@openape/nest 2.3.1 → 2.3.3

package/dist/index.mjs

@@ -59,6 +59,24 @@ function ecosystemPath(agentName) {
 }
 function ecosystemContents(apesBin, agentName) {
   void apesBin;
+  const envForwards = [
+    "APE_CHAT_BRIDGE_MODEL",
+    "LITELLM_BASE_URL",
+    "LITELLM_API_KEY",
+    "APE_CHAT_BRIDGE_TOOLS",
+    "APE_CHAT_BRIDGE_MAX_STEPS",
+    "APE_CHAT_BRIDGE_SYSTEM_PROMPT",
+    // Chat backend selection (chat.openape.ai vs troop.openape.ai) —
+    // honoured by the bridge at startup. See ape-agent/src/bridge.ts.
+    "OPENAPE_BRIDGE_TARGET",
+    "APE_CHAT_ENDPOINT"
+  ];
+  const envLines = envForwards.filter((k) => process2.env[k] !== void 0).map((k) => `      ${k}: ${JSON.stringify(process2.env[k])},`).join("\n");
+  const envBlock = envLines ? `
+    env: {
+${envLines}
+    },
+` : "";
   return `// Auto-generated by Pm2Supervisor for agent '${agentName}'.
 // Edit at runtime via:
 //   apes run --as ${agentName} -- pm2 reload ${pm2AppName(agentName)}
@@ -70,7 +88,7 @@ module.exports = {
     max_restarts: 10,
     min_uptime: '30s',
     restart_delay: 2000,
-    merge_logs: true,
+    merge_logs: true,${envBlock}
   }],
 }
 `;
@@ -85,8 +103,12 @@ function startScriptContents(agentName) {
 # Auto-generated by Pm2Supervisor for agent '${agentName}'.
 set -e
 ME="$(whoami)"
-export HOME="$(dscl . -read "/Users/$ME" NFSHomeDirectory 2>/dev/null | awk '{print $2}')"
-test -n "$HOME" || { echo "no NFSHomeDirectory for $ME (agent ${agentName})" >&2; exit 1; }
+if command -v getent >/dev/null 2>&1; then
+  export HOME="$(getent passwd "$ME" | cut -d: -f6)"
+else
+  export HOME="$(dscl . -read "/Users/$ME" NFSHomeDirectory 2>/dev/null | awk '{print $2}')"
+fi
+test -n "$HOME" || { echo "no home dir for $ME (agent ${agentName})" >&2; exit 1; }
 export PM2_HOME="$HOME/.pm2"
 mkdir -p "$(dirname "${log2}")"
 exec pm2 startOrReload ${ecosystem} >> ${log2} 2>&1 < /dev/null
@@ -171,12 +193,15 @@ var Pm2Supervisor = class {
    *  always-writable location.
    */
   async runAsAgent(agentName, args) {
+    const bin = process2.env.OPENAPE_BYPASS_APE_SHELL === "1" ? "sudo" : this.deps.apesBin;
+    const argv = process2.env.OPENAPE_BYPASS_APE_SHELL === "1" ? ["-n", "-H", "-u", agentName, "--", ...args] : ["run", "--as", agentName, "--wait", "--", ...args];
     try {
-      return await execFileAsync(
-        this.deps.apesBin,
-        ["run", "--as", agentName, "--wait", "--", ...args],
-        { maxBuffer: 1024 * 1024, env: process2.env, timeout: 6e4, cwd: "/tmp" }
-      );
+      return await execFileAsync(bin, argv, {
+        maxBuffer: 1024 * 1024,
+        env: process2.env,
+        timeout: 6e4,
+        cwd: "/tmp"
+      });
     } catch (err) {
       const e = err;
       const detail = (e.stderr ?? "").trim().split("\n").slice(-3).join(" / ");
@@ -225,11 +250,10 @@ var TroopSync = class {
   }
   async syncOne(name) {
     try {
-      await execFileAsync2(
-        this.deps.apesBin,
-        ["run", "--as", name, "--wait", "--", "apes", "agents", "sync"],
-        { maxBuffer: 1024 * 1024, env: process3.env, timeout: 6e4 }
-      );
+      const bypassApeShell = process3.env.OPENAPE_BYPASS_APE_SHELL === "1";
+      const cmd = bypassApeShell ? "/usr/bin/sudo" : this.deps.apesBin;
