@a-company/paradigm 3.44.0 → 3.46.0

package/dist/symphony-relay-GTAJRCVF.js

@@ -0,0 +1,683 @@
+#!/usr/bin/env node
+import {
+  addPeer,
+  computeHmacProof,
+  generatePairing,
+  loadPeers,
+  updatePeerAgents,
+  updatePeerLastSeen,
+  verifyHmacProof,
+  verifyPairingCode
+} from "./chunk-KVDYJLTC.js";
+import {
+  appendToInbox,
+  isAgentAsleep,
+  listAgents,
+  readOutbox
+} from "./chunk-S2HO5MLR.js";
+import "./chunk-ZXMDA7VB.js";
+
+// ../paradigm-mcp/src/utils/symphony-relay.ts
+import * as path from "path";
+import * as os from "os";
+import * as crypto from "crypto";
+import { WebSocketServer, WebSocket } from "ws";
+var SCORE_DIR = path.join(os.homedir(), ".paradigm", "score");
+var OUTBOX_POLL_INTERVAL_MS = 2e3;
+var KEEPALIVE_INTERVAL_MS = 3e4;
+var PONG_TIMEOUT_MS = 1e4;
+var MAX_AUTH_ATTEMPTS = 3;
+var AUTH_COOLDOWN_MS = 6e4;
+var RECONNECT_MIN_MS = 1e3;
+var RECONNECT_MAX_MS = 3e4;
+function sendFrame(ws, frame) {
+  if (ws.readyState === WebSocket.OPEN) {
+    ws.send(JSON.stringify(frame));
+  }
+}
+function parseFrame(data) {
+  try {
+    const text = typeof data === "string" ? data : String(data);
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+var SymphonyRelay = class _SymphonyRelay {
+  wss = null;
+  wsClient = null;
+  mode;
+  pairingState = null;
+  /** peerId → WebSocket for authenticated connections. */
+  connectedPeers = /* @__PURE__ */ new Map();
+  /** Bounded dedup set of message IDs already processed. */
+  seenMessageIds = /* @__PURE__ */ new Set();
+  outboxWatchInterval = null;
+  keepaliveInterval = null;
+  reconnectTimer = null;
+  reconnectDelay = RECONNECT_MIN_MS;
+  /** agentId → count of outbox lines already forwarded. */
+  outboxPositions = /* @__PURE__ */ new Map();
+  events;
+  myPeerId;
+  port;
+  stopped = false;
+  /** IP/address → { count, cooldownUntil } for rate limiting. */
+  failedAuthAttempts = /* @__PURE__ */ new Map();
+  /** Per-connection pong tracking: peerId → pending timeout handle. */
+  pongTimers = /* @__PURE__ */ new Map();
+  /** Server-side address stored for client reconnect. */
+  serverAddress = null;
+  /** Pairing code stored for client reconnect. */
+  serverCode = null;
+  /** Maximum number of message IDs to keep for dedup. */
+  static MAX_SEEN_IDS = 1e4;
+  constructor(options) {
+    this.mode = options.mode;
+    this.myPeerId = options.peerId;
+    this.port = options.port ?? 3939;
+    this.events = options.events ?? {};
+  }
+  // ────────────────────────────────────────────────────────
+  // Server Mode
+  // ────────────────────────────────────────────────────────
+  /**
+   * Start a WebSocket relay server (hub mode).
+   *
+   * Generates a fresh pairing state, binds to `this.port`, and begins
+   * accepting peer connections.  Returns the pairing state so the caller
+   * can display the code to the user.
