@dmsdc-ai/aigentry-telepty 0.5.9 → 0.6.1

package/install.js

@@ -91,9 +91,14 @@ function buildLaunchdPlist(options = {}) {
   const nodeBin = options.nodeBin || process.execPath;
   const cliJs = options.cliJs || path.join(__dirname, 'cli.js');
   const logDir = options.logDir || path.join(os.homedir(), '.telepty', 'logs');
+  const command = options.command || 'daemon';
   const daemonPath = buildDaemonPath(nodeBin, ['/usr/local/bin', '/usr/bin', '/bin', '/usr/sbin', '/sbin']);
   const stdoutPath = path.join(logDir, 'launchd.out.log');
   const stderrPath = path.join(logDir, 'launchd.err.log');
+  const envPairs = [['PATH', daemonPath], ...Object.entries(options.extraEnv || {})];
+  const envXml = envPairs
+    .map(([key, value]) => `        <key>${escapeXml(key)}</key>\n        <string>${escapeXml(value)}</string>`)
+    .join('\n');
 
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -105,12 +110,11 @@ function buildLaunchdPlist(options = {}) {
     <array>
         <string>${escapeXml(nodeBin)}</string>
         <string>${escapeXml(cliJs)}</string>
-        <string>daemon</string>
+        <string>${escapeXml(command)}</string>
     </array>
     <key>EnvironmentVariables</key>
     <dict>
-        <key>PATH</key>
-        <string>${escapeXml(daemonPath)}</string>
+${envXml}
     </dict>
     <key>StandardOutPath</key>
     <string>${escapeXml(stdoutPath)}</string>
@@ -124,6 +128,11 @@ function buildLaunchdPlist(options = {}) {
 </plist>`;
 }
 
+function systemdEnvLine(key, value) {
+  const escaped = String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+  return `Environment="${key}=${escaped}"`;
+}
+
 function buildSystemdService(options = {}) {
   const nodeBin = options.nodeBin || process.execPath;
   const cliJs = options.cliJs || path.join(__dirname, 'cli.js');
@@ -131,17 +140,22 @@ function buildSystemdService(options = {}) {
   const userLine = user ? `User=${user}\n` : '';
   const daemonPath = buildDaemonPath(nodeBin, ['/usr/local/bin', '/usr/bin', '/bin']);
   const wantedBy = options.wantedBy || 'multi-user.target';
+  const command = options.command || 'daemon';
+  const description = options.description || 'Telepty Daemon';
+  const extraEnvLines = Object.entries(options.extraEnv || {})
+    .map(([key, value]) => `${systemdEnvLine(key, value)}\n`)
+    .join('');
 
   return `[Unit]
-Description=Telepty Daemon
+Description=${description}
 After=network.target
 
 [Service]
-ExecStart=${systemdExecArg(nodeBin)} ${systemdExecArg(cliJs)} daemon
+ExecStart=${systemdExecArg(nodeBin)} ${systemdExecArg(cliJs)} ${systemdExecArg(command)}
 Restart=always
 ${userLine}Environment=PATH=${daemonPath}
 Environment=NODE_ENV=production
-
+${extraEnvLines}
 [Install]
 WantedBy=${wantedBy}`;
 }
@@ -150,7 +164,8 @@ function buildWindowsAutostartCommand(options = {}) {
   const nodeBin = options.nodeBin || process.execPath;
   const cliJs = options.cliJs || path.join(__dirname, 'cli.js');
   const taskName = options.taskName || 'telepty-daemon';
-  const taskCommand = `${quoteWindowsArg(nodeBin)} ${quoteWindowsArg(cliJs)} daemon`;
+  const command = options.command || 'daemon';
+  const taskCommand = `${quoteWindowsArg(nodeBin)} ${quoteWindowsArg(cliJs)} ${command}`;
 
   return `schtasks /create /tn ${quoteWindowsArg(taskName)} /sc onlogon /rl LIMITED /f /tr ${quoteWindowsArg(taskCommand)}`;
 }
@@ -165,6 +180,91 @@ function buildWindowsQueryTaskCommand(options = {}) {
   return `schtasks /query /tn ${quoteWindowsArg(taskName)} /fo LIST`;
 }
 
