@bli-cockpit/cli 0.1.1 → 0.1.3

package/README.md

@@ -26,17 +26,25 @@ What happens:
 1. npm downloads the public `@bli-cockpit/cli` package.
 2. `cockpit onboard` writes local user config.
 3. Cockpit prints a dashboard pairing URL and code.
-4. An Admin approves that exact code.
+4. Admin approves the pending request from Ambient -> Collector approvals, or
+   pastes the printed code there. The signed-in intern can still use the
+   printed URL.
 5. The CLI starts general ambient capture, uploads private raw evidence objects
    when present, then uploads one safe metadata/ref envelope.
 6. The CLI prints `PASS: Cockpit collector is ready for harvest.`
 
 `--device-name` is just a readable label in Cockpit. It can be
 `"Savina MacBook"`, `"Box VM 42"`, or the auto-filled macOS computer name.
+On reused laptops or VMs, keep `--email <APPROVED_EMAIL>` in the command.
+`cockpit onboard` skips pairing only when the existing valid session belongs to
+that same email and dashboard URL; a different email or dashboard forces a new
+approval.
 
 Before the command runs, an Admin must create or approve the email in the
 private dashboard. Default launch path is email + temporary password, handed
 over out of band. Magic link remains available as fallback.
+For temporary-password accounts, the intern signs in directly; there is no
+separate invite acceptance step.
 
 When ticket work starts later:
 
@@ -80,3 +88,5 @@ or deployment tokens to this CLI. The collector must never read env files.
 
 This public package intentionally excludes Cockpit admin bootstrap commands,
 service-role credential handling, source maps, tests, and internal runbooks.
+Clean `npm pack` and `npm publish` run the public CLI build before packaging so
+`dist/cli.js` is present in emergency releases.

