npm - @automagik/omni - Versions diffs - 2.260430.3 → 2.260430.5 - Mend

@automagik/omni 2.260430.3 → 2.260430.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/commands/trust.d.ts +19 -0
package/dist/commands/trust.d.ts.map +1 -0
package/dist/index.js +98 -1
package/dist/server/index.js +68 -3
package/package.json +10 -10

package/dist/commands/trust.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Trust Commands — manage genie host fingerprint registrations.
+ *
+ *   omni trust list                            List active genie hosts
+ *   omni trust get <id>                        Show one host (active or revoked)
+ *   omni trust update <id> --scope <a,b,c>     Replace host scopes wholesale
+ *   omni trust revoke <id>                     Soft-delete (stamps revoked_at)
+ *
+ * Wish: omni-host-fingerprint-trust, Group 1.2. Talks to the
+ * `/api/v2/trust/hosts` endpoints landed in Group 1.1 (#556).
+ *
+ * Why raw fetch instead of the OmniClient SDK: trust types aren't in the
+ * OpenAPI spec yet (the SDK is generated from there). Adding them requires
+ * a regen + version bump; out of scope for this PR. We use the same
+ * baseUrl / apiKey the SDK uses, so behavior is identical.
+ */
+import { Command } from 'commander';
+export declare function createTrustCommand(): Command;
+//# sourceMappingURL=trust.d.ts.map

package/dist/commands/trust.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"trust.d.ts","sourceRoot":"","sources":["../../src/commands/trust.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAwHpC,wBAAgB,kBAAkB,IAAI,OAAO,CAmB5C"}

package/dist/index.js CHANGED Viewed

@@ -113981,7 +113981,7 @@ import { fileURLToPath } from "url";
 // package.json
 var package_default = {
   name: "@automagik/omni",
-  version: "2.260430.3",
+  version: "2.260430.5",
   description: "LLM-optimized CLI for Omni",
   type: "module",
   bin: {
@@ -124980,6 +124980,97 @@ function createStopCommand() {
   return new Command("stop").description("Stop all omni PM2 processes").action(runStop);
 }
+// src/commands/trust.ts
+init_config();
+init_output();
+function trustEndpoint(path) {
+  if (!hasAuth()) {
+    error("Not authenticated. Run: omni auth login --api-key <key>", undefined, 2);
+  }
+  const config2 = loadConfig();
+  const baseUrl = (config2.apiUrl ?? "http://localhost:8882").replace(/\/+$/, "");
+  return `${baseUrl}/api/v2/trust${path}`;
+}
+function authHeaders() {
+  const config2 = loadConfig();
+  const headers = { "Content-Type": "application/json" };
+  if (config2.apiKey) {
+    headers.Authorization = `Bearer ${config2.apiKey}`;
+  }
+  return headers;
+}
+async function callApi(method, path, body) {
+  const res = await fetch(trustEndpoint(path), {
+    method,
+    headers: authHeaders(),
+    body: body === undefined ? undefined : JSON.stringify(body)
+  });
+  if (!res.ok) {
+    const text3 = await res.text().catch(() => "");
+    throw new Error(`HTTP ${res.status} ${res.statusText}${text3 ? `: ${text3}` : ""}`);
+  }
+  return await res.json();
+}
+function formatHostRow(host) {
+  return {
+    id: host.id.slice(0, 8),
+    hostname: host.hostname,
+    scopes: host.scopes.join(", ") || "(none)",
+    pubkeyPrefix: `${host.pubkey.slice(0, 12)}\u2026`,
+    lastSeen: host.lastSeenAt ? new Date(host.lastSeenAt).toISOString().replace("T", " ").slice(0, 16) : "never",
+    status: host.revokedAt ? "revoked" : "active"
+  };
+}
+async function handleList4() {
+  try {
+    const { items } = await callApi("GET", "/hosts");
+    list(items.map(formatHostRow), {
+      emptyMessage: "No genie hosts registered. Run `genie omni handshake` from a genie installation to register one.",
+      rawData: items
+    });
+  } catch (err2) {
+    error(`Failed to list genie hosts: ${err2 instanceof Error ? err2.message : "Unknown error"}`);
+  }
+}
+async function handleGet3(id) {
+  try {
+    const { data: data2 } = await callApi("GET", `/hosts/${encodeURIComponent(id)}`);
+    data(data2);
+  } catch (err2) {
+    error(`Failed to get genie host: ${err2 instanceof Error ? err2.message : "Unknown error"}`);
+  }
+}
+async function handleUpdate3(id, options3) {
+  const scopes = options3.scope.split(",").map((s2) => s2.trim()).filter(Boolean);
+  if (scopes.length === 0) {
+    error("--scope must contain at least one scope (use `omni trust revoke <id>` to deny everything).");
+  }
+  try {
+    const { data: data2 } = await callApi("PATCH", `/hosts/${encodeURIComponent(id)}`, { scopes });
+    success(`Updated genie host ${data2.id} scopes: ${data2.scopes.join(", ")}`);
+    data(data2);
+  } catch (err2) {
+    error(`Failed to update genie host: ${err2 instanceof Error ? err2.message : "Unknown error"}`);
+  }
+}
+async function handleRevoke2(id) {
+  try {
+    const { data: data2 } = await callApi("DELETE", `/hosts/${encodeURIComponent(id)}`);
+    success(`Revoked genie host ${data2.id} (${data2.hostname}). Tombstone kept for audit.`);
+    data(data2);
+  } catch (err2) {
+    error(`Failed to revoke genie host: ${err2 instanceof Error ? err2.message : "Unknown error"}`);
+  }
+}
+function createTrustCommand() {
+  const trust = new Command("trust").description("Manage genie host fingerprint registrations");
+  trust.command("list").description("List active (non-revoked) genie hosts").action(handleList4);
+  trust.command("get <id>").description("Show details for one genie host (active or revoked)").action(handleGet3);
+  trust.command("update <id>").description("Replace a genie host scopes (comma-separated)").requiredOption("--scope <list>", 'Comma-separated scope list, e.g. "agents:write,providers:write"').action(handleUpdate3);
+  trust.command("revoke <id>").description("Revoke a genie host (irreversible \u2014 re-register with a fresh keypair to restore trust)").action(handleRevoke2);
+  return trust;
+}
 // src/commands/tts.ts
 init_output();
 function createTtsCommand() {
@@ -126213,6 +126304,12 @@ var COMMANDS = [
     helpGroup: "Management",
     helpDescription: "API key management"
   },
+  {
+    create: createTrustCommand,
+    category: "advanced",
+    helpGroup: "Management",
+    helpDescription: "Genie host fingerprint trust (omni-host-fingerprint-trust wish)"
+  },
   {
     create: createAccessCommand,
     category: "advanced",

