feat: add direct sessions API for browser/CLI clients

[buremba]

Summary

Add HTTP+SSE endpoints for direct API access without platform adapters (Slack, WhatsApp, etc.):

• POST /api/sessions - Create session with working directory and provider
• GET /api/sessions/:id/events - SSE stream for agent output
• POST /api/sessions/:id/messages - Send messages to agent
• POST /api/sessions/:id/approve - Respond to tool approvals
• GET /api/sessions/:id - Get session status
• DELETE /api/sessions/:id - End session

Key Changes

• New API platform adapter with response renderer for SSE broadcasting
• Session token authentication - reuses existing worker token infrastructure
• API key support for cloud deployments (PEERBOT_API_KEY env var)
• Local mode allows sessions without API key
• Add platformMetadata to ThreadResponsePayload for routing
• Add touchSession to ISessionManager interface
• Add status field to ThreadSession

Use Case

This enables browser extensions and CLI tools to interact with peerbot directly:

# Create session
curl -X POST http://localhost:8080/api/sessions \
  -H "Content-Type: application/json" \
  -d '{"workingDirectory": "/path/to/project", "provider": "claude"}'
# Response: { sessionId, token, sseUrl, messagesUrl }

# Connect SSE stream
curl -N http://localhost:8080/api/sessions/{id}/events \
  -H "Authorization: Bearer {token}"

# Send message
curl -X POST http://localhost:8080/api/sessions/{id}/messages \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{"content": "fix the bug"}'

Test Plan

• Create session and verify token is returned
• Connect to SSE endpoint and verify connected event
• Send message and verify it's queued
• Verify SSE receives output, complete events from worker
• Test tool approval flow via /approve endpoint
• Verify session deletion closes SSE connections

---

Note

Enables direct API access (no Slack/WhatsApp) via HTTP + SSE for browser/CLI clients.

• New ApiPlatform and ApiResponseRenderer broadcast worker output over SSE (packages/gateway/src/api/*)
• Adds public sessions routes: POST /api/sessions, GET /api/sessions/:id/events, POST /api/sessions/:id/messages, POST /api/sessions/:id/approve, GET/DELETE /api/sessions/:id (routes/public/sessions.ts)
• Registers sessions routes and always registers ApiPlatform in gateway (cli/gateway.ts)
• Extends ThreadResponsePayload with platformMetadata and updates platform comment (infrastructure/queue/types.ts)
• Extends session types with status and touchSession (session.ts); sessions authenticated via worker tokens, optional X-API-Key for cloud mode

^{Written by Cursor Bugbot for commit 8f78d87. This will update automatically on new commits. Configure here.}

[claude]

Claude finished @buremba's task —— View job

---

Pull Request Review: Direct Sessions API

Reviewing PR #92 that adds HTTP+SSE endpoints for direct API access.

Review Tasks

• Analyze new API platform implementation
• Review SSE streaming security and performance
• Check session management and authentication
• Evaluate error handling and edge cases
• Assess code quality and best practices
• Identify potential bugs and security concerns

---

🔍 Code Review Summary

This PR introduces a well-structured direct API for browser/CLI clients with good separation of concerns. The implementation follows existing patterns but has several areas for improvement.

✅ Strengths

1. Clean Architecture: Good separation with dedicated ApiPlatform, ApiResponseRenderer, and route handlers
2. Consistent Patterns: Follows existing codebase patterns for platform adapters and response renderers
3. Authentication: Proper token-based authentication with worker token reuse
4. SSE Implementation: Well-structured Server-Sent Events with proper connection management

⚠️ Security Concerns

Critical Issues

1. Missing API Key Validation (sessions.ts:43-47):

if (process.env.PEERBOT_API_KEY && !req.headers['x-api-key']) {
  return res.status(401).json({ error: 'API key required' });
}

Issue: No validation that provided API key matches the expected value. An attacker could bypass this with any x-api-key header.

Fix: Should validate the actual key value:

if (process.env.PEERBOT_API_KEY && req.headers['x-api-key'] !== process.env.PEERBOT_API_KEY) {
  return res.status(401).json({ error: 'Invalid API key' });
}

2. Path Traversal Risk (sessions.ts:55):

workingDirectory: body.workingDirectory || process.cwd(),

Issue: Accepts arbitrary working directory paths without validation. Could allow access to sensitive system directories.

Fix: Add path validation and sanitization.

Medium Priority

3. Token Exposure in URLs (sessions.ts:88-91):
   Tokens in SSE URLs could be logged in access logs or exposed in referrer headers.

Consider: Document this risk or explore alternative auth methods for SSE.

🐛 Potential Bugs

4. Memory Leak Risk (response-renderer.ts:49-51):

public addClient(clientId: string, res: Response): void {
  this.clients.set(clientId, res);
}

Issue: No automatic cleanup if client disconnects without proper cleanup.