+// --- Broker-host service variant (telepty #42 broker MVP — spec §6 + §2 H; reuses #41 hardening) ---
+// The broker runs the SAME hardened service definition as the daemon, but executes
+// `<node> <cli.js> broker` (spec §5/§6) and carries the broker host env (TLS + JWT/enroll
+// secrets, spec §6). Selected via `telepty install --broker` or env TELEPTY_BROKER_MODE.
+const BROKER_LAUNCHD_LABEL = 'com.aigentry.telepty-broker';
+const BROKER_SYSTEMD_SERVICE = 'telepty-broker';
+const BROKER_WINDOWS_TASK = 'telepty-broker';
+
+// Pass-through env keys for the broker host service (spec §5/§6). Secrets are NEVER
+// hardcoded — they are read from the install-time environment and forwarded into the
+// generated service definition so the always-on broker host loads them on start.
+const BROKER_ENV_KEYS = [
+  'TELEPTY_JWT_SECRET',
+  'TELEPTY_ENROLL_SECRET',
+  'TELEPTY_TLS_CERT',
+  'TELEPTY_TLS_KEY',
+  'TELEPTY_BROKER_ACL',
+  'TELEPTY_ENROLL_MAX_NODES',
+  'PORT',
+];
+
+function collectBrokerServiceEnv(env = process.env) {
+  const result = { TELEPTY_BROKER_MODE: '1' };
+  for (const key of BROKER_ENV_KEYS) {
+    const value = env[key];
+    if (value !== undefined && value !== '') {
+      result[key] = String(value);
+    }
+  }
+  return result;
+}
+
+function buildBrokerLaunchdPlist(options = {}) {
+  return buildLaunchdPlist({
+    ...options,
+    label: options.label || BROKER_LAUNCHD_LABEL,
+    command: 'broker',
+    extraEnv: { ...collectBrokerServiceEnv(options.env), ...(options.extraEnv || {}) },
+  });
+}
+
+function buildBrokerSystemdService(options = {}) {
+  return buildSystemdService({
+    ...options,
+    command: 'broker',
+    description: options.description || 'Telepty Broker',
+    extraEnv: { ...collectBrokerServiceEnv(options.env), ...(options.extraEnv || {}) },
+  });
+}
+
+function buildBrokerWindowsAutostartCommand(options = {}) {
+  return buildWindowsAutostartCommand({
+    ...options,
+    taskName: options.taskName || BROKER_WINDOWS_TASK,
+    command: 'broker',
+  });
+}
+
+// Resolve the active service profile (daemon vs broker) so main() can install either
+// variant from one code path. The daemon profile reproduces the exact pre-#42 values
+// (no behavior change for existing installs); the broker profile selects distinct
+// label/service/task names, the `broker` command, and the broker host env.
+function resolveServiceProfile(options = {}) {
+  if (options.broker) {
+    return {
+      command: 'broker',
+      launchdLabel: BROKER_LAUNCHD_LABEL,
+      launchdPlistName: `${BROKER_LAUNCHD_LABEL}.plist`,
+      systemdService: BROKER_SYSTEMD_SERVICE,
+      windowsTask: BROKER_WINDOWS_TASK,
+      description: 'Telepty Broker',
+      extraEnv: collectBrokerServiceEnv(options.env),
+    };
+  }
+  return {
+    command: 'daemon',
+    launchdLabel: 'com.aigentry.telepty',
+    launchdPlistName: 'com.aigentry.telepty.plist',
+    systemdService: 'telepty',
+    windowsTask: 'telepty-daemon',
+    description: 'Telepty Daemon',
+    extraEnv: {},
+  };
+}
+
 function assertLaunchdServiceLive(label = 'com.aigentry.telepty') {
   let output = '';
   try {
@@ -224,6 +324,16 @@ async function installSkills() {
 async function main() {
   console.log("🚀 Installing @dmsdc-ai/aigentry-telepty...");
 
