@openrig/cli 0.2.0 → 0.3.0

package/daemon/dist/domain/workspace/workspace-resolver.js

@@ -0,0 +1,86 @@
+// PL-007 Workspace Primitive v0 — runtime resolution of typed workspace
+// context for whoami / node-inventory consumers.
+//
+// Given a persisted RigSpec.workspace block + a node's cwd + an optional
+// per-session env override, derive:
+//   - workspaceRoot          — verbatim from the spec
+//   - activeRepo             — env override, else default_repo, else null
+//   - repos                  — typed list (name, path, kind)
+//   - knowledgeRoot, knowledgeKind — verbatim when declared
+//
+// Per-node kind resolution (used by node-inventory) walks the cwd up the
+// directory tree looking for the longest containing repo path; falls back
+// to "knowledge" when cwd is under knowledgeRoot, else null.
+import * as path from "node:path";
+export function resolveWorkspaceContext(opts) {
+    const { spec, envOverride } = opts;
+    if (!spec)
+        return null;
+    // env override wins when it names a declared repo; otherwise fall through
+    // to default_repo. Unknown override is honored verbatim per PL-007 PRD §
+    // Item 3 — operators set OPENRIG_TARGET_REPO consciously.
+    const repoNames = new Set(spec.repos.map((r) => r.name));
+    let activeRepo = null;
+    if (envOverride && envOverride.trim() !== "") {
+        activeRepo = envOverride;
+    }
+    else if (spec.defaultRepo && repoNames.has(spec.defaultRepo)) {
+        activeRepo = spec.defaultRepo;
+    }
+    return {
+        workspaceRoot: spec.workspaceRoot,
+        activeRepo,
+        repos: spec.repos.map((r) => ({ name: r.name, path: r.path, kind: r.kind })),
+        knowledgeRoot: spec.knowledgeRoot ?? null,
+        knowledgeKind: spec.knowledgeRoot ? "knowledge" : null,
+    };
+}
+/** PL-007 — per-node workspace summary derived from a node's cwd against
+ *  the rig's WorkspaceSpec. Used by NodeInventory. Returns null when the
+ *  rig has no workspace declaration. */
+export function resolveNodeWorkspace(opts) {
+    const { spec, cwd } = opts;
+    if (!spec)
+        return null;
+    let activeRepo = null;
+    let kind = null;
+    if (cwd) {
+        // Find the longest-prefix repo whose path contains cwd.
+        let best = null;
+        for (const r of spec.repos) {
+            if (isInside(cwd, r.path) && r.path.length > (best?.len ?? -1)) {
+                best = { name: r.name, kind: r.kind, len: r.path.length };
+            }
+        }
+        if (best) {
+            activeRepo = best.name;
+            kind = best.kind;
+        }
+        else if (spec.knowledgeRoot && isInside(cwd, spec.knowledgeRoot)) {
+            kind = "knowledge";
+        }
+    }
+    // Fall back to the rig's default_repo when cwd doesn't resolve.
+    if (!activeRepo && spec.defaultRepo) {
+        activeRepo = spec.defaultRepo;
+        if (!kind) {
+            const r = spec.repos.find((x) => x.name === spec.defaultRepo);
+            if (r)
+                kind = r.kind;
+        }
+    }
+    return {
+        workspaceRoot: spec.workspaceRoot,
+        activeRepo,
+        kind,
+    };
+}
+function isInside(child, parent) {
+    const normChild = path.resolve(child);
+    const normParent = path.resolve(parent);
+    if (normChild === normParent)
+        return true;
+    const rel = path.relative(normParent, normChild);
+    return rel !== "" && !rel.startsWith("..") && !path.isAbsolute(rel);
+}
+//# sourceMappingURL=workspace-resolver.js.map

package/daemon/dist/domain/workspace/workspace-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-resolver.js","sourceRoot":"","sources":["../../../src/domain/workspace/workspace-resolver.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,iDAAiD;AACjD,EAAE;AACF,yEAAyE;AACzE,oCAAoC;AACpC,sDAAsD;AACtD,0EAA0E;AAC1E,6DAA6D;AAC7D,4DAA4D;AAC5D,EAAE;AACF,yEAAyE;AACzE,0EAA0E;AAC1E,6DAA6D;AAE7D,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAWlC,MAAM,UAAU,uBAAuB,CAAC,IAIvC;IACC,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,0EAA0E;IAC1E,yEAAyE;IACzE,0DAA0D;IAC1D,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACzD,IAAI,UAAU,GAAkB,IAAI,CAAC;IACrC,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC7C,UAAU,GAAG,WAAW,CAAC;IAC3B,CAAC;SAAM,IAAI,IAAI,CAAC,WAAW,IAAI,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/D,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;IAChC,CAAC;IAED,OAAO;QACL,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU;QACV,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5E,aAAa,EAAE,IAAI,CAAC,aAAa,IAAI,IAAI;QACzC,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI;KACvD,CAAC;AACJ,CAAC;AAED;;wCAEwC;AACxC,MAAM,UAAU,oBAAoB,CAAC,IAGpC;IACC,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAC3B,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,UAAU,GAAkB,IAAI,CAAC;IACrC,IAAI,IAAI,GAAyB,IAAI,CAAC;IACtC,IAAI,GAAG,EAAE,CAAC;QACR,wDAAwD;QACxD,IAAI,IAAI,GAA8D,IAAI,CAAC;QAC3E,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC3B,IAAI,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC/D,IAAI,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC5D,CAAC;QACH,CAAC;QACD,IAAI,IAAI,EAAE,CAAC;YACT,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACnB,CAAC;aAAM,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACnE,IAAI,GAAG,WAAW,CAAC;QACrB,CAAC;IACH,CAAC;IACD,gEAAgE;IAChE,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACpC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;QAC9B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9D,IAAI,CAAC;gBAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO;QACL,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU;QACV,IAAI;KACL,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,KAAa,EAAE,MAAc;IAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,SAAS,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IACjD,OAAO,GAAG,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AACtE,CAAC"}

