@onklave/agent-cli 0.1.9 → 0.1.11

package/main.js

@@ -510,7 +510,7 @@ var PlatformClient = class {
   async respondToGate(sessionId, decision, value) {
     await this.request(
       "POST",
-      `/api/v1/agent/sessions/${sessionId}/gate`,
+      `/api/v1/agent/sessions/${sessionId}/respond`,
       {
         decision,
         message: value
@@ -569,6 +569,17 @@ var PlatformClient = class {
   async unregisterMachine() {
     await this.request("POST", "/api/v1/runner/unregister");
   }
+  /*
+   * Update an already-registered machine's configuration. Used by
+   * `onklave register --refresh` to push freshly-detected capabilities.
+   */
+  async updateMachine(machineId, patch) {
+    await this.request(
+      "PATCH",
+      `/api/v1/runner/machines/${machineId}`,
+      patch
+    );
+  }
   /*
    * List all registered machines.
    */
@@ -642,12 +653,19 @@ var CommsClient = class {
   }
   /*
    * Connect to the Onklave comms service via Socket.IO.
+   * Pass `machineId` so the server can route inbound runner events
+   * (e.g. `assignment:claim-available`) to this specific runner.
    */
-  async connect(platformUrl, token) {
+  async connect(platformUrl, token, extra) {
     return new Promise((resolve3, reject) => {
       const commsUrl = platformUrl.replace(/\/+$/, "");
-      this.socket = io(`${commsUrl}/agent`, {
-        auth: { token },
+      this.socket = io(`${commsUrl}/agent-cli`, {
+        auth: {
+          token,
+          machineId: extra?.machineId,
+          deviceToken: extra?.deviceToken,
+          orgId: extra?.orgId
+        },
         transports: ["websocket", "polling"],
         reconnection: true,
         reconnectionAttempts: this.maxReconnectAttempts,
@@ -713,10 +731,13 @@ var CommsClient = class {
     this.socket?.emit("agent:audit", event);
   }
   /*
-   * Emit a heartbeat to the platform.
+   * Emit a heartbeat to the platform. The comms namespace expects the
+   * `runner:heartbeat` event and the RunnerHeartbeatPayload shape; the
+   * primary heartbeat path is HTTP via HeartbeatService, this socket path
+   * is reserved for the future daemon-with-open-socket flow.
    */
   emitHeartbeat(data) {
-    this.socket?.emit("agent:heartbeat", data);
+    this.socket?.emit("runner:heartbeat", data);
   }
   /*
    * Listen for approval responses from the platform.
@@ -738,6 +759,15 @@ var CommsClient = class {
   onSpawnRequest(handler) {
     this.socket?.on("agent:spawn", handler);
   }
+  /*
+   * Listen for assignment:claim-available events from the platform.
+   * The daemon mode (V6-CLI-002, deferred) will consume these to claim
+   * work items. For now this stays as a registerable listener so
+   * non-daemon use is unaffected.
+   */
+  onAssignmentAvailable(handler) {
+    this.socket?.on("assignment:claim-available", handler);
+  }
 };
 
 // _apps/@onklave/agent-cli/src/services/session-manager.ts
@@ -762,6 +792,12 @@ var SessionManager = class {
     if (config.allowedTools && config.allowedTools.length > 0) {
       args.push("--allowedTools", config.allowedTools.join(","));
     }
+    if (config.deniedTools && config.deniedTools.length > 0) {
+      args.push("--disallowedTools", config.deniedTools.join(","));
+    }
+    if (config.addDirs && config.addDirs.length > 0) {
+      args.push("--add-dir", ...config.addDirs);
+    }
     if (config.systemPromptAppend) {
       args.push("--append-system-prompt", config.systemPromptAppend);
     }
@@ -1178,6 +1214,69 @@ var GuardrailEnforcer = class {
   }
 };
 
