@hivemind-os/collective-daemon 0.2.0

package/dist/chunk-BHN4GOYD.js

@@ -0,0 +1,1196 @@
+import {
+  validateClientProcessOwnership,
+  verifyPipeSecurity
+} from "./chunk-NXIFS427.js";
+
+// src/ipc/server.ts
+import { chmod, rm } from "fs/promises";
+import net2 from "net";
+import pino3 from "pino";
+
+// src/ipc/connection.ts
+import { randomUUID as randomUUID3 } from "crypto";
+import "net";
+import pino2 from "pino";
+
+// src/audit.ts
+import pino from "pino";
+var logger = pino({ name: "@hivemind-os/collective-daemon:audit" });
+var listeners = /* @__PURE__ */ new Set();
+function logAuditEvent(event) {
+  logger.info(event);
+  for (const listener of listeners) {
+    listener(event);
+  }
+}
+
+// src/mcp/session.ts
+import { randomUUID as randomUUID2 } from "crypto";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import {
+  CallToolRequestSchema,
+  GetTaskRequestSchema,
+  GetTaskPayloadRequestSchema,
+  ListTasksRequestSchema,
+  CancelTaskRequestSchema,
+  ListToolsRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+import { SessionExpiredError } from "@hivemind-os/collective-core";
+import {
+  meshToolDefinitions,
+  meshToolHandlers,
+  registerResourceHandlers
+} from "@hivemind-os/collective-mcp-server";
+import { PaymentRail, TaskStatus } from "@hivemind-os/collective-types";
+
+// src/ipc/protocol.ts
+function parseMessage(line) {
+  try {
+    const parsed = JSON.parse(line);
+    if (!parsed || parsed.jsonrpc !== "2.0") {
+      return null;
+    }
+    if (typeof parsed.method === "string") {
+      if ("id" in parsed) {
+        if (typeof parsed.id !== "string" && typeof parsed.id !== "number") {
+          return null;
+        }
+        return {
+          jsonrpc: "2.0",
+          id: parsed.id,
+          method: parsed.method,
+          params: parsed.params
+        };
+      }
+      return {
+        jsonrpc: "2.0",
+        method: parsed.method,
+        params: parsed.params
+      };
+    }
+    if ("id" in parsed && (typeof parsed.id === "string" || typeof parsed.id === "number" || parsed.id === null)) {
+      const response = {
+        jsonrpc: "2.0",
+        id: parsed.id
+      };
+      if ("result" in parsed) {
+        response.result = parsed.result;
+      }
+      if ("error" in parsed) {
+        const error = parsed.error;
+        if (!error || typeof error !== "object") {
+          return null;
+        }
+        const code = error.code;
+        const message = error.message;
+        if (typeof code !== "number" || typeof message !== "string") {
+          return null;
+        }
+        response.error = {
+          code,
+          message,
+          data: error.data
+        };
+      }
+      if (!("result" in parsed) && !("error" in parsed)) {
+        return null;
+      }
+      return response;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function serializeResponse(response) {
+  return JSON.stringify(response);
+}
+function createErrorResponse(id, code, message, data) {
+  return {
+    jsonrpc: "2.0",
+    id,
+    error: { code, message, data }
+  };
+}
+function isJsonRpcRequest(message) {
+  return "method" in message && "id" in message;
+}
+function isJsonRpcNotification(message) {
+  return "method" in message && !("id" in message);
+}
+
+// src/mcp/task-store.ts
+import { randomUUID } from "crypto";
+var DEFAULT_TTL_MS = 36e5;
+var DEFAULT_POLL_INTERVAL_MS = 2e3;
+var McpTaskStore = class {
+  tasks = /* @__PURE__ */ new Map();
+  chainToMcpId = /* @__PURE__ */ new Map();
+  cleanupTimers = /* @__PURE__ */ new Map();
+  create(onChainTaskId, options) {
+    const taskId = randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const ttl = options?.ttl !== void 0 ? options.ttl : DEFAULT_TTL_MS;
+    const entry = {
+      taskId,
+      onChainTaskId,
+      status: "working",
+      createdAt: now,
+      lastUpdatedAt: now,
+      ttl,
+      pollInterval: options?.pollInterval ?? DEFAULT_POLL_INTERVAL_MS,
+      progressToken: options?.progressToken
+    };
+    this.tasks.set(taskId, entry);
+    this.chainToMcpId.set(onChainTaskId, taskId);
+    this.scheduleCleanup(entry);
+    return entry;
+  }
+  get(taskId) {
+    return this.tasks.get(taskId);
+  }
+  getByChainId(onChainTaskId) {
+    const mcpId = this.chainToMcpId.get(onChainTaskId);
+    return mcpId ? this.tasks.get(mcpId) : void 0;
+  }
+  update(taskId, status, options) {
+    const entry = this.tasks.get(taskId);
+    if (!entry) {
+      return void 0;
+    }
+    entry.status = status;
+    entry.lastUpdatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    if (options?.statusMessage !== void 0) {
+      entry.statusMessage = options.statusMessage;
+    }
+    if (options?.result !== void 0) {
