feat: route desktop control to authorized devices

2026-05-12 12:15:43 +08:00
parent bc199dcf5c
commit 4de64ac01c
8 changed files with 407 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -29,6 +29,7 @@ apps/boss-admin-web/node_modules/
 .playwright-mcp/
 .superpowers/
 output/
+outputs/
 admin-redesign*.png
 main-*.js
 android/.project
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -11,6 +11,7 @@ const eslintConfig = defineConfig([
    ".next/**",
    "out/**",
    "build/**",
+    "outputs/**",
    "main-*.js",
    "android/.gradle/**",
    "android/**/build/**",
--- a/scripts/deploy-server.sh
+++ b/scripts/deploy-server.sh
@@ -77,6 +77,7 @@ RSYNC_EXCLUDES=(
  --exclude ".git"
  --exclude "node_modules"
  --exclude "data/"
+  --exclude "outputs/"
  --exclude "android/app/build"
  --exclude ".project"
  --exclude ".classpath"
--- a/scripts/ssh-computer-use-smoke.mjs
+++ b/scripts/ssh-computer-use-smoke.mjs
@@ -0,0 +1,202 @@
+#!/usr/bin/env node
+
+import { spawn } from "node:child_process";
+
+function writeJson(payload) {
+  process.stdout.write(`${JSON.stringify(payload)}\n`);
+}
+
+async function readStdin() {
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(typeof chunk === "string" ? chunk : chunk.toString("utf8"));
+  }
+  return chunks.join("").trim();
+}
+
+function parsePayload(raw) {
+  try {
+    const parsed = JSON.parse(raw || "{}");
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error("expected object");
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+
+function envString(name) {
+  return String(process.env[name] || "").trim();
+}
+
+function envBoolean(name) {
+  return envString(name).toLowerCase() === "true";
+}
+
+function detectTargetApp(objective) {
+  const text = String(objective || "").toLowerCase();
+  const candidates = [
+    ["Chrome", ["chrome", "谷歌浏览器"]],
+    ["Safari", ["safari"]],
+    ["Finder", ["finder", "访达"]],
+    ["System Settings", ["system settings", "系统设置", "设置"]],
+    ["QQ", ["qq"]],
+    ["WeChat", ["wechat", "微信"]],
+    ["Telegram", ["telegram"]],
+  ];
+  for (const [name, aliases] of candidates) {
+    if (aliases.some((alias) => text.includes(alias.toLowerCase()))) {
+      return name;
+    }
+  }
+  return "Finder";
+}
+
+function extractQuotedText(objective) {
+  const text = String(objective || "");
+  const patterns = [
+    /[“"]([^“”"]+)[”"]/,
+    /[「『]([^」』]+)[」』]/,
+    /输入[:：]\s*([^\n。；;]+)/,
+    /打字[:：]\s*([^\n。；;]+)/,
+  ];
+  for (const pattern of patterns) {
+    const match = text.match(pattern);
+    const value = match?.[1]?.trim();
+    if (value) return value;
+  }
+  return undefined;
+}
+
+function shouldSubmitAfterTyping(objective) {
+  const text = String(objective || "").toLowerCase();
+  return text.includes("发送") || text.includes("提交") || text.includes("回车") || text.includes("enter");
+}
+
+function escapeAppleScriptString(value) {
+  return String(value || "").replaceAll("\\", "\\\\").replaceAll('"', '\\"');
+}
+
+function buildAppleScript(targetApp, objective) {
+  const lines = [
+    `tell application "${escapeAppleScriptString(targetApp)}"`,
+    "activate",
+    "end tell",
+  ];
+  const typedText = extractQuotedText(objective);
+  if (typedText) {
+    lines.push("delay 0.2");
+    lines.push('tell application "System Events"');
+    lines.push(`keystroke "${escapeAppleScriptString(typedText)}"`);
+    if (shouldSubmitAfterTyping(objective)) {
+      lines.push("key code 36");
+    }
+    lines.push("end tell");
+  }
+  return lines.join("\n");
+}
+
+function runCommand(command, args, env = {}) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(command, args, {
+      env: {
+        ...process.env,
+        ...env,
+      },
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.setEncoding("utf8");
+    child.stderr.setEncoding("utf8");
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk;
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk;
+    });
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (code !== 0) {
+        reject(new Error(stderr.trim() || `ssh computer use exited with ${code}`));
