = await codex_mcp_list()
+        servers_resp = await codex_mcp_list(http_request)
         names = servers_resp.get("servers", []) if isinstance(servers_resp, dict) else []
         details = []
         for name in names:
@@ -468,10 +591,13 @@ async def codex_mcp_details():
 
 
 @app.get("/api/codex/login/status")
-async def codex_login_status():
+async def codex_login_status(http_request: Request):
     """
     Returns Codex CLI login status for device-auth based sessions.
     """
+    if not _feature_enabled("codex"):
+        raise HTTPException(status_code=403, detail="Codex is disabled")
+    _ = await _require_user_from_request(http_request)
     try:
         proc = await asyncio.create_subprocess_exec(
             "codex",
@@ -624,10 +750,13 @@ async def _read_device_login_output(attempt: DeviceLoginAttempt) -> None:
 
 
 @app.post("/api/codex/login/device/start")
-async def codex_login_device_start():
+async def codex_login_device_start(http_request: Request):
     """
     Starts `codex login --device-auth` and returns the device URL + code (when available).
     """
+    if not _feature_enabled("codex"):
+        raise HTTPException(status_code=403, detail="Codex is disabled")
+    _ = await _require_user_from_request(http_request)
     async with app.state.device_login_lock:
         proc = await asyncio.create_subprocess_exec(
             "codex",
@@ -648,7 +777,10 @@ async def codex_login_device_start():
 
 
 @app.get("/api/codex/login/device/status")
-async def codex_login_device_status(loginId: str):
+async def codex_login_device_status(loginId: str, http_request: Request):
+    if not _feature_enabled("codex"):
+        raise HTTPException(status_code=403, detail="Codex is disabled")
+    _ = await _require_user_from_request(http_request)
     attempt = app.state.device_login_attempts.get(loginId)
     if not attempt:
         raise HTTPException(status_code=404, detail="Unknown loginId")
@@ -669,10 +801,13 @@ async def codex_login_device_status(loginId: str):
 
 
 @app.get("/api/mcp/tools")
-async def mcp_tools_list():
+async def mcp_tools_list(http_request: Request):
     """
     List tools available from the local Codex MCP server (`codex mcp-server`).
     """
+    if not _feature_enabled("mcp"):
+        raise HTTPException(status_code=403, detail="MCP is disabled")
+    _ = await _require_user_from_request(http_request)
     try:
         result = await app.state.codex_mcp_client.list_tools()
         return result
@@ -686,10 +821,13 @@ class McpCallRequest(BaseModel):
 
 
 @app.post("/api/mcp/call")
-async def mcp_tools_call(request: McpCallRequest):
+async def mcp_tools_call(request: McpCallRequest, http_request: Request):
     """
     Call a tool on the local Codex MCP server (`codex mcp-server`).
     """
+    if not _feature_enabled("mcp"):
+        raise HTTPException(status_code=403, detail="MCP is disabled")
+    _ = await _require_user_from_request(http_request)
     try:
         return await app.state.codex_mcp_client.call_tool(request.name, request.arguments)
     except Exception as e:
@@ -699,6 +837,25 @@ async def mcp_tools_call(request: McpCallRequest):
 async def websocket_terminal(websocket: WebSocket):
     await websocket.accept()
 
+    if not _feature_enabled("terminal"):
+        await websocket.send_text("\r\n[terminal disabled]\r\n")
+        await websocket.close()
+        return
+
+    # Authenticate the WebSocket using a Supabase access token passed via query param.
+    # Browser WebSocket APIs do not allow setting Authorization headers directly.
+    token = (websocket.query_params.get("token") or "").strip()
+    if not token:
+        await websocket.send_text("\r\n[unauthorized: missing token]\r\n")
+        await websocket.close()
+        return
+    try:
+        user = await _verify_supabase_access_token(token)
+    except HTTPException as e:
+        await websocket.send_text(f"\r\n[unauthorized: {e.detail}]\r\n")
+        await websocket.close()
+        return
+
     # If token-based Codex auth is provided via env (HF Spaces Secrets), ensure the CLI auth file exists.
     # This makes `codex` work inside the web terminal even if the entrypoint didn't run (e.g., local dev).
     try:

static/dashboard.html

@@ -716,6 +716,13 @@
                                 </select>
                                 <div class="text-xs text-gray-500 mt-1">Use <code>danger-full-access</code> only if you fully trust the model and this environment.</div>
                             </div>
+                            <div class="mt-3">
+                                <label class="block text-xs font-semibold text-gray-400 mb-1 uppercase">Codex Workspace Directory (optional)</label>
+                                <input type="text" id="codex-workdir" placeholder="/data/codex/workspace"
+                                    class="w-full bg-gray-700 text-sm rounded border border-gray-600 p-2 text-white outline-none focus:border-blue-500"
+                                    onchange="saveCodexWorkdir()">
+                                <div class="text-xs text-gray-500 mt-1">Used as <code>--cd</code> for Codex runs. Restricted to <code>/data/codex/workspace</code> when available.</div>
+                            </div>
                             <div class="mt-3">
                                 <label class="flex items-center justify-between gap-3 bg-gray-800/40 border border-gray-700 rounded-lg px-3 py-2">
                                     <div>
@@ -1329,6 +1336,15 @@
             localStorage.setItem('codex_sandbox_mode_v1', mode);
         }
 
+        function getCodexWorkdir() {
+            return localStorage.getItem('codex_workdir_v1') || '';
+        }
+
+        function saveCodexWorkdir() {
+            const dir = document.getElementById('codex-workdir')?.value || '';
+            localStorage.setItem('codex_workdir_v1', dir.trim());
+        }
+
         function getAgentUseCodexCli() {
             return localStorage.getItem('agent_use_codex_cli_v1') === '1';
         }
@@ -1339,11 +1355,31 @@
             if (el) el.checked = !!enabled;
         }
 
+        async function getAccessToken() {
+            const direct = (window.__sbAccessToken || '').trim();
+            if (direct) return direct;
+            try {
+                const { data: { session } } = await supabase.auth.getSession();
+                const tok = (session?.access_token || '').trim();
+                if (tok) window.__sbAccessToken = tok;
+                return tok;
+            } catch {
+                return '';
+            }
+        }
+
+        async function authFetch(url, options = {}) {
+            const token = await getAccessToken();
+            const headers = new Headers(options.headers || {});
+            if (token && !headers.has('Authorization')) headers.set('Authorization', `Bearer ${token}`);
+            return fetch(url, { ...options, headers });
+        }
+
         async function refreshCodexMcpServers() {
             const out = document.getElementById('codex-mcp-list');
             if (out) out.textContent = 'Loading...';
             try {
-                const res = await fetch('/api/codex/mcp');
+                const res = await authFetch('/api/codex/mcp');
                 const data = await res.json();
                 const names = Array.isArray(data?.servers) ? data.servers : [];
                 if (out) out.textContent = names.length ? `Configured: ${names.join(', ')}` : 'No MCP servers configured.';
@@ -1361,6 +1397,10 @@
 
                 const { data: { session } } = await supabase.auth.getSession();
                 if (!session) { window.location.href = '/'; return; }
+                window.__sbAccessToken = (session.access_token || '').trim();
+                supabase.auth.onAuthStateChange((_event, nextSession) => {
+                    window.__sbAccessToken = (nextSession?.access_token || '').trim();
+                });
 
                 // Theme
                 const savedTheme = localStorage.getItem('theme_v1');
@@ -1394,6 +1434,9 @@
                 if (localStorage.getItem('codex_sandbox_mode_v1') == null) {
                     localStorage.setItem('codex_sandbox_mode_v1', 'danger-full-access');
                 }
+                if (localStorage.getItem('codex_workdir_v1') == null) {
+                    localStorage.setItem('codex_workdir_v1', '');
+                }
 
                 // Logged-in user badge (email + username)
                 try {
@@ -1438,10 +1481,12 @@
                 const codexKey = document.getElementById('codex-api-key');
                 const codexModel = document.getElementById('codex-model');
                 const codexSandbox = document.getElementById('codex-sandbox-mode');
+                const codexWorkdir = document.getElementById('codex-workdir');
                 if (codexBase) codexBase.value = codexSettings.baseUrl;
                 if (codexKey) codexKey.value = codexSettings.apiKey;
                 if (codexModel) codexModel.value = codexSettings.model;
                 if (codexSandbox) codexSandbox.value = getCodexSandboxMode();
+                if (codexWorkdir) codexWorkdir.value = getCodexWorkdir();
                 setCodexShowJsonl(getCodexShowJsonl());
                 setAgentUseCodexCli(getAgentUseCodexCli());
 