+      entry.result = options.result;
+    }
+    if (status === "completed" || status === "failed" || status === "cancelled") {
+      this.scheduleCleanup(entry);
+    }
+    return entry;
+  }
+  cancel(taskId) {
+    return this.update(taskId, "cancelled", { statusMessage: "Cancelled by client" });
+  }
+  list() {
+    return [...this.tasks.values()];
+  }
+  cleanup() {
+    for (const timer of this.cleanupTimers.values()) {
+      clearTimeout(timer);
+    }
+    this.cleanupTimers.clear();
+    this.tasks.clear();
+    this.chainToMcpId.clear();
+  }
+  scheduleCleanup(entry) {
+    if (entry.ttl === null) {
+      return;
+    }
+    const existing = this.cleanupTimers.get(entry.taskId);
+    if (existing) {
+      clearTimeout(existing);
+    }
+    const timer = setTimeout(() => {
+      this.tasks.delete(entry.taskId);
+      this.chainToMcpId.delete(entry.onChainTaskId);
+      this.cleanupTimers.delete(entry.taskId);
+    }, entry.ttl);
+    if (typeof timer === "object" && "unref" in timer) {
+      timer.unref();
+    }
+    this.cleanupTimers.set(entry.taskId, timer);
+  }
+};
+
+// src/mcp/session.ts
+var IpcTransport = class {
+  constructor(emit) {
+    this.emit = emit;
+  }
+  emit;
+  onclose;
+  onerror;
+  onmessage;
+  sessionId = randomUUID2();
+  closed = false;
+  pendingResponses = /* @__PURE__ */ new Map();
+  async start() {
+    return;
+  }
+  async send(message) {
+    const jsonRpcMessage = message;
+    if (isJsonRpcResponse(jsonRpcMessage) && jsonRpcMessage.id !== null) {
+      this.pendingResponses.get(jsonRpcMessage.id)?.(jsonRpcMessage);
+      this.pendingResponses.delete(jsonRpcMessage.id);
+    }
+    await this.emit(jsonRpcMessage);
+  }
+  async close() {
+    if (this.closed) {
+      return;
+    }
+    this.closed = true;
+    this.pendingResponses.clear();
+    this.onclose?.();
+  }
+  async dispatch(message) {
+    if (this.closed) {
+      throw new Error("Transport is closed.");
+    }
+    this.onmessage?.(message);
+  }
+  waitForResponse(id) {
+    return new Promise((resolvePromise) => {
+      this.pendingResponses.set(id, resolvePromise);
+    });
+  }
+};
+var McpSession = class {
+  server;
+  transport;
+  state;
+  getStatus;
+  getAppName;
+  toolContext;
+  taskStore = new McpTaskStore();
+  initializePromise;
+  constructor(params) {
+    this.state = params.state;
+    this.getStatus = params.getStatus;
+    this.getAppName = params.getAppName;
+    this.toolContext = params.toolContext;
+    this.server = new Server(
+      { name: "@hivemind-os/collective-daemon", version: "0.1.0" },
+      {
+        capabilities: {
+          tools: {},
+          tasks: {},
+          ...params.toolContext ? { resources: {} } : {}
+        }
+      }
+    );
+    this.transport = new IpcTransport(params.emit);
+  }
+  async initialize() {
+    if (this.initializePromise) {
+      await this.initializePromise;
+      return;
+    }
+    this.registerTools();
+    this.initializePromise = this.server.connect(this.transport);
+    await this.initializePromise;
+  }
+  async handleMessage(message) {
+    if (isJsonRpcRequest(message)) {
+      const responsePromise = this.transport.waitForResponse(message.id);
+      await this.transport.dispatch(message);
+      return responsePromise;
+    }
+    await this.transport.dispatch(message);
+    return null;
+  }
+  evaluateSpending(request) {
+    return this.state.spendingPolicy.evaluate({
+      ...request,
+      originAppName: this.getAppName()
+    });
+  }
+  recordSpending(entry) {
+    const appName = this.getAppName();
+    logAuditEvent({
+      event: "spending",
+      appName,
+      amount: entry.amountMist.toString(),
+      taskId: entry.taskId
+    });
+    this.state.spendingPolicy.record({
+      ...entry,
+      originAppName: appName
+    });
+  }
+  async close() {
+    this.taskStore.cleanup();
+    await this.server.close();
+  }
+  /** Expose the low-level MCP Server for sampling requests. */
+  get mcpServer() {
+    return this.server;
+  }
+  /** Get the per-session MCP task store. */
+  getTaskStore() {
+    return this.taskStore;
+  }
+  /** Send a progress notification to the connected client. */
+  async sendProgress(progressToken, progress, total, message) {
+    await this.server.notification({
+      method: "notifications/progress",
+      params: { progressToken, progress, total, message }
+    });
+  }
+  /** Send a task status notification to the connected client. */
+  async sendTaskStatusNotification(entry) {
+    await this.server.notification({
+      method: "notifications/tasks/status",
+      params: {
+        taskId: entry.taskId,
+        status: entry.status,
+        ttl: entry.ttl,
+        createdAt: entry.createdAt,