+   */
+  async startServer() {
+    if (this.mode !== "server") {
+      throw new Error('startServer() requires mode "server"');
+    }
+    this.pairingState = generatePairing();
+    this.wss = new WebSocketServer({ port: this.port });
+    this.wss.on("connection", (ws, req) => {
+      const remoteAddress = req.socket.remoteAddress ?? "unknown";
+      if (this.isRateLimited(remoteAddress)) {
+        sendFrame(ws, { type: "auth_fail", reason: "Too many failed attempts \u2014 try again later" });
+        ws.close();
+        return;
+      }
+      const challenge = crypto.randomBytes(32).toString("hex");
+      sendFrame(ws, {
+        type: "hello",
+        version: "1.0",
+        peerId: this.myPeerId,
+        challenge
+      });
+      let authenticated = false;
+      ws.on("message", (raw) => {
+        const frame = parseFrame(raw);
+        if (!frame) return;
+        if (!authenticated) {
+          this.handleServerAuth(ws, frame, challenge, remoteAddress).then((peerId) => {
+            if (peerId) {
+              authenticated = true;
+              this.registerPeerConnection(peerId, ws);
+            }
+          }).catch((err) => {
+            this.events.onError?.(err instanceof Error ? err : new Error(String(err)));
+          });
+          return;
+        }
+        this.handleAuthenticatedFrame(ws, frame);
+      });
+      ws.on("close", () => {
+        if (authenticated) {
+          this.handlePeerDisconnect(ws);
+        }
+      });
+      ws.on("error", (err) => {
+        this.events.onError?.(err);
+      });
+    });
+    this.wss.on("error", (err) => {
+      this.events.onError?.(err);
+    });
+    await new Promise((resolve, reject) => {
+      this.wss.on("listening", resolve);
+      this.wss.on("error", reject);
+    });
+    this.startOutboxWatcher();
+    this.startKeepalive();
+    return this.pairingState;
+  }
+  /**
+   * Process an auth frame from an incoming client connection.
+   * Returns the authenticated peerId on success, null on failure.
+   */
+  async handleServerAuth(ws, frame, challenge, remoteAddress) {
+    if (frame.type !== "auth") {
+      sendFrame(ws, { type: "auth_fail", reason: "Expected auth frame" });
+      ws.close();
+      return null;
+    }
+    if (!this.pairingState || !verifyPairingCode(this.pairingState, frame.code)) {
+      this.recordFailedAuth(remoteAddress);
+      const reason = "Invalid or expired pairing code";
+      sendFrame(ws, { type: "auth_fail", reason });
+      this.events.onPeerAuthFailed?.(remoteAddress, reason);
+      ws.close();
+      return null;
+    }
+    const codeHash = this.pairingState.codeHash;
+    if (!verifyHmacProof(challenge, codeHash, frame.proof)) {
+      this.recordFailedAuth(remoteAddress);
+      const reason = "HMAC proof verification failed";
+      sendFrame(ws, { type: "auth_fail", reason });
+      this.events.onPeerAuthFailed?.(remoteAddress, reason);
+      ws.close();
+      return null;
+    }
+    const localAgents = this.getLocalAgentSummaries();
+    const displayName = this.myPeerId;
+    sendFrame(ws, {
+      type: "auth_ok",
+      peerId: this.myPeerId,
+      displayName,
+      agents: localAgents
+    });
+    addPeer({
+      id: frame.peerId,
+      displayName: frame.peerId,
+      address: remoteAddress,
+      sharedSecret: this.pairingState.sharedSecret,
+      connectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      lastSeen: (/* @__PURE__ */ new Date()).toISOString(),
+      revoked: false,
+      agents: []
+    });
+    return frame.peerId;
+  }
+  // ────────────────────────────────────────────────────────
+  // Client Mode
+  // ────────────────────────────────────────────────────────
+  /**
+   * Connect to a remote relay server as a spoke.
+   *
+   * Resolves once authentication completes successfully.
+   * Rejects if the connection fails or auth is denied.
+   */
+  async connectToServer(address, code) {
+    if (this.mode !== "client") {
+      throw new Error('connectToServer() requires mode "client"');
+    }
+    this.serverAddress = address;
+    this.serverCode = code;
+    await this.attemptConnection(address, code);
+  }
+  /**
+   * Inner connection attempt — used for both initial connect and reconnects.
