@orkify/cli 1.0.0-beta.5

package/dist/ipc/DaemonServer.js

@@ -0,0 +1,166 @@
+import { existsSync, unlinkSync } from 'node:fs';
+import { createServer } from 'node:net';
+import { IPCMessageType, SOCKET_PATH } from '../constants.js';
+import { createMessageParser, createResponse, serialize } from './protocol.js';
+export class ClientConnection {
+    socket;
+    messageParser = createMessageParser();
+    constructor(socket) {
+        this.socket = socket;
+    }
+    send(message) {
+        if (!this.socket.destroyed) {
+            this.socket.write(serialize(message));
+        }
+    }
+    onData(handler) {
+        this.socket.on('data', (chunk) => {
+            const messages = this.messageParser(chunk);
+            handler(messages);
+        });
+    }
+    onClose(handler) {
+        this.socket.on('close', handler);
+    }
+    onError(handler) {
+        this.socket.on('error', handler);
+    }
+    close() {
+        this.socket.end();
+    }
+}
+export class DaemonServer {
+    server = null;
+    clients = new Set();
+    handlers = new Map();
+    logSubscribers = new Map();
+    registerHandler(type, handler) {
+        this.handlers.set(type, handler);
+    }
+    subscribeToLogs(processName, client, requestId) {
+        let subscribers = this.logSubscribers.get(processName);
+        if (!subscribers) {
+            subscribers = new Set();
+            this.logSubscribers.set(processName, subscribers);
+        }
+        subscribers.add({ client, requestId });
+    }
+    unsubscribeFromLogs(processName, client) {
+        const subscribers = this.logSubscribers.get(processName);
+        if (subscribers) {
+            for (const sub of subscribers) {
+                if (sub.client === client) {
+                    subscribers.delete(sub);
+                }
+            }
+        }
+    }
+    broadcastLog(processName, data) {
+        const subscribers = this.logSubscribers.get(processName);
+        if (subscribers) {
+            for (const { client, requestId } of subscribers) {
+                client.send({
+                    type: IPCMessageType.LOG_DATA,
+                    id: requestId,
+                    success: true,
+                    data,
+                });
+            }
+        }
+        // Also broadcast to 'all' subscribers
+        const allSubscribers = this.logSubscribers.get('all');
+        if (allSubscribers) {
+            for (const { client, requestId } of allSubscribers) {
+                client.send({
+                    type: IPCMessageType.LOG_DATA,
+                    id: requestId,
+                    success: true,
+                    data: { processName, ...data },
+                });
+            }
+        }
+    }
+    async start() {
+        // Clean up existing socket
+        if (existsSync(SOCKET_PATH)) {
+            try {
+                unlinkSync(SOCKET_PATH);
+            }
+            catch {
+                // Ignore errors
+            }
+        }
+        return new Promise((resolve, reject) => {
+            this.server = createServer((socket) => {
+                const client = new ClientConnection(socket);
+                this.clients.add(client);
+                client.onData(async (messages) => {
+                    for (const request of messages) {
+                        await this.handleRequest(request, client);
+                    }
+                });
+                client.onClose(() => {
+                    this.clients.delete(client);
+                    // Clean up log subscriptions
+                    for (const [name] of this.logSubscribers) {
+                        this.unsubscribeFromLogs(name, client);
+                    }
+                });
+                client.onError((err) => {
+                    console.error('Client error:', err.message);
+                });
+            });
+            this.server.on('error', (err) => {
+                reject(err);
+            });
+            this.server.listen(SOCKET_PATH, () => {
+                resolve();
+            });
+        });
+    }
+    async handleRequest(request, client) {
+        const handler = this.handlers.get(request.type);
+        if (!handler) {
+            client.send(createResponse(request.id, false, undefined, `Unknown command: ${request.type}`));
+            return;
+        }
+        try {
+            const response = await handler(request, client);
+            client.send(response);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : 'Unknown error';
+            client.send(createResponse(request.id, false, undefined, message));
+        }
+    }
+    broadcast(message) {
+        for (const client of this.clients) {
+            client.send(message);
+        }
+    }
+    stop() {
+        return new Promise((resolve) => {
+            for (const client of this.clients) {
+                client.close();
+            }
+            this.clients.clear();
+            if (this.server) {
+                this.server.close(() => {
+                    if (existsSync(SOCKET_PATH)) {
+                        try {
+                            unlinkSync(SOCKET_PATH);
+                        }
+                        catch {
+                            // Ignore
+                        }
+                    }
+                    resolve();
+                });
+            }
+            else {
+                resolve();
+            }
+        });
+    }
+}
+//# sourceMappingURL=DaemonServer.js.map

