@arbidocs/sdk 0.3.64 → 0.3.66

package/dist/index.cjs

@@ -3602,7 +3602,7 @@ var FileConfigStore = class {
   sessionFile;
   metadataFile;
   constructor(configDir) {
-    const arbiBase = process.env.ARBI_CONFIG_DIR ?? path2__default.default.join(os2__default.default.homedir(), ".arbi");
+    const arbiBase = process.env.ARBI_CONFIG_DIR ?? (fs2__default.default.existsSync(path2__default.default.join(process.cwd(), ".arbi", "credentials.json")) ? path2__default.default.join(process.cwd(), ".arbi") : path2__default.default.join(os2__default.default.homedir(), ".arbi"));
     const arbiId = process.env.ARBI_ID;
     this.configDir = configDir ?? (arbiId ? path2__default.default.join(arbiBase, arbiId) : arbiBase);
     this.configFile = path2__default.default.join(this.configDir, "config.json");
@@ -3700,12 +3700,12 @@ var FileConfigStore = class {
           ...existing,
           signingPrivateKeyBase64: b64encode(data.signingPrivateKey),
           serverSessionKeyBase64: data.serverSessionKey ? b64encode(data.serverSessionKey) : existing.serverSessionKeyBase64,
-          // A fresh server session key invalidates any cached
-          // workspace-scoped token, so wipe those so the next request
-          // re-derives them from the new session.
+          // A fresh server session = a fresh ``session.workspaces``
+          // dict. The previous session's deposits do not transfer, so
+          // wipe the client mirror to force re-deposit on next touch.
           accessToken: void 0,
-          sealedWorkspaceKey: void 0,
-          tokenTimestamp: void 0
+          tokenTimestamp: void 0,
+          openedWorkspaces: void 0
         });
       }
     };
@@ -3904,6 +3904,7 @@ function sleep(ms) {
 }
 
 // src/auth.ts
+var TOKEN_MAX_AGE_MS = 50 * 60 * 1e3;
 function formatWorkspaceChoices(wsList) {
   return wsList.map((ws) => {
     const totalDocs = ws.shared_document_count + ws.private_document_count;
@@ -3934,11 +3935,11 @@ async function createAuthenticatedClient(config, creds, store) {
   });
   store.saveCredentials({
     ...creds,
+    userExtId: loginResult.userExtId ?? creds.userExtId,
     serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
     accessToken: void 0,
-    sealedWorkspaceKey: void 0,
-    workspaceId: void 0,
-    tokenTimestamp: void 0
+    tokenTimestamp: void 0,
+    openedWorkspaces: void 0
   });
   return { arbi, loginResult };
 }
@@ -3948,13 +3949,18 @@ async function performPasswordLogin(config, email, password, store) {
   const loginResult = await arbi.auth.login({ email, password });
   store.saveCredentials({
     email,
+    userExtId: loginResult.userExtId,
     signingPrivateKeyBase64: arbi.crypto.bytesToBase64(loginResult.signingPrivateKey),
     serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
-    // Clear any cached workspace tokens — new session key invalidates them
+    // `parent_ext_id` is set for persistent agent accounts (the user is
+    // an Assistant owned by another user). Persisting it makes the CLI's
+    // `arbi listen` work — it requires this to confirm a real agent
+    // identity. Regular users get `null`, which we store as `undefined`.
+    parentExtId: loginResult.parentExtId ?? void 0,
+    // New session = no workspaces deposited yet.
