@openape/nest 2.0.2 → 2.1.0

package/dist/index.mjs

@@ -2,7 +2,7 @@
 
 // src/index.ts
 import { watch } from "fs";
-import process3 from "process";
+import process4 from "process";
 
 // src/lib/registry.ts
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
@@ -31,7 +31,7 @@ function listAgents() {
 import { execFile } from "child_process";
 import { mkdirSync as mkdirSync2, writeFileSync as writeFileSync2 } from "fs";
 import { join as join2 } from "path";
-import process from "process";
+import process2 from "process";
 import { promisify } from "util";
 var execFileAsync = promisify(execFile);
 var AGENTS_DIR = "/var/openape/agents";
@@ -49,7 +49,7 @@ function ecosystemContents(apesBin, agentName) {
 module.exports = {
   apps: [{
     name: '${pm2AppName(agentName)}',
-    script: 'openape-chat-bridge',
+    script: 'ape-agent',
     autorestart: true,
     max_restarts: 10,
     min_uptime: '30s',
@@ -154,7 +154,7 @@ var Pm2Supervisor = class {
       return await execFileAsync(
         this.deps.apesBin,
         ["run", "--as", agentName, "--wait", "--", ...args],
-        { maxBuffer: 1024 * 1024, env: process.env, timeout: 6e4, cwd: "/tmp" }
+        { maxBuffer: 1024 * 1024, env: process2.env, timeout: 6e4, cwd: "/tmp" }
       );
     } catch (err) {
       const e = err;
@@ -167,7 +167,7 @@ var Pm2Supervisor = class {
 
 // src/lib/troop-sync.ts
 import { execFile as execFile2 } from "child_process";
-import process2 from "process";
+import process3 from "process";
 import { promisify as promisify2 } from "util";
 var execFileAsync2 = promisify2(execFile2);
 var TICK_MS = 5 * 60 * 1e3;
@@ -206,7 +206,7 @@ var TroopSync = class {
       await execFileAsync2(
         this.deps.apesBin,
         ["run", "--as", name, "--wait", "--", "apes", "agents", "sync"],
-        { maxBuffer: 1024 * 1024, env: process2.env, timeout: 6e4 }
+        { maxBuffer: 1024 * 1024, env: process3.env, timeout: 6e4 }
       );
     } catch (err) {
       this.deps.log(`troop-sync: ${name} failed: ${err instanceof Error ? err.message.split("\n")[0] : String(err)}`);
@@ -214,15 +214,539 @@ var TroopSync = class {
   }
 };
 
+// src/lib/troop-ws.ts
+import { execFile as execFile3, execFileSync } from "child_process";
+import { createHash } from "crypto";
+import { readFileSync as readFileSync3 } from "fs";
+import { hostname, networkInterfaces } from "os";
+
+// ../../packages/cli-auth/dist/index.js
+import { ofetch } from "ofetch";
+import { existsSync as existsSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync2, readdirSync, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir2 } from "os";
+import { join as join3 } from "path";
+import { ofetch as ofetch3 } from "ofetch";
+import { Buffer as Buffer2 } from "buffer";
+import { sign } from "crypto";
+import { existsSync as existsSync22, readFileSync as readFileSync22 } from "fs";
+import { homedir as homedir22 } from "os";
+import { join as join22 } from "path";
+import { ofetch as ofetch2 } from "ofetch";
+import { Buffer as Buffer3 } from "buffer";
+import { createPrivateKey } from "crypto";
+import { ofetch as ofetch4 } from "ofetch";
+function getConfigDir() {
+  const override = process.env.OPENAPE_CLI_AUTH_HOME;
+  if (override) return override;
+  return join3(homedir2(), ".config", "apes");
+}
+function getAuthFile() {
+  return join3(getConfigDir(), "auth.json");
+}
+function ensureConfigDir() {
+  const dir = getConfigDir();
+  if (!existsSync2(dir)) {
+    mkdirSync3(dir, { recursive: true, mode: 448 });