package/daemon/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,wBAAsB,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,mDAiC9C"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,wBAAsB,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,mDA0C9C"}

package/daemon/dist/index.js

@@ -1,11 +1,20 @@
 import { serve } from "@hono/node-server";
 import { readOpenRigEnv } from "./openrig-compat.js";
 import { createDaemon } from "./startup.js";
+import { assertBindAuthInvariant } from "./middleware/auth-bearer-token.js";
 export async function startServer(port) {
     const p = port ?? parseInt(readOpenRigEnv("OPENRIG_PORT", "RIGGED_PORT") ?? "7433", 10);
     const dbPath = readOpenRigEnv("OPENRIG_DB", "RIGGED_DB") ?? "openrig.sqlite";
-    const { app, contextMonitor, deps } = await createDaemon({ dbPath });
     const h = readOpenRigEnv("OPENRIG_HOST", "RIGGED_HOST") ?? "127.0.0.1";
+    // PL-005 Phase B: bearer token for Mission Control write verbs.
+    // No legacy alias (this env var is new in Phase B).
+    const bearerToken = process.env.OPENRIG_AUTH_BEARER_TOKEN ?? null;
+    // PL-005 Phase B HARD-GATE (audit row 8): refuse non-loopback bind
+    // when no bearer token is configured. Prevents shipping a tailnet-
+    // bound daemon with no auth on Mission Control write verbs.
+    // Throws AuthBearerTokenStartupError before any DB or HTTP work.
+    assertBindAuthInvariant({ host: h, bearerToken });
+    const { app, contextMonitor, deps } = await createDaemon({ dbPath, bearerToken });
     const server = serve({ fetch: app.fetch, port: p, hostname: h }, (info) => {
         console.log(`OpenRig daemon listening on http://localhost:${info.port}`);
         // Start context monitor polling only after successful server bind

package/daemon/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAa;IAC7C,MAAM,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC,cAAc,CAAC,cAAc,EAAE,aAAa,CAAC,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;IACxF,MAAM,MAAM,GAAG,cAAc,CAAC,YAAY,EAAE,WAAW,CAAC,IAAI,gBAAgB,CAAC;IAE7E,MAAM,EAAE,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,MAAM,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAErE,MAAM,CAAC,GAAG,cAAc,CAAC,cAAc,EAAE,aAAa,CAAC,IAAI,WAAW,CAAC;IAEvE,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE;QACxE,OAAO,CAAC,GAAG,CAAC,gDAAgD,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACzE,kEAAkE;QAClE,cAAc,CAAC,KAAK,EAAE,CAAC;QACvB,kEAAkE;QAClE,+DAA+D;QAC/D,yCAAyC;QACzC,IAAI,CAAC,iBAAiB,EAAE,KAAK,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,oEAAoE;IACpE,qEAAqE;IACrE,MAAM,QAAQ,GAAG,KAAK,EAAE,GAAW,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,2BAA2B,GAAG,iBAAiB,CAAC,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,IAAI,EAAE,CAAC;QACvC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IAExD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,4EAA4E;AAC5E,MAAM,WAAW,GACf,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACf,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,UAAU,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;AAElD,IAAI,WAAW,EAAE,CAAC;IAChB,WAAW,EAAE,CAAC;AAChB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAE5E,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAa;IAC7C,MAAM,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC,cAAc,CAAC,cAAc,EAAE,aAAa,CAAC,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;IACxF,MAAM,MAAM,GAAG,cAAc,CAAC,YAAY,EAAE,WAAW,CAAC,IAAI,gBAAgB,CAAC;IAE7E,MAAM,CAAC,GAAG,cAAc,CAAC,cAAc,EAAE,aAAa,CAAC,IAAI,WAAW,CAAC;IACvE,gEAAgE;IAChE,oDAAoD;IACpD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,IAAI,CAAC;IAElE,mEAAmE;IACnE,mEAAmE;IACnE,4DAA4D;IAC5D,iEAAiE;IACjE,uBAAuB,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC;IAElD,MAAM,EAAE,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,MAAM,YAAY,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;IAElF,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE;QACxE,OAAO,CAAC,GAAG,CAAC,gDAAgD,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACzE,kEAAkE;QAClE,cAAc,CAAC,KAAK,EAAE,CAAC;QACvB,kEAAkE;QAClE,+DAA+D;QAC/D,yCAAyC;QACzC,IAAI,CAAC,iBAAiB,EAAE,KAAK,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,oEAAoE;IACpE,qEAAqE;IACrE,MAAM,QAAQ,GAAG,KAAK,EAAE,GAAW,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,2BAA2B,GAAG,iBAAiB,CAAC,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,IAAI,EAAE,CAAC;QACvC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IAExD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,4EAA4E;AAC5E,MAAM,WAAW,GACf,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACf,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,UAAU,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;AAElD,IAAI,WAAW,EAAE,CAAC;IAChB,WAAW,EAAE,CAAC;AAChB,CAAC"}