+   */
+  attemptConnection(address, code) {
+    return new Promise((resolve, reject) => {
+      if (this.stopped) {
+        reject(new Error("Relay has been stopped"));
+        return;
+      }
+      const wsUrl = address.includes("://") ? address : `ws://${address}`;
+      const ws = new WebSocket(wsUrl);
+      let settled = false;
+      ws.on("open", () => {
+        this.wsClient = ws;
+      });
+      ws.on("message", (raw) => {
+        const frame = parseFrame(raw);
+        if (!frame) return;
+        switch (frame.type) {
+          case "hello": {
+            const codeHash = crypto.createHash("sha256").update(code).digest("hex");
+            const proof = computeHmacProof(frame.challenge, codeHash);
+            sendFrame(ws, {
+              type: "auth",
+              peerId: this.myPeerId,
+              code,
+              proof
+            });
+            break;
+          }
+          case "auth_ok": {
+            addPeer({
+              id: frame.peerId,
+              displayName: frame.displayName,
+              address,
+              sharedSecret: code,
+              // Store code for reconnect
+              connectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+              lastSeen: (/* @__PURE__ */ new Date()).toISOString(),
+              revoked: false,
+              agents: frame.agents
+            });
+            sendFrame(ws, {
+              type: "agents_sync",
+              agents: this.getLocalAgentSummaries()
+            });
+            this.registerPeerConnection(frame.peerId, ws);
+            this.startOutboxWatcher();
+            this.startKeepalive();
+            this.reconnectDelay = RECONNECT_MIN_MS;
+            if (!settled) {
+              settled = true;
+              resolve();
+            }
+            break;
+          }
+          case "auth_fail": {
+            if (!settled) {
+              settled = true;
+              reject(new Error(`Auth failed: ${frame.reason}`));
+            }
+            ws.close();
+            break;
+          }
+          default:
+            this.handleAuthenticatedFrame(ws, frame);
+            break;
+        }
+      });
+      ws.on("close", () => {
+        this.handlePeerDisconnect(ws);
+        if (!settled) {
+          settled = true;
+          reject(new Error("Connection closed before auth completed"));
+        } else if (!this.stopped) {
+          this.scheduleReconnect();
+        }
+      });
+      ws.on("error", (err) => {
+        this.events.onError?.(err);
+        if (!settled) {
+          settled = true;
+          reject(err);
+        }
+      });
+    });
+  }
+  // ────────────────────────────────────────────────────────
+  // Authenticated Frame Handler
+  // ────────────────────────────────────────────────────────
+  /**
+   * Dispatch a frame received on an authenticated connection.
+   */
+  handleAuthenticatedFrame(ws, frame) {
+    switch (frame.type) {
+      case "message":
+        this.handleIncomingMessage(ws, frame.message, frame.origin);
+        break;
+      case "message_ack":
+        break;
+      case "agents_sync":
+        this.handleAgentsSync(ws, frame.agents);
+        break;
+      case "agent_joined": {
+        const peerId = this.peerIdForSocket(ws);
+        if (peerId) {
+          const peers = loadPeers();
+          const peer = peers.find((p) => p.id === peerId);
+          if (peer) {
+            const agents = [...peer.agents || [], frame.agent];
+            updatePeerAgents(peerId, agents);
+          }
+        }
+        break;
+      }
+      case "agent_left": {
+        const peerId = this.peerIdForSocket(ws);
+        if (peerId) {
+          const peers = loadPeers();
+          const peer = peers.find((p) => p.id === peerId);
+          if (peer) {
+            const agents = (peer.agents || []).filter((a) => a.id !== frame.agentId);
+            updatePeerAgents(peerId, agents);
+          }
+        }
+        break;
+      }
+      case "peer_leaving":
+        this.handlePeerDisconnect(ws);
+        ws.close();
+        break;
+      case "ping":
+        sendFrame(ws, { type: "pong" });
+        break;
+      case "pong":
+        this.handlePong(ws);
+        break;
+      default:
+        break;
+    }
+  }
+  // ────────────────────────────────────────────────────────
+  // Message Handling
+  // ────────────────────────────────────────────────────────
+  /**
+   * Process an incoming relayed message.