+  // Broker-host variant (telepty #42): `telepty install --broker` or env TELEPTY_BROKER_MODE
+  // installs the SAME hardened service running `telepty broker` instead of `telepty daemon`.
+  // Default-OFF — existing daemon installs are entirely unaffected (additive).
+  const wantsBroker = process.argv.slice(2).includes('--broker')
+    || process.env.TELEPTY_BROKER_MODE === '1';
+  const profile = resolveServiceProfile({ broker: wantsBroker });
+  if (wantsBroker) {
+    console.log(`🛰️  Broker-host mode: installing service '${profile.launchdLabel}' (runs 'telepty broker').`);
+  }
+
   // 1. Install globally via npm
   console.log("📦 Installing package globally...");
   run("npm install -g @dmsdc-ai/aigentry-telepty");
@@ -243,24 +353,29 @@ async function main() {
   if (platform === 'win32') {
     cleanupLocalDaemons();
     console.log("⚙️ Setting up Windows scheduled task...");
-    run(buildWindowsAutostartCommand(launchOptions));
-    run(buildWindowsRunTaskCommand());
-    assertWindowsTaskRunning();
+    run(buildWindowsAutostartCommand({ ...launchOptions, taskName: profile.windowsTask, command: profile.command }));
+    run(buildWindowsRunTaskCommand({ taskName: profile.windowsTask }));
+    assertWindowsTaskRunning(profile.windowsTask);
     console.log("✅ Windows scheduled task installed and started.");
 
   } else if (platform === 'darwin') {
     console.log("⚙️ Setting up macOS launchd service...");
-    const plistPath = path.join(os.homedir(), 'Library', 'LaunchAgents', 'com.aigentry.telepty.plist');
+    const plistPath = path.join(os.homedir(), 'Library', 'LaunchAgents', profile.launchdPlistName);
     fs.mkdirSync(path.dirname(plistPath), { recursive: true });
     fs.mkdirSync(launchOptions.logDir, { recursive: true });
     try { execSync(`launchctl unload ${shellQuote(plistPath)} 2>/dev/null`); } catch(e){}
     cleanupLocalDaemons();
 
-    const plistContent = buildLaunchdPlist(launchOptions);
+    const plistContent = buildLaunchdPlist({
+      ...launchOptions,
+      label: profile.launchdLabel,
+      command: profile.command,
+      extraEnv: profile.extraEnv,
+    });
 
     fs.writeFileSync(plistPath, plistContent);
     run(`launchctl load ${shellQuote(plistPath)}`);
-    assertLaunchdServiceLive();
+    assertLaunchdServiceLive(profile.launchdLabel);
     console.log("✅ macOS LaunchAgent installed and started.");
 
   } else {
@@ -274,34 +389,40 @@ async function main() {
     if (hasSystemd) {
       if (process.getuid && process.getuid() === 0) {
         console.log("⚙️ Setting up systemd service for Linux...");
-        try { execSync('systemctl stop telepty', { stdio: 'ignore' }); } catch(e) {}
+        try { execSync(`systemctl stop ${profile.systemdService}`, { stdio: 'ignore' }); } catch(e) {}
         cleanupLocalDaemons();
         const serviceContent = buildSystemdService({
           ...launchOptions,
-          user: process.env.SUDO_USER || process.env.USER || 'root'
+          user: process.env.SUDO_USER || process.env.USER || 'root',
+          command: profile.command,
+          description: profile.description,
+          extraEnv: profile.extraEnv,
         });
 
-        fs.writeFileSync('/etc/systemd/system/telepty.service', serviceContent);
+        fs.writeFileSync(`/etc/systemd/system/${profile.systemdService}.service`, serviceContent);
         run('systemctl daemon-reload');
-        run('systemctl enable telepty');
-        run('systemctl start telepty');
-        assertSystemdServiceLive();
+        run(`systemctl enable ${profile.systemdService}`);
+        run(`systemctl start ${profile.systemdService}`);
+        assertSystemdServiceLive(profile.systemdService);
         console.log("✅ Systemd service installed and started.");
         process.exit(0);
       }
 