     accessToken: void 0,
-    sealedWorkspaceKey: void 0,
-    workspaceId: void 0,
-    tokenTimestamp: void 0
+    tokenTimestamp: void 0,
+    openedWorkspaces: void 0
   });
   return { arbi, loginResult, config };
 }
@@ -3965,12 +3971,13 @@ async function performSigningKeyLogin(config, email, signingPrivateKeyBase64, st
   const loginResult = await arbi.auth.loginWithKey({ email, signingPrivateKey });
   store.saveCredentials({
     email,
+    userExtId: loginResult.userExtId,
     signingPrivateKeyBase64,
     serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
+    parentExtId: loginResult.parentExtId ?? void 0,
     accessToken: void 0,
-    sealedWorkspaceKey: void 0,
-    workspaceId: void 0,
-    tokenTimestamp: void 0
+    tokenTimestamp: void 0,
+    openedWorkspaces: void 0
   });
   return { arbi, loginResult, config };
 }
@@ -3994,13 +4001,14 @@ async function performSsoDeviceFlowLogin(config, email, password, store, callbac
   const loginResult = await arbi.auth.login({ email, password, ssoToken });
   store.saveCredentials({
     email,
+    userExtId: loginResult.userExtId,
     signingPrivateKeyBase64: arbi.crypto.bytesToBase64(loginResult.signingPrivateKey),
     serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
+    parentExtId: loginResult.parentExtId ?? void 0,
     ssoToken,
     accessToken: void 0,
-    sealedWorkspaceKey: void 0,
-    workspaceId: void 0,
-    tokenTimestamp: void 0
+    tokenTimestamp: void 0,
+    openedWorkspaces: void 0
   });
   return { arbi, loginResult, config };
 }
@@ -4050,38 +4058,79 @@ async function getRawWorkspaceKey(arbi, workspaceId, signingPrivateKeyBase64) {
   });
   return client.sealedBoxDecrypt(ws.wrapped_key, encryptionKeyPair.secretKey);
 }
+async function openWorkspaceEntry(arbi, ws, serverSessionKey, signingPrivateKeyBase64) {
+  if (ws.wrapped_key) {
+    const sealedKey = await selectWorkspace(
+      arbi,
+      ws.external_id,
+      ws.wrapped_key,
+      serverSessionKey,
+      signingPrivateKeyBase64
+    );
+    const { error: error2 } = await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
+      params: { path: { workspace_ext_id: ws.external_id } },
+      body: { workspace_key: sealedKey }
+    });
+    if (error2) {
+      throw new ArbiError(`Workspace open failed for ${ws.external_id}: ${JSON.stringify(error2)}`);
+    }
+    return sealedKey;
+  }
+  arbi.session.setSelectedWorkspace(ws.external_id);
+  const { error } = await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
+    params: { path: { workspace_ext_id: ws.external_id } },
+    body: {}
+  });
+  if (error) {
+    throw new ArbiError(`Workspace open failed for ${ws.external_id}: ${JSON.stringify(error)}`);
+  }
+  return null;
+}
 async function selectWorkspaceById(arbi, workspaceId, serverSessionKey, signingPrivateKeyBase64) {
   const { data: workspaces, error } = await arbi.fetch.GET("/v1/user/workspaces");
   if (error || !workspaces) {
     throw new ArbiError("Failed to fetch workspaces");
   }
   const ws = workspaces.find((w2) => w2.external_id === workspaceId);
-  if (!ws || !ws.wrapped_key) {
-    throw new ArbiError(`Workspace ${workspaceId} not found or has no encryption key`);
+  if (!ws) {
+    throw new ArbiError(`Workspace ${workspaceId} not found`);
   }
-  const sealedKey = await selectWorkspace(
-    arbi,
-    ws.external_id,
-    ws.wrapped_key,
-    serverSessionKey,
-    signingPrivateKeyBase64
-  );
-  await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
-    params: { path: { workspace_ext_id: ws.external_id } },
-    body: { workspace_key: sealedKey }
-  });
-  return { external_id: ws.external_id, name: ws.name, wrapped_key: ws.wrapped_key };
+  const sealedKey = await openWorkspaceEntry(arbi, ws, serverSessionKey, signingPrivateKeyBase64);
+  return {
+    external_id: ws.external_id,
+    name: ws.name,
+    wrapped_key: ws.wrapped_key ?? null,
+    sealed_key: sealedKey
+  };
+}
+function isSessionAlive(creds) {
+  return !!(creds.accessToken && creds.tokenTimestamp && Date.now() - new Date(creds.tokenTimestamp).getTime() < TOKEN_MAX_AGE_MS);
+}
+async function buildAuthFromCache(config, creds, store) {