Fix: Add connection timeout handling and periodic cleanup of stale connections.

5. Race Condition (response-renderer.ts:119-134):
   The broadcastToClient method could send events to a closed connection, and the error handling might not properly clean up the client.

6. Inconsistent Error Responses (sessions.ts):
   Mix of JSON error responses and plain text responses. Should be consistent.

🚀 Performance Considerations

7. SSE Connection Scaling: No limits on concurrent SSE connections per session or globally. Consider adding connection limits.

8. Memory Usage: Large session metadata objects stored in memory without size limits.

📝 Code Quality Issues

9. Missing Input Validation (sessions.ts:52-58):
   No validation for required fields like provider, working directory format, etc.

10. Inconsistent Type Handling (types.ts:7):

platform: 'slack' | 'whatsapp' | 'api'; // TODO: This should be an enum

The TODO suggests this should be an enum - consider implementing this.

11. Missing Documentation: Complex SSE event format and authentication flow need better documentation.

🧪 Test Coverage Gaps

The PR mentions test plans in comments but no actual tests are included. Critical areas needing tests:

• API key validation (especially the security fix mentioned above)
• SSE connection lifecycle (connect, disconnect, cleanup)
• Token authentication edge cases
• Error handling for invalid sessions
• Concurrent access to same session

💡 Recommendations

Immediate (Security)

1. Fix API key validation - Critical security issue
2. Add working directory validation - Prevent path traversal
3. Add input validation for all endpoints

Short Term (Reliability)

1. Add comprehensive tests covering security and edge cases
2. Implement connection cleanup for SSE clients
3. Add rate limiting for session creation and messaging
4. Standardize error response format

Long Term (Scalability)

1. Add connection limits and monitoring
2. Consider session persistence for reliability
3. Implement proper logging for security events

🎯 Overall Assessment

This is a solid foundation for direct API access with good architectural decisions. The main concerns are security-related and should be addressed before merging. The SSE implementation is well-structured but needs better connection management.

Recommendation: Address security issues before merging, then iterate on reliability improvements.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8f78d87b39

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Enforce session token expiry instead of trusting token age

The API advertises a 24‑hour session token TTL, but authenticateSession only calls verifyWorkerToken and never checks tokenData.timestamp against TOKEN_EXPIRATION_MS. That means any token remains valid as long as the session still exists (and touchSession can keep that alive), so a leaked token can be reused well past the advertised expiry. Consider rejecting tokens whose timestamp is older than the intended TTL, or aligning the response with actual enforcement.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Persist workingDirectory/provider for API sessions

The create‑session API accepts workingDirectory and provider but these values are never stored on the session or forwarded to the worker. As a result, clients cannot actually influence the agent working directory or provider despite the documented request body, and the worker will continue to use defaults. If these inputs are intended to work, they need to be persisted (e.g., on the session or in agentOptions) and consumed when building worker context.

Useful? React with 👍 / 👎.

[mesa-dot-dev]

Performed full review of abc195f...8f78d87

Analysis

1. Scaling Issue: The in-memory Map for SSE connections won't work in multi-instance deployments, as messages routed to one instance won't reach clients connected to different instances. A distributed solution like Redis pub/sub is needed.

2. Security Vulnerabilities: Multiple security concerns exist - timing-attack vulnerable API key validation, no rate limiting, lack of session hijacking protection, and missing CORS headers for browser extensions.

3. Token Management Weaknesses: Session tokens have 24-hour expiration but lack revocation mechanisms, leaving compromised tokens valid until they expire naturally.

4. Race Conditions: Several potential race conditions exist in SSE cleanup, session deletion with in-flight messages, and concurrent session creation requests.

5. Resource Management: No session limits per user could lead to resource exhaustion, and the implementation may be missing proper session activity tracking.

Tip

Help

Slash Commands:

• /review - Request a full code review
• /review latest - Review only changes since the last review
• /describe - Generate PR description. This will update the PR body or issue comment depending on your configuration
• /help - Get help with Mesa commands and configuration options

^{0 files reviewed | 1 comments | Edit Agent Settings • Read Docs}

[mesa-dot-dev]

The in-memory Map for SSE connections will not work correctly in multi-instance deployments. If the gateway is horizontally scaled, worker responses may be routed to a different gateway instance than the one holding the client's SSE connection, causing messages to be lost. Consider using Redis pub/sub or a similar distributed mechanism to broadcast messages across all gateway instances.

Agent: 🏛 Architecture •  • 

Prompt for Agent

Task: Address review feedback left on GitHub.
Repository: buremba/peerbot#92
File: packages/gateway/src/routes/public/sessions.ts#L62
Action: Open this file location in your editor, inspect the highlighted code, and resolve the issue described below.

