npm - @dmsdc-ai/aigentry-telepty - Versions diffs - 0.1.53 → 0.1.55 - Mend

@dmsdc-ai/aigentry-telepty 0.1.53 → 0.1.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/BUS_EVENT_SCHEMA.md CHANGED Viewed

@@ -53,6 +53,13 @@ Every session is uniquely identified by a locator triple:
 - Override: `TELEPTY_MACHINE_ID` env var
 - Exposed in: `GET /api/meta` (`machine_id` field), session `locator` object, bus event `source_host`
+### Global Session ID Uniqueness (P4)
+- Convention: `{project}-{NNN}` (e.g. `aigentry-devkit-001`)
+- Cross-machine uniqueness: guaranteed by `locator.machine_id` prefix in bus events
+- Collision resolution: `resolveSessionAlias` returns local session only; remote sessions discovered via `source_host` field
+- If two machines have `aigentry-devkit-001`, inject uses `target@host` to disambiguate
+- Short form `aigentry-devkit-001` resolves to LOCAL session; remote requires explicit `@host`
 ### Peer Auth
 - Localhost: always trusted
 - Tailscale (100.x.y.z): trusted by default

package/cli.js CHANGED Viewed

@@ -208,6 +208,13 @@ function getDiscoveryHosts() {
     .filter(Boolean);
   extraHosts.forEach((host) => hosts.add(host));
+  // Also include relay peers for cross-machine session discovery
+  const relayPeers = String(process.env.TELEPTY_RELAY_PEERS || '')
+    .split(',')
+    .map((host) => host.trim())
+    .filter(Boolean);
+  relayPeers.forEach((host) => hosts.add(host));
   if (REMOTE_HOST && REMOTE_HOST !== '127.0.0.1') {
     return Array.from(hosts);
   }

package/daemon.js CHANGED Viewed

@@ -39,6 +39,54 @@ app.use(express.json());
 // Peer allowlist: comma-separated IPs/CIDRs in TELEPTY_PEER_ALLOWLIST env
 const PEER_ALLOWLIST = (process.env.TELEPTY_PEER_ALLOWLIST || '').split(',').map(s => s.trim()).filter(Boolean);
+// Cross-machine bus relay: forward bus events to peer daemons
+const RELAY_PEERS = (process.env.TELEPTY_RELAY_PEERS || '').split(',').map(s => s.trim()).filter(Boolean);
+const RELAY_SEEN = new Set(); // dedup by message_id
+function relayToPeers(msg) {
+  if (RELAY_PEERS.length === 0) return;
+  if (!msg.message_id) msg.message_id = crypto.randomUUID();
+  if (RELAY_SEEN.has(msg.message_id)) return; // already relayed
+  RELAY_SEEN.add(msg.message_id);
+  // Prevent unbounded growth
+  if (RELAY_SEEN.size > 10000) {
+    const arr = [...RELAY_SEEN];
+    arr.splice(0, 5000);
+    RELAY_SEEN.clear();
+    arr.forEach(id => RELAY_SEEN.add(id));
+  }
+  msg.source_host = msg.source_host || MACHINE_ID;
+  msg._relayed_from = MACHINE_ID;
+  for (const peer of RELAY_PEERS) {
+    fetch(`http://${peer}:${PORT}/api/bus/publish`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'x-telepty-token': EXPECTED_TOKEN },
+      body: JSON.stringify(msg),
+      signal: AbortSignal.timeout(3000)
+    }).catch(() => {}); // fire-and-forget
+  }
+}
+// JWT auth: set TELEPTY_JWT_SECRET to enable. Tokens in Authorization: Bearer <token>
+const JWT_SECRET = process.env.TELEPTY_JWT_SECRET || null;
+function verifyJwt(token) {
+  if (!JWT_SECRET || !token) return false;
+  try {
+    // Simple HS256 JWT verification (no external deps)
+    const [headerB64, payloadB64, sigB64] = token.split('.');
+    if (!headerB64 || !payloadB64 || !sigB64) return false;
+    const expected = crypto.createHmac('sha256', JWT_SECRET)
+      .update(`${headerB64}.${payloadB64}`).digest('base64url');
+    if (sigB64 !== expected) return false;
+    const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+    if (payload.exp && Date.now() / 1000 > payload.exp) return false;
+    return payload;
+  } catch { return false; }
+}
 function isAllowedPeer(ip) {
   if (!ip) return false;
   const cleanIp = ip.replace('::ffff:', '');
@@ -65,6 +113,12 @@ app.use((req, res, next) => {
     return next();
   }
+  // JWT Bearer token
+  const authHeader = req.headers['authorization'] || '';
+  if (authHeader.startsWith('Bearer ') && verifyJwt(authHeader.slice(7))) {
+    return next();
+  }
   console.warn(`[AUTH] Rejected unauthorized request from ${clientIp}`);
   res.status(401).json({ error: 'Unauthorized: Invalid or missing token.' });
 });
@@ -976,6 +1030,8 @@ app.post('/api/bus/publish', (req, res) => {
   // Auto-route if this is a turn_request
   busAutoRoute(payload);
+  // Relay to peer daemons (dedup prevents loops)
+  if (!payload._relayed_from) relayToPeers(payload);
   res.json({ success: true, delivered: deliveredCount });
 });
@@ -1386,6 +1442,8 @@ busWss.on('connection', (ws, req) => {
       // Auto-route turn_request events (shared logic with HTTP publish)
       busAutoRoute(msg);
+      // Relay to peer daemons (dedup prevents loops)
+      if (!msg._relayed_from) relayToPeers(msg);
     } catch (e) {
       console.error('[BUS] Invalid message format', e);
     }
@@ -1401,7 +1459,9 @@ server.on('upgrade', (req, socket, head) => {
   const url = new URL(req.url, 'http://' + req.headers.host);
   const token = url.searchParams.get('token');
-  if (!isAllowedPeer(req.socket.remoteAddress) && token !== EXPECTED_TOKEN) {
+  const wsAuthHeader = req.headers['authorization'] || '';
+  const wsJwtValid = wsAuthHeader.startsWith('Bearer ') && verifyJwt(wsAuthHeader.slice(7));
+  if (!isAllowedPeer(req.socket.remoteAddress) && token !== EXPECTED_TOKEN && !wsJwtValid) {
     socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
     socket.destroy();
     return;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dmsdc-ai/aigentry-telepty",
-  "version": "0.1.53",
+  "version": "0.1.55",
   "main": "daemon.js",
   "bin": {
     "aigentry-telepty": "install.js",