       console.log("⚙️ Setting up user systemd service for Linux...");
-      const userServicePath = path.join(os.homedir(), '.config', 'systemd', 'user', 'telepty.service');
+      const userServicePath = path.join(os.homedir(), '.config', 'systemd', 'user', `${profile.systemdService}.service`);
       fs.mkdirSync(path.dirname(userServicePath), { recursive: true });
       cleanupLocalDaemons();
       fs.writeFileSync(userServicePath, buildSystemdService({
         ...launchOptions,
-        wantedBy: 'default.target'
+        wantedBy: 'default.target',
+        command: profile.command,
+        description: profile.description,
+        extraEnv: profile.extraEnv,
       }));
       run('systemctl --user daemon-reload');
-      run('systemctl --user enable telepty');
-      run('systemctl --user start telepty');
-      assertSystemdServiceLive('telepty', { user: true });
+      run(`systemctl --user enable ${profile.systemdService}`);
+      run(`systemctl --user start ${profile.systemdService}`);
+      assertSystemdServiceLive(profile.systemdService, { user: true });
       console.log("✅ User systemd service installed and started.");
       process.exit(0);
     }
@@ -309,9 +430,10 @@ async function main() {
     // Fallback for Linux without systemd
     console.log("⚠️ Skipping persistent systemd setup. Starting daemon for this session only...");
     cleanupLocalDaemons();
-    const subprocess = spawn(launchOptions.nodeBin, [launchOptions.cliJs, 'daemon'], {
+    const subprocess = spawn(launchOptions.nodeBin, [launchOptions.cliJs, profile.command], {
       detached: true,
-      stdio: 'ignore'
+      stdio: 'ignore',
+      env: { ...process.env, ...profile.extraEnv }
     });
     subprocess.unref();
     console.log("✅ Linux daemon started in background for the current session.");
@@ -333,4 +455,12 @@ module.exports = {
   buildSystemdService,
   buildWindowsAutostartCommand,
   resolveDaemonLaunchOptions,
+  buildBrokerLaunchdPlist,
+  buildBrokerSystemdService,
+  buildBrokerWindowsAutostartCommand,
+  collectBrokerServiceEnv,
+  resolveServiceProfile,
+  BROKER_LAUNCHD_LABEL,
+  BROKER_SYSTEMD_SERVICE,
+  BROKER_WINDOWS_TASK,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dmsdc-ai/aigentry-telepty",
-  "version": "0.5.9",
+  "version": "0.6.1",
   "main": "daemon.js",
   "bin": {
     "aigentry-telepty": "install.js",
@@ -35,9 +35,9 @@
   ],
   "scripts": {
     "postinstall": "node scripts/postinstall.js",
-    "test": "node --require ./test-support/setup-env.js --test test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/install-service-generation.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
-    "test:watch": "node --require ./test-support/setup-env.js --test --watch test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/install-service-generation.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js",
-    "test:ci": "node --require ./test-support/setup-env.js --test --test-reporter=spec test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/install-service-generation.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
+    "test": "node --require ./test-support/setup-env.js --test test/auth.test.js test/http-auth.test.js test/broker-protocol.test.js test/broker-auth.test.js test/broker-server.test.js test/broker-client.test.js test/daemon-broker-wiring.test.js test/broker-cli.test.js test/broker-integration.test.js test/daemon.test.js test/daemon-singleton.test.js test/daemon-harness-port.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/submit-render-gate.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/install-service-generation.test.js test/install-broker-service.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/ensure-daemon-running.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js test/provenance.test.js test/inject-audit-broker-seam.test.js test/inject-provenance-daemon.test.js test/inject-audit-log.test.js test/inject-audit-daemon.test.js test/inject-audit-cli.test.js && git diff --exit-code tests/snippet-protocol/v1/",
+    "test:watch": "node --require ./test-support/setup-env.js --test --watch test/auth.test.js test/http-auth.test.js test/broker-protocol.test.js test/broker-auth.test.js test/broker-server.test.js test/broker-client.test.js test/daemon-broker-wiring.test.js test/broker-cli.test.js test/broker-integration.test.js test/daemon.test.js test/daemon-singleton.test.js test/daemon-harness-port.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/submit-render-gate.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/install-service-generation.test.js test/install-broker-service.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/ensure-daemon-running.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js test/provenance.test.js test/inject-audit-broker-seam.test.js test/inject-provenance-daemon.test.js test/inject-audit-log.test.js test/inject-audit-daemon.test.js test/inject-audit-cli.test.js",
+    "test:ci": "node --require ./test-support/setup-env.js --test --test-reporter=spec test/auth.test.js test/http-auth.test.js test/broker-protocol.test.js test/broker-auth.test.js test/broker-server.test.js test/broker-client.test.js test/daemon-broker-wiring.test.js test/broker-cli.test.js test/broker-integration.test.js test/daemon.test.js test/daemon-singleton.test.js test/daemon-harness-port.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/submit-render-gate.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/install-service-generation.test.js test/install-broker-service.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/ensure-daemon-running.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js test/provenance.test.js test/inject-audit-broker-seam.test.js test/inject-provenance-daemon.test.js test/inject-audit-log.test.js test/inject-audit-daemon.test.js test/inject-audit-cli.test.js && git diff --exit-code tests/snippet-protocol/v1/",
     "typecheck": "tsc --noEmit",
     "regen-fixtures": "node scripts/regen-snippet-fixtures.js"
   },
@@ -59,7 +59,7 @@
   ],
   "author": "dmsdc-ai",
   "license": "ISC",
-  "description": "Universal terminal session bridge — connect any terminal to any terminal, any machine",
+  "description": "Universal terminal session bridge \u2014 connect any terminal to any terminal, any machine",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/dmsdc-ai/aigentry-telepty.git"