package/dist/server/index.js CHANGED Viewed

@@ -224556,7 +224556,7 @@ var init_sentry_scrub = __esm(() => {
 var require_package8 = __commonJS((exports, module) => {
   module.exports = {
     name: "@omni/api",
-    version: "2.260430.3",
+    version: "2.260430.5",
     type: "module",
     exports: {
       ".": {
@@ -241417,6 +241417,17 @@ var init_scope_enforcer = __esm(() => {
 });
 // ../api/src/middleware/require-signed-instance.ts
+function isUnlockOnlyBody(body) {
+  if (!body || typeof body !== "object" || Array.isArray(body))
+    return false;
+  const obj = body;
+  const keys = Object.keys(obj);
+  if (keys.length !== 1)
+    return false;
+  if (keys[0] !== "requireGenieSignature")
+    return false;
+  return obj.requireGenieSignature === false;
+}
 async function safeReadJsonBody2(c) {
   const method = c.req.method.toUpperCase();
   if (method === "GET" || method === "DELETE" || method === "HEAD" || method === "OPTIONS")
@@ -241462,6 +241473,13 @@ var init_require_signed_instance = __esm(() => {
     if (signedBy) {
       return next();
     }
+    if (method === "PATCH" && isUnlockOnlyBody(body)) {
+      log61.info("allowing unlock-only PATCH on require_genie_signature instance", {
+        instanceId: instance4.id,
+        apiKeyId: c.get("apiKey")?.id
+      });
+      return next();
+    }
     const apiKey = c.get("apiKey");
     log61.warn("rejecting unsigned request to require_genie_signature instance", {
       instanceId: instance4.id,
@@ -241472,7 +241490,7 @@ var init_require_signed_instance = __esm(() => {
     return c.json({
       error: {
         code: "GENIE_SIGNATURE_REQUIRED",
-        message: `Instance ${instance4.id} requires a verified X-Genie-Signature; bearer-only requests are rejected. Sign with \`genie omni handshake\` + per-request signing, or remove the requirement via \`omni instances update ${instance4.id} --no-require-genie-signature\`.`,
+        message: `Instance ${instance4.id} requires a verified X-Genie-Signature; bearer-only requests are rejected. Sign with \`genie omni handshake\` + per-request signing, or unlock with PATCH /api/v2/instances/${instance4.id} body {"requireGenieSignature": false} (always allowed via bearer to prevent operator lockout).`,
         instance: instance4.id
       }
     }, 401);
@@ -281176,6 +281194,21 @@ class GenieHostsService {
   async touchLastSeen(id) {
     await this.db.update(genieHosts).set({ lastSeenAt: new Date, updatedAt: new Date }).where(and2(eq(genieHosts.id, id), isNull2(genieHosts.revokedAt)));
   }
+  async updateScopes(id, scopes) {
+    const [updated] = await this.db.update(genieHosts).set({ scopes, updatedAt: new Date }).where(and2(eq(genieHosts.id, id), isNull2(genieHosts.revokedAt))).returning();
+    if (updated) {
+      log87.info("genie host scopes updated", { hostId: updated.id, scopes });
+    }
+    return updated ?? null;
+  }
+  async revoke(id) {
+    const now = new Date;
+    const [revoked] = await this.db.update(genieHosts).set({ revokedAt: now, updatedAt: now }).where(and2(eq(genieHosts.id, id), isNull2(genieHosts.revokedAt))).returning();
+    if (revoked) {
+      log87.info("genie host revoked", { hostId: revoked.id, hostname: revoked.hostname });
