npm - @naisys/hub - Versions diffs - 3.0.0-beta.38 → 3.0.0-beta.40 - Mend

@naisys/hub 3.0.0-beta.38 → 3.0.0-beta.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +3 -1
package/dist/handlers/hubAgentService.js +93 -33
package/dist/handlers/hubConfigService.js +8 -3
package/dist/handlers/hubCostService.js +20 -11
package/dist/handlers/hubCostService.test.js +263 -0
package/dist/handlers/hubHeartbeatService.js +65 -19
package/dist/handlers/hubHostService.js +3 -0
package/dist/handlers/hubLogService.js +13 -5
package/dist/handlers/hubRedactionService.js +93 -0
package/dist/handlers/hubRedactionService.test.js +116 -0
package/dist/handlers/hubRunService.js +39 -10
package/dist/handlers/hubRuntimeKeyService.js +27 -0
package/dist/handlers/hubSendMailService.js +9 -5
package/dist/handlers/hubVariablePatchService.js +54 -0
package/dist/handlers/hubVariablePatchService.test.js +85 -0
package/dist/naisysHub.js +29 -12
package/dist/services/naisysServer.js +7 -2
package/npm-shrinkwrap.json +23 -23
package/package.json +9 -7

package/dist/handlers/hubVariablePatchService.test.js ADDED Viewed

@@ -0,0 +1,85 @@
+import { OPENAI_CODEX_ACCESS_TOKEN_VAR, OPENAI_CODEX_EXPIRES_AT_VAR, OPENAI_CODEX_REFRESH_TOKEN_VAR, } from "@naisys/common";
+import { HubEvents } from "@naisys/hub-protocol";
+import { describe, expect, test, vi } from "vitest";
+import { createHubVariablePatchService } from "./hubVariablePatchService.js";
+function createMocks() {
+    const variables = {
+        upsert: vi.fn(),
+    };
+    const hubDb = {
+        $transaction: vi.fn(async (callback) => callback({ variables })),
+    };
+    const configService = {
+        broadcastConfig: vi.fn(async () => { }),
+    };
+    const redactionService = {
+        rebuildDbSecrets: vi.fn(async () => { }),
+    };
+    const logService = {
+        error: vi.fn(),
+    };
+    const naisysServer = {
+        registerEvent: vi.fn(),
+    };
+    return {
+        variables,
+        hubDb,
+        configService,
+        redactionService,
+        logService,
+        naisysServer,
+    };
+}
+describe("hub variable patch service", () => {
+    test("persists Codex OAuth variables with per-key policy and broadcasts config", async () => {
+        const mocks = createMocks();
+        createHubVariablePatchService(mocks.naisysServer, { hubDb: mocks.hubDb }, mocks.configService, mocks.redactionService, mocks.logService);
+        const [, handler, schema] = mocks.naisysServer.registerEvent.mock
+            .calls[0];
+        expect(mocks.naisysServer.registerEvent).toHaveBeenCalledWith(HubEvents.VARIABLE_PATCH, expect.any(Function), expect.any(Object));
+        expect(schema.safeParse({
+            updates: [{ key: OPENAI_CODEX_ACCESS_TOKEN_VAR, value: "access" }],
+        }).success).toBe(true);
+        await handler(42, {
+            updates: [
+                { key: OPENAI_CODEX_ACCESS_TOKEN_VAR, value: "access" },
+                { key: OPENAI_CODEX_REFRESH_TOKEN_VAR, value: "refresh" },
+                { key: OPENAI_CODEX_EXPIRES_AT_VAR, value: "1700000000000" },
+            ],
+        });
+        expect(mocks.variables.upsert).toHaveBeenCalledTimes(3);
+        expect(mocks.variables.upsert).toHaveBeenCalledWith(expect.objectContaining({
+            where: { key: OPENAI_CODEX_ACCESS_TOKEN_VAR },
+            update: expect.objectContaining({
+                value: "access",
+                export_to_shell: false,
+                sensitive: true,
+                updated_by: "host:42",
+            }),
+        }));
+        expect(mocks.variables.upsert).toHaveBeenCalledWith(expect.objectContaining({
+            where: { key: OPENAI_CODEX_EXPIRES_AT_VAR },
+            update: expect.objectContaining({
+                value: "1700000000000",
+                export_to_shell: false,
+                sensitive: false,
+                updated_by: "host:42",
+            }),
+        }));
+        expect(mocks.redactionService.rebuildDbSecrets).toHaveBeenCalledOnce();
+        expect(mocks.configService.broadcastConfig).toHaveBeenCalledOnce();
+    });
+    test("logs and skips persistence for non-allowlisted variables", async () => {
+        const mocks = createMocks();
+        createHubVariablePatchService(mocks.naisysServer, { hubDb: mocks.hubDb }, mocks.configService, mocks.redactionService, mocks.logService);
+        const [, handler] = mocks.naisysServer.registerEvent.mock.calls[0];
+        await handler(7, {
+            updates: [{ key: "GOOGLE_API_KEY", value: "secret" }],
+        });
+        expect(mocks.hubDb.$transaction).not.toHaveBeenCalled();
+        expect(mocks.redactionService.rebuildDbSecrets).not.toHaveBeenCalled();
+        expect(mocks.configService.broadcastConfig).not.toHaveBeenCalled();
+        expect(mocks.logService.error).toHaveBeenCalledWith(expect.stringContaining("GOOGLE_API_KEY"));
+    });
+});
+//# sourceMappingURL=hubVariablePatchService.test.js.map