+   *
+   * 1. Dedup check — skip if already seen
+   * 2. Deliver to matching local agents
+   * 3. In server mode, relay to other connected peers (not the sender)
+   * 4. Send ack back to the sender
+   */
+  handleIncomingMessage(senderWs, message, origin) {
+    if (this.seenMessageIds.has(message.id)) {
+      sendFrame(senderWs, { type: "message_ack", messageId: message.id });
+      return;
+    }
+    this.addToSeenIds(message.id);
+    const localAgents = listAgents();
+    if (message.recipients && message.recipients.length > 0) {
+      for (const recipient of message.recipients) {
+        const localMatch = localAgents.find((a) => a.id === recipient.id);
+        if (localMatch) {
+          appendToInbox(localMatch.id, message);
+          this.events.onMessageRelayed?.(message.id, origin, localMatch.id);
+        }
+      }
+    } else {
+      for (const agent of localAgents) {
+        appendToInbox(agent.id, message);
+        this.events.onMessageRelayed?.(message.id, origin, agent.id);
+      }
+    }
+    if (this.mode === "server") {
+      const senderPeerId = this.peerIdForSocket(senderWs);
+      for (const [peerId, peerWs] of this.connectedPeers) {
+        if (peerId !== senderPeerId && peerId !== origin) {
+          sendFrame(peerWs, { type: "message", message, origin });
+        }
+      }
+    }
+    sendFrame(senderWs, { type: "message_ack", messageId: message.id });
+  }
+  /**
+   * Update stored agent list for a peer after receiving agents_sync.
+   */
+  handleAgentsSync(ws, agents) {
+    const peerId = this.peerIdForSocket(ws);
+    if (peerId) {
+      updatePeerAgents(peerId, agents);
+      updatePeerLastSeen(peerId);
+    }
+  }
+  // ────────────────────────────────────────────────────────
+  // Outbox Watcher
+  // ────────────────────────────────────────────────────────
+  /**
+   * Start polling local agent outboxes for new messages to relay.
+   *
+   * Reads each outbox as an array, compares length against the stored
+   * position, and forwards any new entries to all connected peers.
+   */
+  startOutboxWatcher() {
+    if (this.outboxWatchInterval) return;
+    this.outboxWatchInterval = setInterval(() => {
+      if (this.connectedPeers.size === 0) return;
+      try {
+        const agents = listAgents();
+        for (const agent of agents) {
+          const messages = readOutbox(agent.id);
+          const lastPosition = this.outboxPositions.get(agent.id) ?? 0;
+          if (messages.length <= lastPosition) continue;
+          const newMessages = messages.slice(lastPosition);
+          for (const msg of newMessages) {
+            if (this.seenMessageIds.has(msg.id)) continue;
+            this.addToSeenIds(msg.id);
+            const frame = {
+              type: "message",
+              message: msg,
+              origin: this.myPeerId
+            };
+            for (const [_peerId, peerWs] of this.connectedPeers) {
+              sendFrame(peerWs, frame);
+            }
+          }
+          this.outboxPositions.set(agent.id, messages.length);
+        }
+      } catch (err) {
+        this.events.onError?.(err instanceof Error ? err : new Error(String(err)));
+      }
+    }, OUTBOX_POLL_INTERVAL_MS);
+  }
+  /**
+   * Stop the outbox watcher.