+        return;
+      }
+      resolve({ stdout: stdout.trim(), stderr: stderr.trim() });
+    });
+  });
+}
+
+async function runRemoteAppleScript(script) {
+  const host = envString("BOSS_SSH_CONTROL_HOST");
+  const user = envString("BOSS_SSH_CONTROL_USER");
+  const port = envString("BOSS_SSH_CONTROL_PORT") || "22";
+  const password = envString("BOSS_SSH_CONTROL_PASSWORD");
+  if (!host) throw new Error("SSH_CONTROL_HOST_REQUIRED");
+  if (!user) throw new Error("SSH_CONTROL_USER_REQUIRED");
+
+  const sshTarget = `${user}@${host}`;
+  const encodedScript = Buffer.from(script, "utf8").toString("base64");
+  const remoteCommand = `printf '%s' '${encodedScript}' | base64 -D | osascript`;
+  const sshArgs = [
+    "-o",
+    "StrictHostKeyChecking=no",
+    "-o",
+    "ConnectTimeout=8",
+    "-o",
+    "PreferredAuthentications=password",
+    "-o",
+    "PubkeyAuthentication=no",
+    "-o",
+    "NumberOfPasswordPrompts=1",
+    "-p",
+    port,
+    sshTarget,
+    remoteCommand,
+  ];
+  if (password) {
+    await runCommand("sshpass", ["-e", "ssh", ...sshArgs], { SSHPASS: password });
+    return;
+  }
+  await runCommand("ssh", sshArgs);
+}
+
+const payload = parsePayload(await readStdin());
+if (!payload) {
+  writeJson({ status: "failed", error: "INVALID_SSH_COMPUTER_USE_PAYLOAD" });
+  process.exit(0);
+}
+
+const requestId = typeof payload.requestId === "string" ? payload.requestId : undefined;
+const objective = typeof payload.objective === "string" && payload.objective.trim()
+  ? payload.objective.trim()
+  : "远程桌面控制 smoke 链路测试";
+const targetApp = detectTargetApp(objective);
+const typedText = extractQuotedText(objective);
+
+try {
+  if (!envString("BOSS_SSH_CONTROL_HOST")) {
+    throw new Error("SSH_CONTROL_HOST_REQUIRED");
+  }
+  if (!envString("BOSS_SSH_CONTROL_USER")) {
+    throw new Error("SSH_CONTROL_USER_REQUIRED");
+  }
+  const appleScript = buildAppleScript(targetApp, objective);
+  if (!envBoolean("BOSS_SSH_CONTROL_DRY_RUN")) {
+    await runRemoteAppleScript(appleScript);
+  }
+  writeJson({
+    status: "completed",
+    requestId,
+    replyBody: `SSH 桌面控制已完成：${objective}`,
+    executionSummary: `ssh osascript ${envBoolean("BOSS_SSH_CONTROL_DRY_RUN") ? "dry-run" : "executed"} (${targetApp})`,
+    targetApp,
+    typedText,
+  });
+} catch (error) {
+  writeJson({
+    status: "failed",
+    requestId,
+    error: error instanceof Error ? error.message : "SSH_COMPUTER_USE_FAILED",
+  });
+}
--- a/src/lib/boss-master-agent.ts
+++ b/src/lib/boss-master-agent.ts
@@ -308,6 +308,62 @@ export function classifyMasterAgentControlIntent(

 export const classifyMasterAgentControlIntentForTesting = classifyMasterAgentControlIntent;

+type ControlTargetDeviceInput = {
+  replyProjectId: string;
+  intentCategory: "browser_control" | "desktop_control";
+  preferredDeviceId?: string;
+  authorizedDeviceIds: string[];
+  devices: Array<{
+    id: string;
+    status?: string;
+    capabilities?: {
+      browserAutomation?: { connected?: boolean };
+      computerUse?: { connected?: boolean };
+    };
+  }>;
+  projects: Array<{
+    id: string;
+    deviceIds?: string[];
+  }>;
+};
+
+function isControlDeviceCapable(
+  device: ControlTargetDeviceInput["devices"][number] | undefined,
+  intentCategory: ControlTargetDeviceInput["intentCategory"],
+) {
+  if (!device || device.status !== "online") return false;
+  if (intentCategory === "browser_control") {
+    return device.capabilities?.browserAutomation?.connected === true;
+  }
+  return device.capabilities?.computerUse?.connected === true;
+}
+
+function resolveMasterAgentControlTargetDeviceId(input: ControlTargetDeviceInput) {
+  const authorized = new Set(input.authorizedDeviceIds);
+  const deviceById = new Map(input.devices.map((device) => [device.id, device]));
+  const project = input.projects.find((item) => item.id === input.replyProjectId);
+  const projectDevice = project?.deviceIds
+    ?.find((deviceId) => authorized.has(deviceId) && isControlDeviceCapable(deviceById.get(deviceId), input.intentCategory));