package/dist/naisysHub.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { createDualLogger, cwdWithTilde, ensureDotEnv, expandNaisysFolder, promptResetSuperAdminPasskey, runSetupWizard, } from "@naisys/common-node";
+import { createDualLogger, cwdWithTilde, ensureDotEnv, expandNaisysFolder, promptResetSuperAdminAccount, runSetupWizard, } from "@naisys/common-node";
 import { createHubDatabaseService } from "@naisys/hub-database";
 import { program } from "commander";
 import dotenv from "dotenv";
@@ -15,9 +15,12 @@ import { createHubHostService } from "./handlers/hubHostService.js";
 import { createHubLogService } from "./handlers/hubLogService.js";
 import { createHubMailService } from "./handlers/hubMailService.js";
 import { createHubModelsService } from "./handlers/hubModelsService.js";
+import { createHubRedactionService } from "./handlers/hubRedactionService.js";
 import { createHubRunService } from "./handlers/hubRunService.js";
+import { createHubRuntimeKeyService } from "./handlers/hubRuntimeKeyService.js";
 import { createHubSendMailService } from "./handlers/hubSendMailService.js";
 import { createHubUserService } from "./handlers/hubUserService.js";
+import { createHubVariablePatchService } from "./handlers/hubVariablePatchService.js";
 import { loadOrCreateAccessKey } from "./services/accessKeyService.js";
 import { seedAgentConfigs } from "./services/agentRegistrar.js";
 import { createHostRegistrar } from "./services/hostRegistrar.js";
@@ -29,6 +32,7 @@ import { createNaisysServer } from "./services/naisysServer.js";
 export const startHub = async (startupType, startSupervisor, plugins, startupAgentPath, wizardRan) => {
     try {
         const agentPath = startupAgentPath || ".";
+        let cleanupSupervisor;
         // Create log service first
         const logService = createDualLogger("hub-server.log");
         logService.log(`[Hub] Starting Hub server in ${startupType} mode...`);
@@ -64,22 +68,30 @@ export const startHub = async (startupType, startSupervisor, plugins, startupAge
         createHubUserService(naisysServer, hubDatabaseService, logService);
         // Register hub models service for seeding and broadcasting models
         await createHubModelsService(naisysServer, hubDatabaseService, logService);
+        // Register redaction service so log/mail ingest can scrub sensitive values
+        // before they hit the DB or get rebroadcast. Must come after the models
+        // service since that upgrades built-in model API key variables to sensitive
+        // — initializing the redactor earlier would snapshot them as non-sensitive.
+        const redactionService = await createHubRedactionService(naisysServer, hubDatabaseService, logService);
+        createHubVariablePatchService(naisysServer, hubDatabaseService, configService, redactionService, logService);
+        // Shared mint/revoke for runtime API keys (agent service + heartbeat).
+        const runtimeKeyService = createHubRuntimeKeyService(hubDatabaseService, redactionService);
         // Register hub host service for broadcasting connected host list
         createHubHostService(naisysServer, hostRegistrar, logService);
         // Register hub run service for session_create/session_increment requests
         createHubRunService(naisysServer, hubDatabaseService, logService);
         // Register hub heartbeat service for NAISYS instance heartbeat tracking
-        const heartbeatService = createHubHeartbeatService(naisysServer, hubDatabaseService, logService);
+        const heartbeatService = createHubHeartbeatService(naisysServer, hubDatabaseService, logService, redactionService, runtimeKeyService);
         // Register hub log service for log_write events from NAISYS instances
-        createHubLogService(naisysServer, hubDatabaseService, logService, heartbeatService);
+        createHubLogService(naisysServer, hubDatabaseService, logService, heartbeatService, redactionService);
         // Register hub cost service for cost_write events from NAISYS instances
         const costService = createHubCostService(naisysServer, hubDatabaseService, logService, heartbeatService, configService);
         // Register hub send mail service (pure mail sending, no auto-start logic)
-        const sendMailService = createHubSendMailService(naisysServer, hubDatabaseService, heartbeatService);
+        const sendMailService = createHubSendMailService(naisysServer, hubDatabaseService, heartbeatService, redactionService);
         // Register hub agent service for agent_start requests routed to target hosts
-        const agentService = createHubAgentService(naisysServer, hubDatabaseService, logService, heartbeatService, sendMailService, hostRegistrar);
+        const agentService = createHubAgentService(naisysServer, hubDatabaseService, logService, heartbeatService, sendMailService, hostRegistrar, runtimeKeyService);
         // Register hub mail service for mail events from NAISYS instances
-        createHubMailService(naisysServer, hubDatabaseService, logService, heartbeatService, sendMailService, agentService, costService, configService);
+        const mailService = createHubMailService(naisysServer, hubDatabaseService, logService, heartbeatService, sendMailService, agentService, costService, configService);
         /**
          * There should be no dependency between supervisor and hub
          * Sharing the same process space is to save 150 mb of node.js runtime memory on small servers
@@ -88,14 +100,16 @@ export const startHub = async (startupType, startSupervisor, plugins, startupAge
             // Don't import the whole fastify web server module tree unless needed
             // Use variable to avoid compile-time type dependency on @naisys/supervisor (allows parallel builds)
             const supervisorModule = "@naisys/supervisor";
-            const { supervisorPlugin, bootstrapSupervisor } = (await import(supervisorModule));
-            const resetSuperAdminPasskey = wizardRan
-                ? await promptResetSuperAdminPasskey("Supervisor Setup", {
+            const hostedSupervisor = (await import(supervisorModule));
+            const { supervisorPlugin, bootstrapSupervisor } = hostedSupervisor;
+            cleanupSupervisor = hostedSupervisor.cleanupSupervisor;
+            const resetSuperAdminAccount = wizardRan
+                ? await promptResetSuperAdminAccount("Supervisor Setup", {
                     defaultReset: !process.argv.includes("--setup"),
                 })
                 : false;
             // Bootstrap before plugin register so the operator prompt isn't bounded by pluginTimeout and doesn't interleave with hub connection logs.
-            await bootstrapSupervisor({ resetSuperAdminPasskey });
+            await bootstrapSupervisor({ resetSuperAdminAccount });
             await fastify.register(supervisorPlugin, {
                 plugins,
                 serverPort,
@@ -109,11 +123,14 @@ export const startHub = async (startupType, startSupervisor, plugins, startupAge
             logService.disableConsole();
         }
         let shutdownPromise = null;
+        // Like NAISYS: process exit reaps sockets and Fastify. Clear known timers
+        // synchronously, but only wait for the DB disconnect.
         async function runShutdown() {
             try {
+                cleanupSupervisor?.();
                 heartbeatService.cleanup();
-                await io.close();
-                await fastify.close();
+                costService.cleanup();
+                mailService.cleanup();
             }
             finally {
                 await hubDatabaseService.disconnect();