+        lastUpdatedAt: entry.lastUpdatedAt,
+        ...entry.pollInterval !== void 0 ? { pollInterval: entry.pollInterval } : {},
+        ...entry.statusMessage !== void 0 ? { statusMessage: entry.statusMessage } : {}
+      }
+    });
+  }
+  registerTools() {
+    const daemonToolDefs = [
+      {
+        name: "collective_balance",
+        description: "Return the daemon wallet SUI balance, address, and DID.",
+        inputSchema: { type: "object", properties: {} }
+      },
+      {
+        name: "collective_status",
+        description: "Return daemon identity, uptime, and connected apps.",
+        inputSchema: { type: "object", properties: {} }
+      }
+    ];
+    const daemonToolHandlers = {
+      collective_balance: async () => {
+        const balanceMist = await this.state.suiClient.getBalance(this.state.address);
+        return {
+          did: this.state.did,
+          address: this.state.address,
+          balanceMist: balanceMist.toString()
+        };
+      },
+      collective_status: async () => {
+        const status = this.getStatus();
+        return {
+          ...status,
+          connectedApps: status.connectedApps.map((app) => ({ ...app, pid: app.appPid }))
+        };
+      }
+    };
+    const allToolDefs = [
+      ...daemonToolDefs,
+      ...meshToolDefinitions.filter((def) => !daemonToolHandlers[def.name]).map((def) => {
+        if (def.name === "collective_execute") {
+          return { ...def, execution: { taskSupport: "optional" } };
+        }
+        return def;
+      })
+    ];
+    const context = this.toolContext;
+    this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
+      tools: allToolDefs
+    }));
+    this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
+      const toolName = request.params.name;
+      const meta = request.params._meta;
+      const progressToken = meta?.progressToken;
+      const daemonHandler = daemonToolHandlers[toolName];
+      if (daemonHandler) {
+        try {
+          const result = await daemonHandler();
+          return createDaemonToolResult(result);
+        } catch (error) {
+          return createErrorResult(error instanceof Error ? error.message : String(error));
+        }
+      }
+      const meshHandler = meshToolHandlers[toolName];
+      if (meshHandler && context) {
+        if (toolName === "collective_execute" && this.clientSupportsTasks()) {
+          try {
+            return await this.handleExecuteAsTask(request.params.arguments, context, progressToken);
+          } catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return createErrorResult(message);
+          }
+        }
+        try {
+          const callContext = { ...context, originAppName: this.getAppName() };
+          const result = await meshHandler(request.params.arguments ?? {}, callContext);
+          return createSuccessResult(result);
+        } catch (error) {
+          const message = error instanceof SessionExpiredError ? "Authentication expired. Please re-authenticate via the daemon portal." : error instanceof Error ? error.message : String(error);
+          return createErrorResult(message);
+        }
+      }
+      return createErrorResult(`Unknown tool: ${toolName}`);
+    });
+    this.registerTaskHandlers();
+    if (context) {
+      registerResourceHandlers(this.server, context);
+    }
+  }
+  /**
+   * Check whether the connected client advertises MCP Tasks support.
+   * Only VS Code Copilot (as of 2025-11-25 spec) does this; Claude Desktop,
+   * ChatGPT, Cursor, Windsurf, and GH Coding Agent do not.
+   */
+  clientSupportsTasks() {
+    const caps = this.server.getClientCapabilities();
+    return caps?.tasks != null;
+  }
+  /**
+   * Handle collective_execute as an MCP Task: post the on-chain task, return immediately
+   * with a task handle, and track completion in the background.
+   */
+  async handleExecuteAsTask(args, context, progressToken) {
+    const callContext = { ...context, originAppName: this.getAppName() };
+    const executeAsyncHandler = meshToolHandlers["collective_execute_async"];
+    if (!executeAsyncHandler) {
+      throw new Error("collective_execute_async handler not found");
+    }
+    const asyncResult = await executeAsyncHandler(args, callContext);
+    const mcpTask = this.taskStore.create(asyncResult.task_id, {
+      progressToken,
+      pollInterval: 2e3
+    });
+    void this.trackTaskCompletion(mcpTask.taskId, asyncResult.task_id, callContext, {
+      providerDid: asyncResult.provider_did,
+      priceMist: BigInt(asyncResult.price_mist)
+    });
+    return {
+      task: mcpTask
+    };
+  }
+  /**
+   * Background loop that polls on-chain task status and sends notifications.