package/src/audit/inject-log.js

@@ -0,0 +1,234 @@
+'use strict';
+
+// #43 P1 — inject audit spine.
+//
+// Component A in the spec (docs/specs/2026-06-09-inject-audit-provenance.md §3, §5, §8).
+// Three concerns, pure Node only (§17 무의존 — `crypto`/`fs`/`events`, no external deps):
+//   1. buildAuditLine(record)        — pure builder for the JSONL schema v1 (one line/delivery).
+//   2. createAuditWriter({...})       — bounded async append, size+age rotation, 0700 dir / 0600
+//                                       file, overflow→drop-oldest+event, NEVER fsync-block delivery.
+//   3. readInjectLog(path, filters)   — read/filter/paginate helper backing the P3 GET /api/injects.
+//
+// This is an AUDIT log, not a transactional ledger: no per-line fsync, bounded loss of the last
+// in-flight batch on hard crash is accepted (spec §8). Rotation/prune is best-effort and never
+// blocks the delivery hot path (append() is fire-and-forget; the writer drains on a timer).
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const { EventEmitter } = require('events');
+
+const SCHEMA_VERSION = 1;
+const DEFAULT_PREVIEW_BYTES = 200;
+const DEFAULT_QUEUE_MAX = 10000;
+const DEFAULT_FLUSH_MS = 250;
+const DEFAULT_MAX_BYTES = 50 * 1024 * 1024; // 50 MB
+const DEFAULT_MAX_FILES = 5;
+const DEFAULT_MAX_AGE_DAYS = 30;
+
+// Build one compact JSON line for a single delivery (schema v1, spec §5). Pure: the only
+// inputs are `record` fields; sha256/byte-length/spoof_suspected are derived here so the
+// builder is the single testable source of truth. Redaction default = hash-only: payload
+// content is NEVER written unless `record.preview === true`, and then only truncated.
+function buildAuditLine(record = {}) {
+  const payload = typeof record.payload === 'string' ? record.payload : '';
+  const claimed = record.claimed_from != null ? record.claimed_from : null;
+  const verified = record.verified_sender_sid != null ? record.verified_sender_sid : null;
+  const previewOn = record.preview === true;
+  const previewBytes = Number.isFinite(record.previewBytes) ? record.previewBytes : DEFAULT_PREVIEW_BYTES;
+
+  const line = {
+    v: SCHEMA_VERSION,
+    ts: record.ts || new Date().toISOString(),
+    inject_id: record.inject_id != null ? record.inject_id : null,
+    kind: record.kind || 'inject',
+    source: record.source || record.kind || 'inject',
+    claimed_from: claimed,
+    verified_sender_sid: verified,
+    spoof_suspected: !!(claimed && verified && claimed !== verified),
+    to: record.to != null ? record.to : null,
+    to_alias: record.to_alias != null ? record.to_alias : null,
+    origin: record.origin || 'trusted-local',
+    origin_host: record.origin_host != null ? record.origin_host : null,
+    ref_path: record.ref_path != null ? record.ref_path : null,
+    payload_sha256: crypto.createHash('sha256').update(payload).digest('hex'),
+    payload_bytes: Buffer.byteLength(payload),
+    payload_preview: previewOn ? truncatePreview(payload, previewBytes) : null,
+    delivery_result: record.delivery_result || 'success'
+  };
+  return JSON.stringify(line);
+}
+
+// Truncate a preview to at most `previewBytes` characters — never the full payload. Slicing
+// by character (not raw bytes) avoids splitting a multibyte sequence into invalid UTF-8.
+function truncatePreview(payload, previewBytes) {
+  if (payload.length <= previewBytes) return payload;