+      const argv = bypassApeShell ? ["-n", "-H", "-u", name, this.deps.apesBin, "agents", "sync"] : ["run", "--as", name, "--wait", "--", "apes", "agents", "sync"];
+      await execFileAsync2(cmd, argv, { maxBuffer: 1024 * 1024, env: process3.env, timeout: 6e4 });
     } catch (err) {
       this.deps.log(`troop-sync: ${name} failed: ${err instanceof Error ? err.message.split("\n")[0] : String(err)}`);
     }
@@ -237,309 +261,46 @@ var TroopSync = class {
 };
 
 // src/lib/troop-ws.ts
-import { execFile as execFile3, execFileSync, spawn } from "child_process";
-import { createHash } from "crypto";
+import { execFile as execFile3, spawn } from "child_process";
 import { readFileSync as readFileSync3 } from "fs";
-import { hostname, networkInterfaces } from "os";
+import { hostname } from "os";
+import WebSocket from "ws";
 
-// ../../packages/cli-auth/dist/index.js
-import { ofetch } from "ofetch";
-import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync2, readdirSync, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
+// src/lib/nest-device.ts
+import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
 import { homedir as homedir2 } from "os";
 import { join as join3 } from "path";
-import { ofetch as ofetch3 } from "ofetch";
-import { Buffer as Buffer2 } from "buffer";
-import { sign } from "crypto";
-import { existsSync as existsSync22, readFileSync as readFileSync22 } from "fs";
-import { homedir as homedir22 } from "os";
-import { join as join22 } from "path";
-import { ofetch as ofetch2 } from "ofetch";
-import { Buffer as Buffer3 } from "buffer";
-import { createPrivateKey } from "crypto";
-import { ofetch as ofetch4 } from "ofetch";
-function getConfigDir() {
-  const override = process.env.OPENAPE_CLI_AUTH_HOME;
-  if (override) return override;
-  return join3(homedir2(), ".config", "apes");
-}
-function getAuthFile() {
-  return join3(getConfigDir(), "auth.json");
-}
-function ensureConfigDir() {
-  const dir = getConfigDir();
-  if (!existsSync3(dir)) {
-    mkdirSync3(dir, { recursive: true, mode: 448 });
-  }
-}
-function loadIdpAuth() {
-  const file = getAuthFile();
-  if (!existsSync3(file)) return null;
-  try {
-    const raw = readFileSync2(file, "utf-8");
-    if (!raw.trim()) return null;
-    return JSON.parse(raw);
-  } catch {
-    return null;
-  }
-}
-function saveIdpAuth(auth) {
-  ensureConfigDir();
-  const file = getAuthFile();
-  let extra = {};
-  if (existsSync3(file)) {
-    try {
-      const raw = readFileSync2(file, "utf-8");
-      if (raw.trim()) {
-        const prev = JSON.parse(raw);
-        for (const key of Object.keys(prev)) {
-          if (!(key in auth)) {
-            extra[key] = prev[key];
-          }
-        }
-      }
-    } catch {
-      extra = {};
-    }
-  }
-  const merged = { ...extra, ...auth };
-  writeFileSync3(file, JSON.stringify(merged, null, 2), { mode: 384 });
-}
-var AuthError = class extends Error {
-  status;
-  hint;
-  constructor(status, message, hint) {
-    super(hint ? `${message}
-${hint}` : message);
-    this.name = "AuthError";
-    this.status = status;
-    this.hint = hint;
-  }
-};
-var NotLoggedInError = class extends AuthError {
-  constructor(hint) {
-    super(
-      401,
-      "Not logged in",
-      hint ?? "Run `apes login <email>` once on this device to authenticate against the OpenApe IdP."