+   */
+  async trackTaskCompletion(mcpTaskId, onChainTaskId, context, params) {
+    const POLL_INTERVAL_MS = 2e3;
+    const MAX_DURATION_MS = 3e5;
+    const startedAt = Date.now();
+    let lastChainStatus;
+    const entry = this.taskStore.get(mcpTaskId);
+    const progressToken = entry?.progressToken;
+    try {
+      while (true) {
+        if (Date.now() - startedAt > MAX_DURATION_MS) {
+          this.taskStore.update(mcpTaskId, "failed", { statusMessage: "Timed out waiting for provider" });
+          await this.sendTaskStatusNotification(this.taskStore.get(mcpTaskId));
+          return;
+        }
+        const task = await context.taskClient.getTask(onChainTaskId);
+        if (!task) {
+          this.taskStore.update(mcpTaskId, "failed", { statusMessage: "Task not found on chain" });
+          await this.sendTaskStatusNotification(this.taskStore.get(mcpTaskId));
+          return;
+        }
+        if (task.status !== lastChainStatus) {
+          lastChainStatus = task.status;
+          if (progressToken !== void 0) {
+            await this.emitProgressForChainStatus(progressToken, task.status);
+          }
+        }
+        const currentEntry = this.taskStore.get(mcpTaskId);
+        if (!currentEntry || currentEntry.status === "cancelled") {
+          return;
+        }
+        if (task.status === TaskStatus.COMPLETED || task.status === TaskStatus.RELEASED) {
+          let resultText = "";
+          if (task.resultBlobId) {
+            const resultBytes = await context.blobStore.fetch(task.resultBlobId);
+            if (resultBytes) {
+              resultText = new TextDecoder().decode(resultBytes);
+            }
+          }
+          if (task.status === TaskStatus.COMPLETED) {
+            await context.taskClient.releasePayment({
+              taskId: onChainTaskId,
+              keypair: context.keypair
+            });
+            context.spendingPolicy.record({
+              amountMist: params.priceMist,
+              rail: PaymentRail.SUI_ESCROW,
+              taskId: onChainTaskId,
+              appId: params.providerDid,
+              originAppName: context.originAppName
+            });
+          }
+          const toolResult = {
+            content: [{
+              type: "text",
+              text: serialize({
+                task_id: onChainTaskId,
+                result: resultText,
+                provider_did: params.providerDid,
+                price_mist: params.priceMist.toString(),
+                status: "RELEASED",
+                execution_mode: "async",
+                payment_rail: PaymentRail.SUI_ESCROW
+              })
+            }]
+          };
+          this.taskStore.update(mcpTaskId, "completed", { result: toolResult });
+          await this.sendTaskStatusNotification(this.taskStore.get(mcpTaskId));
+          return;
+        }
+        if (task.status === TaskStatus.CANCELLED || task.status === TaskStatus.DISPUTED) {
+          this.taskStore.update(mcpTaskId, "failed", {
+            statusMessage: `Task ended with status ${TaskStatus[task.status]}`
+          });
+          await this.sendTaskStatusNotification(this.taskStore.get(mcpTaskId));
+          return;
+        }
+        await delay(POLL_INTERVAL_MS);
+      }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.taskStore.update(mcpTaskId, "failed", { statusMessage: message });
+      try {
+        await this.sendTaskStatusNotification(this.taskStore.get(mcpTaskId));
+      } catch {
+      }
+    }
+  }
+  async emitProgressForChainStatus(progressToken, chainStatus) {
+    const stages = {
+      [TaskStatus.POSTED]: { progress: 0.25, message: "Escrow posted, waiting for provider" },
+      [TaskStatus.ACCEPTED]: { progress: 0.5, message: "Task accepted by provider" },
+      [TaskStatus.COMPLETED]: { progress: 0.9, message: "Provider completed, verifying result" },
+      [TaskStatus.RELEASED]: { progress: 1, message: "Payment released, task complete" }
+    };
+    const stage = stages[chainStatus];
+    if (stage) {
+      try {
+        await this.sendProgress(progressToken, stage.progress, 1, stage.message);
+      } catch {
+      }
+    }
+  }
+  registerTaskHandlers() {
+    this.server.setRequestHandler(GetTaskRequestSchema, async (request) => {
+      const entry = this.taskStore.get(request.params.taskId);
+      if (!entry) {
+        throw new Error(`Task ${request.params.taskId} not found`);
+      }
+      return toTaskResult(entry);
+    });
+    this.server.setRequestHandler(GetTaskPayloadRequestSchema, async (request) => {
+      const entry = this.taskStore.get(request.params.taskId);
+      if (!entry) {
+        throw new Error(`Task ${request.params.taskId} not found`);
+      }
+      if (entry.status !== "completed" || !entry.result) {
+        throw new Error(`Task ${request.params.taskId} is not yet completed (status: ${entry.status})`);
+      }
+      return entry.result;
+    });
+    this.server.setRequestHandler(ListTasksRequestSchema, async () => {
+      const tasks = this.taskStore.list().map((entry) => toTaskResult(entry));
+      return { tasks };
