@pellux/goodvibes-sdk 0.21.27 → 0.21.28

package/dist/_internal/platform/pairing/companion-token.d.ts

@@ -18,19 +18,19 @@ export interface CompanionTokenRecord {
     readonly createdAt: number;
 }
 /**
- * Load the stored companion token for a surface, or generate and persist a new one.
+ * Load the stored companion token, or generate and persist a new one.
+ * Token is always written to <daemonHomeDir>/operator-tokens.json at mode 0600.
  */
-export declare function getOrCreateCompanionToken(surface: string, options?: {
-    basePath?: string;
-    daemonHomeDir?: string;
+export declare function getOrCreateCompanionToken(surface: string, options: {
+    daemonHomeDir: string;
     regenerate?: boolean;
 }): CompanionPairingResult;
 /**
- * Regenerate the companion token for a surface, replacing any existing token.
+ * Regenerate the companion token, replacing any existing token.
+ * Written to <daemonHomeDir>/operator-tokens.json at mode 0600.
  */
-export declare function regenerateCompanionToken(surface: string, options?: {
-    basePath?: string;
-    daemonHomeDir?: string;
+export declare function regenerateCompanionToken(surface: string, options: {
+    daemonHomeDir: string;
 }): CompanionPairingResult;
 /**
  * Build a CompanionConnectionInfo object from raw parameters.

package/dist/_internal/platform/pairing/companion-token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"companion-token.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/pairing/companion-token.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,mFAAmF;IACnF,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AA4CD;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,OAAO,CAAA;CAAE,GAC5E,sBAAsB,CAyBxB;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GACtD,sBAAsB,CAExB;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,OAAO,EAAE;IACpD,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,uBAAuB,CAS1B;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,uBAAuB,GAAG,MAAM,CAS7E"}
+{"version":3,"file":"companion-token.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/pairing/companion-token.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,mFAAmF;IACnF,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAyBD;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,OAAO,CAAA;CAAE,GACvD,sBAAsB,CA6BxB;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE;IAAE,aAAa,EAAE,MAAM,CAAA;CAAE,GACjC,sBAAsB,CAExB;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,OAAO,EAAE;IACpD,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,uBAAuB,CAS1B;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,uBAAuB,GAAG,MAAM,CAS7E"}

package/dist/_internal/platform/pairing/companion-token.js

@@ -1,5 +1,5 @@
 import { randomBytes } from 'node:crypto';
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 const TOKEN_PREFIX = 'gv_';
 function generateTokenValue() {
@@ -9,41 +9,25 @@ function generatePeerId() {
     return randomBytes(12).toString('hex');
 }
 /**
- * Resolve the token store path.
+ * Resolve the operator token store path.
  *
- * Resolution order (first match wins):
- *   1. daemonHomeDir — daemon-identity-scoped path (0.21.19+, recommended)
- *   2. basePath — workspace-scoped path (0.21.17–0.21.18 layout, legacy fallback)
- *   3. process.cwd() — absolute fallback
+ * The only valid location is <daemonHomeDir>/operator-tokens.json.
+ * Operator tokens are global (daemon-home scoped) since 0.21.28.
+ * No workspace-scoped fallback exists.
  *
- * Storing tokens under daemonHomeDir means workspace swaps never invalidate
- * paired companions — a token paired once works regardless of which working
- * directory the daemon is currently serving.
+ * @throws {Error} when daemonHomeDir is not provided — all callers must supply it.
  */
-function resolveSharedTokenPath(basePath, daemonHomeDir) {
-    if (daemonHomeDir) {
-        return join(daemonHomeDir, 'operator-tokens.json');
-    }
-    const base = basePath ?? process.cwd();
-    return join(base, '.goodvibes', 'operator-tokens.json');
+function resolveSharedTokenPath(daemonHomeDir) {
+    return join(daemonHomeDir, 'operator-tokens.json');
 }
 /**
- * Resolve the path to the companion token file.
- *
- * Always resolves to the shared workspace-level path regardless of surface,
- * so that tokens are portable across TUI-embedded and standalone daemon postures.
- *
- * @deprecated `surface` parameter is ignored; use {@link resolveSharedTokenPath} directly.
- */
-function resolveTokenPath(_surface, basePath, daemonHomeDir) {
-    return resolveSharedTokenPath(basePath, daemonHomeDir);
-}
-/**
- * Load the stored companion token for a surface, or generate and persist a new one.
+ * Load the stored companion token, or generate and persist a new one.
+ * Token is always written to <daemonHomeDir>/operator-tokens.json at mode 0600.
  */
 export function getOrCreateCompanionToken(surface, options) {
-    const tokenPath = resolveTokenPath(surface, options?.basePath, options?.daemonHomeDir);
-    if (!options?.regenerate && existsSync(tokenPath)) {
+    void surface; // surface parameter retained for API compatibility; token path is global
+    const tokenPath = resolveSharedTokenPath(options.daemonHomeDir);
+    if (!options.regenerate && existsSync(tokenPath)) {
         try {
             const raw = readFileSync(tokenPath, 'utf-8');
             const record = JSON.parse(raw);
@@ -60,12 +44,19 @@ export function getOrCreateCompanionToken(surface, options) {
         peerId: generatePeerId(),
         createdAt: Date.now(),
     };
-    mkdirSync(dirname(tokenPath), { recursive: true });
-    writeFileSync(tokenPath, JSON.stringify(record, null, 2), 'utf-8');
+    const dir = dirname(tokenPath);
+    mkdirSync(dir, { recursive: true });
+    // Write with mode 0600 (owner read/write only) and enforce after write
+    writeFileSync(tokenPath, JSON.stringify(record, null, 2), { encoding: 'utf-8', mode: 0o600 });
+    try {
+        chmodSync(tokenPath, 0o600);
+    }
+    catch { /* best-effort */ }
     return { token: record.token, peerId: record.peerId, createdAt: record.createdAt };
 }
 /**
- * Regenerate the companion token for a surface, replacing any existing token.
+ * Regenerate the companion token, replacing any existing token.
+ * Written to <daemonHomeDir>/operator-tokens.json at mode 0600.
  */
 export function regenerateCompanionToken(surface, options) {
     return getOrCreateCompanionToken(surface, { ...options, regenerate: true });