package/daemon/dist/middleware/auth-bearer-token.d.ts

@@ -0,0 +1,49 @@
+import type { MiddlewareHandler } from "hono";
+/**
+ * Constant-time string equality using Node's timingSafeEqual.
+ * Returns false when lengths differ (timingSafeEqual throws on
+ * length mismatch; we pad-compare to keep a constant-ish branch
+ * profile while still returning the honest false).
+ */
+export declare function constantTimeEqual(a: string, b: string): boolean;
+export interface AuthBearerTokenOpts {
+    /**
+     * The expected bearer token. When this is null, the middleware
+     * lets all requests through (the daemon-level startup check
+     * elsewhere ensures this only happens when bound on loopback).
+     */
+    expectedToken: string | null;
+}
+/**
+ * Hono middleware that enforces bearer-token auth on the routes it
+ * is mounted on. Returns 401 with a three-part error body for missing
+ * or mismatched tokens.
+ *
+ * When `expectedToken` is null, the middleware passes through. The
+ * startup check in `startup.ts` ensures null is only valid when the
+ * bind interface is loopback.
+ */
+export declare function authBearerTokenMiddleware(opts: AuthBearerTokenOpts): MiddlewareHandler;
+/**
+ * Detect whether a host bind value is loopback-only (safe to skip
+ * bearer requirement) vs non-loopback (tailnet / public; requires
+ * bearer). Loopback set: `127.x.x.x`, `::1`, `localhost`. Anything
+ * else (including `0.0.0.0`, `::`, named hostnames, tailnet IPs) is
+ * treated as non-loopback.
+ */
+export declare function isLoopbackBind(host: string | undefined | null): boolean;
+export declare class AuthBearerTokenStartupError extends Error {
+    constructor(message: string);
+}
+/**
+ * Startup-side check (HARD-GATE audit row 8). Throws an explicit
+ * AuthBearerTokenStartupError when the bind interface is non-loopback
+ * AND the bearer token is empty. Called from index.ts BEFORE
+ * `serve()` listens, so the daemon refuses to start in the unsafe
+ * configuration.
+ */
+export declare function assertBindAuthInvariant(opts: {
+    host: string;
+    bearerToken: string | null;
+}): void;
+//# sourceMappingURL=auth-bearer-token.d.ts.map

package/daemon/dist/middleware/auth-bearer-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-bearer-token.d.ts","sourceRoot":"","sources":["../../src/middleware/auth-bearer-token.ts"],"names":[],"mappings":"AAyBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAE9C;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAe/D;AAwBD,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,mBAAmB,GACxB,iBAAiB,CAyBnB;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAWvE;AAED,qBAAa,2BAA4B,SAAQ,KAAK;gBACxC,OAAO,EAAE,MAAM;CAI5B;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE;IAC5C,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B,GAAG,IAAI,CAQP"}