package/dist/ipc/MultiUserClient.d.ts

@@ -0,0 +1,27 @@
+import type { ProcessInfo } from '../types/index.js';
+export interface UserProcessList {
+    user: string;
+    processes: ProcessInfo[];
+    error?: string;
+}
+export interface ListAllUsersResult {
+    users: UserProcessList[];
+    /** Informational messages (e.g., no sockets found) */
+    warnings: string[];
+    /** Users whose sockets couldn't be accessed (permission denied) */
+    inaccessibleUsers: string[];
+}
+/**
+ * Check if running with elevated privileges
+ */
+declare function isElevated(): boolean;
+/**
+ * List processes from all users on the system
+ * On Unix, requires elevated privileges (sudo) to see other users' processes
+ */
+export declare function listAllUsers(): Promise<ListAllUsersResult>;
+/**
+ * Check if the current user has elevated privileges
+ */
+export { isElevated };
+//# sourceMappingURL=MultiUserClient.d.ts.map

package/dist/ipc/MultiUserClient.js

@@ -0,0 +1,203 @@
+import { execSync } from 'node:child_process';
+import { readdirSync } from 'node:fs';
+import { connect } from 'node:net';
+import { platform } from 'node:os';
+import { IPC_CONNECT_TIMEOUT, IPC_RESPONSE_TIMEOUT, IPCMessageType } from '../constants.js';
+import { createMessageParser, createRequest, serialize } from './protocol.js';
+/**
+ * Check if running with elevated privileges
+ */
+function isElevated() {
+    if (platform() === 'win32') {
+        // On Windows, check if we can access a protected location
+        try {
+            execSync('net session', { stdio: 'ignore' });
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    // Unix: check if running as root
+    return process.getuid?.() === 0;
+}
+/**
+ * Extract username from socket path
+ */
+function extractUserFromSocketPath(socketPath) {
+    // Unix: /home/username/.orkify/orkify.sock or /Users/username/.orkify/orkify.sock
+    // Also handles /root/.orkify/orkify.sock
+    const match = socketPath.match(/^\/(?:home|Users|root)\/([^/]+)\/\.orkify\/orkify\.sock$/);
+    if (match) {
+        return match[1];
+    }
+    // Handle /root specifically
+    if (socketPath === '/root/.orkify/orkify.sock') {
+        return 'root';
+    }
+    // Fallback: use directory name
+    const parts = socketPath.split('/');
+    const orkifyIndex = parts.indexOf('.orkify');
+    if (orkifyIndex > 0) {
+        return parts[orkifyIndex - 1];
+    }
+    return 'unknown';
+}
+/**
+ * Discover orkify sockets on Unix using lsof
+ * Requires elevated privileges to see other users' sockets
+ */
+function discoverUnixSockets() {
+    try {
+        // lsof -U lists all Unix domain sockets
+        // We filter for orkify.sock
+        const output = execSync('lsof -U 2>/dev/null', {
+            encoding: 'utf-8',
+            maxBuffer: 10 * 1024 * 1024,
+        });
+        const sockets = [];
+        const seen = new Set();
+        for (const line of output.split('\n')) {
+            // Look for lines containing orkify.sock
+            if (line.includes('orkify.sock')) {
+                // lsof output format varies, but socket path is typically at the end
+                const match = line.match(/(\/\S+orkify\.sock)/);
+                if (match && !seen.has(match[1])) {
+                    seen.add(match[1]);
+                    sockets.push({
+                        user: extractUserFromSocketPath(match[1]),
+                        socketPath: match[1],
+                    });
+                }
+            }
+        }
+        return sockets;
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Discover orkify named pipes on Windows
+ */
+function discoverWindowsPipes() {
+    try {
+        // Named pipes are enumerable in \\.\pipe\
+        const pipes = readdirSync('\\\\.\\pipe');
+        return pipes
+            .filter((name) => name.startsWith('orkify-'))
+            .map((name) => ({
+            user: name.replace('orkify-', ''),
+            socketPath: `\\\\.\\pipe\\${name}`,
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Connect to a socket and get the process list
+ */
+async function getProcessListFromSocket(socketPath) {
+    return new Promise((resolve) => {
+        const timeout = setTimeout(() => {
+            socket.destroy();
+            resolve({ error: 'Connection timeout' });
+        }, IPC_CONNECT_TIMEOUT);
+        const socket = connect(socketPath);
+        const messageParser = createMessageParser();
+        socket.on('connect', () => {
+            clearTimeout(timeout);
+            const responseTimeout = setTimeout(() => {
+                socket.destroy();
+                resolve({ error: 'Response timeout' });
+            }, IPC_RESPONSE_TIMEOUT);
+            const request = createRequest(IPCMessageType.LIST);
+            socket.write(serialize(request));
+            socket.on('data', (chunk) => {
+                const messages = messageParser(chunk);
+                for (const message of messages) {
+                    clearTimeout(responseTimeout);
+                    const response = message;
+                    socket.end();
+                    if (response.success) {
+                        resolve({ processes: response.data });
+                    }
+                    else {
+                        resolve({ error: response.error || 'Unknown error' });
+                    }
+                    return;
+                }
+            });
+        });
+        socket.on('error', (err) => {
+            clearTimeout(timeout);
+            socket.destroy();
+            const errorCode = err.code;
+            if (errorCode === 'EACCES' || errorCode === 'EPERM') {
+                resolve({ error: 'Permission denied' });
+            }
+            else if (errorCode === 'ECONNREFUSED') {
+                resolve({ error: 'Daemon not running' });
+            }
+            else if (errorCode === 'ENOENT') {
+                resolve({ error: 'Socket not found' });
+            }
+            else {
+                resolve({ error: err.message });
+            }
+        });
+    });
+}
+/**
+ * List processes from all users on the system
+ * On Unix, requires elevated privileges (sudo) to see other users' processes
+ */
+export async function listAllUsers() {
+    const os = platform();
+    const users = [];
+    const warnings = [];
+    const inaccessibleUsers = [];
+    // Check elevation on Unix
+    if (os !== 'win32' && !isElevated()) {
+        return {
+            users: [],
+            warnings: [],
+            inaccessibleUsers: [],
+        };
+    }
+    // Discover sockets
+    const sockets = os === 'win32' ? discoverWindowsPipes() : discoverUnixSockets();
+    if (sockets.length === 0) {
+        warnings.push('No orkify processes found on this system');
+        return { users, warnings, inaccessibleUsers };
+    }
+    // Connect to each socket and get process list
+    for (const { user, socketPath } of sockets) {
+        const result = await getProcessListFromSocket(socketPath);
+        if ('error' in result) {
+            if (result.error === 'Permission denied') {
+                inaccessibleUsers.push(user);
+            }
+            else if (result.error !== 'Socket not found' && result.error !== 'Daemon not running') {
+                warnings.push(`Cannot access ${user}'s processes: ${result.error}`);
+            }
+            // Skip users with no running daemon (not an error)
+        }
+        else {
+            users.push({
+                user,
+                processes: result.processes,
+            });
+        }
+    }
+    if (users.length === 0 && warnings.length === 0 && inaccessibleUsers.length === 0) {
+        warnings.push('No orkify daemons running on this system');
+    }
+    return { users, warnings, inaccessibleUsers };
+}
+/**
+ * Check if the current user has elevated privileges
+ */
+export { isElevated };
+//# sourceMappingURL=MultiUserClient.js.map

