- Path: /api/ws (see BROWSERBOX_WS_PATH in lib/ws-path.ts).
- Custom Node server upgrades this path in server.ts; handlers attach via lib/server/ws-http-server.ts.
JSON messages include:
- id — non-empty string, correlates to the reply.
- op — operation name; constants in lib/ws-ops.ts.
- payload — optional, op-specific.
- authToken — optional JWT; sent on each message when a session exists (see lib/ws-client.ts, key browserbox_session_token in sessionStorage).
- Success: { id, ok: true, data }
- Failure: { id, ok: false, error, code }
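An added example (not the project's own code) of validating the message envelope described above before a frame reaches dispatch, and answering malformed frames in the documented failure shape. The op names, error codes, size cap, and the empty id used when a failure cannot be correlated are assumptions.

```typescript
// Hypothetical op names and error codes; the real constants live in lib/ws-ops.ts.
const KNOWN_OPS: ReadonlySet<string> = new Set(["todos.list", "todos.create"]);
const MAX_FRAME_CHARS = 64 * 1024; // assumed cap, tune per deployment

type WsRequest = { id: string; op: string; payload?: unknown; authToken?: string };
type WsFailure = { id: string; ok: false; error: string; code: string };
type ParseResult = { ok: true; request: WsRequest } | { ok: false; reply: WsFailure };

function fail(id: string, code: string, error: string): ParseResult {
  return { ok: false, reply: { id, ok: false, error, code } };
}

function parseWsRequest(raw: string): ParseResult {
  if (raw.length > MAX_FRAME_CHARS) return fail("", "FRAME_TOO_LARGE", "message too large");
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return fail("", "BAD_JSON", "message is not valid JSON");
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return fail("", "BAD_ENVELOPE", "message must be a JSON object");
  }
  const msg = parsed as Record<string, unknown>;
  // Echo the id only when it is a usable string, so the failure can be correlated.
  const id = typeof msg.id === "string" ? msg.id : "";
  if (id === "") return fail("", "BAD_ID", "id must be a non-empty string");
  // Set membership, not object lookup: names like "__proto__" cannot match.
  const op = msg.op;
  if (typeof op !== "string" || !KNOWN_OPS.has(op)) {
    return fail(id, "UNKNOWN_OP", "unknown op"); // never reflect the supplied op
  }
  const token = msg.authToken;
  if (token !== undefined && typeof token !== "string") {
    return fail(id, "BAD_AUTH_TOKEN", "authToken must be a string when present");
  }
  // Copy only the documented fields; extra keys never reach the handler.
  const request: WsRequest = { id, op, payload: msg.payload };
  if (typeof token === "string") request.authToken = token;
  return { ok: true, request };
}
```

This checks only the shape of authToken; verifying the JWT and resolving the session remain the job of the dispatch step.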
Authoritative routing and per-op broadcastKind (none | todos | textFiles) live in lib/server/ws-ops-registry.ts. lib/server/ws-dispatch.ts resolves the session from authToken / socket state, dispatches the op, then—when broadcastKind is not none—calls broadcastAfterMutationForKind so subscribers receive the right push events after mutations.
String constants in lib/realtime-push-events.ts. The browser bridge is lib/realtime-bridge.ts.
The session JWT is stored in sessionStorage and is readable if script runs on your origin (XSS). Mitigate with CSP, input sanitization, and a sensible JWT TTL (SESSION_MAX_AGE_SEC in lib/auth-constants.ts).
Higher-level calls that wrap browserboxWsCall + DTO mapping:
Session token read/write helpers live in lib/ws-session-token.ts (re-exported from lib/ws-client.ts for convenience).