package/dist/commands/local.js

@@ -1,5 +1,5 @@
 import { createCollectorServer } from "../server.js";
-import { DEFAULT_DASHBOARD_URL, inspectLocalCollectorStatus, installLocalCollector, logoutLocalCollector, pairLocalCollector, startLocalWorkContext, } from "../local-state.js";
+import { DEFAULT_DASHBOARD_URL, getCollectorRuntimePaths, inspectLocalCollectorStatus, installLocalCollector, logoutLocalCollector, pairLocalCollector, readLocalCollectorSessionFile, readLocalSessionReference, startLocalWorkContext, } from "../local-state.js";
 import { syncLocalAmbientEnvelope } from "../upload.js";
 export const rootCommandNames = new Set([
     "onboard",
@@ -13,6 +13,10 @@ export const rootCommandNames = new Set([
     "serve",
 ]);
 export async function runLocalCockpitCli(argv, io = defaultIo()) {
+    if (isLocalHelpRequest(argv)) {
+        writeLine(io.stdout, localCommandHelp(argv[0]));
+        return 0;
+    }
     let command;
     try {
         command = parseLocalArgs(argv);
@@ -48,19 +52,98 @@ export async function runLocalCockpitCli(argv, io = defaultIo()) {
         return 1;
     }
 }
-export function localCommandHelp() {
+export function localCommandHelp(command) {
+    if (command)
+        return localSubcommandHelp(command);
     return [
-        "  cockpit onboard [--ticket <id>] [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>] [--repo <path>]",
-        "  cockpit install [--dashboard-url <url>] [--repo <path>]",
-        "  cockpit login [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>]",
-        "  cockpit pair [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>]",
+        "  cockpit onboard [--ticket <id>] [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>] [--repo <path>] [--json]",
+        "  cockpit install [--dashboard-url <url>] [--repo <path>] [--json]",
+        "  cockpit login [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>] [--json]",
+        "  cockpit pair [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>] [--json]",
         "  cockpit logout",
-        "  cockpit start [--ticket <id>] [--repo <path>] [--branch <name>]",
-        "  cockpit sync [--repo <path>] [--dashboard-url <url>]",
-        "  cockpit status [--repo <path>]",
+        "  cockpit start [--ticket <id>] [--repo <path>] [--branch <name>] [--json]",
+        "  cockpit sync [--repo <path>] [--dashboard-url <url>] [--json]",
+        "  cockpit status [--repo <path>] [--json]",
         "  cockpit serve [--port <port>] [--repo <path>]",
     ].join("\n");
 }
+function localSubcommandHelp(command) {
+    const helpByCommand = new Map([
+        [
+            "onboard",
+            [
+                "Usage: cockpit onboard [--ticket <id>] [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>] [--repo <path>] [--json]",
+                "",
+                "Installs, pairs, starts a work context, syncs once, and prints readiness proof.",
+                "Use --email on shared or reused machines; mismatched existing sessions are re-paired.",
+            ],
+        ],
+        [
+            "install",
+            [
+                "Usage: cockpit install [--dashboard-url <url>] [--repo <path>] [--json]",
+                "",
+                "Writes local collector config. Pair with `cockpit login`, then run `cockpit start` when work begins.",
+            ],
+        ],
+        [
+            "login",
+            [
+                "Usage: cockpit login [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>] [--json]",
+                "",
+                "Starts dashboard device pairing and stores the approved local session.",
+            ],
+        ],
+        [
+            "pair",
+            [
+                "Usage: cockpit pair [--email <owner@email>] [--device-name <name>] [--dashboard-url <url>] [--json]",
+                "",
+                "Alias for `cockpit login`.",
+            ],
+        ],
+        ["logout", ["Usage: cockpit logout [--json]", "", "Removes the local device session."]],
+        [
+            "start",
+            [
+                "Usage: cockpit start [--ticket <id>] [--repo <path>] [--branch <name>] [--json]",
+                "",
+                "Starts local ambient capture. Add --ticket only when the work already has a visible ticket.",
+            ],
+        ],
+        [
+            "sync",
+            [
+                "Usage: cockpit sync [--repo <path>] [--dashboard-url <url>] [--json]",
+                "",
+                "Uploads the latest local ambient envelope or spools a safe retry if blocked.",
+            ],
+        ],
+        [
+            "status",
+            [
+                "Usage: cockpit status [--repo <path>] [--json]",
+                "",
+                "Prints install, pairing, active work, upload, and retry state.",
+            ],
+        ],
+        [
+            "serve",
+            [
+                "Usage: cockpit serve [--port <port>] [--repo <path>]",
+                "",
+                "Starts the local collector HTTP status server.",
+            ],
+        ],
+    ]);
+    return (helpByCommand.get(command) ?? [localCommandHelp()]).join("\n");
+}
+function isLocalHelpRequest(argv) {
+    const command = argv[0];
+    if (!command || !rootCommandNames.has(command))
+        return false;
+    return argv.length === 2 && (argv[1] === "--help" || argv[1] === "-h");
+}
 function parseLocalArgs(argv) {
     const command = argv[0];
     switch (command) {
@@ -311,7 +394,7 @@ async function runInstall(command, io) {
     writeLine(io.stdout, `Config: ${result.paths.config_file}`);
     writeLine(io.stdout, `Session: ${result.paths.session_file}`);
     writeLine(io.stdout, "Auth: missing; upload stays local-only until pairing/login.");
-    writeLine(io.stdout, "Next: run `cockpit login`, then `cockpit start --ticket <id>`.");
+    writeLine(io.stdout, "Next: run `cockpit login`, then `cockpit start` inside the repo; add `--ticket <id>` only when ticket work begins.");
     return 0;
 }
 async function runOnboard(command, io) {
@@ -340,12 +423,20 @@ async function runOnboard(command, io) {
             repoRoot: command.repoRoot,
             branch: command.branch,
         });
-        if (installedStatus.session_state === "valid") {
+        const installedSession = await readOnboardSessionReuseCandidate(command.homeDir);
+        const canReuseInstalledSession = canReuseOnboardSession(installedSession, command.claimedOwnerEmail, command.dashboardUrl);
+        if (installedStatus.session_state === "valid" && canReuseInstalledSession) {
             if (!command.json) {
                 writeLine(io.stdout, "2/5 Existing valid device session found; pairing skipped.");
             }
         }
         else {
+            if (installedStatus.session_state === "valid" && !canReuseInstalledSession) {
+                await logoutLocalCollector({ homeDir: command.homeDir });
+                if (!command.json) {
+                    writeLine(io.stdout, "2/5 Existing valid device session does not match requested owner or dashboard; pairing again.");
+                }
+            }
             pair = await pairLocalCollector({
                 homeDir: command.homeDir,
                 dashboardUrl: command.dashboardUrl,
@@ -439,6 +530,36 @@ async function runOnboard(command, io) {
         return 1;
     }
 }
+function canReuseOnboardSession(session, claimedOwnerEmail, dashboardUrl) {
+    if (session.session_state !== "valid")
+        return false;
+    const expectedEmail = normalizeEmailForComparison(claimedOwnerEmail);
+    if (expectedEmail && normalizeEmailForComparison(session.email) !== expectedEmail) {
+        return false;
+    }
+    const expectedDashboardUrl = normalizeUrlForComparison(dashboardUrl);
+    if (expectedDashboardUrl &&
+        normalizeUrlForComparison(session.dashboard_url) !== expectedDashboardUrl) {
+        return false;
+    }
+    return true;
+}
+function normalizeEmailForComparison(value) {
+    const normalized = value?.trim().toLowerCase();
+    return normalized ? normalized : null;
+}
+async function readOnboardSessionReuseCandidate(homeDir) {
+    const paths = getCollectorRuntimePaths(homeDir);
+    try {
+        return await readLocalCollectorSessionFile(paths);
+    }
+    catch {
+        return readLocalSessionReference(paths);
+    }
+}
+function normalizeUrlForComparison(value) {
+    return value ? normalizeUrl(value) : null;
+}
 async function runLogin(command, io) {
     const result = await pairLocalCollector({
         homeDir: command.homeDir,
@@ -515,7 +636,7 @@ function nextStepForOnboardBlocker(blocker) {
         case "ticket_binding":
             return "Run `cockpit start --ticket <id>` when actual ticket work begins, then run `cockpit sync`.";
         case "device_pairing":
-            return "Open the pairing URL, approve the exact code in Cockpit, then rerun `cockpit onboard`.";
+            return "Approve from Ambient -> Collector approvals, or paste the pairing code there, then rerun `cockpit onboard`.";
         case "network_or_ingest":
             return "Check dashboard URL/network, then run `cockpit sync --json` or rerun `cockpit onboard`.";
         case "install":