+  if (projectDevice) return projectDevice;
+
+  const authorizedCapableDevices = input.authorizedDeviceIds.filter((deviceId) =>
+    isControlDeviceCapable(deviceById.get(deviceId), input.intentCategory),
+  );
+  if (authorizedCapableDevices.length === 1) return authorizedCapableDevices[0];
+
+  if (
+    input.preferredDeviceId &&
+    authorized.has(input.preferredDeviceId) &&
+    isControlDeviceCapable(deviceById.get(input.preferredDeviceId), input.intentCategory)
+  ) {
+    return input.preferredDeviceId;
+  }
+
+  return authorizedCapableDevices[0] ?? input.preferredDeviceId ?? input.authorizedDeviceIds[0] ?? "mac-studio";
+}
+
+export const resolveMasterAgentControlTargetDeviceIdForTesting = resolveMasterAgentControlTargetDeviceId;
+
 const GENERIC_COMPATIBLE_MODEL_OPTIONS = ["gpt-5.4-mini", "gpt-5.4", "gpt-5.1", "gpt-4.1"];

 type QueuedMasterAgentReplyEnvelope = {
@@ -3709,7 +3765,14 @@ export async function replyToMasterAgentUserMessage(params: {
  if (
    controlIntent.intentCategory === "browser_control" || controlIntent.intentCategory === "desktop_control"
  ) {
-    const deviceId = runtime.account.nodeId || state.user.boundDeviceId || "mac-studio";
+    const deviceId = resolveMasterAgentControlTargetDeviceId({
+      replyProjectId,
+      intentCategory: controlIntent.intentCategory,
+      preferredDeviceId: runtime.account.nodeId || state.user.boundDeviceId || "mac-studio",
+      authorizedDeviceIds: authorizedScope.authorizedDeviceIds,
+      devices: state.devices,
+      projects: state.projects,
+    });
    const taskType = controlIntent.intentCategory;
    const task = await queueMasterAgentTask({
      projectId: replyProjectId,
@@ -3803,6 +3866,14 @@ export async function replyToMasterAgentUserMessage(params: {
          ? "browser-automation-runtime"
          : "computer-use-runtime";
      const taskType = controlIntent.intentCategory;
+      const controlDeviceId = resolveMasterAgentControlTargetDeviceId({
+        replyProjectId,
+        intentCategory: controlIntent.intentCategory,
+        preferredDeviceId: deviceId,
+        authorizedDeviceIds: authorizedScope.authorizedDeviceIds,
+        devices: state.devices,
+        projects: state.projects,
+      });
      const task = await queueMasterAgentTask({
        projectId: replyProjectId,
        taskType,
@@ -3811,7 +3882,7 @@ export async function replyToMasterAgentUserMessage(params: {
        executionPrompt: masterExecutionPrompt,
        requestedBy: params.requestedBy,
        requestedByAccount: params.requestedByAccount,
-        deviceId,
+        deviceId: controlDeviceId,
        accountId: selectedMasterAccount.accountId,
        accountLabel: selectedMasterAccount.label || runtime.summary.roleLabel,
        ...masterTaskAuthorization(["master_agent.ask", "computer.control"]),
@@ -3820,7 +3891,7 @@ export async function replyToMasterAgentUserMessage(params: {
        riskLevel: controlIntent.riskLevel,
        confirmationPolicy: controlIntent.riskLevel === "high" ? "strong_confirm" : "light_confirm",
        requiresUserConfirmation: false,
-        confirmationScopeKey: `${deviceId}:${replyProjectId}`,
+        confirmationScopeKey: `${controlDeviceId}:${replyProjectId}`,
        externalReplyTarget: params.externalReplyTarget,
      });

--- a/tests/master-agent-control-intent-routing.test.ts
+++ b/tests/master-agent-control-intent-routing.test.ts
@@ -1,6 +1,9 @@
 import assert from "node:assert/strict";
 import test from "node:test";
-import { classifyMasterAgentControlIntentForTesting } from "@/lib/boss-master-agent";
+import {
+  classifyMasterAgentControlIntentForTesting,
+  resolveMasterAgentControlTargetDeviceIdForTesting,
+} from "@/lib/boss-master-agent";

 test("routes ordinary product discussion to discussion_only", () => {
  const result = classifyMasterAgentControlIntentForTesting("帮我总结一下这个项目当前目标");
@@ -27,3 +30,56 @@ test("routes desktop gui asks to desktop_control", () => {
  assert.equal(result.executionMode, "desktop");