package/dist/services/naisysServer.js CHANGED Viewed

@@ -68,7 +68,10 @@ export function createNaisysServer(nsp, initialHubAccessKey, logService, hostReg
         const { hubAccessKey: clientAccessKey, hostName, machineId: rawMachineId, instanceId: rawInstanceId, startedAt: rawStartedAt, hostType: rawHostType, clientVersion, environment: rawEnvironment, } = socket.handshake.auth;
         if (!clientAccessKey || clientAccessKey !== hubAccessKey) {
             logService.log(`[Hub] Connection rejected: invalid access key from ${socket.handshake.address}`);
-            return next(createConnectError("Invalid access key", "invalid_access_key"));
+            // Non-fatal: keys can rotate while a client is in retry; the client's
+            // auth callback re-reads the key on each attempt so the next try picks
+            // up the new value.
+            return next(createConnectError("Invalid access key", "invalid_access_key", false));
         }
         if (!hostName) {
             logService.log(`[Hub] Connection rejected: missing hostName`);
@@ -123,7 +126,9 @@ export function createNaisysServer(nsp, initialHubAccessKey, logService, hostReg
         }
         catch (err) {
             logService.error(`[Hub] Connection rejected: failed to register host ${hostName}: ${err}`);
-            return next(createConnectError("NAISYS instance registration failed", "registration_failed"));
+            // Non-fatal: registration touches the DB and can hit transient failures
+            // (pool timeout, deadlock); let the client keep retrying.
+            return next(createConnectError("NAISYS instance registration failed", "registration_failed", false));
         }
     });
     // Handle new connections

package/npm-shrinkwrap.json CHANGED Viewed

@@ -1,17 +1,17 @@
 {
   "name": "@naisys/hub",
-  "version": "3.0.0-beta.38",
+  "version": "3.0.0-beta.40",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@naisys/hub",
-      "version": "3.0.0-beta.38",
+      "version": "3.0.0-beta.40",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.38",
-        "@naisys/common-node": "3.0.0-beta.38",
-        "@naisys/hub-database": "3.0.0-beta.38",
-        "@naisys/hub-protocol": "3.0.0-beta.38",
+        "@naisys/common": "3.0.0-beta.40",
+        "@naisys/common-node": "3.0.0-beta.40",
+        "@naisys/hub-database": "3.0.0-beta.40",
+        "@naisys/hub-protocol": "3.0.0-beta.40",
         "commander": "^14.0.3",
         "dotenv": "^17.3.1",
         "fastify": "^5.8.2",
@@ -24,7 +24,7 @@
         "node": ">=22.0.0"
       },
       "peerDependencies": {
-        "@naisys/supervisor": "3.0.0-beta.38"
+        "@naisys/supervisor": "3.0.0-beta.40"
       },
       "peerDependenciesMeta": {
         "@naisys/supervisor": {
@@ -189,32 +189,32 @@
       "license": "MIT"
     },
     "node_modules/@naisys/common": {
-      "version": "3.0.0-beta.38",
