@dmsdc-ai/aigentry-telepty 0.5.6 → 0.5.8

package/daemon.js

@@ -139,6 +139,13 @@ app.use(express.json());
 // Peer allowlist: comma-separated IPs/CIDRs in TELEPTY_PEER_ALLOWLIST env
 const PEER_ALLOWLIST = (process.env.TELEPTY_PEER_ALLOWLIST || '').split(',').map(s => s.trim()).filter(Boolean);
 
+// #533 Phase 2 — peer-lane inject guardrail. The orchestrator sid(s) define the
+// ORCH LANE (always allowed). Space-separated; default matches aigentry-orchestrator
+// bin/ask.sh so both ends agree on "who is the orchestrator" from one config. If this
+// resolves empty the guardrail fails OPEN (see classifyPeerLaneInject).
+const ORCHESTRATOR_SIDS = (process.env.AIGENTRY_ORCHESTRATOR_SIDS || 'orchestrator aigentry-orchestrator-claude')
+  .split(/\s+/).map(s => s.trim()).filter(Boolean);
+
 // Cross-machine bus relay: forward bus events to peer daemons
 const relayToPeers = createPeerRelay({
   relayPeers: relayPeersFromEnv(process.env),
@@ -368,6 +375,68 @@ function respondWithError(res, httpStatus, code, error, extra = {}) {
   return res.status(httpStatus).json(buildErrorBody(code, error, extra));
 }
 
+// #533 Phase 2 — pure peer-lane inject policy verdict (self-contained; no parser
+// dependency). The PEER LANE is sender ≠ orchestrator AND target ≠ orchestrator.
+// On that lane the body MUST be a sanctioned compact-JSON envelope (the shape
+// produced by aigentry-orchestrator bin/ask.sh build_envelope); anything else is
+// out-of-policy peer→peer traffic (e.g. work-delegation) and is blocked.
+// Returns { lane, decision, reason, kind, envelopePresent }:
+//   lane ∈ 'orchestrator' | 'peer' | 'disabled'
+//   decision ∈ 'allow' | 'block'
+//   kind ∈ 'ask-request' | 'ask-reply' | null
+const PEER_INJECT_KINDS = new Set(['ask-request', 'ask-reply']);
+
+function classifyPeerLaneInject({ from, to, prompt, orchestratorSids } = {}) {
+  const orchSet = Array.isArray(orchestratorSids) ? orchestratorSids : [];
+  // Fail-OPEN: with no known orchestrator sid we cannot tell the orch lane apart
+  // from the peer lane (every inject would look peer-lane), which would over-block
+  // legitimate orchestrator traffic and brick the mesh. Degrade to allow + warn;
+  // the Phase-1 orchestrator-side auditor still detects raw bypass (defense in depth).
+  if (orchSet.length === 0) {
+    return { lane: 'disabled', decision: 'allow', reason: 'orch-sid-unconfigured-fail-open', kind: null, envelopePresent: false };
+  }
+  // No sender → operator/CLI/multicast/broadcast, never peer-lane.
+  if (!from) {
+    return { lane: 'orchestrator', decision: 'allow', reason: 'no-sender', kind: null, envelopePresent: false };
+  }
+  // Orchestrator lane (either end is the orchestrator) → always allowed, untouched.
+  if (orchSet.includes(from) || orchSet.includes(to)) {
+    return { lane: 'orchestrator', decision: 'allow', reason: 'orch-lane', kind: null, envelopePresent: false };
+  }
+
+  // Peer lane: require a sanctioned envelope on the first non-empty line.
+  let env = null;
+  try {
+    const firstLine = String(prompt || '').split(/\r?\n/).map(l => l.trim()).find(l => l.length > 0);
+    if (firstLine) {
+      const parsed = JSON.parse(firstLine);
+      if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) env = parsed;
+    }
+  } catch {
+    env = null;
+  }
+  if (!env) {
+    return { lane: 'peer', decision: 'block', reason: 'malformed-envelope', kind: null, envelopePresent: false };
+  }
+  if (!PEER_INJECT_KINDS.has(env.kind)) {
+    return { lane: 'peer', decision: 'block', reason: 'wrong-kind', kind: null, envelopePresent: true };
+  }
+  // Common required fields + per-kind payload (matches ask.sh build_envelope).
+  const nonEmptyStr = (v) => typeof v === 'string' && v.length > 0;
+  const baseOk = nonEmptyStr(env.from) && nonEmptyStr(env.to) && nonEmptyStr(env.thread_id) && Number.isInteger(env.round);
+  const payloadOk = env.kind === 'ask-request' ? nonEmptyStr(env.question) : nonEmptyStr(env.answer);
+  if (!baseOk || !payloadOk) {
+    return { lane: 'peer', decision: 'block', reason: 'invalid-field', kind: null, envelopePresent: true };
+  }
+  // Sender-consistency: the envelope's declared sender must match the inject's
+  // from (cheap anti-spoof). `to` is NOT cross-checked — the route resolves aliases,
+  // which would false-block legitimate aliased targets.
+  if (env.from !== from) {
+    return { lane: 'peer', decision: 'block', reason: 'from-mismatch', kind: null, envelopePresent: true };
+  }
+  return { lane: 'peer', decision: 'allow', reason: 'sanctioned-envelope', kind: env.kind, envelopePresent: true };
+}
+
 function normalizeNullableText(value) {
   if (value === undefined || value === null) {
     return null;
@@ -1548,6 +1617,24 @@ function resolveSessionAlias(requestedId) {
   return candidates[0];
 }
 
