npm - @dmsdc-ai/aigentry-telepty - Versions diffs - 0.1.54 → 0.1.55 - Mend

@dmsdc-ai/aigentry-telepty 0.1.54 → 0.1.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/BUS_EVENT_SCHEMA.md CHANGED Viewed

@@ -53,6 +53,13 @@ Every session is uniquely identified by a locator triple:
 - Override: `TELEPTY_MACHINE_ID` env var
 - Exposed in: `GET /api/meta` (`machine_id` field), session `locator` object, bus event `source_host`
+### Global Session ID Uniqueness (P4)
+- Convention: `{project}-{NNN}` (e.g. `aigentry-devkit-001`)
+- Cross-machine uniqueness: guaranteed by `locator.machine_id` prefix in bus events
+- Collision resolution: `resolveSessionAlias` returns local session only; remote sessions discovered via `source_host` field
+- If two machines have `aigentry-devkit-001`, inject uses `target@host` to disambiguate
+- Short form `aigentry-devkit-001` resolves to LOCAL session; remote requires explicit `@host`
 ### Peer Auth
 - Localhost: always trusted
 - Tailscale (100.x.y.z): trusted by default

package/daemon.js CHANGED Viewed

@@ -69,6 +69,24 @@ function relayToPeers(msg) {
   }
 }
+// JWT auth: set TELEPTY_JWT_SECRET to enable. Tokens in Authorization: Bearer <token>
+const JWT_SECRET = process.env.TELEPTY_JWT_SECRET || null;
+function verifyJwt(token) {
+  if (!JWT_SECRET || !token) return false;
+  try {
+    // Simple HS256 JWT verification (no external deps)
+    const [headerB64, payloadB64, sigB64] = token.split('.');
+    if (!headerB64 || !payloadB64 || !sigB64) return false;
+    const expected = crypto.createHmac('sha256', JWT_SECRET)
+      .update(`${headerB64}.${payloadB64}`).digest('base64url');
+    if (sigB64 !== expected) return false;
+    const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+    if (payload.exp && Date.now() / 1000 > payload.exp) return false;
+    return payload;
+  } catch { return false; }
+}
 function isAllowedPeer(ip) {
   if (!ip) return false;
   const cleanIp = ip.replace('::ffff:', '');
@@ -95,6 +113,12 @@ app.use((req, res, next) => {
     return next();
   }
+  // JWT Bearer token
+  const authHeader = req.headers['authorization'] || '';
+  if (authHeader.startsWith('Bearer ') && verifyJwt(authHeader.slice(7))) {
+    return next();
+  }
   console.warn(`[AUTH] Rejected unauthorized request from ${clientIp}`);
   res.status(401).json({ error: 'Unauthorized: Invalid or missing token.' });
 });
@@ -1435,7 +1459,9 @@ server.on('upgrade', (req, socket, head) => {
   const url = new URL(req.url, 'http://' + req.headers.host);
   const token = url.searchParams.get('token');
-  if (!isAllowedPeer(req.socket.remoteAddress) && token !== EXPECTED_TOKEN) {
+  const wsAuthHeader = req.headers['authorization'] || '';
+  const wsJwtValid = wsAuthHeader.startsWith('Bearer ') && verifyJwt(wsAuthHeader.slice(7));
+  if (!isAllowedPeer(req.socket.remoteAddress) && token !== EXPECTED_TOKEN && !wsJwtValid) {
     socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
     socket.destroy();
     return;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dmsdc-ai/aigentry-telepty",
-  "version": "0.1.54",
+  "version": "0.1.55",
   "main": "daemon.js",
   "bin": {
     "aigentry-telepty": "install.js",