+  return payload.slice(0, previewBytes);
+}
+
+// Bounded async writer. append() pushes onto an in-memory FIFO and returns immediately; a
+// timer drains the batch with a single appendFile (spec §8). Overflow drops the OLDEST and
+// emits `audit_overflow` (silent truncation forbidden). Rotation/prune runs inside the drain,
+// off the delivery hot path. Returns an EventEmitter-like object ({ append, flush, close, on }).
+function createAuditWriter(options = {}) {
+  const filePath = options.path;
+  if (!filePath) throw new Error('createAuditWriter requires a path');
+  const queueMax = Number.isFinite(options.queueMax) ? options.queueMax : DEFAULT_QUEUE_MAX;
+  const flushMs = Number.isFinite(options.flushMs) ? options.flushMs : DEFAULT_FLUSH_MS;
+  const preview = options.preview === true;
+  const previewBytes = Number.isFinite(options.previewBytes) ? options.previewBytes : DEFAULT_PREVIEW_BYTES;
+  const maxBytes = Number.isFinite(options.maxBytes) ? options.maxBytes : DEFAULT_MAX_BYTES;
+  const maxFiles = Number.isFinite(options.maxFiles) ? options.maxFiles : DEFAULT_MAX_FILES;
+  const maxAgeDays = Number.isFinite(options.maxAgeDays) ? options.maxAgeDays : DEFAULT_MAX_AGE_DAYS;
+
+  const emitter = new EventEmitter();
+  let queue = [];
+  let timer = null;
+  let writing = false;
+  let closed = false;
+  let droppedTotal = 0;
+
+  ensureDir();
+
+  function ensureDir() {
+    const dir = path.dirname(filePath);
+    try {
+      fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+      fs.chmodSync(dir, 0o700); // tighten even if the dir pre-existed with a looser mode
+    } catch { /* best-effort; surfaced as audit_error at first write if truly broken */ }
+  }
+
+  // Fire-and-forget: NEVER returns a promise to the caller — the delivery path must not await.
+  function append(record) {
+    if (closed) return;
+    if (queue.length >= queueMax) {
+      queue.shift(); // drop oldest
+      droppedTotal += 1;
+      emitter.emit('audit_overflow', { dropped: droppedTotal, queueMax });
+    }
+    queue.push({
+      ...record,
+      preview: record.preview != null ? record.preview : preview,
+      previewBytes: record.previewBytes != null ? record.previewBytes : previewBytes
+    });
+    scheduleFlush();
+  }
+
+  function scheduleFlush() {
+    if (timer || writing || queue.length === 0) return;
+    timer = setTimeout(() => { timer = null; flush().catch(() => {}); }, flushMs);
+    if (timer && typeof timer.unref === 'function') timer.unref();
+  }
+
+  async function flush() {
+    if (writing || queue.length === 0) return;
+    writing = true;
+    const batch = queue;
+    queue = [];
+    try {
+      await rotateIfNeeded();
+      const data = batch.map((r) => buildAuditLine(r)).join('\n') + '\n';
+      await fs.promises.appendFile(filePath, data, { mode: 0o600 });
+      // appendFile's mode only applies on create — chmod each flush so a pre-existing file
+      // (or umask-loosened create) is forced to 0600 (the file may carry preview content).
+      try { await fs.promises.chmod(filePath, 0o600); } catch { /* best-effort */ }
+    } catch (err) {
+      emitter.emit('audit_error', err);
+    } finally {
+      writing = false;
+      if (queue.length > 0) scheduleFlush();
+    }
+  }
+
+  async function rotateIfNeeded() {
+    let size = 0;
+    try { size = (await fs.promises.stat(filePath)).size; } catch { size = 0; }