  assert.equal(result.riskLevel, "medium");
 });
+
+test("routes desktop control to the current project device before global master node", () => {
+  const deviceId = resolveMasterAgentControlTargetDeviceIdForTesting({
+    replyProjectId: "macbook-project",
+    intentCategory: "desktop_control",
+    preferredDeviceId: "mac-studio",
+    authorizedDeviceIds: ["macbook-air"],
+    devices: [
+      {
+        id: "mac-studio",
+        status: "online",
+        capabilities: { computerUse: { connected: true } },
+      },
+      {
+        id: "macbook-air",
+        status: "online",
+        capabilities: { computerUse: { connected: true } },
+      },
+    ],
+    projects: [
+      {
+        id: "macbook-project",
+        deviceIds: ["macbook-air"],
+      },
+    ],
+  });
+
+  assert.equal(deviceId, "macbook-air");
+});
+
+test("routes desktop control to the only authorized capable device for a subaccount", () => {
+  const deviceId = resolveMasterAgentControlTargetDeviceIdForTesting({
+    replyProjectId: "master-agent",
+    intentCategory: "desktop_control",
+    preferredDeviceId: "mac-studio",
+    authorizedDeviceIds: ["macbook-air"],
+    devices: [
+      {
+        id: "mac-studio",
+        status: "online",
+        capabilities: { computerUse: { connected: true } },
+      },
+      {
+        id: "macbook-air",
+        status: "online",
+        capabilities: { computerUse: { connected: true } },
+      },
+    ],
+    projects: [{ id: "master-agent", deviceIds: [] }],
+  });
+
+  assert.equal(deviceId, "macbook-air");
+});
--- a/tests/ssh-computer-use-smoke.test.mjs
+++ b/tests/ssh-computer-use-smoke.test.mjs
@@ -0,0 +1,70 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { spawn } from "node:child_process";
+import path from "node:path";
+
+const repoRoot = path.resolve(import.meta.dirname, "..");
+
+function runRuntime(payload, env = {}) {
+  return new Promise((resolve) => {
+    const child = spawn(process.execPath, ["scripts/ssh-computer-use-smoke.mjs"], {
+      cwd: repoRoot,
+      env: {
+        ...process.env,
+        ...env,
+      },
+      stdio: ["pipe", "pipe", "pipe"],
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.setEncoding("utf8");
+    child.stderr.setEncoding("utf8");
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk;
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk;
+    });
+    child.on("close", (status) => {
+      resolve({ status, stdout, stderr });
+    });
+    child.stdin.end(JSON.stringify(payload));
+  });
+}
+
+test("ssh computer use runtime returns a dry-run desktop control summary", async () => {
+  const result = await runRuntime(
+    {
+      requestKind: "desktop_control",
+      requestId: "ssh-dry-run-1",
+      objective: "打开 Chrome 输入“Boss 远程控制测试”",
+    },
+    {
+      BOSS_SSH_CONTROL_HOST: "192.168.31.114",
+      BOSS_SSH_CONTROL_USER: "jas",
+      BOSS_SSH_CONTROL_DRY_RUN: "true",
+    },
+  );
+
+  assert.equal(result.status, 0, result.stderr);
+  const payload = JSON.parse(result.stdout);
+  assert.equal(payload.status, "completed");
+  assert.equal(payload.requestId, "ssh-dry-run-1");
+  assert.equal(payload.targetApp, "Chrome");
+  assert.equal(payload.typedText, "Boss 远程控制测试");
+  assert.match(payload.replyBody, /SSH 桌面控制已完成/);
+});
+
+test("ssh computer use runtime fails closed when host is missing", async () => {
+  const result = await runRuntime({
+    requestKind: "desktop_control",
+    requestId: "ssh-missing-host",
+    objective: "打开 Finder",
+  });
+
+  assert.equal(result.status, 0, result.stderr);
+  const payload = JSON.parse(result.stdout);
+  assert.equal(payload.status, "failed");
+  assert.equal(payload.requestId, "ssh-missing-host");
+  assert.equal(payload.error, "SSH_CONTROL_HOST_REQUIRED");
+});
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -30,5 +30,5 @@
    ".next/dev/types/**/*.ts",
    "**/*.mts"
  ],
-  "exclude": ["node_modules", "apps/boss-admin-web/**"]
+  "exclude": ["node_modules", "apps/boss-admin-web/**", "outputs/**"]
 }