npm - @openape/nest - Versions diffs - 2.2.0 → 2.3.0 - Mend

@openape/nest 2.2.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.mjs +89 -9
package/package.json +2 -2

package/dist/index.mjs CHANGED Viewed

@@ -84,8 +84,9 @@ function startScriptContents(agentName) {
   return `#!/bin/bash
 # Auto-generated by Pm2Supervisor for agent '${agentName}'.
 set -e
-export HOME="$(dscl . -read /Users/${agentName} NFSHomeDirectory 2>/dev/null | awk '{print $2}')"
-test -n "$HOME" || { echo "no NFSHomeDirectory for ${agentName}" >&2; exit 1; }
+ME="$(whoami)"
+export HOME="$(dscl . -read "/Users/$ME" NFSHomeDirectory 2>/dev/null | awk '{print $2}')"
+test -n "$HOME" || { echo "no NFSHomeDirectory for $ME (agent ${agentName})" >&2; exit 1; }
 export PM2_HOME="$HOME/.pm2"
 mkdir -p "$(dirname "${log2}")"
 exec pm2 startOrReload ${ecosystem} >> ${log2} 2>&1 < /dev/null
@@ -95,6 +96,7 @@ var Pm2Supervisor = class {
   constructor(deps) {
     this.deps = deps;
   }
+  deps;
   inflight = /* @__PURE__ */ new Set();
   /** Bring per-agent pm2 state in line with the registry. Idempotent. */
   async reconcile(desired) {
@@ -194,6 +196,7 @@ var TroopSync = class {
   constructor(deps) {
     this.deps = deps;
   }
+  deps;
   timer;
   inflight = false;
   start() {
@@ -234,7 +237,7 @@ var TroopSync = class {
 };
 // src/lib/troop-ws.ts
-import { execFile as execFile3, execFileSync } from "child_process";
+import { execFile as execFile3, execFileSync, spawn } from "child_process";
 import { createHash } from "crypto";
 import { readFileSync as readFileSync3 } from "fs";
 import { hostname, networkInterfaces } from "os";
@@ -536,6 +539,30 @@ async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
 // src/lib/troop-ws.ts
 import WebSocket from "ws";
+// src/lib/secret-relay.ts
+var SECRETS_REL_DIR = ".config/openape/secrets.d";
+var ENV_RE = /^[A-Z][A-Z0-9_]*$/;
+function agentNameFromEmail(email) {
+  const local = email.split("+")[0];
+  if (!local) return null;
+  const dash = local.lastIndexOf("-");
+  return dash > 0 ? local.slice(0, dash) : local;
+}
+function planSecretWrite(env) {
+  if (!ENV_RE.test(env)) return { ok: false, reason: `invalid env name: ${env}` };
+  const path = `"$HOME/${SECRETS_REL_DIR}/${env}.blob"`;
+  return {
+    ok: true,
+    script: `mkdir -p "$HOME/${SECRETS_REL_DIR}" && chmod 700 "$HOME/${SECRETS_REL_DIR}" && umask 077 && cat > ${path}`
+  };
+}
+function planSecretRevoke(env) {
+  if (!ENV_RE.test(env)) return { ok: false, reason: `invalid env name: ${env}` };
+  return { ok: true, script: `rm -f "$HOME/${SECRETS_REL_DIR}/${env}.blob"` };
+}
+// src/lib/troop-ws.ts
 var HEARTBEAT_INTERVAL_MS = 3e4;
 var RECONNECT_BASE_MS = 1e3;
 var RECONNECT_MAX_MS = 3e4;
@@ -546,6 +573,7 @@ var TroopWs = class {
     this.hostId = readHostId();
     this.hostname = hostname();
   }
+  opts;
   socket = null;
   heartbeatTimer = null;
   reconnectTimer = null;
@@ -664,16 +692,48 @@ var TroopWs = class {
     }
     if (frame.type === "reload-bridge") {
       await this.handleReloadBridge(frame);
+      return;
+    }
+    if (frame.type === "secret-update") {
+      await this.handleSecretUpdate(frame);
+      return;
+    }
+    if (frame.type === "secret-revoke") {
+      await this.handleSecretRevoke(frame);
     }
   }
   async handleConfigUpdate(frame) {
-    const local = frame.agent_email.split("+")[0];
-    if (!local) return;
-    const dash = local.lastIndexOf("-");
-    const name = dash > 0 ? local.slice(0, dash) : local;
+    const name = agentNameFromEmail(frame.agent_email);
+    if (!name) return;