package/daemon/dist/middleware/auth-bearer-token.js

@@ -0,0 +1,135 @@
+// PL-005 Phase B: bearer-token middleware for /api/mission-control/*.
+//
+// Per slice IMPL § Write Set + audit hard-gates 8 + 9:
+//   - Constant-time bearer comparison via Node `crypto.timingSafeEqual`.
+//     No early-return on byte mismatch.
+//   - 401 with three-part error body on missing or mismatched token
+//     (what failed + why it matters + what to do).
+//   - Daemon refuses to start with a non-loopback bind interface AND
+//     empty bearer config — startup-side check (see startup.ts).
+//
+// MVP context (single-developer, single-user, single-host): one static
+// bearer token sourced from a config field. NO OAuth / SSO / per-user
+// routing / role-based permissions / token rotation. Token holder is
+// fully privileged.
+//
+// Mounted on /api/mission-control/* write verbs at minimum (POST
+// /action, POST /notifications/test). Reads (GET /views, /audit, etc.)
+// MAY be gated under the same token at operator option (Phase B
+// driver default: gate writes only; reads remain open behind tailnet
+// bind for the headed-browser-from-phone case where the operator
+// hasn't typed the token into mobile yet — the bearer is for write
+// integrity, not view confidentiality).
+import { Buffer } from "node:buffer";
+import { timingSafeEqual } from "node:crypto";
+/**
+ * Constant-time string equality using Node's timingSafeEqual.
+ * Returns false when lengths differ (timingSafeEqual throws on
+ * length mismatch; we pad-compare to keep a constant-ish branch
+ * profile while still returning the honest false).
+ */
+export function constantTimeEqual(a, b) {
+    // Length check is unavoidable for timingSafeEqual to work, but the
+    // compare is still constant-time within the equal-length case. For
+    // unequal lengths we still run a fixed-size compare against a buffer
+    // of zeros so an attacker cannot infer "wrong length vs wrong byte"
+    // from response timing.
+    const aBuf = Buffer.from(a, "utf8");
+    const bBuf = Buffer.from(b, "utf8");
+    if (aBuf.length !== bBuf.length) {
+        // Compare against a same-length zero buffer to keep the call site
+        // cost similar across mismatch paths. Result is always false here.
+        timingSafeEqual(aBuf, Buffer.alloc(aBuf.length));
+        return false;
+    }
+    return timingSafeEqual(aBuf, bBuf);
+}
+/**
+ * Three-part error body shape per OpenRig honest-error-reporting
+ * convention. Renders inside the route's c.json call.
+ */
+function unauthorizedBody(reason) {
+    return {
+        error: "unauthorized",
+        message: `Mission Control auth failed: ${reason}`,
+        what_failed: reason,
+        why_it_matters: "Mission Control write verbs require a bearer token because the daemon may be bound on a non-loopback interface (tailnet) where unauthenticated mutation would be unsafe.",
+        what_to_do: "Set the auth.bearerToken field in daemon config (or OPENRIG_AUTH_BEARER_TOKEN env), restart the daemon, and resend the request with `Authorization: Bearer <token>`.",
+    };
+}
+/**
+ * Hono middleware that enforces bearer-token auth on the routes it
+ * is mounted on. Returns 401 with a three-part error body for missing
+ * or mismatched tokens.
+ *
+ * When `expectedToken` is null, the middleware passes through. The
+ * startup check in `startup.ts` ensures null is only valid when the
+ * bind interface is loopback.
+ */
+export function authBearerTokenMiddleware(opts) {
+    const { expectedToken } = opts;
+    return async (c, next) => {
+        if (expectedToken === null) {
+            // Loopback-only mode (no bearer configured). Pass through.
+            await next();
+            return;
+        }
+        const header = c.req.header("Authorization") ?? c.req.header("authorization");
+        if (!header) {
+            return c.json(unauthorizedBody("missing Authorization header"), 401);
+        }
+        const match = /^Bearer\s+(.+)$/i.exec(header);
+        if (!match) {
+            return c.json(unauthorizedBody("Authorization header must be 'Bearer <token>'"), 401);
+        }
+        const provided = match[1].trim();
+        if (!constantTimeEqual(provided, expectedToken)) {
+            return c.json(unauthorizedBody("bearer token does not match"), 401);
+        }
+        await next();
+    };
+}
+/**
+ * Detect whether a host bind value is loopback-only (safe to skip
+ * bearer requirement) vs non-loopback (tailnet / public; requires
+ * bearer). Loopback set: `127.x.x.x`, `::1`, `localhost`. Anything
+ * else (including `0.0.0.0`, `::`, named hostnames, tailnet IPs) is
+ * treated as non-loopback.
+ */
+export function isLoopbackBind(host) {
+    if (!host || host.length === 0) {
+        // Default Hono / @hono/node-server bind is 0.0.0.0 — treat as
+        // non-loopback for safety (force operator to either bind explicitly
+        // to 127.0.0.1 or set the bearer token).
+        return false;
+    }
+    const trimmed = host.trim().toLowerCase();
+    if (trimmed === "localhost" || trimmed === "::1" || trimmed === "[::1]")
+        return true;
+    if (trimmed.startsWith("127."))
+        return true;
+    return false;
+}
+export class AuthBearerTokenStartupError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "AuthBearerTokenStartupError";
+    }
+}
+/**
+ * Startup-side check (HARD-GATE audit row 8). Throws an explicit
+ * AuthBearerTokenStartupError when the bind interface is non-loopback
+ * AND the bearer token is empty. Called from index.ts BEFORE
+ * `serve()` listens, so the daemon refuses to start in the unsafe
+ * configuration.
+ */
+export function assertBindAuthInvariant(opts) {
+    if (isLoopbackBind(opts.host))
+        return;
+    if (opts.bearerToken && opts.bearerToken.length > 0)
+        return;
+    throw new AuthBearerTokenStartupError(`daemon refusing to start: bind host '${opts.host}' is non-loopback but auth.bearerToken (env OPENRIG_AUTH_BEARER_TOKEN) is empty. ` +
+        `Either bind to 127.0.0.1 / localhost, OR set OPENRIG_AUTH_BEARER_TOKEN to a non-empty value before start. ` +
+        `Mission Control write verbs require bearer auth on any non-loopback bind because tailnet/public exposure without auth would let any peer on the network mutate operator state.`);
+}
+//# sourceMappingURL=auth-bearer-token.js.map