+   */
+  stopOutboxWatcher() {
+    if (this.outboxWatchInterval) {
+      clearInterval(this.outboxWatchInterval);
+      this.outboxWatchInterval = null;
+    }
+  }
+  // ────────────────────────────────────────────────────────
+  // Keepalive
+  // ────────────────────────────────────────────────────────
+  /**
+   * Start periodic ping/pong keepalive for all connected peers.
+   */
+  startKeepalive() {
+    if (this.keepaliveInterval) return;
+    this.keepaliveInterval = setInterval(() => {
+      for (const [peerId, ws] of this.connectedPeers) {
+        sendFrame(ws, { type: "ping" });
+        const timer = setTimeout(() => {
+          this.handlePeerDisconnect(ws);
+          ws.terminate();
+        }, PONG_TIMEOUT_MS);
+        this.pongTimers.set(peerId, timer);
+      }
+    }, KEEPALIVE_INTERVAL_MS);
+  }
+  /**
+   * Stop keepalive pings.
+   */
+  stopKeepalive() {
+    if (this.keepaliveInterval) {
+      clearInterval(this.keepaliveInterval);
+      this.keepaliveInterval = null;
+    }
+    for (const timer of this.pongTimers.values()) {
+      clearTimeout(timer);
+    }
+    this.pongTimers.clear();
+  }
+  /**
+   * Handle a pong response — clear the dead-connection timer.
+   */
+  handlePong(ws) {
+    const peerId = this.peerIdForSocket(ws);
+    if (peerId) {
+      const timer = this.pongTimers.get(peerId);
+      if (timer) {
+        clearTimeout(timer);
+        this.pongTimers.delete(peerId);
+      }
+      updatePeerLastSeen(peerId);
+    }
+  }
+  // ────────────────────────────────────────────────────────
+  // Peer Lifecycle
+  // ────────────────────────────────────────────────────────
+  /**
+   * Register an authenticated peer connection.
+   */
+  registerPeerConnection(peerId, ws) {
+    const existing = this.connectedPeers.get(peerId);
+    if (existing && existing !== ws) {
+      existing.close();
+    }
+    this.connectedPeers.set(peerId, ws);
+    updatePeerLastSeen(peerId);
+    this.events.onPeerConnected?.(peerId, peerId);
+  }
+  /**
+   * Clean up after a peer disconnects (or is terminated).
+   */
+  handlePeerDisconnect(ws) {
+    const peerId = this.peerIdForSocket(ws);
+    if (!peerId) return;
+    this.connectedPeers.delete(peerId);
+    const timer = this.pongTimers.get(peerId);
+    if (timer) {
+      clearTimeout(timer);
+      this.pongTimers.delete(peerId);
+    }
+    this.events.onPeerDisconnected?.(peerId);
+  }
+  /**
+   * Find the peerId associated with a WebSocket connection.
+   */
+  peerIdForSocket(ws) {
+    for (const [peerId, peerWs] of this.connectedPeers) {
+      if (peerWs === ws) return peerId;
+    }
+    return null;
+  }
+  // ────────────────────────────────────────────────────────
+  // Reconnect (Client Mode)
+  // ────────────────────────────────────────────────────────
+  /**
+   * Schedule an automatic reconnect with exponential backoff.
+   */
+  scheduleReconnect() {
+    if (this.stopped || this.mode !== "client") return;
+    if (!this.serverAddress || !this.serverCode) return;
+    this.stopOutboxWatcher();
+    this.stopKeepalive();
+    this.wsClient = null;
+    const delay = this.reconnectDelay;
+    this.reconnectDelay = Math.min(this.reconnectDelay * 2, RECONNECT_MAX_MS);
+    this.reconnectTimer = setTimeout(() => {
+      if (this.stopped) return;
+      this.attemptConnection(this.serverAddress, this.serverCode).catch((err) => {
+        this.events.onError?.(err instanceof Error ? err : new Error(String(err)));
+      });
+    }, delay);
+  }
+  // ────────────────────────────────────────────────────────
+  // Rate Limiting
+  // ────────────────────────────────────────────────────────
+  /**
+   * Check whether an address is currently rate-limited.
