Persist dashboard admin key updates

Author: yelixir-dev

src/config.ts

@@ -81,6 +81,10 @@ function parseCsv(value: string | undefined): string[] {
     .filter(Boolean);
 }
 
+function stringValue(value: unknown): string | undefined {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+
 function uniq(values: string[]): string[] {
   return Array.from(new Set(values));
 }
@@ -174,7 +178,7 @@ export function loadBridgeConfig(options: LoadBridgeConfigOptions = {}): BridgeC
     defaultModel,
     allowedModels,
     allowUnknownModels: parseBoolean(env.COMMANDCODE_ALLOW_UNKNOWN_MODELS, false),
-    bridgeApiKey: env.BRIDGE_API_KEY?.trim() || undefined,
+    bridgeApiKey: stringValue(dashboardConfig.bridgeApiKey) || env.BRIDGE_API_KEY?.trim() || undefined,
     commandCodeApiKey: commandCodeCredentials[0]?.apiKey,
     commandCodeCredentials,
     commandCodeRoutingPolicy: routingPolicy,

src/dashboard-config.ts

@@ -16,6 +16,7 @@ export interface DashboardServerConfig {
 }
 
 export interface CommandCodeDashboardConfigFile {
+  bridgeApiKey?: string;
   server?: Partial<DashboardServerConfig>;
   routing?: Partial<CommandCodeRoutingConfig>;
   models?: Array<Partial<CommandCodeModelConfig>>;
@@ -45,6 +46,7 @@ export interface DashboardConfigView {
 }
 
 export interface DashboardConfigUpdate {
+  bridgeApiKey?: string;
   server?: Partial<DashboardServerConfig>;
   routing?: Partial<CommandCodeRoutingConfig>;
   models?: Array<Partial<CommandCodeModelConfig>>;
@@ -261,7 +263,9 @@ export function redactedCredentials(
 export function buildWritableDashboardConfig(
   update: DashboardConfigUpdate,
 ): CommandCodeDashboardConfigFile {
+  const bridgeApiKey = stringValue(update.bridgeApiKey);
   return {
+    ...(bridgeApiKey ? { bridgeApiKey } : {}),
     server: normalizeServerConfig(update.server),
     routing: normalizeRoutingConfig(update.routing),
     models: normalizeModelUpdate(update.models ?? []),