package/daemon/dist/middleware/auth-bearer-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-bearer-token.js","sourceRoot":"","sources":["../../src/middleware/auth-bearer-token.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,EAAE;AACF,uDAAuD;AACvD,yEAAyE;AACzE,wCAAwC;AACxC,oEAAoE;AACpE,mDAAmD;AACnD,qEAAqE;AACrE,iEAAiE;AACjE,EAAE;AACF,uEAAuE;AACvE,sEAAsE;AACtE,qEAAqE;AACrE,oBAAoB;AACpB,EAAE;AACF,iEAAiE;AACjE,uEAAuE;AACvE,gEAAgE;AAChE,qEAAqE;AACrE,iEAAiE;AACjE,mEAAmE;AACnE,wCAAwC;AAExC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAS,EAAE,CAAS;IACpD,mEAAmE;IACnE,mEAAmE;IACnE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,kEAAkE;QAClE,mEAAmE;QACnE,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACjD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,MAAc;IAOtC,OAAO;QACL,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE,gCAAgC,MAAM,EAAE;QACjD,WAAW,EAAE,MAAM;QACnB,cAAc,EACZ,0KAA0K;QAC5K,UAAU,EACR,sKAAsK;KACzK,CAAC;AACJ,CAAC;AAWD;;;;;;;;GAQG;AACH,MAAM,UAAU,yBAAyB,CACvC,IAAyB;IAEzB,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC;IAC/B,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,2DAA2D;YAC3D,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAC9E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,8BAA8B,CAAC,EAAE,GAAG,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,CAAC,IAAI,CACX,gBAAgB,CAAC,+CAA+C,CAAC,EACjE,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAC;QAClC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,aAAa,CAAC,EAAE,CAAC;YAChD,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,6BAA6B,CAAC,EAAE,GAAG,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,IAA+B;IAC5D,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,8DAA8D;QAC9D,oEAAoE;QACpE,yCAAyC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,IAAI,OAAO,KAAK,WAAW,IAAI,OAAO,KAAK,KAAK,IAAI,OAAO,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IACrF,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,OAAO,2BAA4B,SAAQ,KAAK;IACpD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,6BAA6B,CAAC;IAC5C,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAGvC;IACC,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO;IACtC,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO;IAC5D,MAAM,IAAI,2BAA2B,CACnC,wCAAwC,IAAI,CAAC,IAAI,mFAAmF;QAClI,4GAA4G;QAC5G,gLAAgL,CACnL,CAAC;AACJ,CAAC"}

package/daemon/dist/openrig-compat.d.ts

@@ -2,7 +2,7 @@ export declare function getOpenRigHome(): string;
 export declare function getLegacyRiggedHome(): string;
 export declare const OPENRIG_HOME: string;
 export declare const LEGACY_RIGGED_HOME: string;
-export declare function readOpenRigEnv(primary: string, legacy: string): string | undefined;
+export declare function readOpenRigEnv(primary: string, legacy?: string): string | undefined;
 export declare function getPreferredOpenRigHome(): string;
 export declare function getDefaultOpenRigPath(filename: string): string;
 export declare function getCompatibleOpenRigPath(filename: string): string;

package/daemon/dist/openrig-compat.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openrig-compat.d.ts","sourceRoot":"","sources":["../src/openrig-compat.ts"],"names":[],"mappings":"AAMA,wBAAgB,cAAc,IAAI,MAAM,CAIvC;AAED,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C;AAED,eAAO,MAAM,YAAY,QAAmB,CAAC;AAC7C,eAAO,MAAM,kBAAkB,QAAwB,CAAC;AAQxD,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAWlF;AAED,wBAAgB,uBAAuB,IAAI,MAAM,CAahD;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAgBjE"}
+{"version":3,"file":"openrig-compat.d.ts","sourceRoot":"","sources":["../src/openrig-compat.ts"],"names":[],"mappings":"AAMA,wBAAgB,cAAc,IAAI,MAAM,CAIvC;AAED,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C;AAED,eAAO,MAAM,YAAY,QAAmB,CAAC;AAC7C,eAAO,MAAM,kBAAkB,QAAwB,CAAC;AAQxD,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAanF;AAED,wBAAgB,uBAAuB,IAAI,MAAM,CAahD;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAgBjE"}

package/daemon/dist/openrig-compat.js

@@ -23,10 +23,12 @@ export function readOpenRigEnv(primary, legacy) {
     const primaryValue = process.env[primary];
     if (primaryValue !== undefined && primaryValue !== "")
         return primaryValue;
-    const legacyValue = process.env[legacy];
-    if (legacyValue !== undefined && legacyValue !== "") {
-        warnOnce(`env:${legacy}`, `Warning: ${legacy} is deprecated; use ${primary} instead.`);
-        return legacyValue;
+    if (legacy) {
+        const legacyValue = process.env[legacy];
+        if (legacyValue !== undefined && legacyValue !== "") {
+            warnOnce(`env:${legacy}`, `Warning: ${legacy} is deprecated; use ${primary} instead.`);
+            return legacyValue;
+        }
     }
     return undefined;
 }