@@ -1618,7 +1663,9 @@
             term.loadAddon(fitAddon);
             term.open(termDiv);
 
-            const ws = new WebSocket(`${location.protocol === 'https:' ? 'wss' : 'ws'}://${location.host}/ws/terminal`);
+            const token = (window.__sbAccessToken || '').trim();
+            const wsUrl = `${location.protocol === 'https:' ? 'wss' : 'ws'}://${location.host}/ws/terminal` + (token ? `?token=${encodeURIComponent(token)}` : '');
+            const ws = new WebSocket(wsUrl);
             // Don't fit immediately here; terminals are often created while their view is hidden.
             ws.onopen = () => { setTimeout(() => fitTerm(id), 0); };
             ws.onmessage = (event) => { term.write(event.data); };
@@ -2454,7 +2501,7 @@
 
         async function getCodexLoginStatus() {
             try {
-                const res = await fetch('/api/codex/login/status');
+                const res = await authFetch('/api/codex/login/status');
                 if (!res.ok) return { loggedIn: false, statusText: `HTTP ${res.status}` };
                 return await res.json();
             } catch (e) {
@@ -2504,7 +2551,7 @@
             aiMsgEl.innerHTML = '';
 
             try {
-                const res = await fetch('/api/codex/cli/stream', {
+                const res = await authFetch('/api/codex/cli/stream', {
                     method: 'POST',
                     headers: { 'Content-Type': 'application/json' },
                     body: JSON.stringify({
@@ -2514,6 +2561,7 @@
                         sandboxMode,
                         approvalPolicy: 'never',
                         modelReasoningEffort: 'minimal',
+                        workingDirectory: getCodexWorkdir() || null,
                         apiKey: apiKey || null,
                         baseUrl: baseUrl || null
                     })
@@ -2625,7 +2673,7 @@
                 addMessageToUI('user', '/mcp');
                 const ai = addMessageToUI('assistant', 'Loading MCP tools...');
                 try {
-                    const res = await fetch('/api/mcp/tools');
+                    const res = await authFetch('/api/mcp/tools');
                     const data = await res.json();
                     const tools = Array.isArray(data?.tools) ? data.tools : [];
                     if (!tools.length) {
@@ -2704,42 +2752,104 @@
             try {
                 agentAbortController = new AbortController();
                 setAgentGenerating(true);
-                const res = await (async () => {
-                    if (getAgentUseCodexCli()) {
-                        const ok = await ensureCodexAuthenticated();
-                        if (!ok) throw new Error('Codex not authenticated');
-                        const codex = getCodexSdkSettings();
-                        const codexModel = (codex.model || '').trim();
-                        return fetch('/api/codex/cli', {
-                            method: 'POST',
-                            headers: { 'Content-Type': 'application/json' },
-                            body: JSON.stringify({
-                                message: agentChatHistory.map(m => (typeof m.content === 'string' ? m.content : '')).join('\n\n'),
-                                threadId: null,
-                                model: codexModel || null,
-                                sandboxMode: 'workspace-write',
-                                approvalPolicy: 'never'
-                            }),
-                            signal: agentAbortController.signal
-                        });
+                if (getAgentUseCodexCli()) {
+                    const ok = await ensureCodexAuthenticated();
+                    if (!ok) throw new Error('Codex not authenticated');
+                    const codex = getCodexSdkSettings();
+                    const codexModel = (codex.model || '').trim();
+
+                    const res = await authFetch('/api/codex/cli/stream', {
+                        method: 'POST',
+                        headers: { 'Content-Type': 'application/json' },
+                        body: JSON.stringify({
+                            message: agentChatHistory.map(m => (typeof m.content === 'string' ? m.content : '')).join('\n\n'),
+                            threadId: null,
+                            model: codexModel || null,
+                            sandboxMode: 'workspace-write',
+                            approvalPolicy: 'never',
+                            modelReasoningEffort: 'minimal',
+                            workingDirectory: getCodexWorkdir() || null
+                        }),
+                        signal: agentAbortController.signal
+                    });
+
+                    if (!res.ok) {
+                        const txt = await res.text();
+                        throw new Error(txt || `HTTP ${res.status}`);