     this.opts.log(`troop-ws: config-update for ${name} \u2014 running sync`);
     await this.runApes(["run", "--as", name, "--wait", "--", "apes", "agents", "sync"], `config-update sync ${name}`);
   }
+  async handleSecretUpdate(frame) {
+    const name = agentNameFromEmail(frame.agent_email);
+    if (!name) return;
+    const plan = planSecretWrite(frame.env);
+    if (!plan.ok) {
+      this.opts.log(`troop-ws: secret-update ${frame.agent_email}/${frame.env} rejected: ${plan.reason}`);
+      return;
+    }
+    this.opts.log(`troop-ws: secret-update ${name}/${frame.env}`);
+    try {
+      await runWithInput(this.opts.apesBin, ["run", "--as", name, "--wait", "--", "sh", "-c", plan.script], frame.blob);
+    } catch (err) {
+      this.opts.log(`troop-ws: secret-update ${name}/${frame.env} failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  async handleSecretRevoke(frame) {
+    const name = agentNameFromEmail(frame.agent_email);
+    if (!name) return;
+    const plan = planSecretRevoke(frame.env);
+    if (!plan.ok) {
+      this.opts.log(`troop-ws: secret-revoke ${frame.agent_email}/${frame.env} rejected: ${plan.reason}`);
+      return;
+    }
+    this.opts.log(`troop-ws: secret-revoke ${name}/${frame.env}`);
+    await this.runApes(["run", "--as", name, "--wait", "--", "sh", "-c", plan.script], `secret-revoke ${name}/${frame.env}`);
+  }
   async handleSpawnIntent(frame) {
     this.opts.log(`troop-ws: spawn-intent ${frame.name} (intent ${frame.intent_id})`);
     const args = ["agents", "spawn", frame.name];
@@ -737,14 +797,34 @@ function runWithCapture(bin, args) {
           resolve({ stdout: stdout.toString(), stderr: stderr.toString() });
           return;
         }
-        const msg = stderr.toString() || err.message;
-        reject(new Error(msg.split("\n").filter(Boolean).slice(-3).join(" / ")));
+        const raw = stderr.toString().trim() || stdout.toString().trim() || err.message;
+        const meaningful = raw.split("\n").map((l) => l.replace(/\s+$/, "")).filter((l) => l.trim() && !/^\s*at\s/.test(l));
+        const picked = meaningful.length > 0 ? meaningful : raw.split("\n").filter(Boolean);
+        const msg = picked.slice(-15).join("\n").slice(-2500);
+        reject(new Error(msg || err.message));
         return;
       }
       resolve({ stdout: stdout.toString(), stderr: stderr.toString() });
     });
   });
 }
+function runWithInput(bin, args, input) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(bin, args, { stdio: ["pipe", "ignore", "pipe"], timeout: 3e4 });
+    let stderr = "";
+    child.stderr?.on("data", (d) => {
+      stderr += d.toString();
+    });
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (code === 0) resolve();
+      else reject(new Error(stderr.split("\n").filter(Boolean).slice(-3).join(" / ") || `exit ${code}`));
+    });
+    child.stdin?.on("error", () => {
+    });
+    child.stdin?.end(input);
+  });
+}
 function readHostId() {
   try {
     if (process.platform === "darwin") {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openape/nest",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "OpenApe Nest — local control-plane daemon that supervises agent processes on this computer. Talks to troop SP for ownership state, spawns/destroys agents via DDISA always-grants, supervises chat-bridge children (replacing per-agent launchd plists).",
   "type": "module",
   "license": "MIT",
@@ -19,7 +19,7 @@
     "ofetch": "^1.4.1",
     "ws": "^8.18.0",
     "@openape/cli-auth": "0.4.0",
-    "@openape/core": "0.16.0"
+    "@openape/core": "0.17.0"
   },
   "devDependencies": {
     "@antfu/eslint-config": "^7.6.1",