package/dist/ipc/protocol.d.ts

@@ -0,0 +1,7 @@
+import type { IPCMessage, IPCRequest, IPCResponse } from '../types/index.js';
+import { IPCMessageType } from '../constants.js';
+export declare function createRequest(type: (typeof IPCMessageType)[keyof typeof IPCMessageType], payload?: IPCRequest['payload']): IPCRequest;
+export declare function createResponse(requestId: string, success: boolean, data?: unknown, error?: string): IPCResponse;
+export declare function serialize(message: IPCMessage): string;
+export declare function createMessageParser(): (chunk: Buffer) => IPCMessage[];
+//# sourceMappingURL=protocol.d.ts.map

package/dist/ipc/protocol.js

@@ -0,0 +1,53 @@
+import { randomUUID } from 'node:crypto';
+import { IPCMessageType } from '../constants.js';
+const DELIMITER = '\n';
+export function createRequest(type, payload) {
+    return {
+        type,
+        id: randomUUID(),
+        payload,
+    };
+}
+export function createResponse(requestId, success, data, error) {
+    return {
+        type: success ? IPCMessageType.SUCCESS : IPCMessageType.ERROR,
+        id: requestId,
+        success,
+        data,
+        error,
+    };
+}
+export function serialize(message) {
+    return JSON.stringify(message) + DELIMITER;
+}
+// Max buffer size: 10MB. Prevents unbounded memory growth from
+// malformed data that never includes a newline delimiter.
+const MAX_BUFFER_SIZE = 10 * 1024 * 1024;
+export function createMessageParser() {
+    let buffer = '';
+    return (chunk) => {
+        buffer += chunk.toString();
+        // Guard against unbounded buffer growth
+        if (buffer.length >= MAX_BUFFER_SIZE) {
+            console.error(`IPC message buffer exceeded ${MAX_BUFFER_SIZE} bytes, discarding`);
+            buffer = '';
+            throw new Error('IPC message buffer overflow');
+        }
+        const messages = [];
+        let delimiterIndex;
+        while ((delimiterIndex = buffer.indexOf(DELIMITER)) !== -1) {
+            const messageStr = buffer.slice(0, delimiterIndex);
+            buffer = buffer.slice(delimiterIndex + 1);
+            if (messageStr.trim()) {
+                try {
+                    messages.push(JSON.parse(messageStr));
+                }
+                catch {
+                    console.error('Failed to parse IPC message:', messageStr.slice(0, 200));
+                }
+            }
+        }
+        return messages;
+    };
+}
+//# sourceMappingURL=protocol.js.map