+  }
+}
+function loadIdpAuth() {
+  const file = getAuthFile();
+  if (!existsSync2(file)) return null;
+  try {
+    const raw = readFileSync2(file, "utf-8");
+    if (!raw.trim()) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function saveIdpAuth(auth) {
+  ensureConfigDir();
+  const file = getAuthFile();
+  let extra = {};
+  if (existsSync2(file)) {
+    try {
+      const raw = readFileSync2(file, "utf-8");
+      if (raw.trim()) {
+        const prev = JSON.parse(raw);
+        for (const key of Object.keys(prev)) {
+          if (!(key in auth)) {
+            extra[key] = prev[key];
+          }
+        }
+      }
+    } catch {
+      extra = {};
+    }
+  }
+  const merged = { ...extra, ...auth };
+  writeFileSync3(file, JSON.stringify(merged, null, 2), { mode: 384 });
+}
+var AuthError = class extends Error {
+  status;
+  hint;
+  constructor(status, message, hint) {
+    super(hint ? `${message}
+${hint}` : message);
+    this.name = "AuthError";
+    this.status = status;
+    this.hint = hint;
+  }
+};
+var NotLoggedInError = class extends AuthError {
+  constructor(hint) {
+    super(
+      401,
+      "Not logged in",
+      hint ?? "Run `apes login <email>` once on this device to authenticate against the OpenApe IdP."
+    );
+    this.name = "NotLoggedInError";
+  }
+};
+var OPENSSH_MAGIC = "openssh-key-v1\0";
+function loadEd25519PrivateKey(pem) {
+  if (pem.includes("BEGIN OPENSSH PRIVATE KEY")) {
+    return parseOpenSSHEd25519(pem);
+  }
+  return createPrivateKey(pem);
+}
+function parseOpenSSHEd25519(pem) {
+  const b64 = pem.replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, "").replace(/-----END OPENSSH PRIVATE KEY-----/, "").replace(/\s/g, "");
+  const buf = Buffer3.from(b64, "base64");
+  let offset = 0;
+  const magic = buf.subarray(0, OPENSSH_MAGIC.length).toString("ascii");
+  if (magic !== OPENSSH_MAGIC) {
+    throw new Error("Not an OpenSSH private key");
+  }
+  offset += OPENSSH_MAGIC.length;
+  const cipherLen = buf.readUInt32BE(offset);
+  offset += 4;
+  const cipher = buf.subarray(offset, offset + cipherLen).toString();
+  offset += cipherLen;
+  if (cipher !== "none") {
+    throw new Error(`Encrypted keys not supported (cipher: ${cipher}). Decrypt first with: ssh-keygen -p -f <key>`);
+  }
+  const kdfLen = buf.readUInt32BE(offset);
+  offset += 4;
+  offset += kdfLen;
+  const kdfOptsLen = buf.readUInt32BE(offset);
+  offset += 4;
+  offset += kdfOptsLen;
+  const numKeys = buf.readUInt32BE(offset);
+  offset += 4;
+  if (numKeys !== 1) {
+    throw new Error(`Expected 1 key, got ${numKeys}`);
+  }
+  const pubSectionLen = buf.readUInt32BE(offset);
+  offset += 4;
+  offset += pubSectionLen;
+  const privSectionLen = buf.readUInt32BE(offset);
+  offset += 4;
+  const privSection = buf.subarray(offset, offset + privSectionLen);
+  let pOffset = 0;
+  const check1 = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  const check2 = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  if (check1 !== check2) {
+    throw new Error("Check integers mismatch \u2014 key may be corrupted or encrypted");
+  }
+  const keyTypeLen = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  const keyType = privSection.subarray(pOffset, pOffset + keyTypeLen).toString();
+  pOffset += keyTypeLen;
+  if (keyType !== "ssh-ed25519") {
+    throw new Error(`Expected ssh-ed25519, got ${keyType}`);
+  }
+  const pubKeyLen = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  const pubKey = privSection.subarray(pOffset, pOffset + pubKeyLen);