-    );
-    this.name = "NotLoggedInError";
-  }
-};
-var OPENSSH_MAGIC = "openssh-key-v1\0";
-function loadEd25519PrivateKey(pem) {
-  if (pem.includes("BEGIN OPENSSH PRIVATE KEY")) {
-    return parseOpenSSHEd25519(pem);
-  }
-  return createPrivateKey(pem);
-}
-function parseOpenSSHEd25519(pem) {
-  const b64 = pem.replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, "").replace(/-----END OPENSSH PRIVATE KEY-----/, "").replace(/\s/g, "");
-  const buf = Buffer3.from(b64, "base64");
-  let offset = 0;
-  const magic = buf.subarray(0, OPENSSH_MAGIC.length).toString("ascii");
-  if (magic !== OPENSSH_MAGIC) {
-    throw new Error("Not an OpenSSH private key");
-  }
-  offset += OPENSSH_MAGIC.length;
-  const cipherLen = buf.readUInt32BE(offset);
-  offset += 4;
-  const cipher = buf.subarray(offset, offset + cipherLen).toString();
-  offset += cipherLen;
-  if (cipher !== "none") {
-    throw new Error(`Encrypted keys not supported (cipher: ${cipher}). Decrypt first with: ssh-keygen -p -f <key>`);
-  }
-  const kdfLen = buf.readUInt32BE(offset);
-  offset += 4;
-  offset += kdfLen;
-  const kdfOptsLen = buf.readUInt32BE(offset);
-  offset += 4;
-  offset += kdfOptsLen;
-  const numKeys = buf.readUInt32BE(offset);
-  offset += 4;
-  if (numKeys !== 1) {
-    throw new Error(`Expected 1 key, got ${numKeys}`);
-  }
-  const pubSectionLen = buf.readUInt32BE(offset);
-  offset += 4;
-  offset += pubSectionLen;
-  const privSectionLen = buf.readUInt32BE(offset);
-  offset += 4;
-  const privSection = buf.subarray(offset, offset + privSectionLen);
-  let pOffset = 0;
-  const check1 = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  const check2 = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  if (check1 !== check2) {
-    throw new Error("Check integers mismatch \u2014 key may be corrupted or encrypted");
-  }
-  const keyTypeLen = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  const keyType = privSection.subarray(pOffset, pOffset + keyTypeLen).toString();
-  pOffset += keyTypeLen;
-  if (keyType !== "ssh-ed25519") {
-    throw new Error(`Expected ssh-ed25519, got ${keyType}`);
-  }
-  const pubKeyLen = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  const pubKey = privSection.subarray(pOffset, pOffset + pubKeyLen);
-  pOffset += pubKeyLen;
-  const privKeyLen = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  const privKeyData = privSection.subarray(pOffset, pOffset + privKeyLen);
-  const seed = privKeyData.subarray(0, 32);
-  return createPrivateKey({
-    key: { kty: "OKP", crv: "Ed25519", d: seed.toString("base64url"), x: pubKey.toString("base64url") },
-    format: "jwk"
-  });
-}
-async function getEndpoints(idp) {
-  let disco = {};
-  try {
-    disco = await ofetch2(`${idp}/.well-known/openid-configuration`);
-  } catch {
-  }
-  return {
-    challenge: disco.ddisa_agent_challenge_endpoint ?? `${idp}/api/agent/challenge`,
-    authenticate: disco.ddisa_agent_authenticate_endpoint ?? `${idp}/api/agent/authenticate`
-  };
-}
-function resolveKeyPath(p) {
-  if (p.startsWith("~")) return join22(homedir22(), p.slice(1));
-  return p;
-}
-function findSigningKey(auth) {
-  const candidates = [];
-  if (auth.key_path) candidates.push(resolveKeyPath(auth.key_path));
-  candidates.push(join22(homedir22(), ".ssh", "id_ed25519"));
-  for (const p of candidates) {
-    if (existsSync22(p)) {
-      try {
-        return { keyPath: p, keyContent: readFileSync22(p, "utf-8") };
-      } catch {
-      }
-    }
-  }
-  return null;
-}
-async function refreshAgentToken(auth, now = Math.floor(Date.now() / 1e3)) {
-  const key = findSigningKey(auth);
-  if (!key) return null;
-  let privateKey;
-  try {
-    privateKey = loadEd25519PrivateKey(key.keyContent);
-  } catch {
-    return null;
-  }
-  let endpoints;
-  try {
-    endpoints = await getEndpoints(auth.idp);
-  } catch {
-    return null;
-  }
-  let challenge;
-  try {
-    const resp = await ofetch2(endpoints.challenge, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: { agent_id: auth.email }
-    });
-    challenge = resp.challenge;
-  } catch {
-    return null;
-  }
-  let signature;
-  try {
-    signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
-  } catch {
-    return null;
-  }
-  let authResp;
+import { ofetch } from "ofetch";