src/dashboard.ts

@@ -70,10 +70,10 @@ $('creds').innerHTML=cfg.credentials.map((c,i)=>{c.originalId=c.originalId||c.id
 document.querySelectorAll('[data-cid]').forEach(e=>e.oninput=()=>{cfg.credentials[+e.dataset.cid].id=e.value;setDirty();}); document.querySelectorAll('[data-cenabled]').forEach(e=>e.onchange=()=>{cfg.credentials[+e.dataset.cenabled].enabled=e.checked;setDirty();}); document.querySelectorAll('[data-ckey]').forEach(e=>e.oninput=()=>{if(preventDuplicateVisibleKey(e))return; cfg.credentials[+e.dataset.ckey].apiKey=e.value;setDirty();}); document.querySelectorAll('[data-del]').forEach(e=>e.onclick=()=>{cfg.credentials.splice(+e.dataset.del,1);render();setDirty();});
 $('models').innerHTML=cfg.models.map((m,i)=>'<div class="model"><div class="model-head"><div><b>'+esc(m.label||m.id)+'</b><div class="small">'+esc(m.provider)+' · '+esc(m.id)+'</div></div><label class="switch"><input data-mid="'+i+'" type="checkbox" '+(m.enabled?'checked':'')+'><span class="slider"></span></label></div><div class="small">'+esc(m.notes||'')+'</div></div>').join(''); document.querySelectorAll('[data-mid]').forEach(e=>e.onchange=()=>{cfg.models[+e.dataset.mid].enabled=e.checked;setDirty();});}
 function randomBridgeKey(){const bytes=new Uint8Array(3); if(globalThis.crypto?.getRandomValues) crypto.getRandomValues(bytes); else for(let i=0;i<bytes.length;i++)bytes[i]=Math.floor(Math.random()*256); return 'sk-cmdbridge-'+Array.from(bytes,b=>b.toString(16).padStart(2,'0')).join('');}
-function generateBridgeKey(){const key=randomBridgeKey(); const el=$('bridgeApiKey'); if(el)el.value=displayBridgeKey(key); saveBridgeKey(key); setDirty(); toast('Random Admin API key generated. Save JSON and restart.');}
+function generateBridgeKey(){const key=randomBridgeKey(); const el=$('bridgeApiKey'); if(el)el.value=displayBridgeKey(key); setDirty(); toast('Random Admin API key generated. Save JSON, then restart to apply.');}
 $('bindHost').onchange=()=>{cfg.server.host=$('bindHost').value;syncBridgeKey();setDirty();}; $('bindPort').oninput=()=>{cfg.server.port=Number($('bindPort').value)||9992;setDirty();}; function saveBridgeKey(nextKey){const key=nextKey||fullBridgeKey(); if(key)localStorage.setItem('bridgeApiKey',key); else localStorage.removeItem('bridgeApiKey'); syncBridgeKey(); toast(key?'Admin API key saved in this browser.':'Admin API key cleared.');} async function copyBridgeKey(){const key=fullBridgeKey()||authKey(localStorage.getItem('bridgeApiKey'))||''; if(!key){toast('Admin API key is empty.');return;} try{await navigator.clipboard.writeText(key);toast('Admin API key copied.');}catch{toast('Copy failed. Select and copy manually.');}} $('generateBridgeKey').onclick=generateBridgeKey; $('saveBridgeKey').onclick=()=>saveBridgeKey(); $('copyBridgeKey').onclick=copyBridgeKey; $('bridgeApiKey').onkeydown=e=>{if(e.key==='Enter')saveBridgeKey();}; $('maxPer').oninput=()=>{cfg.routing.maxInFlightPerCredential=Number($('maxPer').value)||4; setDirty();}; $('refreshCreds').onclick=async()=>{try{const m=await api('/admin/commandcode/credentials?refresh=true'); const byId=new Map((m.credentials||[]).map(x=>[x.id,x])); cfg.credentials.forEach(c=>c.metrics=byId.get(c.id)); render(); toast('Credentials refreshed.');}catch(e){toast('Credential refresh failed.');}}; $('addCred').onclick=()=>{cfg.credentials.push({id:'key'+(cfg.credentials.length+1),apiKey:'',weight:1,enabled:true});render();setDirty();};
-$('save').onclick=async()=>{try{if(!cfg)throw new Error('config not loaded'); const payload={server:cfg.server,routing:cfg.routing,models:cfg.models,credentials:cfg.credentials.map(c=>({id:c.id,originalId:c.originalId,apiKey:c.apiKey||undefined,weight:c.weight||1,enabled:expiredIds.has(c.id)?undefined:c.enabled!==false,maxInFlight:c.maxInFlight,allowedModels:c.allowedModels}))}; cfg=await api('/admin/config',{method:'PUT',body:JSON.stringify(payload)}); render(); setDirty(true); toast('JSON saved. Restart required.');}catch(e){toast(duplicateCredentialMessage(e)||('Save failed: '+(e?.message||e)));}};
-$('restart').onclick=async()=>{try{await api('/admin/restart',{method:'POST',body:'{}'}); toast('Restart requested'); setTimeout(load,1800);}catch(e){toast('Restart failed: '+(e?.message||e));}};
+$('save').onclick=async()=>{try{if(!cfg)throw new Error('config not loaded'); const pendingBridgeKey=fullBridgeKey(); const payload={...(pendingBridgeKey?{bridgeApiKey:pendingBridgeKey}:{}),server:cfg.server,routing:cfg.routing,models:cfg.models,credentials:cfg.credentials.map(c=>({id:c.id,originalId:c.originalId,apiKey:c.apiKey||undefined,weight:c.weight||1,enabled:expiredIds.has(c.id)?undefined:c.enabled!==false,maxInFlight:c.maxInFlight,allowedModels:c.allowedModels}))}; cfg=await api('/admin/config',{method:'PUT',body:JSON.stringify(payload)}); render(); setDirty(true); toast('JSON saved. Restart required.');}catch(e){toast(duplicateCredentialMessage(e)||('Save failed: '+(e?.message||e)));}};
+$('restart').onclick=async()=>{const pendingBridgeKey=fullBridgeKey(); try{await api('/admin/restart',{method:'POST',body:'{}'}); if(pendingBridgeKey)localStorage.setItem('bridgeApiKey',pendingBridgeKey); toast('Restart requested'); setTimeout(load,1800);}catch(e){toast('Restart failed: '+(e?.message||e));}};
 load();
 </script>
 </body></html>`;

src/server.ts

@@ -426,6 +426,9 @@ export async function createApp(options: CreateAppOptions = {}): Promise<Fastify
       request.body as DashboardConfigUpdate,
       secretSourceConfig,
     );
+    if (!update.bridgeApiKey && secretSourceConfig.bridgeApiKey) {
+      update.bridgeApiKey = secretSourceConfig.bridgeApiKey;
+    }
     const duplicateIds = duplicateCommandCodeApiKeyIds(update);
     if (duplicateIds.length > 0) {
       return reply.code(409).send({

tests/admin-config.test.ts

@@ -52,6 +52,24 @@ describe("JSON dashboard configuration", () => {
     expect((statSync(file).mode & 0o777).toString(8)).toBe("600");
   });
 
+  it("persists and loads dashboard-managed admin API keys", () => {
+    const dir = mkdtempSync(join(tmpdir(), "commandcode-bridge-admin-key-"));
+    const file = join(dir, "credentials.json");
+    writeDashboardConfigFile(file, {
+      bridgeApiKey: "sk-cmdbridge-123abc",
+      credentials: [{ id: "alpha", apiKey: "alpha-secret" }],
+    });
+
+    const persisted = JSON.parse(readFileSync(file, "utf8")) as { bridgeApiKey?: string };
+    expect(persisted.bridgeApiKey).toBe("sk-cmdbridge-123abc");
+
+    const config = loadBridgeConfig({
+      env: { COMMANDCODE_CREDENTIALS_FILE: file, BRIDGE_API_KEY: "old-env-key" },
+      authPaths: [],
+    });
+    expect(config.bridgeApiKey).toBe("sk-cmdbridge-123abc");
+  });
+
   it("lets JSON routing policy drive dashboard-managed configuration over legacy env", () => {
     const file = tempConfigFile({
       routing: { policy: "round_robin", maxInFlightPerCredential: 4 },

tests/dashboard-ui.test.ts

@@ -150,6 +150,6 @@ describe("dashboard UI", () => {
     expect(html).toContain("function randomBridgeKey");
     expect(html).toContain("cmdbridge-");
     expect(html).toContain("generateBridgeKey");
-    expect(html).toContain("saveBridgeKey(key)");
+    expect(html).toContain("bridgeApiKey:pendingBridgeKey");
   });
 });