+  pOffset += pubKeyLen;
+  const privKeyLen = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  const privKeyData = privSection.subarray(pOffset, pOffset + privKeyLen);
+  const seed = privKeyData.subarray(0, 32);
+  return createPrivateKey({
+    key: { kty: "OKP", crv: "Ed25519", d: seed.toString("base64url"), x: pubKey.toString("base64url") },
+    format: "jwk"
+  });
+}
+async function getEndpoints(idp) {
+  let disco = {};
+  try {
+    disco = await ofetch2(`${idp}/.well-known/openid-configuration`);
+  } catch {
+  }
+  return {
+    challenge: disco.ddisa_agent_challenge_endpoint ?? `${idp}/api/agent/challenge`,
+    authenticate: disco.ddisa_agent_authenticate_endpoint ?? `${idp}/api/agent/authenticate`
+  };
+}
+function resolveKeyPath(p) {
+  if (p.startsWith("~")) return join22(homedir22(), p.slice(1));
+  return p;
+}
+function findSigningKey(auth) {
+  const candidates = [];
+  if (auth.key_path) candidates.push(resolveKeyPath(auth.key_path));
+  candidates.push(join22(homedir22(), ".ssh", "id_ed25519"));
+  for (const p of candidates) {
+    if (existsSync22(p)) {
+      try {
+        return { keyPath: p, keyContent: readFileSync22(p, "utf-8") };
+      } catch {
+      }
+    }
+  }
+  return null;
+}
+async function refreshAgentToken(auth, now = Math.floor(Date.now() / 1e3)) {
+  const key = findSigningKey(auth);
+  if (!key) return null;
+  let privateKey;
+  try {
+    privateKey = loadEd25519PrivateKey(key.keyContent);
+  } catch {
+    return null;
+  }
+  let endpoints;
+  try {
+    endpoints = await getEndpoints(auth.idp);
+  } catch {
+    return null;
+  }
+  let challenge;
+  try {
+    const resp = await ofetch2(endpoints.challenge, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: { agent_id: auth.email }
+    });
+    challenge = resp.challenge;
+  } catch {
+    return null;
+  }
+  let signature;
+  try {
+    signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
+  } catch {
+    return null;
+  }
+  let authResp;
+  try {
+    authResp = await ofetch2(endpoints.authenticate, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: { agent_id: auth.email, challenge, signature }
+    });
+  } catch {
+    return null;
+  }
+  return {
+    ...auth,
+    access_token: authResp.token,
+    expires_at: now + (authResp.expires_in || 3600),
+    key_path: auth.key_path ?? key.keyPath
+  };
+}
+var EXPIRY_SKEW_SECONDS = 30;
+async function getTokenEndpoint(idp) {
+  try {
+    const disco = await ofetch3(`${idp}/.well-known/openid-configuration`);
+    if (disco.token_endpoint) return disco.token_endpoint;
+  } catch {
+  }
+  return `${idp}/token`;
+}
+async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
+  const auth = loadIdpAuth();
+  if (!auth) {
+    throw new NotLoggedInError();
+  }
+  if (auth.expires_at > now + EXPIRY_SKEW_SECONDS) {
+    return auth;
+  }
+  if (!auth.refresh_token) {
+    const refreshed = await refreshAgentToken(auth, now);
+    if (refreshed) {
+      saveIdpAuth(refreshed);
+      return refreshed;
+    }
+    throw new NotLoggedInError(
+      `IdP token expired at ${new Date(auth.expires_at * 1e3).toISOString()} and no refresh_token is stored. Run \`apes login\` again.`
+    );
+  }
+  const tokenEndpoint = await getTokenEndpoint(auth.idp);
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: auth.refresh_token
+  });
+  let response;
+  try {
+    response = await ofetch3(tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+  } catch (err) {