+function resolveDevicePath() {
+  return process.env.OPENAPE_NEST_DEVICE_PATH ?? join3(homedir2(), "nest-device.json");
+}
+function readDeviceCreds() {
+  const envHost = process.env.OPENAPE_NEST_HOST_ID?.trim();
+  const envSecret = process.env.OPENAPE_NEST_DEVICE_SECRET?.trim();
+  if (envHost && envSecret) return { hostId: envHost, deviceSecret: envSecret };
+  const path = resolveDevicePath();
+  if (!existsSync3(path)) return null;
   try {
-    authResp = await ofetch2(endpoints.authenticate, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: { agent_id: auth.email, challenge, signature }
-    });
+    const parsed = JSON.parse(readFileSync2(path, "utf8"));
+    const hostId = typeof parsed.host_id === "string" ? parsed.host_id.trim() : "";
+    const deviceSecret = typeof parsed.device_secret === "string" ? parsed.device_secret : "";
+    if (!hostId || !deviceSecret) return null;
+    return { hostId, deviceSecret };
   } catch {
     return null;
   }
-  return {
-    ...auth,
-    access_token: authResp.token,
-    expires_at: now + (authResp.expires_in || 3600),
-    key_path: auth.key_path ?? key.keyPath
-  };
 }
-var EXPIRY_SKEW_SECONDS = 30;
-async function getTokenEndpoint(idp) {
-  try {
-    const disco = await ofetch3(`${idp}/.well-known/openid-configuration`);
-    if (disco.token_endpoint) return disco.token_endpoint;
-  } catch {
-  }
-  return `${idp}/token`;
+function troopHttpUrl(troopWsUrl) {
+  return troopWsUrl.replace(/^wss:\/\//, "https://").replace(/^ws:\/\//, "http://");
 }
-async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
-  const auth = loadIdpAuth();
-  if (!auth) {
-    throw new NotLoggedInError();
-  }
-  if (auth.expires_at > now + EXPIRY_SKEW_SECONDS) {
-    return auth;
-  }
-  if (!auth.refresh_token) {
-    const refreshed = await refreshAgentToken(auth, now);
-    if (refreshed) {
-      saveIdpAuth(refreshed);
-      return refreshed;
-    }
-    throw new NotLoggedInError(
-      `IdP token expired at ${new Date(auth.expires_at * 1e3).toISOString()} and no refresh_token is stored. Run \`apes login\` again.`
-    );
-  }
-  const tokenEndpoint = await getTokenEndpoint(auth.idp);
-  const body = new URLSearchParams({
-    grant_type: "refresh_token",
-    refresh_token: auth.refresh_token
-  });
-  let response;
-  try {
-    response = await ofetch3(tokenEndpoint, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: body.toString()
-    });
-  } catch (err) {
-    const status = err.status ?? err.statusCode ?? 0;
-    if (status === 400 || status === 401) {
-      saveIdpAuth({ ...auth, refresh_token: void 0 });
-      throw new NotLoggedInError(
-        `Refresh token rejected by ${auth.idp}. Run \`apes login\` again.`
-      );
-    }
-    throw new AuthError(
-      0,
-      `Network error refreshing IdP token at ${tokenEndpoint}`,
-      `Underlying: ${err.message ?? err}`
-    );
-  }
-  if (!response.access_token) {
-    throw new AuthError(0, `IdP refresh response missing access_token (endpoint: ${tokenEndpoint})`);
-  }
-  const next = {
-    ...auth,
-    access_token: response.access_token,
-    refresh_token: response.refresh_token ?? auth.refresh_token,
-    expires_at: now + (response.expires_in ?? 3600)
-  };
-  saveIdpAuth(next);
-  return next;
+async function mintNestToken(troopWsUrl, creds) {
+  const res = await ofetch(
+    `${troopHttpUrl(troopWsUrl)}/api/nests/token`,
+    { method: "POST", body: { host_id: creds.hostId, device_secret: creds.deviceSecret } }
+  );
+  return { token: res.access_token, expiresAt: res.expires_at };
 }
 
-// src/lib/troop-ws.ts
-import WebSocket from "ws";
-
 // src/lib/secret-relay.ts
 var SECRETS_REL_DIR = ".config/openape/secrets.d";
 var ENV_RE = /^[A-Z][A-Z0-9_]*$/;
@@ -570,7 +331,6 @@ var TroopWs = class {
   constructor(opts) {
     this.opts = opts;
     this.troopUrl = (opts.troopUrl ?? process.env.OPENAPE_TROOP_WS_URL ?? "wss://troop.openape.ai").replace(/\/$/, "");
-    this.hostId = readHostId();
     this.hostname = hostname();
   }
   opts;
@@ -580,8 +340,14 @@ var TroopWs = class {
   reconnectAttempts = 0;
   stopped = false;
   troopUrl;
-  hostId;
+  // Set from the device creds on each connect (troop is authoritative for
+  // host_id now; the daemon no longer self-fingerprints).