+  const arbi = client.createArbiClient(buildClientOptions(config, store, creds.email));
+  await arbi.crypto.initSodium();
+  arbi.session.setUser(creds.email, creds.userExtId);
+  arbi.session.setAccessToken(creds.accessToken);
+  const signingPrivateKey = client.base64ToBytes(creds.signingPrivateKeyBase64);
+  const serverSessionKey = client.base64ToBytes(creds.serverSessionKeyBase64);
+  const loginResult = {
+    accessToken: creds.accessToken,
+    userExtId: creds.userExtId,
+    signingPrivateKey,
+    serverSessionKey
+  };
+  return { arbi, loginResult };
 }
 async function resolveAuth(store) {
   const config = store.requireConfig();
   const creds = store.requireCredentials();
+  if (isSessionAlive(creds)) {
+    const { arbi: arbi2, loginResult: loginResult2 } = await buildAuthFromCache(config, creds, store);
+    return { arbi: arbi2, loginResult: loginResult2, config };
+  }
   const { arbi, loginResult } = await createAuthenticatedClient(config, creds, store);
   return { arbi, loginResult, config };
 }
-var TOKEN_MAX_AGE_MS = 50 * 60 * 1e3;
-function isCachedTokenValid(creds, workspaceId) {
-  return !!(creds.accessToken && creds.sealedWorkspaceKey && creds.workspaceId === workspaceId && creds.tokenTimestamp && Date.now() - new Date(creds.tokenTimestamp).getTime() < TOKEN_MAX_AGE_MS);
-}
 async function resolveWorkspace(store, workspaceOpt) {
   const config = store.requireConfig();
   const creds = store.requireCredentials();
@@ -4089,53 +4138,52 @@ async function resolveWorkspace(store, workspaceOpt) {
   if (!workspaceId) {
     throw new ArbiError("No workspace selected. Run: arbi workspace select <id>");
   }
-  if (isCachedTokenValid(creds, workspaceId)) {
-    const arbi2 = client.createArbiClient(buildClientOptions(config, store, creds.email));
-    await arbi2.crypto.initSodium();
-    arbi2.session.setUser(creds.email);
+  if (isSessionAlive(creds)) {
+    const { arbi: arbi2, loginResult: loginResult2 } = await buildAuthFromCache(config, creds, store);
     arbi2.session.setSelectedWorkspace(workspaceId);
-    arbi2.session.setAccessToken(creds.accessToken);
-    const signingPrivateKey = client.base64ToBytes(creds.signingPrivateKeyBase64);
-    const serverSessionKey = client.base64ToBytes(creds.serverSessionKeyBase64);
-    const loginResult2 = {
-      accessToken: creds.accessToken,
-      signingPrivateKey,
-      serverSessionKey
-    };
+    await selectWorkspaceById(
+      arbi2,
+      workspaceId,
+      loginResult2.serverSessionKey,
+      creds.signingPrivateKeyBase64
+    );
+    const nextOpened = Array.from(/* @__PURE__ */ new Set([...creds.openedWorkspaces ?? [], workspaceId]));
+    store.saveCredentials({
+      ...store.requireCredentials(),
+      openedWorkspaces: nextOpened
+    });
     return {
       arbi: arbi2,
       loginResult: loginResult2,
       config,
       workspaceId,
-      accessToken: creds.accessToken,
-      sealedWorkspaceKey: creds.sealedWorkspaceKey
+      accessToken: creds.accessToken
     };
   }
   const { arbi, loginResult } = await createAuthenticatedClient(config, creds, store);
-  const wsInfo = await selectWorkspaceById(
+  await selectWorkspaceById(
     arbi,
     workspaceId,
     loginResult.serverSessionKey,
     creds.signingPrivateKeyBase64
   );
   const accessToken = arbi.session.getState().accessToken;
-  const sealedWorkspaceKey = await generateEncryptedWorkspaceKey(
-    arbi,
-    wsInfo.wrapped_key,
-    loginResult.serverSessionKey,
-    creds.signingPrivateKeyBase64
-  );
   if (!accessToken) {
     throw new ArbiError("Authentication error \u2014 missing token");
   }
   store.saveCredentials({
     ...store.requireCredentials(),
     accessToken,
-    sealedWorkspaceKey,
-    workspaceId,
-    tokenTimestamp: (/* @__PURE__ */ new Date()).toISOString()
+    tokenTimestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    openedWorkspaces: [workspaceId]
   });
-  return { arbi, loginResult, config, workspaceId, accessToken, sealedWorkspaceKey };
+  return {
+    arbi,
+    loginResult,
+    config,
+    workspaceId,
+    accessToken
+  };
 }
 
 // src/sse.ts