+    const status = err.status ?? err.statusCode ?? 0;
+    if (status === 400 || status === 401) {
+      saveIdpAuth({ ...auth, refresh_token: void 0 });
+      throw new NotLoggedInError(
+        `Refresh token rejected by ${auth.idp}. Run \`apes login\` again.`
+      );
+    }
+    throw new AuthError(
+      0,
+      `Network error refreshing IdP token at ${tokenEndpoint}`,
+      `Underlying: ${err.message ?? err}`
+    );
+  }
+  if (!response.access_token) {
+    throw new AuthError(0, `IdP refresh response missing access_token (endpoint: ${tokenEndpoint})`);
+  }
+  const next = {
+    ...auth,
+    access_token: response.access_token,
+    refresh_token: response.refresh_token ?? auth.refresh_token,
+    expires_at: now + (response.expires_in ?? 3600)
+  };
+  saveIdpAuth(next);
+  return next;
+}
+
+// src/lib/troop-ws.ts
+import WebSocket from "ws";
+var HEARTBEAT_INTERVAL_MS = 3e4;
+var RECONNECT_BASE_MS = 1e3;
+var RECONNECT_MAX_MS = 3e4;
+var TroopWs = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.troopUrl = (opts.troopUrl ?? process.env.OPENAPE_TROOP_WS_URL ?? "wss://troop.openape.ai").replace(/\/$/, "");
+    this.hostId = readHostId();
+    this.hostname = hostname();
+  }
+  socket = null;
+  heartbeatTimer = null;
+  reconnectTimer = null;
+  reconnectAttempts = 0;
+  stopped = false;
+  troopUrl;
+  hostId;
+  hostname;
+  start() {
+    this.stopped = false;
+    void this.connect();
+  }
+  stop() {
+    this.stopped = true;
+    if (this.reconnectTimer) clearTimeout(this.reconnectTimer);
+    if (this.heartbeatTimer) clearInterval(this.heartbeatTimer);
+    this.reconnectTimer = null;
+    this.heartbeatTimer = null;
+    if (this.socket) {
+      try {
+        this.socket.close();
+      } catch {
+      }
+      this.socket = null;
+    }
+  }
+  async connect() {
+    if (this.stopped) return;
+    let token;
+    try {
+      const auth = await ensureFreshIdpAuth();
+      token = auth.access_token;
+    } catch (err) {
+      if (err instanceof NotLoggedInError) {
+        this.opts.log("troop-ws: not logged in (apes login) \u2014 skip connect, will retry");
+      } else {
+        this.opts.log(`troop-ws: auth refresh failed: ${err instanceof Error ? err.message : String(err)}`);
+      }
+      this.scheduleReconnect();
+      return;
+    }
+    const url = `${this.troopUrl}/api/nest-ws?token=${encodeURIComponent(token)}`;
+    const ws = new WebSocket(url);
+    this.socket = ws;
+    ws.on("open", () => {
+      this.reconnectAttempts = 0;
+      this.opts.log(`troop-ws: connected to ${this.troopUrl}`);
+      ws.send(JSON.stringify({
+        type: "hello",
+        host_id: this.hostId,
+        hostname: this.hostname,
+        version: this.opts.version ?? "unknown"
+      }));
+      this.heartbeatTimer = setInterval(() => {
+        try {
+          ws.send(JSON.stringify({ type: "heartbeat" }));
+        } catch {
+        }
+      }, HEARTBEAT_INTERVAL_MS);
+    });
+    ws.on("message", (data) => {
+      const text = typeof data === "string" ? data : Buffer.isBuffer(data) ? data.toString("utf8") : "";
+      if (!text) return;
+      let frame;
+      try {
+        frame = JSON.parse(text);
+      } catch {
+        return;
+      }
+      this.handleFrame(frame).catch((err) => {
+        this.opts.log(`troop-ws: frame handler error: ${err instanceof Error ? err.message : String(err)}`);
+      });
+    });
+    ws.on("close", (code, reason) => {