+// #548 (alias-cascade shared-fate): resolveSessionAlias' most-recent-wins fuzzy match is correct for
+// READ/inject ("talk to the current `coder`"), but DESTRUCTIVE ops (DELETE / kill) must NEVER cascade
+// across distinct sids that merely share an alias. The incident: cleaning an already-gone `coder-532`
+// fuzzy-fell-through to its live sibling `coder-533` (same `coder` track) and KILLED it. Distinct sids
+// = distinct lifecycles. This resolver enforces "destroy exactly the session you named":
+//   - exact sid match → that sid;
+//   - a fully-qualified sid (ends in `-<digits>`) with no exact match → null (a stale/duplicate DELETE
+//     of a gone sid must NOT fall through to a sibling — this is the exact #548 cascade);
+//   - a bare alias → resolve ONLY when a single session carries it (unambiguous); multiple siblings → null
+//     (refuse rather than silently pick most-recent and kill the wrong one).
+function resolveSessionForDestroy(requestedId) {
+  if (sessions[requestedId]) return requestedId;
+  if (/-\d+$/.test(requestedId)) return null;
+  const baseAlias = requestedId.replace(/-\d+$/, '');
+  const candidates = Object.keys(sessions).filter(id => id.replace(/-\d+$/, '') === baseAlias);
+  return candidates.length === 1 ? candidates[0] : null;
+}
+
 app.post('/api/sessions/spawn', (req, res) => {
   const { session_id, command, args = [], cwd = process.cwd(), cols = 80, rows = 30, type = 'AGENT' } = req.body;
   if (!session_id) return res.status(400).json({ error: 'session_id is strictly required.' });
@@ -2435,6 +2522,32 @@ app.post('/api/sessions/:id/inject', async (req, res) => {
   // Routing metadata stays in session/bus state, not in the visible prompt text.
   const finalPrompt = prompt;
   const inject_id = crypto.randomUUID();
+
+  // #533 Phase 2 — peer-lane inject guardrail (in-band hard block, before delivery).
+  // Out-of-policy peer→peer injects (no sanctioned ask-request/ask-reply envelope)
+  // are blocked here so raw work-delegation bypass is prevented, not just detected.
+  // Orchestrator↔peer, broadcast/multicast (no `from`), and existing kinds are untouched.
+  const peerVerdict = classifyPeerLaneInject({ from, to: requestedId, prompt, orchestratorSids: ORCHESTRATOR_SIDS });
+  if (peerVerdict.decision === 'block') {
+    broadcastSessionEvent('peer_inject_blocked', id, session, {
+      extra: {
+        target_agent: id,
+        from: from || null,
+        reason: peerVerdict.reason,
+        attempted_kind: peerVerdict.kind,
+        envelope_present: peerVerdict.envelopePresent,
+        inject_id
+      }
+    });
+    console.warn(`[PEER-GUARD] blocked peer inject ${from} → ${id} (${peerVerdict.reason})`);
+    return respondWithError(res, 403, 'PEER_INJECT_BLOCKED',
+      'Peer-lane inject blocked: not a sanctioned ask-request/ask-reply envelope. Use bin/ask.sh.',
+      { reason: peerVerdict.reason, sanctioned_channel: 'bin/ask.sh' });
+  }
+  if (peerVerdict.lane === 'disabled') {
+    console.warn('[PEER-GUARD] orchestrator sid unconfigured (AIGENTRY_ORCHESTRATOR_SIDS empty) — peer guardrail disabled (fail-open)');
+  }
+
   try {
     const delivery = await deliverInjectionToSession(id, session, finalPrompt, {
       noEnter: !!no_enter,
@@ -2728,7 +2841,8 @@ app.patch('/api/sessions/:id', (req, res) => {
 