+    if (size >= maxBytes) {
+      // Shift .{maxFiles-1}→.{maxFiles} … .1→.2, dropping the oldest beyond maxFiles, then
+      // active→.1. rename overwrites, so the file falling off the top is discarded.
+      for (let i = maxFiles - 1; i >= 1; i--) {
+        try { await fs.promises.rename(`${filePath}.${i}`, `${filePath}.${i + 1}`); } catch { /* gap */ }
+      }
+      try { await fs.promises.rename(filePath, `${filePath}.1`); } catch { /* nothing to rotate */ }
+    }
+    await pruneByAge();
+  }
+
+  async function pruneByAge() {
+    if (!(maxAgeDays > 0)) return;
+    const cutoff = Date.now() - maxAgeDays * 86400000;
+    for (let i = 1; i <= maxFiles; i++) {
+      const rotated = `${filePath}.${i}`;
+      try {
+        const st = await fs.promises.stat(rotated);
+        if (st.mtimeMs < cutoff) await fs.promises.unlink(rotated);
+      } catch { /* absent or busy — best-effort */ }
+    }
+  }
+
+  async function close() {
+    closed = true;
+    if (timer) { clearTimeout(timer); timer = null; }
+    await flush();
+  }
+
+  return {
+    append,
+    flush,
+    close,
+    on: emitter.on.bind(emitter),
+    off: emitter.off.bind(emitter)
+  };
+}
+
+function toMs(value) {
+  if (value == null) return null;
+  if (typeof value === 'number') return value < 1e12 ? value * 1000 : value;
+  const s = String(value).trim();
+  if (/^\d+$/.test(s)) {
+    const n = Number(s);
+    return n < 1e12 ? n * 1000 : n;
+  }
+  const parsed = Date.parse(s);
+  return Number.isNaN(parsed) ? null : parsed;
+}
+
+// Filter an array of parsed records (spec §7). `from` matches claimed_from OR
+// verified_sender_sid; `to` matches the resolved sid OR the pre-resolution alias.
+function matchInjects(records, filters = {}) {
+  let out = records;
+  const since = toMs(filters.since);
+  const until = toMs(filters.until);
+  if (since != null) out = out.filter((r) => { const t = toMs(r.ts); return t != null && t >= since; });
+  if (until != null) out = out.filter((r) => { const t = toMs(r.ts); return t != null && t <= until; });
+  if (filters.to) out = out.filter((r) => r.to === filters.to || r.to_alias === filters.to);
+  if (filters.from) out = out.filter((r) => r.claimed_from === filters.from || r.verified_sender_sid === filters.from);
+  if (filters.spoof) out = out.filter((r) => r.spoof_suspected === true);
+  return out;
+}
+
+// Read the jsonl, filter, return newest-first, paginate by cursor (line offset into the
+// filtered newest-first list). Bounded by `limit` (default 200). Absent file → empty result.
+function readInjectLog(filePath, options = {}) {
+  const limit = Math.min(Math.max(Number(options.limit) || 200, 1), 1000);
+  const cursor = Number(options.cursor) > 0 ? Number(options.cursor) : 0;
+  let raw = '';
+  try { raw = fs.readFileSync(filePath, 'utf8'); } catch { return { injects: [], next_cursor: null }; }
+
+  const records = raw.split('\n').filter(Boolean).map((l) => {
+    try { return JSON.parse(l); } catch { return null; }
+  }).filter(Boolean);
+
+  const filtered = matchInjects(records, options);
+  filtered.reverse(); // newest first
+  const page = filtered.slice(cursor, cursor + limit);
+  const next = cursor + limit < filtered.length ? cursor + limit : null;
+  return { injects: page, next_cursor: next };
+}
+
+module.exports = {
+  buildAuditLine,
+  createAuditWriter,
+  readInjectLog,
+  matchInjects
+};