+   */
+  isRateLimited(address) {
+    const entry = this.failedAuthAttempts.get(address);
+    if (!entry) return false;
+    if (Date.now() < entry.cooldownUntil) return true;
+    if (entry.count >= MAX_AUTH_ATTEMPTS) {
+      entry.cooldownUntil = Date.now() + AUTH_COOLDOWN_MS;
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Record a failed auth attempt from a given address.
+   */
+  recordFailedAuth(address) {
+    const entry = this.failedAuthAttempts.get(address);
+    if (entry) {
+      entry.count++;
+    } else {
+      this.failedAuthAttempts.set(address, { count: 1, cooldownUntil: 0 });
+    }
+  }
+  // ────────────────────────────────────────────────────────
+  // Dedup
+  // ────────────────────────────────────────────────────────
+  /**
+   * Add a message ID to the dedup set, evicting the oldest half when
+   * the set exceeds {@link MAX_SEEN_IDS}.
+   */
+  addToSeenIds(messageId) {
+    this.seenMessageIds.add(messageId);
+    if (this.seenMessageIds.size > _SymphonyRelay.MAX_SEEN_IDS) {
+      const entries = Array.from(this.seenMessageIds);
+      const keepFrom = Math.floor(entries.length / 2);
+      this.seenMessageIds = new Set(entries.slice(keepFrom));
+    }
+  }
+  // ────────────────────────────────────────────────────────
+  // Local Agent Helpers
+  // ────────────────────────────────────────────────────────
+  /**
+   * Build a summary list of all locally registered agents.
+   */
+  getLocalAgentSummaries() {
+    return listAgents().map((a) => ({
+      id: a.id,
+      project: a.project,
+      role: a.role,
+      status: isAgentAsleep(a) ? "asleep" : "awake"
+    }));
+  }
+  // ────────────────────────────────────────────────────────
+  // Public API
+  // ────────────────────────────────────────────────────────
+  /**
+   * Gracefully shut down the relay.
+   *
+   * Sends `peer_leaving` to all connected peers, closes every WebSocket,
+   * clears all timers, and shuts down the server (if running).
+   */
+  stop() {
+    this.stopped = true;
+    for (const [_peerId, ws] of this.connectedPeers) {
+      sendFrame(ws, { type: "peer_leaving" });
+      ws.close();
+    }
+    this.connectedPeers.clear();
+    if (this.wsClient) {
+      this.wsClient.close();
+      this.wsClient = null;
+    }
+    this.stopOutboxWatcher();
+    this.stopKeepalive();
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.wss) {
+      this.wss.close();
+      this.wss = null;
+    }
+  }
+  /**
+   * Return the list of currently connected peer IDs.
+   */
+  getConnectedPeers() {
+    return Array.from(this.connectedPeers.keys());
+  }
+  /**
+   * Return the aggregated agent summaries from all connected peers.
+   */
+  getRemoteAgents() {
+    const result = [];
+    const peers = loadPeers();
+    for (const peerId of this.connectedPeers.keys()) {
+      const peer = peers.find((p) => p.id === peerId);
+      if (peer?.agents) {
+        for (const agent of peer.agents) {
+          result.push({ ...agent, peerId });
+        }
+      }
+    }
+    return result;
+  }
+  /**
+   * Generate a new pairing code, invalidating the previous one.
+   *
+   * Only meaningful in server mode — clients don't generate pairing codes.
+   */
+  rotatePairingCode() {
+    if (this.mode !== "server") {
+      throw new Error('rotatePairingCode() requires mode "server"');
+    }
+    this.pairingState = generatePairing();
+    return this.pairingState;
+  }
+};
+export {
+  SCORE_DIR,
+  SymphonyRelay
+};