+  hostId = "";
   hostname;
+  // Short-lived device token, held in memory only and re-minted before
+  // expiry. Never persisted — only the long-lived device_secret is on disk.
+  cachedToken = null;
+  cachedTokenExp = 0;
   start() {
     this.stopped = false;
     void this.connect();
@@ -600,18 +366,30 @@ var TroopWs = class {
       this.socket = null;
     }
   }
+  // Mint (or reuse) a short-lived device token. Cached in memory and
+  // re-minted ~1 min before expiry; never written to disk.
+  async mintToken(creds) {
+    const nowSec = Math.floor(Date.now() / 1e3);
+    if (this.cachedToken && this.cachedTokenExp - nowSec > 60) return this.cachedToken;
+    const { token, expiresAt } = await mintNestToken(this.troopUrl, creds);
+    this.cachedToken = token;
+    this.cachedTokenExp = expiresAt;
+    return token;
+  }
   async connect() {
     if (this.stopped) return;
+    const creds = readDeviceCreds();
+    if (!creds) {
+      this.opts.log("troop-ws: no device creds (set OPENAPE_NEST_HOST_ID + OPENAPE_NEST_DEVICE_SECRET, or ~/nest-device.json) \u2014 not connecting, will retry");
+      this.scheduleReconnect();
+      return;
+    }
+    this.hostId = creds.hostId;
     let token;
     try {
-      const auth = await ensureFreshIdpAuth();
-      token = auth.access_token;
+      token = await this.mintToken(creds);
     } catch (err) {
-      if (err instanceof NotLoggedInError) {
-        this.opts.log("troop-ws: not logged in (apes login) \u2014 skip connect, will retry");
-      } else {
-        this.opts.log(`troop-ws: auth refresh failed: ${err instanceof Error ? err.message : String(err)}`);
-      }
+      this.opts.log(`troop-ws: token mint failed (nest revoked or bad secret?): ${err instanceof Error ? err.message : String(err)}`);
       this.scheduleReconnect();
       return;
     }
@@ -825,30 +603,6 @@ function runWithInput(bin, args, input) {
     child.stdin?.end(input);
   });
 }
-function readHostId() {
-  try {
-    if (process.platform === "darwin") {
-      const out = execFileSync("/usr/sbin/ioreg", ["-d2", "-c", "IOPlatformExpertDevice"], { encoding: "utf8" });
-      const match = out.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
-      if (match) return match[1];
-    }
-  } catch {
-  }
-  return hashBasedHostId();
-}
-function hashBasedHostId() {
-  const nics = networkInterfaces();
-  const macs = [];
-  for (const list of Object.values(nics)) {
-    if (!list) continue;
-    for (const nic of list) {
-      if (!nic.mac || nic.mac === "00:00:00:00:00:00" || nic.internal) continue;
-      macs.push(nic.mac);
-    }
-  }
-  const seed = `${hostname()}|${macs.toSorted().join(",")}`;
-  return createHash("sha256").update(seed).digest("hex").slice(0, 32);
-}
 function readNestVersion() {
   try {
     const root = new URL("../../package.json", import.meta.url);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openape/nest",
-  "version": "2.3.1",
+  "version": "2.3.3",
   "description": "OpenApe Nest — local control-plane daemon that supervises agent processes on this computer. Talks to troop SP for ownership state, spawns/destroys agents via DDISA always-grants, supervises chat-bridge children (replacing per-agent launchd plists).",
   "type": "module",
   "license": "MIT",
@@ -18,7 +18,7 @@
   "dependencies": {
     "ofetch": "^1.4.1",
     "ws": "^8.18.0",
-    "@openape/cli-auth": "0.4.1",
+    "@openape/cli-auth": "0.5.0",
     "@openape/core": "0.17.0"
   },
   "devDependencies": {