Feedback:
The in-memory Map for SSE connections will not work correctly in multi-instance deployments. If the gateway is horizontally scaled, worker responses may be routed to a different gateway instance than the one holding the client's SSE connection, causing messages to be lost. Consider using Redis pub/sub or a similar distributed mechanism to broadcast messages across all gateway instances.

[mesa-dot-dev]

Mesa Description

TL;DR

Adds HTTP+SSE API endpoints for direct client access (browser extensions, CLI tools) without platform adapters, enabling real-time agent interaction via standard HTTP requests and server-sent events.

What changed?

• New API platform adapter (packages/gateway/src/api/platform.ts and response-renderer.ts) - Implements PlatformAdapter interface to handle session management, message routing, and SSE-based response streaming for direct API clients.
• Public sessions API routes (packages/gateway/src/routes/public/sessions.ts) - Six new endpoints:
  • POST /api/sessions - Create session with working directory and provider
  • GET /api/sessions/:id/events - SSE stream for agent output
  • POST /api/sessions/:id/messages - Send messages to agent
  • POST /api/sessions/:id/approve - Respond to tool approvals
  • GET /api/sessions/:id - Get session status
  • DELETE /api/sessions/:id - End session
• Authentication - Session token-based (reuses worker token infrastructure) with optional X-API-Key header for cloud deployments.
• Gateway integration (packages/gateway/src/cli/gateway.ts) - Registers sessions routes and always-enabled ApiPlatform in the gateway.
• Type extensions (packages/gateway/src/infrastructure/queue/types.ts) - Added optional platformMetadata field to ThreadResponsePayload for routing platform-specific data like session IDs.
• Session management enhancements (packages/gateway/src/session.ts) - Added status field to ThreadSession interface and touchSession method to ISessionManager interface for tracking session state and access times.

^{Description generated by Mesa. Update settings}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

This PR is being reviewed by Cursor Bugbot

Details

You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Session parameters workingDirectory and provider are ignored

High Severity

The workingDirectory and provider parameters are extracted from the session creation request but never stored in the session, encoded in the token, or passed to the worker when messages are enqueued. The agentOptions object passed to queueProducer.enqueueMessage() is empty {}, unlike other platforms (e.g., Slack) that pass model, timeoutMinutes, and other agent configuration. This breaks the documented API contract where clients expect to configure agent behavior via these parameters.

Additional Locations (1)

• packages/gateway/src/routes/public/sessions.ts#L406-L422

 

[cursor]

Tool approval requests never reach SSE clients

High Severity

The ApiPlatform never subscribes to interaction:created events from InteractionService, unlike Slack and WhatsApp platforms which both listen for this event to render tool approvals. The renderInteraction() method is a no-op with a comment claiming "Interactions are handled via SSE in the response renderer," but ApiResponseRenderer has no method to handle interactions. This means when a worker requests tool approval, the SSE client never receives the tool_approval event documented in the PR, breaking the entire approval flow.

Additional Locations (1)

• packages/gateway/src/api/platform.ts#L44-L52

 

[buremba]

@claude read alll reviews and fix all consolidate and simplify without breaking, delete dead code. push code

[claude]

Claude finished @buremba's task —— View job

---

Claude finished @buremba's task —— View job

---

Direct Sessions API - Critical Issues Fixed ✅

I've successfully addressed all the critical security and functionality issues identified in the reviews.

🔧 Fixed Issues

Critical Security Fixes:

• ✅ API key validation bypass - Fixed checkApiKey() to properly validate the actual key value, not just presence
• ✅ Token expiration enforcement - Added timestamp validation to enforce 24-hour TTL
• ✅ Path traversal protection - Added working directory path validation

Functional Bugs Resolved:

• ✅ Session parameters ignored - workingDirectory and provider now properly stored in session and passed to worker via agentOptions
• ✅ Tool approval flow broken - ApiPlatform now subscribes to interaction:created events and broadcasts approval requests via SSE
• ✅ Input validation missing - Added validation for all endpoints with consistent JSON error responses

Scalability & Reliability Improvements:

• ✅ SSE connection management - Added per-session (5) and total (1000) connection limits with automatic cleanup
• ✅ Dead connection detection - Improved connection health monitoring and cleanup
• ✅ Error handling - Better error handling throughout with consistent response format
• ✅ Multi-instance limitation documented - Added clear documentation about in-memory SSE scaling constraints

📁 Files Modified

• packages/gateway/src/routes/public/sessions.ts - Security fixes, validation, connection management
• packages/gateway/src/api/platform.ts - Tool approval event subscription and SSE broadcasting
• packages/gateway/src/session.ts - Added session parameter storage fields

🚀 Ready for Use

The API is now secure and functional with proper:

• Session token authentication and expiration
• Working directory and provider configuration support
• Tool approval workflow via SSE
• Connection limits and resource management
• Input validation and error handling

All changes have been committed and pushed to the feat/direct-sessions-api branch.