+      this.opts.log(`troop-ws: disconnected (${code}${reason.length > 0 ? ` ${reason.toString()}` : ""}) \u2014 reconnecting`);
+      if (this.heartbeatTimer) {
+        clearInterval(this.heartbeatTimer);
+        this.heartbeatTimer = null;
+      }
+      this.socket = null;
+      this.scheduleReconnect();
+    });
+    ws.on("error", (err) => {
+      this.opts.log(`troop-ws: socket error: ${err.message}`);
+    });
+  }
+  scheduleReconnect() {
+    if (this.stopped) return;
+    if (this.reconnectTimer) return;
+    const attempt = Math.min(this.reconnectAttempts, 5);
+    this.reconnectAttempts++;
+    const delay = Math.min(RECONNECT_BASE_MS * 2 ** attempt, RECONNECT_MAX_MS);
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      void this.connect();
+    }, delay);
+  }
+  async handleFrame(frame) {
+    if (frame.type === "welcome") {
+      return;
+    }
+    if (frame.type === "ack") {
+      return;
+    }
+    if (frame.type === "config-update") {
+      await this.handleConfigUpdate(frame);
+      return;
+    }
+    if (frame.type === "spawn-intent") {
+      await this.handleSpawnIntent(frame);
+      return;
+    }
+    if (frame.type === "reload-bridge") {
+      await this.handleReloadBridge(frame);
+    }
+  }
+  async handleConfigUpdate(frame) {
+    const local = frame.agent_email.split("+")[0];
+    if (!local) return;
+    const dash = local.lastIndexOf("-");
+    const name = dash > 0 ? local.slice(0, dash) : local;
+    this.opts.log(`troop-ws: config-update for ${name} \u2014 running sync`);
+    await this.runApes(["run", "--as", name, "--wait", "--", "apes", "agents", "sync"], `config-update sync ${name}`);
+  }
+  async handleSpawnIntent(frame) {
+    this.opts.log(`troop-ws: spawn-intent ${frame.name} (intent ${frame.intent_id})`);
+    const args = ["agents", "spawn", frame.name];
+    if (frame.bridge?.key) args.push("--bridge-key", frame.bridge.key);
+    if (frame.bridge?.base_url) args.push("--bridge-base-url", frame.bridge.base_url);
+    if (frame.bridge?.model) args.push("--bridge-model", frame.bridge.model);
+    try {
+      const { stdout } = await runWithCapture(this.opts.apesBin, args);
+      const match = stdout.match(/Registered as\s+(\S+@\S+)/);
+      const agentEmail = match?.[1];
+      this.send({ type: "spawn-result", intent_id: frame.intent_id, ok: true, agent_email: agentEmail });
+    } catch (err) {
+      const error = err instanceof Error ? err.message : String(err);
+      this.send({ type: "spawn-result", intent_id: frame.intent_id, ok: false, error });
+    }
+  }
+  async handleReloadBridge(frame) {
+    this.opts.log(`troop-ws: reload-bridge ${frame.name}`);
+    await this.runApes(
+      ["run", "--as", frame.name, "--wait", "--", "pm2", "reload", `openape-bridge-${frame.name}`, "--update-env"],
+      `reload-bridge ${frame.name}`
+    );
+  }
+  async runApes(args, label) {
+    try {
+      await runWithCapture(this.opts.apesBin, args);
+    } catch (err) {
+      this.opts.log(`troop-ws: ${label} failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  send(frame) {
+    const ws = this.socket;
+    if (!ws || ws.readyState !== WebSocket.OPEN) return;
+    try {
+      ws.send(JSON.stringify(frame));
+    } catch (err) {
+      this.opts.log(`troop-ws: send failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+};
+function runWithCapture(bin, args) {
+  return new Promise((resolve, reject) => {
+    execFile3(bin, args, { maxBuffer: 4 * 1024 * 1024 }, (err, stdout, stderr) => {
+      if (err) {