package/daemon/dist/openrig-compat.js.map

@@ -1 +1 @@
-{"version":3,"file":"openrig-compat.js","sourceRoot":"","sources":["../src/openrig-compat.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;AAErC,MAAM,UAAU,cAAc;IAC5B,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IACjE,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,UAAU,CAAC;IAChD,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,MAAM,YAAY,GAAG,cAAc,EAAE,CAAC;AAC7C,MAAM,CAAC,MAAM,kBAAkB,GAAG,mBAAmB,EAAE,CAAC;AAExD,SAAS,QAAQ,CAAC,GAAW,EAAE,OAAe;IAC5C,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAChC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,MAAc;IAC5D,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,EAAE;QAAE,OAAO,YAAY,CAAC;IAE3E,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,EAAE,EAAE,CAAC;QACpD,QAAQ,CAAC,OAAO,MAAM,EAAE,EAAE,YAAY,MAAM,uBAAuB,OAAO,WAAW,CAAC,CAAC;QACvF,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,gBAAgB,GAAG,mBAAmB,EAAE,CAAC;IAE/C,IAAI,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IAChD,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACjC,QAAQ,CACN,WAAW,EACX,yCAAyC,gBAAgB,gBAAgB,WAAW,GAAG,CACxF,CAAC;QACF,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,OAAO,IAAI,CAAC,cAAc,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,QAAgB;IACvD,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,gBAAgB,GAAG,mBAAmB,EAAE,CAAC;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IAEhD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;IACpD,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,QAAQ,CACN,QAAQ,QAAQ,EAAE,EAClB,oCAAoC,UAAU,gBAAgB,WAAW,GAAG,CAC7E,CAAC;QACF,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC"}
+{"version":3,"file":"openrig-compat.js","sourceRoot":"","sources":["../src/openrig-compat.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;AAErC,MAAM,UAAU,cAAc;IAC5B,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IACjE,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,UAAU,CAAC;IAChD,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,MAAM,YAAY,GAAG,cAAc,EAAE,CAAC;AAC7C,MAAM,CAAC,MAAM,kBAAkB,GAAG,mBAAmB,EAAE,CAAC;AAExD,SAAS,QAAQ,CAAC,GAAW,EAAE,OAAe;IAC5C,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAChC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,MAAe;IAC7D,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,EAAE;QAAE,OAAO,YAAY,CAAC;IAE3E,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACxC,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,EAAE,EAAE,CAAC;YACpD,QAAQ,CAAC,OAAO,MAAM,EAAE,EAAE,YAAY,MAAM,uBAAuB,OAAO,WAAW,CAAC,CAAC;YACvF,OAAO,WAAW,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,gBAAgB,GAAG,mBAAmB,EAAE,CAAC;IAE/C,IAAI,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IAChD,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACjC,QAAQ,CACN,WAAW,EACX,yCAAyC,gBAAgB,gBAAgB,WAAW,GAAG,CACxF,CAAC;QACF,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,OAAO,IAAI,CAAC,cAAc,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,QAAgB;IACvD,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,gBAAgB,GAAG,mBAAmB,EAAE,CAAC;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IAEhD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;IACpD,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,QAAQ,CACN,QAAQ,QAAQ,EAAE,EAClB,oCAAoC,UAAU,gBAAgB,WAAW,GAAG,CAC7E,CAAC;QACF,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/daemon/dist/routes/agent-images.d.ts

@@ -0,0 +1,8 @@
+import { Hono } from "hono";
+export interface AgentImageRoutesDeps {
+    /** Spec-library roots scanned by the evidence guard. v0 includes
+     *  the canonical user spec directory + workspace specs root. */
+    specRoots: () => readonly string[];
+}
+export declare function agentImagesRoutes(deps: AgentImageRoutesDeps): Hono;
+//# sourceMappingURL=agent-images.d.ts.map

package/daemon/dist/routes/agent-images.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-images.d.ts","sourceRoot":"","sources":["../../src/routes/agent-images.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AA6B5B,MAAM,WAAW,oBAAoB;IACnC;oEACgE;IAChE,SAAS,EAAE,MAAM,SAAS,MAAM,EAAE,CAAC;CACpC;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,oBAAoB,GAAG,IAAI,CAoMlE"}