package/src/audit/provenance.js

@@ -0,0 +1,86 @@
+'use strict';
+
+// #47 P4 — delivery provenance wrapper.
+//
+// Component B in the spec (docs/specs/2026-06-09-inject-audit-provenance.md §6; ADR §3/§4).
+// Pure Node only (§17 무의존 — `crypto`, no external deps), no I/O, no daemon state, so the
+// trust decision is unit-testable in isolation.
+//
+//   - mintSessionNonce()                  — per-session random nonce (the shared secret).
+//   - resolveOrigin(ctx)                  — 'trusted-local' | 'untrusted-remote'.
+//   - wrapDelivery(payload, {sid,origin,nonce})  — banner + fence around byte-exact payload.
+//   - applyProvenance(payload, opts)      — capability gate: wrap iff capable && nonce, else RAW.
+//
+// TRUST MODEL (spec §6, ADR §3): this is a nonce-gated, tamper-EVIDENT in-band banner, NOT a
+// signature. Strength = secrecy of the nonce; a body-typed banner without the session nonce is
+// non-authoritative. The authoritative path stays OUT-OF-BAND (token-gated GET /api/injects).
+//
+// §1 경량 WATCHED LINE (ADR §4 A4): the banner is a single nonce STRING-MATCH only. No HMAC, no
+// PKI, no signed envelope an LLM "verifies" — an LLM cannot verify crypto over its own input, so
+// that would be security theater. If this grows toward a crypto protocol, that is the 위헌 line —
+// stop.
+
+const crypto = require('crypto');
+
+const PROV_VERSION = 1;
+// U+27E6 / U+27E7 — rare in normal prompts, visually distinct, single-token-ish across tokenizers.
+const FENCE_OPEN = '⟦';  // ⟦
+const FENCE_CLOSE = '⟧'; // ⟧
+
+// Per-session random nonce. base64url so it survives intact through any plain-text channel and
+// carries no fence/whitespace chars. 18 bytes → 24 url-safe chars (~144 bits).
+function mintSessionNonce() {
+  return crypto.randomBytes(18).toString('base64url');
+}
+
+// Map a delivery context to a coarse origin label. Explicit label wins; a `remote` signal maps
+// to untrusted-remote; everything else (and any unknown label) is trusted-local.
+function resolveOrigin(ctx = {}) {
+  if (ctx.origin === 'trusted-local' || ctx.origin === 'untrusted-remote') return ctx.origin;
+  if (ctx.remote === true) return 'untrusted-remote';
+  return 'trusted-local';
+}
+
+// Render the banner `from=` field, honest about confidence: the verified sid verbatim when the
+// daemon verified it, otherwise `claimed:<x>?` (trailing ? = unverified), or `claimed:?` if blank.
+function formatSender({ verified, claimed } = {}) {
+  if (verified) return String(verified);
+  if (claimed) return `claimed:${claimed}?`;
+  return 'claimed:?';
+}
+
+// Wrap a payload in the nonce-gated provenance banner (spec §6 format):
+//   ⟦telepty:provenance v=1 from=<sid> origin=<...> nonce=<N>⟧
+//   <payload, byte-for-byte>
+//   ⟦telepty:end nonce=<N>⟧
+// Requires a nonce — an un-nonced banner would be forgeable by anyone, defeating the gate.
+function wrapDelivery(payload, opts = {}) {
+  const { sid, origin, nonce } = opts;
+  if (!nonce) throw new Error('wrapDelivery requires a nonce');
+  const o = resolveOrigin({ origin });
+  const from = sid != null ? sid : 'claimed:?';
+  const body = typeof payload === 'string' ? payload : String(payload == null ? '' : payload);
+  const header = `${FENCE_OPEN}telepty:provenance v=${PROV_VERSION} from=${from} origin=${o} nonce=${nonce}${FENCE_CLOSE}`;
+  const footer = `${FENCE_OPEN}telepty:end nonce=${nonce}${FENCE_CLOSE}`;
+  return `${header}\n${body}\n${footer}`;
+}
+
+// Capability gate for the delivery hot path (pure). Sessions that are NOT provenance-capable
+// (the default) — or that have no minted nonce — receive the RAW payload byte-for-byte, so no
+// existing session's delivered bytes change (regression guard, spec §6 rollout). Returns
+// { payload, wrapped }.
+function applyProvenance(payload, opts = {}) {
+  const { capable, nonce, verified, claimed, origin } = opts;
+  if (!capable || !nonce) return { payload, wrapped: false };
+  const sid = formatSender({ verified, claimed });
+  return { payload: wrapDelivery(payload, { sid, origin, nonce }), wrapped: true };
+}
+
+module.exports = {
+  PROV_VERSION,
+  mintSessionNonce,
+  resolveOrigin,
+  formatSender,
+  wrapDelivery,
+  applyProvenance
+};