+        const msg = stderr.toString() || err.message;
+        reject(new Error(msg.split("\n").filter(Boolean).slice(-3).join(" / ")));
+        return;
+      }
+      resolve({ stdout: stdout.toString(), stderr: stderr.toString() });
+    });
+  });
+}
+function readHostId() {
+  try {
+    if (process.platform === "darwin") {
+      const out = execFileSync("/usr/sbin/ioreg", ["-d2", "-c", "IOPlatformExpertDevice"], { encoding: "utf8" });
+      const match = out.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
+      if (match) return match[1];
+    }
+  } catch {
+  }
+  return hashBasedHostId();
+}
+function hashBasedHostId() {
+  const nics = networkInterfaces();
+  const macs = [];
+  for (const list of Object.values(nics)) {
+    if (!list) continue;
+    for (const nic of list) {
+      if (!nic.mac || nic.mac === "00:00:00:00:00:00" || nic.internal) continue;
+      macs.push(nic.mac);
+    }
+  }
+  const seed = `${hostname()}|${macs.toSorted().join(",")}`;
+  return createHash("sha256").update(seed).digest("hex").slice(0, 32);
+}
+function readNestVersion() {
+  try {
+    const root = new URL("../../package.json", import.meta.url);
+    const pkg = JSON.parse(readFileSync3(root, "utf8"));
+    return typeof pkg.version === "string" ? pkg.version : "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+
 // src/index.ts
-var APES_BIN = process3.env.OPENAPE_APES_BIN ?? "apes";
+var APES_BIN = process4.env.OPENAPE_APES_BIN ?? "apes";
 var RECONCILE_DEBOUNCE_MS = 1e3;
 function log(line) {
-  process3.stderr.write(`${(/* @__PURE__ */ new Date()).toISOString()}  ${line}
+  process4.stderr.write(`${(/* @__PURE__ */ new Date()).toISOString()}  ${line}
 `);
 }
 var supervisor = new Pm2Supervisor({ apesBin: APES_BIN, log });
 var troopSync = new TroopSync({ apesBin: APES_BIN, log });
+var troopWs = new TroopWs({ apesBin: APES_BIN, log, version: readNestVersion() });
 async function reconcile() {
   try {
     await supervisor.reconcile(listAgents());
@@ -233,6 +757,7 @@ async function reconcile() {
 }
 void reconcile();
 troopSync.start();
+troopWs.start();
 var reconcileTimer;
 try {
   watch(REGISTRY_PATH, () => {
@@ -248,15 +773,17 @@ try {
     void reconcile();
   }, 5e3).unref();
 }
-process3.on("SIGTERM", () => {
+process4.on("SIGTERM", () => {
   log("nest: SIGTERM \u2014 stopping");
   troopSync.stop();
+  troopWs.stop();
   if (reconcileTimer) clearTimeout(reconcileTimer);
-  process3.exit(0);
+  process4.exit(0);
 });
-process3.on("SIGINT", () => {
+process4.on("SIGINT", () => {
   log("nest: SIGINT \u2014 stopping");
   troopSync.stop();
+  troopWs.stop();
   if (reconcileTimer) clearTimeout(reconcileTimer);
-  process3.exit(0);
+  process4.exit(0);
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openape/nest",
-  "version": "2.0.2",
+  "version": "2.1.0",
   "description": "OpenApe Nest — local control-plane daemon that supervises agent processes on this computer. Talks to troop SP for ownership state, spawns/destroys agents via DDISA always-grants, supervises chat-bridge children (replacing per-agent launchd plists).",
   "type": "module",
   "license": "MIT",
@@ -17,12 +17,14 @@
   },
   "dependencies": {
     "ofetch": "^1.4.1",
+    "ws": "^8.18.0",
     "@openape/cli-auth": "0.4.0",
     "@openape/core": "0.16.0"
   },
   "devDependencies": {
     "@antfu/eslint-config": "^7.6.1",
     "@types/node": "^22.19.13",
+    "@types/ws": "^8.5.13",
     "eslint": "^9.35.0",
     "tsup": "^8.5.1",
     "typescript": "^5.9.3",