+                    }
+
+                    const reader = res.body.getReader();
+                    const decoder = new TextDecoder();
+                    let buffer = '';
+                    let finalText = '';
+                    const progress = [];
+
+                    const pushProgress = (line) => {
+                        if (!line) return;
+                        progress.push(line);
+                        if (progress.length > 200) progress.splice(0, progress.length - 200);
+                    };
+
+                    const summarizeEvent = (evt) => {
+                        const t = evt?.type || 'event';
+                        if (t === 'thread.started') return `thread.started: ${evt.thread_id || ''}`.trim();
+                        if (t === 'turn.completed') return `turn.completed: in=${evt.usage?.input_tokens || 0} out=${evt.usage?.output_tokens || 0}`;
+                        if (t === 'turn.failed') return `turn.failed: ${evt.error?.message || evt.message || ''}`.trim();
+                        if (t === 'stderr') return `stderr: ${evt.message || ''}`.trim();
+                        if (t === 'done') return `done: rc=${evt.returnCode ?? ''}`.trim();
+                        const itemType = evt?.item?.type;
+                        if (itemType && (t === 'item.started' || t === 'item.updated' || t === 'item.completed')) {
+                            const name = evt?.item?.name || evt?.item?.tool_name || '';
+                            const extra = name ? ` (${name})` : '';
+                            return `${t}: ${itemType}${extra}`;
+                        }
+                        return t;
+                    };
+
+                    const renderProgress = () => {
+                        const content = [
+                            progress.length ? 'Progress:' : '',
+                            progress.length ? '```text\n' + progress.slice(-18).join('\n') + '\n```' : '',
+                            finalText ? '\n\n' + finalText : ''
+                        ].filter(Boolean).join('\n');
+                        renderMarkdownInto(aiMsgEl, content || '...');
+                        scrollAgentToBottom();
+                    };
+
+                    while (true) {
+                        const { done, value } = await reader.read();
+                        if (done) break;
+                        buffer += decoder.decode(value, { stream: true });
+                        const lines = buffer.split('\n');
+                        buffer = lines.pop() || '';
+                        for (const line of lines) {
+                            if (!line.trim()) continue;
+                            let evt;
+                            try { evt = JSON.parse(line); } catch { continue; }
+                            pushProgress(summarizeEvent(evt));
+                            if (evt.type === 'item.updated' && evt.item?.type === 'agent_message' && evt.item?.text) {
+                                finalText = evt.item.text || finalText;
+                            } else if (evt.type === 'item.completed' && evt.item?.type === 'agent_message') {
+                                finalText = evt.item.text || finalText;
+                            } else if (evt.type === 'done') {
+                                if (evt.finalResponse) finalText = evt.finalResponse;
+                            }
+                            renderProgress();
+                        }
                     }
 
+                    aiContent = finalText;
+                    renderMarkdownInto(aiMsgEl, aiContent || (progress.length ? progress.slice(-18).join('\n') : ''));
+                    agentChatHistory.push({ role: 'assistant', content: aiContent || '' });
+                } else {
                     const apiKey = document.getElementById('chat-api-key').value;
                     const baseUrl = document.getElementById('chat-base-url').value;
-                    return fetch('/api/chat', {
+                    const res = await fetch('/api/chat', {
                         method: 'POST',
                         headers: { 'Content-Type': 'application/json' },
                         body: JSON.stringify({ messages: agentChatHistory, apiKey, baseUrl, model }),
                         signal: agentAbortController.signal
                     });
-                })();
-
-                if (getAgentUseCodexCli()) {
-                    const data = await res.json();
-                    aiContent = data?.finalResponse || '';
-                    renderMarkdownInto(aiMsgEl, aiContent);
-                    agentChatHistory.push({ role: 'assistant', content: aiContent });
-                } else {
                     const reader = res.body.getReader();
                     const decoder = new TextDecoder();
                     aiMsgEl.innerHTML = '';