+// _apps/@onklave/agent-cli/src/services/heartbeat.service.ts
+var DEFAULT_INTERVAL_MS = 3e4;
+var HeartbeatService = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.timer = null;
+    this.intervalMs = opts.intervalMs ?? DEFAULT_INTERVAL_MS;
+    this.onError = opts.onError ?? ((err) => console.error(`[heartbeat] ${err.message}`));
+  }
+  start() {
+    if (this.timer) return;
+    void this.emit();
+    this.timer = setInterval(() => {
+      void this.emit();
+    }, this.intervalMs);
+    if (typeof this.timer.unref === "function") {
+      this.timer.unref();
+    }
+  }
+  stop() {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = null;
+    }
+  }
+  /**
+   * Single heartbeat emission. Exposed for tests and one-shot diagnostics
+   * (`onklave doctor`).
+   */
+  async emit() {
+    const body = {
+      machineId: this.opts.machineId,
+      status: "online",
+      activeSessionCount: this.opts.getActiveSessionCount(),
+      resourceUsage: this.opts.getResourceUsage?.()
+    };
+    try {
+      const response = await fetch(
+        `${this.opts.platformUrl}/api/v1/runner/heartbeat`,
+        {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            "x-device-token": this.opts.deviceToken
+          },
+          body: JSON.stringify(body),
+          signal: AbortSignal.timeout(1e4)
+        }
+      );
+      if (!response.ok) {
+        this.onError(
+          new Error(
+            `heartbeat failed: ${response.status} ${response.statusText}`
+          )
+        );
+      }
+    } catch (err) {
+      this.onError(err instanceof Error ? err : new Error(String(err)));
+    }
+  }
+};
+
 // _apps/@onklave/agent-cli/src/tui/render.tsx
 import { render } from "ink";
 