+    });
+    this.server.setRequestHandler(CancelTaskRequestSchema, async (request) => {
+      const entry = this.taskStore.get(request.params.taskId);
+      if (!entry) {
+        throw new Error(`Task ${request.params.taskId} not found`);
+      }
+      if (entry.status === "completed" || entry.status === "failed" || entry.status === "cancelled") {
+        return toTaskResult(entry);
+      }
+      if (this.toolContext) {
+        try {
+          const chainTask = await this.toolContext.taskClient.getTask(entry.onChainTaskId);
+          if (chainTask) {
+            if (chainTask.status === TaskStatus.POSTED) {
+              await this.toolContext.taskClient.cancelTask({
+                taskId: entry.onChainTaskId,
+                keypair: this.toolContext.keypair
+              });
+            } else if (chainTask.status === TaskStatus.ACCEPTED) {
+              await this.toolContext.taskClient.disputeTask({
+                taskId: entry.onChainTaskId,
+                keypair: this.toolContext.keypair
+              });
+            }
+          }
+        } catch {
+        }
+      }
+      const cancelled = this.taskStore.cancel(request.params.taskId);
+      return toTaskResult(cancelled ?? entry);
+    });
+  }
+};
+function createDaemonToolResult(payload) {
+  return {
+    content: [{ type: "text", text: serialize(payload) }],
+    structuredContent: payload
+  };
+}
+function createSuccessResult(payload) {
+  return {
+    content: [{ type: "text", text: serialize(payload) }]
+  };
+}
+function createErrorResult(message) {
+  return {
+    isError: true,
+    content: [{ type: "text", text: serialize({ error: message }) }]
+  };
+}
+function toTaskResult(entry) {
+  return {
+    taskId: entry.taskId,
+    status: entry.status,
+    ttl: entry.ttl,
+    createdAt: entry.createdAt,
+    lastUpdatedAt: entry.lastUpdatedAt,
+    ...entry.pollInterval !== void 0 ? { pollInterval: entry.pollInterval } : {},
+    ...entry.statusMessage !== void 0 ? { statusMessage: entry.statusMessage } : {}
+  };
+}
+function serialize(payload) {
+  return JSON.stringify(payload, bigintReplacer, 2);
+}
+function bigintReplacer(_key, value) {
+  return typeof value === "bigint" ? value.toString() : value;
+}
+function isJsonRpcResponse(message) {
+  return !("method" in message);
+}
+function delay(ms) {
+  return new Promise((resolvePromise) => {
+    setTimeout(resolvePromise, ms);
+  });
+}
+
+// src/ipc/connection.ts
+var logger2 = pino2({ name: "@hivemind-os/collective-daemon:connection" });
+var Connection = class {
+  constructor(socket, state, options) {
+    this.socket = socket;
+    this.state = state;
+    this.options = options;
+    this.socket.setEncoding("utf8");
+    this.socket.setNoDelay(true);
+    this.session = new McpSession({
+      state: this.state,
+      emit: async (message) => {
+        this.sendMessage(message);
+      },
+      getStatus: this.options.getStatus,
+      getAppName: () => this.appName ?? "unknown",
+      toolContext: this.options.toolContext
+    });
+    this.sessionReady = this.session.initialize();
+    this.socket.on("data", (chunk) => {
+      this.buffer += chunk.toString();
+      this.drainBuffer();
+    });
+    this.socket.on("close", () => {
+      this.close();
+    });
+    this.socket.on("end", () => {
+      this.close();
+    });
+    this.socket.on("error", (error) => {
+      logger2.debug({ err: error, connectionId: this.id }, "Socket error.");
+      this.close();
+    });
+  }
+  socket;
+  state;
+  options;
+  id = randomUUID3();
+  connectedAt = Date.now();
+  /** The app name set during shim_hello handshake, or undefined if not yet received. */
+  get connectedAppName() {
+    return this.appName;
+  }
+  /** The low-level MCP Server for this connection (for sampling requests). */
+  get mcpServer() {
+    return this.session.mcpServer;
+  }
+  appName;
+  appPid;
+  profile;
+  session;
+  sessionReady;
+  buffer = "";
+  helloReceived = false;
+  closed = false;
+  drainBuffer() {
+    let newlineIndex = this.buffer.indexOf("\n");
+    while (newlineIndex >= 0) {
+      const line = this.buffer.slice(0, newlineIndex).trim();
+      this.buffer = this.buffer.slice(newlineIndex + 1);
+      if (line) {
+        const message = parseMessage(line);
+        if (!message) {
+          this.sendMessage(createErrorResponse(null, -32700, "Parse error"));
+        } else {
+          void this.handleMessage(message).catch((error) => {
+            logger2.error({ err: error, connectionId: this.id }, "Failed to handle IPC message.");
+            if (isJsonRpcRequest(message)) {
+              this.sendMessage(createErrorResponse(message.id, -32603, "Internal error"));
+            }
+          });
+        }
+      }
+      newlineIndex = this.buffer.indexOf("\n");
+    }
+  }
+  async handleMessage(message) {
+    if (isJsonRpcRequest(message) && message.method === "shim_hello") {
+      if (this.helloReceived) {
+        this.sendMessage(createErrorResponse(message.id, -32600, "shim_hello has already been received"));
+        return;
+      }