package/dist/ipc/restoreDaemon.d.ts

@@ -0,0 +1,8 @@
+import type { IPCResponse, ProcessConfig } from '../types/index.js';
+import { DaemonClient } from './DaemonClient.js';
+/**
+ * Wait for old daemon to exit, start a new one, and restore processes.
+ * Shared by daemon-reload command and crash-recovery script.
+ */
+export declare function restoreDaemon(client: DaemonClient, configs: ProcessConfig[], daemonEnv?: Record<string, string>): Promise<IPCResponse>;
+//# sourceMappingURL=restoreDaemon.d.ts.map

package/dist/ipc/restoreDaemon.js

@@ -0,0 +1,19 @@
+import { existsSync } from 'node:fs';
+import { DAEMON_PID_FILE, IPCMessageType } from '../constants.js';
+/**
+ * Wait for old daemon to exit, start a new one, and restore processes.
+ * Shared by daemon-reload command and crash-recovery script.
+ */
+export async function restoreDaemon(client, configs, daemonEnv) {
+    if (daemonEnv)
+        client.setSpawnEnv(daemonEnv);
+    // Wait for old daemon to fully exit
+    const deadline = Date.now() + 10_000;
+    while (existsSync(DAEMON_PID_FILE) && Date.now() < deadline) {
+        await new Promise((r) => setTimeout(r, 50));
+    }
+    // Start new daemon (auto-start on connect) and restore configs
+    const response = await client.request(IPCMessageType.RESTORE_CONFIGS, configs);
+    return response;
+}
+//# sourceMappingURL=restoreDaemon.js.map

package/dist/machine-id.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Read a platform-specific machine identifier without elevated permissions.
+ * - Linux: /etc/machine-id (systemd, readable by all users)
+ * - macOS: IOPlatformUUID via ioreg
+ * - Windows: MachineGuid from registry
+ * Returns null if the ID can't be read (containers, restricted environments).
+ */
+export declare function getMachineId(): null | string;
+/** Reset cached value — for testing only */
+export declare function _resetMachineIdCache(): void;
+//# sourceMappingURL=machine-id.d.ts.map

package/dist/machine-id.js

@@ -0,0 +1,51 @@
+import { execFileSync } from 'node:child_process';
+import { readFileSync } from 'node:fs';
+let cached = null;
+/**
+ * Read a platform-specific machine identifier without elevated permissions.
+ * - Linux: /etc/machine-id (systemd, readable by all users)
+ * - macOS: IOPlatformUUID via ioreg
+ * - Windows: MachineGuid from registry
+ * Returns null if the ID can't be read (containers, restricted environments).
+ */
+export function getMachineId() {
+    if (cached !== null)
+        return cached || null;
+    try {
+        const id = readMachineId();
+        cached = id ?? '';
+        return id;
+    }
+    catch {
+        cached = '';
+        return null;
+    }
+}
+function readMachineId() {
+    switch (process.platform) {
+        case 'linux': {
+            const id = readFileSync('/etc/machine-id', 'utf8').trim();
+            return id || null;
+        }
+        case 'darwin': {
+            const out = execFileSync('ioreg', ['-rd1', '-c', 'IOPlatformExpertDevice'], {
+                encoding: 'utf8',
+                timeout: 3000,
+            });
+            const match = out.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
+            return match?.[1] ?? null;
+        }
+        case 'win32': {
+            const out = execFileSync('reg', ['query', 'HKLM\\SOFTWARE\\Microsoft\\Cryptography', '/v', 'MachineGuid'], { encoding: 'utf8', timeout: 3000 });
+            const match = out.match(/MachineGuid\s+REG_SZ\s+(\S+)/);
+            return match?.[1] ?? null;
+        }
+        default:
+            return null;
+    }
+}
+/** Reset cached value — for testing only */
+export function _resetMachineIdCache() {
+    cached = null;
+}
+//# sourceMappingURL=machine-id.js.map