package/daemon/dist/routes/agent-images.js

@@ -0,0 +1,253 @@
+// Fork Primitive + Starter Agent Images v0 (PL-016) — daemon HTTP
+// routes.
+//
+// Endpoints:
+//   GET    /api/agent-images/library                — list all images (resume token redacted)
+//   POST   /api/agent-images/library/sync           — re-walk discovery roots
+//   GET    /api/agent-images/library/:id            — image manifest + stats (resume token redacted)
+//   GET    /api/agent-images/library/:id/preview    — manifest + sized supplementary file metadata
+//   POST   /api/agent-images/library/:id/pin        — pin from prune
+//   POST   /api/agent-images/library/:id/unpin      — unpin
+//   DELETE /api/agent-images/library/:id            — delete (subject to evidence guard unless force=true)
+//   POST   /api/agent-images/snapshot               — capture a new image from a source seat
+//   POST   /api/agent-images/prune                  — prune evictable images (dry-run by default)
+//
+// Resume tokens are NEVER returned over the wire — they're redacted at
+// route boundary. Only the rigspec-instantiator (in-process) consumes
+// the token directly.
+import { Hono } from "hono";
+import { rmSync } from "node:fs";
+import { evaluateProtection } from "../domain/agent-images/evidence-guard.js";
+import { AgentImageError } from "../domain/agent-images/agent-image-types.js";
+function redactResumeToken(entry) {
+    return { ...entry, sourceResumeToken: "(redacted)" };
+}
+export function agentImagesRoutes(deps) {
+    const router = new Hono();
+    router.get("/library", (c) => {
+        const lib = c.get("agentImageLibrary");
+        if (!lib)
+            return c.json({ error: "agent_image_library_unavailable" }, 503);
+        return c.json(lib.list().map(redactResumeToken));
+    });
+    router.post("/library/sync", (c) => {
+        const lib = c.get("agentImageLibrary");
+        if (!lib)
+            return c.json({ error: "agent_image_library_unavailable" }, 503);
+        const result = lib.scan();
+        return c.json({ ...result, entries: lib.list().map(redactResumeToken) });
+    });
+    router.post("/snapshot", async (c) => {
+        const capturer = c.get("snapshotCapturer");
+        if (!capturer)
+            return c.json({ error: "snapshot_capturer_unavailable" }, 503);
+        const body = (await c.req.json().catch(() => ({})));
+        if (!body.sourceSession || !body.name) {
+            return c.json({
+                error: "missing_required_fields",
+                hint: "POST body must include { sourceSession, name }",
+            }, 400);
+        }
+        try {
+            const result = capturer.capture({
+                sourceSession: body.sourceSession,
+                name: body.name,
+                version: body.version,
+                notes: body.notes,
+                estimatedTokens: body.estimatedTokens,
+                lineage: body.lineage,
+            });
+            // Redact resume token in the response — operator just needs the
+            // image id and on-disk path.
+            return c.json({
+                imageId: result.imageId,
+                imagePath: result.imagePath,
+                manifest: { ...result.manifest, sourceResumeToken: "(redacted)" },
+            });
+        }
+        catch (err) {
+            if (err instanceof AgentImageError) {
+                const status = err.code === "image_not_found" ? 404
+                    : err.code === "runtime_mismatch" ? 400
+                        : err.code === "image_referenced" ? 409
+                            : 500;
+                return c.json({ error: err.code, message: err.message, details: err.details ?? null }, status);
+            }
+            return c.json({ error: "snapshot_failed", message: err.message }, 500);
+        }
+    });
+    router.post("/prune", async (c) => {
+        const lib = c.get("agentImageLibrary");
+        if (!lib)
+            return c.json({ error: "agent_image_library_unavailable" }, 503);
+        const body = (await c.req.json().catch(() => ({})));
+        const dryRun = body.dryRun !== false;
+        const force = !!body.force;
+        const images = lib.list();
+        const protections = evaluateProtection({
+            images,
+            specRoots: deps.specRoots(),
+        });
+        const protectedImages = protections.filter((p) => p.protected);
+        const evictable = protections.filter((p) => !p.protected);
+        if (dryRun) {
+            return c.json({
+                dryRun: true,
+                protected: protectedImages,
+                evictable: evictable.map((p) => ({ imageId: p.imageId, imageName: p.imageName, imageVersion: p.imageVersion })),
+            });
+        }
+        // Real prune: delete evictable images. Force overrides the guard
+        // — protected images get deleted too. CATASTROPHIC bounce risk on
+        // force; surface it visibly in the response.
+        const targets = force ? protections : evictable;
+        const deleted = [];
+        const errors = [];
+        for (const t of targets) {
+            const entry = lib.get(t.imageId);
+            if (!entry)
+                continue;
+            try {
+                rmSync(entry.sourcePath, { recursive: true, force: true });
+                deleted.push(t.imageId);
+            }
+            catch (err) {
+                errors.push({ imageId: t.imageId, error: err.message });
+            }
+        }
+        lib.scan();
+        return c.json({
+            dryRun: false,
+            forced: force,
+            deleted,
+            errors,