+      await this.handleShimHello(message.id, message.params);
+      return;
+    }
+    if (!this.helloReceived) {
+      if (isJsonRpcRequest(message)) {
+        this.sendMessage(createErrorResponse(message.id, -32e3, "Expected shim_hello as the first message"));
+      }
+      return;
+    }
+    if (isJsonRpcRequest(message) && message.method === "daemon_status") {
+      this.handleDaemonStatus(message.id);
+      return;
+    }
+    if (isJsonRpcRequest(message) && message.method === "auth.status") {
+      this.handleAuthStatus(message.id);
+      return;
+    }
+    if (isJsonRpcRequest(message) && message.method === "auth.reauth") {
+      await this.handleAuthReauth(message.id);
+      return;
+    }
+    await this.handleMcpMessage(message);
+  }
+  async handleShimHello(id, params) {
+    if (!isRecord(params)) {
+      this.sendMessage(createErrorResponse(id, -32602, "shim_hello requires app metadata"));
+      return;
+    }
+    const appPid = readPid(params.pid ?? params.appPid);
+    const appName = readString(params.appName) ?? readString(params.clientName) ?? inferAppName(appPid);
+    const profile = readString(params.profile);
+    if (!appName || appPid === void 0) {
+      this.sendMessage(createErrorResponse(id, -32602, "shim_hello requires appName and pid"));
+      return;
+    }
+    const validation = await this.options.validateClient({
+      appName,
+      appPid,
+      profile
+    });
+    if (!validation.allowed) {
+      logger2.warn(
+        {
+          connectionId: this.id,
+          appName,
+          appPid,
+          expectedUser: validation.expectedUser,
+          actualUser: validation.actualUser,
+          reason: validation.reason
+        },
+        "IPC client validation failed."
+      );
+      this.rejectAndClose(id, validation.reason ?? "IPC client validation failed.");
+      return;
+    }
+    this.appName = appName;
+    this.appPid = appPid;
+    this.profile = profile;
+    this.helloReceived = true;
+    this.options.onHello({
+      appName: this.appName,
+      appPid: this.appPid,
+      profile: this.profile
+    });
+    logAuditEvent({
+      event: "app_connected",
+      appName: this.appName,
+      appPid: this.appPid,
+      connectionId: this.id
+    });
+    this.sendMessage({
+      jsonrpc: "2.0",
+      id,
+      result: {
+        acknowledged: true,
+        connectionId: this.id
+      }
+    });
+  }
+  handleDaemonStatus(id) {
+    const status = this.options.getStatus();
+    this.sendMessage({
+      jsonrpc: "2.0",
+      id,
+      result: {
+        did: status.did,
+        uptime: status.uptime,
+        connectedApps: status.connectedApps.map((app) => ({
+          appName: app.appName,
+          connectedAt: app.connectedAt
+        })),
+        spendingToday: status.spendingToday,
+        providerRunning: status.providerRunning
+      }
+    });
+  }
+  handleAuthStatus(id) {
+    this.sendMessage({
+      jsonrpc: "2.0",
+      id,
+      result: this.options.getAuthStatus()
+    });
+  }
+  async handleAuthReauth(id) {
+    const result = await this.options.triggerReauth();
+    this.sendMessage({
+      jsonrpc: "2.0",
+      id,
+      result
+    });
+  }
+  async handleMcpMessage(message) {
+    await this.sessionReady;
+    try {
+      if (isJsonRpcRequest(message)) {
+        const toolCall = parseToolCall(message);
+        if (toolCall) {
+          logAuditEvent({
+            event: "tool_call",
+            appName: this.appName ?? "unknown",
+            tool: toolCall.tool,
+            taskId: toolCall.taskId
+          });
+        }
+      }
+      await this.session.handleMessage(message);
+    } catch (error) {
+      logger2.error({ err: error, connectionId: this.id }, "MCP session error.");
+      if (isJsonRpcRequest(message)) {
+        this.sendMessage(createErrorResponse(message.id, -32603, "MCP session error"));
+      } else if (isJsonRpcNotification(message)) {
+        this.close();
+      }
+    }
+  }
+  sendNotification(method, params) {
+    this.sendMessage({
+      jsonrpc: "2.0",
+      method,
+      params
+    });
+  }
+  close() {
+    if (this.closed) {
+      return;
+    }
+    this.closed = true;
+    this.options.onClose();
+    if (this.appName) {
+      logAuditEvent({
+        event: "app_disconnected",
+        appName: this.appName,
+        connectionId: this.id,
+        duration: Date.now() - this.connectedAt
+      });
+    }
+    void this.session.close().catch((error) => {
+      logger2.debug({ err: error, connectionId: this.id }, "Failed to close MCP session cleanly.");
+    });
+    if (!this.socket.destroyed && !this.socket.writableEnded) {
+      this.socket.destroy();
+    }
+  }
+  rejectAndClose(id, message) {
+    if (this.closed || this.socket.destroyed) {
+      return;
+    }
+    this.socket.end(`${serializeResponse(createErrorResponse(id, -32001, message))}
+`);
+    this.close();
+  }
+  sendMessage(message) {
+    if (this.closed || this.socket.destroyed) {
+      return;
+    }
+    this.socket.write(`${serializeResponse(message)}
+`);
+  }
+};
+function parseToolCall(message) {