+    }
+    return revoked ?? null;
+  }
 }
 var log87;
 var init_genie_hosts = __esm(() => {
@@ -302631,7 +302664,7 @@ var init_settings3 = __esm(() => {
 });
 // ../api/src/routes/v2/trust.ts
-var trustRoutes, PUBKEY_PATTERN, handshakeSchema;
+var trustRoutes, PUBKEY_PATTERN, handshakeSchema, idParamSchema6, updateScopesSchema;
 var init_trust = __esm(() => {
   init_dist6();
   init_dist2();
@@ -302658,6 +302691,38 @@ var init_trust = __esm(() => {
     const items = await services.genieHosts.listActive();
     return c.json({ items });
   });
+  idParamSchema6 = exports_external.object({ id: exports_external.string().uuid() });
+  trustRoutes.get("/hosts/:id", zValidator("param", idParamSchema6), async (c) => {
+    const { id } = c.req.valid("param");
+    const services = c.get("services");
+    const host = await services.genieHosts.findById(id);
+    if (!host) {
+      return c.json({ error: { code: "NOT_FOUND", message: `genie host ${id} not found` } }, 404);
+    }
+    return c.json({ data: host });
+  });
+  updateScopesSchema = exports_external.object({
+    scopes: exports_external.array(exports_external.string().min(1)).max(64)
+  });
+  trustRoutes.patch("/hosts/:id", zValidator("param", idParamSchema6), zValidator("json", updateScopesSchema), async (c) => {
+    const { id } = c.req.valid("param");
+    const { scopes } = c.req.valid("json");
+    const services = c.get("services");
+    const host = await services.genieHosts.updateScopes(id, scopes);
+    if (!host) {
+      return c.json({ error: { code: "NOT_FOUND", message: `genie host ${id} not found or revoked` } }, 404);
+    }
+    return c.json({ data: host });
+  });
+  trustRoutes.delete("/hosts/:id", zValidator("param", idParamSchema6), async (c) => {
+    const { id } = c.req.valid("param");
+    const services = c.get("services");
+    const host = await services.genieHosts.revoke(id);
+    if (!host) {
+      return c.json({ error: { code: "NOT_FOUND", message: `genie host ${id} not found or already revoked` } }, 404);
+    }
+    return c.json({ data: host });
+  });
 });
 // ../api/src/routes/v2/turns.ts

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@automagik/omni",
-  "version": "2.260430.3",
+  "version": "2.260430.5",
   "description": "LLM-optimized CLI for Omni",
   "type": "module",
   "bin": {
@@ -50,15 +50,15 @@
     "qrcode-terminal": "^0.12.0"
   },
   "devDependencies": {
-    "@omni/api": "2.260430.2",
-    "@omni/channel-discord": "2.260430.2",
-    "@omni/channel-gupshup": "2.260430.2",
-    "@omni/channel-sdk": "2.260430.2",
-    "@omni/channel-slack": "2.260430.2",
-    "@omni/channel-telegram": "2.260430.2",
-    "@omni/channel-whatsapp": "2.260430.2",
-    "@omni/core": "2.260430.2",
-    "@omni/sdk": "2.260430.2",
+    "@omni/api": "2.260430.4",
+    "@omni/channel-discord": "2.260430.4",
+    "@omni/channel-gupshup": "2.260430.4",
+    "@omni/channel-sdk": "2.260430.4",
+    "@omni/channel-slack": "2.260430.4",
+    "@omni/channel-telegram": "2.260430.4",
+    "@omni/channel-whatsapp": "2.260430.4",
+    "@omni/core": "2.260430.4",
+    "@omni/sdk": "2.260430.4",
     "@types/node": "^22.10.3",
     "@types/qrcode-terminal": "^0.12.2",
     "typescript": "^5.7.3"