@@ -1764,6 +1863,21 @@ async function runCommand(args) {
     resolvedConfig.platformUrl,
     creds.token
   );
+  const sessionManager = new SessionManager();
+  let heartbeat = null;
+  if (creds.machineId && creds.deviceToken) {
+    heartbeat = new HeartbeatService({
+      platformUrl: resolvedConfig.platformUrl,
+      deviceToken: creds.deviceToken,
+      machineId: creds.machineId,
+      getActiveSessionCount: () => sessionManager.getActiveSessionIds().length
+    });
+    heartbeat.start();
+    const stopHeartbeat = () => heartbeat?.stop();
+    process.once("SIGTERM", stopHeartbeat);
+    process.once("SIGINT", stopHeartbeat);
+    process.once("beforeExit", stopHeartbeat);
+  }
   let sessionId;
   try {
     console.log("Creating agent session on Onklave platform...");
@@ -1788,7 +1902,11 @@ async function runCommand(args) {
   const auditStreamer = new AuditStreamer(commsClient);
   try {
     console.log("Connecting to Onklave comms service...");
-    await commsClient.connect(resolvedConfig.platformUrl, creds.token);
+    await commsClient.connect(resolvedConfig.platformUrl, creds.token, {
+      machineId: creds.machineId,
+      deviceToken: creds.deviceToken,
+      orgId: creds.orgId
+    });
     console.log("Connected.");
   } catch (err) {
     console.warn(
@@ -1817,13 +1935,27 @@ async function runCommand(args) {
       );
     }
   }
-  const _guardrailEnforcer = new GuardrailEnforcer({
+  const guardrailEnforcer = new GuardrailEnforcer({
     rules: resolvedConfig.guardrails,
     allowedTools: resolvedConfig.allowedTools,
     deniedTools: resolvedConfig.deniedTools,
     readablePaths: resolvedConfig.readablePaths,
     writablePaths: resolvedConfig.writablePaths
   });
+  for (const tool of resolvedConfig.allowedTools) {
+    const verdict = guardrailEnforcer.checkToolCall(tool, {});
+    if (!verdict.allowed) {
+      console.warn(
+        `Warning: allowed tool "${tool}" is also denied by guardrails \u2014 Claude will reject this tool.`
+      );
+    }
+  }
+  const addDirs = [
+    .../* @__PURE__ */ new Set([
+      ...resolvedConfig.writablePaths,
+      ...resolvedConfig.readablePaths
+    ])
+  ];
   const sessionConfig = {
     task: resolvedConfig.task,
     context: resolvedConfig.context,
@@ -1834,12 +1966,25 @@ async function runCommand(args) {
     guardrails: resolvedConfig.guardrails,
     allowedTools: resolvedConfig.allowedTools,
     deniedTools: resolvedConfig.deniedTools,
+    addDirs,
     apiKey: resolvedConfig.apiKey,
     headless: resolvedConfig.headless,
     platformUrl: resolvedConfig.platformUrl,
     orgId: resolvedConfig.orgId,
     systemPromptAppend: personaSystemPrompt ?? resolvedConfig.systemPromptAppend
   };
+  auditStreamer.record({
+    sessionId,
+    type: "state_change" /* STATE_CHANGE */,
+    action: "guardrails_applied",
+    details: {
+      ruleCount: resolvedConfig.guardrails.length,
+      allowedTools: resolvedConfig.allowedTools,
+      deniedTools: resolvedConfig.deniedTools,
+      addDirs
+    },
+    outcome: "success"
+  });
   statePublisher.publishSessionStarted(sessionId, sessionConfig);
   auditStreamer.record({
     sessionId,
@@ -1849,7 +1994,6 @@ async function runCommand(args) {
     outcome: "success"
   });
   const useTui = flags["tui"] === true || process.stdout.isTTY === true && !resolvedConfig.headless && flags["tui"] !== false;
-  const sessionManager = new SessionManager();
   if (useTui) {
     const tuiInstance = renderTui({
       sessionId,
@@ -2568,11 +2712,14 @@ async function configCommand(args) {
 import * as os3 from "os";
 async function registerCommand(args) {
   const { flags } = parseArgs(args);
+  const refresh = flags["refresh"] === true;
   const linkingToken = flags["token"];
-  if (typeof linkingToken !== "string" || !linkingToken) {
-    console.error("Error: --token is required.\n");
-    console.log("Usage: onklave register --token <linking-token>\n");
-    console.log("To obtain a linking token:");
+  if (!refresh && (typeof linkingToken !== "string" || !linkingToken)) {
+    console.error("Error: --token is required (or pass --refresh).\n");
+    console.log("Usage:");
+    console.log("  onklave register --token <linking-token>");
+    console.log("  onklave register --refresh        # re-detect capabilities");
+    console.log("\nTo obtain a linking token:");
     console.log("  1. Log in to the Onklave Portal");
     console.log("  2. Navigate to Settings > Machines");
     console.log('  3. Click "Register Machine" to generate a linking token');
@@ -2586,6 +2733,28 @@ async function registerCommand(args) {
     process.exitCode = 1;
     return;
   }
+  const platformClient = new PlatformClient(creds.platformUrl, creds.token);
+  if (refresh) {
+    if (!creds.machineId) {
+      console.error(
+        "Error: --refresh requires a previously-registered machine. Run `onklave register --token <linking-token>` first."
+      );
+      process.exitCode = 1;
+      return;
+    }
+    const capabilities = detectCapabilities();
+    console.log("Re-detecting capabilities for this machine...");
+    console.log(`  Capabilities: ${capabilities.join(", ") || "(none)"}`);
+    try {
+      await platformClient.updateMachine(creds.machineId, { capabilities });
+      console.log(`
+Machine ${creds.machineId} updated successfully.`);
+    } catch (err) {
+      console.error(`Refresh failed: ${err.message}`);
+      process.exitCode = 1;
+    }
+    return;
+  }
   const metadata = {
     hostname: os3.hostname(),
     os: `${os3.platform()} ${os3.release()}`,
@@ -2593,14 +2762,19 @@ async function registerCommand(args) {
     nodeVersion: process.version,
     capabilities: detectCapabilities()
   };
-  const platformClient = new PlatformClient(creds.platformUrl, creds.token);
   try {
     console.log("Registering machine with Onklave platform...");
     console.log(`  Hostname: ${metadata.hostname}`);
     console.log(`  OS: ${metadata.os}`);
     console.log(`  Arch: ${metadata.arch}`);
     console.log(`  Node: ${metadata.nodeVersion}`);
-    const result = await platformClient.registerMachine(linkingToken, metadata);
+    console.log(
+      `  Capabilities: ${metadata.capabilities?.join(", ") || "(none)"}`
+    );
+    const result = await platformClient.registerMachine(
+      linkingToken,
+      metadata
+    );
     await authService.saveDeviceToken(result.deviceToken, result.machineId);
     console.log(`
 Machine registered successfully.`);
@@ -2610,6 +2784,9 @@ Machine registered successfully.`);
       `
 This machine can now receive remote agent session requests.`
     );
+    console.log(
+      `Tip: after installing new tools (e.g. Docker), run \`onklave register --refresh\` to update capabilities.`
+    );
   } catch (err) {
     console.error(`Registration failed: ${err.message}`);
     process.exitCode = 1;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@onklave/agent-cli",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "Onklave Agent CLI — local agent runner with cloud orchestration",
   "bin": {
     "onklave": "./main.js"