+  if (message.method !== "tools/call" || !isRecord(message.params) || typeof message.params.name !== "string") {
+    return null;
+  }
+  return {
+    tool: message.params.name,
+    taskId: readTaskId(message.params.arguments)
+  };
+}
+function readTaskId(value) {
+  if (!isRecord(value)) {
+    return void 0;
+  }
+  return readString(value.taskId) ?? readString(value.task_id);
+}
+function readPid(value) {
+  return typeof value === "number" && Number.isInteger(value) && value >= 0 ? value : void 0;
+}
+function inferAppName(pid) {
+  return typeof pid === "number" ? `app-${pid}` : void 0;
+}
+function readString(value) {
+  return typeof value === "string" && value.trim() ? value.trim() : void 0;
+}
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+// src/ipc/connection-registry.ts
+var ConnectionRegistry = class {
+  connections = /* @__PURE__ */ new Map();
+  registerConnection(connectionId, connectedAt = Date.now()) {
+    this.connections.set(connectionId, {
+      connectionId,
+      connectedAt
+    });
+  }
+  updateConnection(connectionId, metadata) {
+    const current = this.connections.get(connectionId);
+    const next = {
+      connectionId,
+      connectedAt: current?.connectedAt ?? Date.now(),
+      appName: metadata.appName,
+      appPid: metadata.appPid,
+      profile: metadata.profile
+    };
+    this.connections.set(connectionId, next);
+    return toConnectedApp(next);
+  }
+  unregisterConnection(connectionId) {
+    this.connections.delete(connectionId);
+  }
+  getConnectedApps() {
+    return Array.from(this.connections.values()).filter(isConnectedApp).map(toConnectedApp).sort((left, right) => left.connectedAt - right.connectedAt);
+  }
+};
+function isConnectedApp(entry) {
+  return typeof entry.appName === "string" && typeof entry.appPid === "number";
+}
+function toConnectedApp(entry) {
+  if (!isConnectedApp(entry)) {
+    throw new Error(`Connection ${entry.connectionId} is missing app metadata.`);
+  }
+  return {
+    connectionId: entry.connectionId,
+    connectedAt: entry.connectedAt,
+    appName: entry.appName,
+    appPid: entry.appPid,
+    profile: entry.profile
+  };
+}
+
+// src/ipc/server.ts
+var logger3 = pino3({ name: "@hivemind-os/collective-daemon:ipc-server" });
+var IpcServer = class {
+  constructor(ipcPath, state, options = {}) {
+    this.ipcPath = ipcPath;
+    this.state = state;
+    this.options = options;
+  }
+  ipcPath;
+  state;
+  options;
+  server;
+  connections = /* @__PURE__ */ new Map();
+  connectionRegistry = new ConnectionRegistry();
+  toolContext;
+  async start() {
+    if (this.server) {
+      return;
+    }
+    if (process.platform !== "win32") {
+      await rm(this.ipcPath, { force: true });
+    }
+    const server = net2.createServer((socket) => {
+      this.handleConnection(socket);
+    });
+    await new Promise((resolvePromise, reject) => {
+      server.once("error", reject);
+      if (process.platform === "win32") {
+        server.listen(this.ipcPath, () => {
+          server.off("error", reject);
+          resolvePromise();
+        });
+        return;
+      }
+      server.listen({ path: this.ipcPath, readableAll: false, writableAll: false }, () => {
+        server.off("error", reject);
+        resolvePromise();
+      });
+    });
+    if (process.platform !== "win32") {
+      await chmod(this.ipcPath, 384);
+      logger3.debug({ ipcPath: this.ipcPath }, "IPC socket permissions set to 0600 for local-user isolation.");
+    } else {
+      await this.logPipeSecurity();
+    }
+    server.on("error", (error) => {
+      logger3.error({ err: error }, "IPC server error.");
+    });
+    this.server = server;
+  }
+  async stop() {
+    const server = this.server;
+    if (!server) {
+      return;
+    }
+    this.server = void 0;
+    for (const connection of [...this.connections.values()]) {
+      connection.close();
+    }
+    await new Promise((resolvePromise, reject) => {
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        resolvePromise();
+      });
+    });
+    if (process.platform !== "win32") {
+      await rm(this.ipcPath, { force: true });
+    }
+  }
+  getConnectedApps() {
+    return this.connectionRegistry.getConnectedApps();
+  }
+  getStatus() {
+    return {
+      ...this.state.getStatusBase(),
+      connectedApps: this.getConnectedApps()
+    };
+  }
+  getAuthStatus() {
+    return this.options.getAuthStatus?.() ?? {
+      authMode: this.state.authProvider.mode,
+      authenticated: this.state.authProvider.isAuthenticated(),
+      state: this.state.authProvider.isAuthenticated() ? "authenticated" : "reauth_required",
+      address: this.state.authProvider.isAuthenticated() ? this.state.address : null,
+      expiresAt: null,
+      expiresInMs: null,
+      refreshAvailable: false,
+      lastError: null,
+      updatedAt: Date.now()
+    };
+  }
+  notifyAuthStatusChanged(status = this.getAuthStatus()) {
+    for (const connection of this.connections.values()) {
+      connection.sendNotification("auth.status_changed", status);
+    }
+  }
+  /**
+   * Broadcast a notification to all connected MCP sessions.