package/dist/mcp/auth.d.ts

@@ -0,0 +1,118 @@
+import type { OAuthTokenVerifier } from '@modelcontextprotocol/sdk/server/auth/provider.js';
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import { z } from 'zod';
+import type { ConfigStore } from '../config/ConfigStore.js';
+/**
+ * Valid MCP tool names — kept in sync with tools registered in server.ts.
+ */
+export declare const TOOL_NAMES: readonly ["list", "logs", "snap", "listAllUsers", "up", "down", "restart", "reload", "delete", "restore", "kill"];
+declare const mcpKeySchema: z.ZodObject<{
+    name: z.ZodString;
+    token: z.ZodString;
+    tools: z.ZodArray<z.ZodString, "many">;
+    allowedIps: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    token: string;
+    tools: string[];
+    allowedIps?: string[] | undefined;
+}, {
+    name: string;
+    token: string;
+    tools: string[];
+    allowedIps?: string[] | undefined;
+}>;
+declare const mcpConfigSchema: z.ZodObject<{
+    keys: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        token: z.ZodString;
+        tools: z.ZodArray<z.ZodString, "many">;
+        allowedIps: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        token: string;
+        tools: string[];
+        allowedIps?: string[] | undefined;
+    }, {
+        name: string;
+        token: string;
+        tools: string[];
+        allowedIps?: string[] | undefined;
+    }>, "many">>;
+}, "strip", z.ZodTypeAny, {
+    keys: {
+        name: string;
+        token: string;
+        tools: string[];
+        allowedIps?: string[] | undefined;
+    }[];
+}, {
+    keys?: {
+        name: string;
+        token: string;
+        tools: string[];
+        allowedIps?: string[] | undefined;
+    }[] | undefined;
+}>;
+export type McpConfig = z.infer<typeof mcpConfigSchema>;
+export type McpKey = z.infer<typeof mcpKeySchema>;
+/**
+ * Load and validate the MCP config from ~/.orkify/mcp.yml.
+ * Returns cached version if available; cache is invalidated on SIGHUP or file change.
+ */
+export declare function loadMcpConfig(configPath?: string): McpConfig;
+/**
+ * Start watching the config file for changes and listen for SIGHUP to reload.
+ * Called once when the HTTP server starts.
+ */
+export declare function startConfigWatcher(): void;
+/**
+ * Token verifier that reads keys from the local YAML config.
+ * Implements the MCP SDK's OAuthTokenVerifier interface.
+ */
+export declare class LocalConfigVerifier implements OAuthTokenVerifier {
+    private configPath;
+    constructor(configPath?: string);
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+}
+/**
+ * Token verifier that reads keys from the remote ProjectConfig via ConfigStore.
+ * Matches tokens by SHA-256 hash (the dashboard stores hashes, not raw tokens).
+ */
+export declare class RemoteConfigVerifier implements OAuthTokenVerifier {
+    private configStore;
+    constructor(configStore: ConfigStore);
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+    getAllowedIpsForToken(token: string): string[] | undefined;
+}
+/**
+ * Generate a new MCP token: prefix + 48 hex chars (24 random bytes).
+ */
+export declare function generateToken(): string;
+/**
+ * Append a new key to the MCP config file.
+ * Creates the file with 0o600 permissions if it doesn't exist.
+ */
+export declare function appendKeyToConfig(key: McpKey, configPath?: string): void;
+/**
+ * Warn to stderr if the MCP config file has permissions more open than 0600.
+ * Skipped on Windows where Unix mode bits don't apply.
+ */
+export declare function warnIfConfigInsecure(configPath?: string): void;
+/**
+ * Strip the `::ffff:` prefix from IPv4-mapped IPv6 addresses.
+ * Express may report `::ffff:127.0.0.1` for IPv4 clients.
+ */
+export declare function normalizeIp(ip: string): string;
+/**
+ * Check if a client IP is allowed by the key's `allowedIps` list.
+ * Returns `true` if `allowedIps` is absent or empty (all IPs allowed).
+ * Uses Node.js `BlockList` as an allowlist — `check()` returns `true` for listed IPs.
+ */
+export declare function isIpAllowed(clientIp: string, allowedIps?: string[]): boolean;
+/**
+ * Look up a key by name from the config.
+ */
+export declare function findKeyByName(name: string, configPath?: string): McpKey | undefined;
+export {};
+//# sourceMappingURL=auth.d.ts.map