package/dist/local-state.js

@@ -4,7 +4,7 @@ import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { summarizeLocalUploadSpool } from "./spool/local-spool.js";
-export const LOCAL_COLLECTOR_VERSION = "0.1.0";
+export const LOCAL_COLLECTOR_VERSION = "0.1.3";
 export const DEFAULT_DASHBOARD_URL = "http://127.0.0.1:3100";
 export function getCollectorRuntimePaths(homeDir = os.homedir()) {
     const paths = getUserLocalCockpitPaths(homeDir);

package/dist/upload.js

@@ -212,18 +212,17 @@ function makeSourceScanCompletedEvent(options) {
     }
     const rawEvidencePointers = options.rawEvidenceFacts?.pointers ?? [];
     const hasRawEvidence = rawEvidencePointers.length > 0;
+    const eventPrivacyClassification = hasRawEvidence
+        ? "redacted_summary"
+        : "metadata";
     return TelemetryIngestEventDtoSchema.parse({
         event_id: `ambient-sync:${options.context.work_context_id}:${options.generatedAt}`,
         event_type: "source_scan_completed",
         occurred_at: options.generatedAt,
         provenance: options.context.provenance,
-        privacy_classification: hasRawEvidence
-            ? "remote_durable_raw_evidence"
-            : "metadata",
+        privacy_classification: eventPrivacyClassification,
         redaction: {
-            privacy_classification: hasRawEvidence
-                ? "remote_durable_raw_evidence"
-                : "metadata",
+            privacy_classification: eventPrivacyClassification,
             redaction_status: hasRawEvidence
                 ? "raw_remote_durable"
                 : "metadata_only",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bli-cockpit/cli",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "private": false,
   "type": "module",
   "bin": {
@@ -19,6 +19,7 @@
   "scripts": {
     "prebuild": "npm run build --workspace=@bli-cockpit/local-collector",
     "build": "node ../../scripts/build-public-cli.mjs",
+    "prepack": "npm run build",
     "pretypecheck": "npm run build",
     "typecheck": "node -e \"await import('./dist/commands/public-root.js')\"",
     "pretest": "npm run build",