+            protected: force ? [] : protectedImages,
+        });
+    });
+    router.get("/library/:id", (c) => {
+        const lib = c.get("agentImageLibrary");
+        if (!lib)
+            return c.json({ error: "agent_image_library_unavailable" }, 503);
+        const id = decodeURIComponent(c.req.param("id"));
+        if (id === "sync" || id === "snapshot" || id === "prune")
+            return c.notFound();
+        const entry = lib.get(id);
+        if (!entry)
+            return c.json({ error: `Agent image '${id}' not found in library` }, 404);
+        return c.json(redactResumeToken(entry));
+    });
+    router.get("/library/:id/preview", (c) => {
+        const lib = c.get("agentImageLibrary");
+        if (!lib)
+            return c.json({ error: "agent_image_library_unavailable" }, 503);
+        const id = decodeURIComponent(c.req.param("id"));
+        const entry = lib.get(id);
+        if (!entry)
+            return c.json({ error: `Agent image '${id}' not found in library` }, 404);
+        return c.json({
+            id,
+            name: entry.name,
+            version: entry.version,
+            runtime: entry.runtime,
+            sourceSeat: entry.sourceSeat,
+            manifestEstimatedTokens: entry.manifestEstimatedTokens,
+            derivedEstimatedTokens: entry.derivedEstimatedTokens,
+            stats: entry.stats,
+            lineage: entry.lineage,
+            pinned: entry.pinned,
+            notes: entry.notes,
+            files: entry.files,
+            starterSnippet: buildStarterSnippet(entry),
+        });
+    });
+    router.post("/library/:id/pin", (c) => {
+        const lib = c.get("agentImageLibrary");
+        if (!lib)
+            return c.json({ error: "agent_image_library_unavailable" }, 503);
+        const id = decodeURIComponent(c.req.param("id"));
+        try {
+            lib.pin(id);
+            return c.json({ ok: true, id, pinned: true });
+        }
+        catch (err) {
+            if (err instanceof AgentImageError && err.code === "image_not_found") {
+                return c.json({ error: err.code, message: err.message }, 404);
+            }
+            return c.json({ error: "pin_failed", message: err.message }, 500);
+        }
+    });
+    router.post("/library/:id/unpin", (c) => {
+        const lib = c.get("agentImageLibrary");
+        if (!lib)
+            return c.json({ error: "agent_image_library_unavailable" }, 503);
+        const id = decodeURIComponent(c.req.param("id"));
+        try {
+            lib.unpin(id);
+            return c.json({ ok: true, id, pinned: false });
+        }
+        catch (err) {
+            if (err instanceof AgentImageError && err.code === "image_not_found") {
+                return c.json({ error: err.code, message: err.message }, 404);
+            }
+            return c.json({ error: "unpin_failed", message: err.message }, 500);
+        }
+    });
+    router.delete("/library/:id", (c) => {
+        const lib = c.get("agentImageLibrary");
+        if (!lib)
+            return c.json({ error: "agent_image_library_unavailable" }, 503);
+        const id = decodeURIComponent(c.req.param("id"));
+        const force = (c.req.query("force") ?? "") === "true";
+        const entry = lib.get(id);
+        if (!entry)
+            return c.json({ error: `Agent image '${id}' not found in library` }, 404);
+        // Evidence guard for non-force deletes.
+        if (!force) {
+            const protections = evaluateProtection({
+                images: lib.list(),
+                specRoots: deps.specRoots(),
+            });
+            const status = protections.find((p) => p.imageId === id);
+            if (status && status.protected) {
+                return c.json({
+                    error: "image_referenced",
+                    message: `Agent image '${id}' is protected: ${status.reasons.join(", ")}. Use force=true to override.`,
+                    reasons: status.reasons,
+                    references: status.references,
+                }, 409);
+            }
+        }
+        try {
+            rmSync(entry.sourcePath, { recursive: true, force: true });
+            lib.scan();
+            return c.json({ ok: true, id, forced: force });
+        }
+        catch (err) {
+            return c.json({ error: "delete_failed", message: err.message }, 500);
+        }
+    });
+    return router;
+}
+/** PRD § Item 5: review-pane "Use as starter" surface. We synthesize
+ *  the agent.yaml snippet here so the UI can render it directly with
+ *  no client-side templating.
+ *
+ *  PL-016 source-cwd behavior: when the
+ *  manifest carries source_cwd, the snippet emits `cwd: <source_cwd>`
+ *  ahead of the session_source block. The fork
+ *  starts in the SAME directory the parent session was created in,
+ *  Claude's project-dir-scoped session storage works because the jsonl
+ *  file lives there. The daemon relies on provider cwd resolution and
+ *  does NOT override cwd at fork dispatch. If the operator manually
+ *  changes cwd, fork fails honestly with "no
+ *  conversation found". Manifests without source_cwd (pre-Finding-2)
+ *  render without the cwd line for back-compat. */
+function buildStarterSnippet(entry) {
+    const lines = [];
+    if (entry.sourceCwd) {
+        lines.push(`cwd: ${JSON.stringify(entry.sourceCwd)}`);
+    }
+    lines.push("session_source:", "  mode: agent_image", "  ref:", "    kind: image_name", `    value: ${JSON.stringify(entry.name)}`, `    version: ${JSON.stringify(entry.version)}`);
+    return lines.join("\n") + "\n";
+}
+//# sourceMappingURL=agent-images.js.map