@automagik/omni 2.260430.1 → 2.260430.2

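--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -113980,7 +113980,7 @@ import { fileURLToPath } from "url";
  // package.json
  var package_default = {
  name: "@automagik/omni",
- version: "2.260430.1",
+ version: "2.260430.2",
  description: "LLM-optimized CLI for Omni",
  type: "module",
  bin: {
@@ -224556,7 +224556,7 @@ var init_sentry_scrub = __esm(() => {
  var require_package8 = __commonJS((exports, module) => {
  module.exports = {
  name: "@omni/api",
- version: "2.260430.1",
+ version: "2.260430.2",
  type: "module",
  exports: {
  ".": {
@@ -240566,7 +240566,7 @@ async function verifySignature3(opts) {
  if (!ok) {
  return { status: "invalid", reason: "signature does not verify under registered pubkey" };
  }
- return { status: "verified", hostId: host.id };
+ return { status: "verified", hostId: host.id, hostScopes: host.scopes };
  }
  function pathFromRequest(url) {
  return `${url.pathname}${url.search}`;
@@ -240603,7 +240603,7 @@ var init_genie_signature = __esm(() => {
  now: Date.now(),
  findHost: async (id) => {
  const host = await services.genieHosts.findById(id);
- return host ? { id: host.id, pubkey: host.pubkey, revokedAt: host.revokedAt } : null;
+ return host ? { id: host.id, pubkey: host.pubkey, revokedAt: host.revokedAt, scopes: host.scopes ?? ["*"] } : null;
  }
  });
  if (outcome.status === "invalid") {
@@ -240622,6 +240622,9 @@ var init_genie_signature = __esm(() => {
  }
  if (outcome.status === "verified" && outcome.hostId) {
  c.set("signedBy", outcome.hostId);
+ if (outcome.hostScopes) {
+ c.set("signedByScopes", outcome.hostScopes);
+ }
  services.genieHosts.touchLastSeen(outcome.hostId).catch((err) => {
  log58.warn("touchLastSeen failed (non-fatal)", { hostId: outcome.hostId, err: String(err) });
  });
@@ -241341,9 +241344,12 @@ var init_scope_enforcer = __esm(() => {
  }
  const method = c.req.method.toUpperCase();
  const path3 = c.req.path;
+ const signedBy = c.get("signedBy");
+ const signedByScopes = c.get("signedByScopes");
  const wildcard = ApiKeyService.scopeAllows(apiKey.scopes, "*");
+ let requiredScope;
  if (!wildcard) {
- const requiredScope = findRequiredScope(method, path3);
+ requiredScope = findRequiredScope(method, path3);
  if (!requiredScope) {
  log60.warn(`DENIED: key=${apiKey.id} route=${method} ${path3} required=UNMAPPED`);
  return c.json({
@@ -241363,6 +241369,31 @@ var init_scope_enforcer = __esm(() => {
  }, 403);
  }
  }
+ if (signedBy && signedByScopes) {
+ const hostWildcard = ApiKeyService.scopeAllows(signedByScopes, "*");
+ if (!hostWildcard) {
+ const needed = requiredScope ?? findRequiredScope(method, path3);
+ if (!needed) {
+ log60.warn(`DENIED: signedBy=${signedBy} route=${method} ${path3} required=UNMAPPED`);
+ return c.json({
+ error: {
+ code: "FORBIDDEN",
+ message: "Insufficient permissions. Route not mapped in scope policy."
+ }
+ }, 403);
+ }
+ if (!ApiKeyService.scopeAllows(signedByScopes, needed)) {
+ log60.warn(`DENIED: signedBy=${signedBy} route=${method} ${path3} required=${needed} host-scopes=${signedByScopes.join(",")}`);
+ return c.json({
+ error: {
+ code: "FORBIDDEN",
+ message: `Insufficient permissions for signing host. Required scope: ${needed}`,
+ host: signedBy
+ }
+ }, 403);
+ }
+ }
+ }
  const body = await safeReadJsonBody(c);
  const targets = extractLockTargets(method, path3, body);
  const instanceResult = enforceInstanceAllowlist(apiKey, targets.instance);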
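Review bot: The new host-scope check in the scope enforcer is fail-open: `if (signedBy && signedByScopes)` skips the restriction whenever a signed request arrives without `signedByScopes`, and the `findHost` change fills a missing `host.scopes` with `["*"]`, so any host record without stored scopes keeps unrestricted access. Consider denying when the scope list is absent, e.g. `if (signedBy && !Array.isArray(signedByScopes)) return c.json({ error: { code: "FORBIDDEN", message: "Signing host has no scope list." } }, 403);`, and logging a warning where the `["*"]` default is applied so unscoped hosts can be found and migrated. The same `Array.isArray` guard would also protect `signedByScopes.join(",")` in the denial log, which would throw if a stored value were not an array; whether that can happen is not visible here. The enclosing middleware starts and ends outside these hunks.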
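--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@automagik/omni",
- "version": "2.260430.1",
+ "version": "2.260430.2",
  "description": "LLM-optimized CLI for Omni",
  "type": "module",
  "bin": {
@@ -50,15 +50,15 @@
  "qrcode-terminal": "^0.12.0"
  },
  "devDependencies": {
- "@omni/api": "2.260429.5",
- "@omni/channel-discord": "2.260429.5",
- "@omni/channel-gupshup": "2.260429.5",
- "@omni/channel-sdk": "2.260429.5",
- "@omni/channel-slack": "2.260429.5",
- "@omni/channel-telegram": "2.260429.5",
- "@omni/channel-whatsapp": "2.260429.5",
- "@omni/core": "2.260429.5",
- "@omni/sdk": "2.260429.5",
+ "@omni/api": "2.260430.1",
+ "@omni/channel-discord": "2.260430.1",
+ "@omni/channel-gupshup": "2.260430.1",
+ "@omni/channel-sdk": "2.260430.1",
+ "@omni/channel-slack": "2.260430.1",
+ "@omni/channel-telegram": "2.260430.1",
+ "@omni/channel-whatsapp": "2.260430.1",
+ "@omni/core": "2.260430.1",
+ "@omni/sdk": "2.260430.1",
  "@types/node": "^22.10.3",
  "@types/qrcode-terminal": "^0.12.2",
  "typescript": "^5.7.3"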