 app.post('/api/sessions/:id/kill', async (req, res) => {
   const requestedId = req.params.id;
-  const resolvedId = resolveSessionAlias(requestedId);
+  // #548: destructive op — must not cascade across alias-sharing siblings.
+  const resolvedId = resolveSessionForDestroy(requestedId);
   if (!resolvedId) return res.status(404).json({ error: 'Session not found', requested: requestedId });
 
   try {
@@ -2757,7 +2871,8 @@ app.post('/api/sessions/:id/kill', async (req, res) => {
 
 app.delete('/api/sessions/:id', (req, res) => {
   const requestedId = req.params.id;
-  const resolvedId = resolveSessionAlias(requestedId);
+  // #548: destructive op — must not cascade across alias-sharing siblings.
+  const resolvedId = resolveSessionForDestroy(requestedId);
   if (!resolvedId) return res.status(404).json({ error: 'Session not found', requested: requestedId });
   const session = sessions[resolvedId];
   const id = resolvedId;
@@ -3502,4 +3617,5 @@ module.exports = {
   scheduleBootstrapPromptPoll,    // #29: arms the floor timer (deps DI: setTimeout/...)
   decideSurfaceGc,                // #17: surface-liveness verdict→action (incl. INV-17 unknown→skip)
   applySurfaceMismatchProbe,      // surface_mismatched debounce + payload helper (deps DI: emit/clock)
+  classifyPeerLaneInject,         // #533 Phase 2: pure peer-lane inject policy verdict
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dmsdc-ai/aigentry-telepty",
-  "version": "0.5.6",
+  "version": "0.5.8",
   "main": "daemon.js",
   "bin": {
     "aigentry-telepty": "install.js",
@@ -35,9 +35,9 @@
   ],
   "scripts": {
     "postinstall": "node scripts/postinstall.js",
-    "test": "node --test test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
-    "test:watch": "node --test --watch test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js",
-    "test:ci": "node --test --test-reporter=spec test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
+    "test": "node --require ./test-support/setup-env.js --test test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
+    "test:watch": "node --require ./test-support/setup-env.js --test --watch test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js",
+    "test:ci": "node --require ./test-support/setup-env.js --test --test-reporter=spec test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
     "typecheck": "tsc --noEmit",
     "regen-fixtures": "node scripts/regen-snippet-fixtures.js"
   },

package/session-state.js

@@ -96,6 +96,14 @@ const THINKING_PATTERNS = [
   /\breading\b/i,              // Claude Code "Reading..."
   /\bsearching\b/i,            // Claude Code "Searching..."
   /\bplanning\b/i,             // Claude Code "Planning..."
+  // codex CLI active-work markers (#558): codex emits NO braille spinner and NO OSC 133, so its
+  // "busy" state went unrecognized → blank sidebar pill. These are high-signal codex/claude markers
+  // shown ONLY while actively generating/running tools. ("Working" is intentionally NOT matched —
+  // it false-positives on common dev output like "working tree" / "working directory".)
+  /\besc to interrupt\b/i,     // codex + claude: shown only during active generation / tool run
+  /\bstarting mcp servers?\b/i,// codex: MCP bootstrap on launch
+  /\bbooting mcp server\b/i,   // codex: MCP server boot
+  /\bexploring\b/i,            // codex activity verb (parallels Claude Code "Searching")
   /\.{3,}\s*$/,                // trailing dots "..."
 ];
 

package/terminal-backend.js

@@ -107,24 +107,6 @@ function cmuxSendText(sessionId, text) {
   }
 }
 
-// Send enter key to a cmux surface
-function cmuxSendEnter(sessionId) {
-  const surface = findSurface(sessionId);
-  if (!surface) return false;
-
-  try {
-    execSync(`cmux send-key --surface ${surface} return`, {
-      timeout: 5000, stdio: ['pipe', 'pipe', 'pipe']
-    });
-    console.log(`[BACKEND] cmux send-key return to ${sessionId} (${surface})`);
-    return true;
-  } catch (err) {
-    console.error(`[BACKEND] cmux send-key failed for ${sessionId}:`, err.message);
-    surfaceCache.delete(sessionId);
-    return false;
-  }
-}
-
 // Invalidate cache for a session (e.g., when surface changes)
 function invalidateCache(sessionId) {
   surfaceCache.delete(sessionId);
@@ -534,7 +516,6 @@ module.exports = {
   detectTerminal,
   findSurface,
   cmuxSendText,
-  cmuxSendEnter,
   refreshSurfaceCache,
   invalidateCache,
   clearCache,