+   * Used for provider inbound task notifications and other system-wide events.
+   */
+  broadcastNotification(method, params) {
+    for (const connection of this.connections.values()) {
+      connection.sendNotification(method, params);
+    }
+  }
+  /**
+   * Look up the low-level MCP Server for a connected app by name.
+   * Throws if multiple connections match (ambiguous).
+   * Returns undefined if no match is found.
+   */
+  getMcpServerForApp(appName) {
+    const matches = [];
+    for (const connection of this.connections.values()) {
+      if (connection.connectedAppName === appName) {
+        matches.push(connection);
+      }
+    }
+    if (matches.length > 1) {
+      throw new Error(
+        `Ambiguous MCP sampling target: ${matches.length} connections match appName "${appName}". Use a more specific identifier or disconnect duplicate clients.`
+      );
+    }
+    return matches[0]?.mcpServer;
+  }
+  handleConnection(socket) {
+    logger3.info({ ipcPath: this.ipcPath }, "Received IPC connection attempt.");
+    const connection = new Connection(socket, this.state, {
+      getStatus: () => this.getStatus(),
+      getAuthStatus: () => this.getAuthStatus(),
+      triggerReauth: () => this.options.triggerReauth?.() ?? Promise.resolve({ portalUrl: null, browserOpened: false, status: this.getAuthStatus() }),
+      validateClient: (metadata) => this.validateClient(metadata),
+      toolContext: this.toolContext,
+      onHello: (metadata) => {
+        this.connectionRegistry.updateConnection(connection.id, metadata);
+      },
+      onClose: () => {
+        this.connections.delete(connection.id);
+        this.connectionRegistry.unregisterConnection(connection.id);
+      }
+    });
+    this.connections.set(connection.id, connection);
+    this.connectionRegistry.registerConnection(connection.id, connection.connectedAt);
+  }
+  async logPipeSecurity() {
+    try {
+      const inspectPipeSecurity = this.options.verifyPipeSecurity ?? verifyPipeSecurity;
+      const status = await inspectPipeSecurity(this.ipcPath);
+      const bindings = {
+        ipcPath: this.ipcPath,
+        userScoped: status.userScoped,
+        aclVerified: status.aclVerified,
+        owner: status.acl?.owner,
+        identities: status.acl?.identities
+      };
+      if (!status.userScoped) {
+        logger3.warn(bindings, status.note);
+        return;
+      }
+      if (!status.aclVerified) {
+        logger3.debug(bindings, status.note);
+        return;
+      }
+      logger3.info(bindings, status.note);
+    } catch (error) {
+      logger3.warn({ err: error, ipcPath: this.ipcPath }, "Failed to inspect Windows pipe security.");
+    }
+  }
+  async validateClient(metadata) {
+    if (process.platform !== "win32") {
+      return {
+        allowed: true,
+        source: "unix-socket"
+      };
+    }
+    const validateClientProcess = this.options.validateClient ?? ((client) => validateClientProcessOwnership(client.appPid));
+    const validation = await validateClientProcess(metadata);
+    if (!validation.allowed) {
+      logger3.warn(
+        {
+          ipcPath: this.ipcPath,
+          appName: metadata.appName,
+          appPid: metadata.appPid,
+          expectedUser: validation.expectedUser,
+          actualUser: validation.actualUser,
+          reason: validation.reason
+        },
+        "Rejected IPC client during Windows identity validation."
+      );
+    }
+    return validation;
+  }
+};
+
+export {
+  IpcServer
+};
+//# sourceMappingURL=chunk-BHN4GOYD.js.map