-      "resolved": "https://registry.npmjs.org/@naisys/common/-/common-3.0.0-beta.38.tgz",
-      "integrity": "sha512-YJIawcV12XNgzQz/QcM2oAYhu4O4V55tHm0JZrEdmBt2GS33VsGIVJqhDtg3sVWvtsDfh8QkK7EjwPEvgj7fzA==",
+      "version": "3.0.0-beta.40",
+      "resolved": "https://registry.npmjs.org/@naisys/common/-/common-3.0.0-beta.40.tgz",
+      "integrity": "sha512-qHXg14eU+DBz97iFoWdkx1Bn6Y6eminvB0Gbsu7u0iIFEDVXXUqnq4o0qBobHoS8g7OBTqTHtyiRkuECQIwhEQ==",
       "dependencies": {
         "semver": "^7.7.4",
         "zod": "^4.3.6"
       }
     },
     "node_modules/@naisys/common-node": {
-      "version": "3.0.0-beta.38",
-      "resolved": "https://registry.npmjs.org/@naisys/common-node/-/common-node-3.0.0-beta.38.tgz",
-      "integrity": "sha512-dNVvY+gWzBx4I+3chvNl74MgrcxVBFpPB+0acYSl7bcINvhqmbqLMYryR4AwOvU+dc09GDbpgugE6EWIQnn/zA==",
+      "version": "3.0.0-beta.40",
+      "resolved": "https://registry.npmjs.org/@naisys/common-node/-/common-node-3.0.0-beta.40.tgz",
+      "integrity": "sha512-+ACXA1oBPv/2YFaw1zyKMMZPUPtpSRntMwR0PBxz1DhXxTV5IgWjRHusxqr0Eh+fd17HqrpRvBw1Mp86kwAXyQ==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.38",
+        "@naisys/common": "3.0.0-beta.40",
         "better-sqlite3": "^12.6.2",
         "js-yaml": "^4.1.1",
         "pino": "^10.3.1"
       }
     },
     "node_modules/@naisys/hub-database": {
-      "version": "3.0.0-beta.38",
-      "resolved": "https://registry.npmjs.org/@naisys/hub-database/-/hub-database-3.0.0-beta.38.tgz",
-      "integrity": "sha512-h+e50Qjg389ewSKU2jAisexlmajEAK34lMz6FKWd8Hog/PI6v3BYKB/8wgL2HmI78apmHIjh1FRW3NQNF+D8rw==",
+      "version": "3.0.0-beta.40",
+      "resolved": "https://registry.npmjs.org/@naisys/hub-database/-/hub-database-3.0.0-beta.40.tgz",
+      "integrity": "sha512-Esavfu3plu4n1UymgyVkXpeLYNGC4UXtoS+QNnkvjVjZM7IGuFG5iDz37P6GFOAZA9Ir6sImES1iz0uK8D0Kxg==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.38",
-        "@naisys/common-node": "3.0.0-beta.38",
+        "@naisys/common": "3.0.0-beta.40",
+        "@naisys/common-node": "3.0.0-beta.40",
         "@prisma/adapter-better-sqlite3": "^7.5.0",
         "@prisma/client": "^7.5.0",
         "better-sqlite3": "^12.6.2",
@@ -222,11 +222,11 @@
       }
     },
     "node_modules/@naisys/hub-protocol": {
-      "version": "3.0.0-beta.38",
-      "resolved": "https://registry.npmjs.org/@naisys/hub-protocol/-/hub-protocol-3.0.0-beta.38.tgz",
-      "integrity": "sha512-HLNcDmbdQVDeOxQlohoSrQdz/EXvNKx16BZVEovlwixuGCfINgweOkjtr4qypHO0peHPD0p1ayBa2QAjRrSY5Q==",
+      "version": "3.0.0-beta.40",
+      "resolved": "https://registry.npmjs.org/@naisys/hub-protocol/-/hub-protocol-3.0.0-beta.40.tgz",
+      "integrity": "sha512-JlCOwypcAm8YbxZTVwszXPkaa89j3bJpJZi7uc5Cd+oXLbbJmCS1KpVgjQwdzU9TpacX8D0FkPk6gsoRT6fi5w==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.38",
+        "@naisys/common": "3.0.0-beta.40",
         "zod": "^4.3.6"
       }
     },

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@naisys/hub",
-  "version": "3.0.0-beta.38",
+  "version": "3.0.0-beta.40",
   "description": "NAISYS Hub - Adds persistence and multi-instance coordination to NAISYS",
   "type": "module",
   "main": "dist/naisysHub.js",
@@ -17,6 +17,7 @@
     "dev": "tsx watch src/naisysHub.ts",
     "start": "node dist/naisysHub.js",
     "build": "tsc",
+    "test": "vitest run",
     "type-check": "tsc --noEmit",
     "npm:publish:dryrun": "npm publish --dry-run",
     "npm:publish": "npm publish --access public"
@@ -31,7 +32,7 @@
     "!dist/**/*.d.ts.map"
   ],
   "peerDependencies": {
-    "@naisys/supervisor": "3.0.0-beta.38"
+    "@naisys/supervisor": "3.0.0-beta.40"
   },
   "peerDependenciesMeta": {
     "@naisys/supervisor": {
@@ -39,10 +40,10 @@
     }
   },
   "dependencies": {
-    "@naisys/common": "3.0.0-beta.38",
-    "@naisys/common-node": "3.0.0-beta.38",
-    "@naisys/hub-database": "3.0.0-beta.38",
-    "@naisys/hub-protocol": "3.0.0-beta.38",
+    "@naisys/common": "3.0.0-beta.40",
+    "@naisys/common-node": "3.0.0-beta.40",
+    "@naisys/hub-database": "3.0.0-beta.40",
+    "@naisys/hub-protocol": "3.0.0-beta.40",
     "commander": "^14.0.3",
     "dotenv": "^17.3.1",
     "fastify": "^5.8.2",
@@ -51,7 +52,8 @@
   "devDependencies": {
     "@types/node": "^25.5.0",
     "tsx": "^4.21.0",
-    "typescript": "^5.9.3"
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.0"
   },
   "engines": {
     "node": ">=22.0.0"