package/dist/_internal/platform/version.js

@@ -1,6 +1,6 @@
 import { readFileSync } from 'node:fs';
 import { join } from 'node:path';
-let version = '0.21.27';
+let version = '0.21.28';
 try {
     const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', '..', 'package.json'), 'utf-8'));
     version = pkg.version ?? version;

package/dist/_internal/platform/workspace/daemon-home.d.ts

@@ -18,7 +18,8 @@
  *   - If ~/.goodvibes/daemon/ does not exist:
  *     - ~/.goodvibes/tui/auth-users.json → ~/.goodvibes/daemon/auth-users.json
  *     - ~/.goodvibes/tui/auth-bootstrap.txt → ~/.goodvibes/daemon/auth-bootstrap.txt
- *     - <cwd>/.goodvibes/operator-tokens.json → ~/.goodvibes/daemon/operator-tokens.json (F3 revision)
+ *   - Operator tokens are global-only: read/written exclusively at
+ *     <daemonHomeDir>/operator-tokens.json. No workspace-scoped paths.
  *   - Old paths are left intact (never deleted) to avoid breaking older binaries.
  */
 import type { RuntimeEventBus } from '../runtime/events/index.js';
@@ -31,8 +32,6 @@ export interface DaemonHomeDirs {
 export interface DaemonHomeOptions {
     /** Value of --daemon-home CLI flag, if provided. */
     readonly daemonHomeArg?: string | undefined;
-    /** Current working directory, used as base for operator-tokens migration. */
-    readonly cwd?: string;
     /** Override process.env for testing. */
     readonly env?: NodeJS.ProcessEnv;
 }
@@ -48,14 +47,36 @@ export interface DaemonHomeMigrationDeps {
  * Resolve the daemon home directory from CLI flag, environment variable, or default.
  */
 export declare function resolveDaemonHomeDir(options?: DaemonHomeOptions): string;
+/**
+ * Returns the single canonical path for operator tokens.
+ * All reads and writes MUST use this path. No workspace-scoped fallback exists.
+ */
+export declare function resolveOperatorTokenPath(daemonHomeDir: string): string;
 /**
  * Run migration if the daemon home directory does not yet exist.
  * Creates the directory and copies identity files from legacy paths if found.
  * Old files are NOT deleted.
  *
+ * Operator tokens are NOT migrated from workspace-scoped paths — the global
+ * daemon-home path is canonical since 0.21.28. If tokens are missing,
+ * the first pairing operation will create them at the global path.
+ *
  * Returns `freshInstall: true` when migration ran, `false` when the dir already existed.
  */
 export declare function runDaemonHomeMigration(daemonHomeDir: string, options?: DaemonHomeOptions, deps?: DaemonHomeMigrationDeps): DaemonHomeDirs;
+/**
+ * Write operator tokens to the global daemon-home path with mode 0600.
+ * All token provisioning MUST go through this function.
+ *
+ * Uses a write-to-tmp-then-rename pattern for atomicity.
+ * Applies chmod 0600 after rename so the file is never world-readable.
+ */
+export declare function writeOperatorTokenFile(daemonHomeDir: string, content: string): void;
+/**
+ * Read operator tokens from the global daemon-home path.
+ * Returns undefined when the file does not exist or cannot be parsed.
+ */
+export declare function readOperatorTokenFile(daemonHomeDir: string): string | undefined;
 /**
  * Read a single key from daemon-settings.json, or return undefined if missing.
  */

package/dist/_internal/platform/workspace/daemon-home.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"daemon-home.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/workspace/daemon-home.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAOH,OAAO,KAAK,EAAE,eAAe,EAAwB,MAAM,4BAA4B,CAAC;AAOxF,MAAM,WAAW,cAAc;IAC7B,6EAA6E;IAC7E,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,iFAAiF;IACjF,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;CAChC;AAED,MAAM,WAAW,iBAAiB;IAChC,oDAAoD;IACpD,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5C,6EAA6E;IAC7E,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;CAClC;AAED;;;;GAIG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,UAAU,CAAC,EAAE,eAAe,CAAC;CACvC;AAMD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,iBAAsB,GAAG,MAAM,CAiB5E;AAMD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,aAAa,EAAE,MAAM,EACrB,OAAO,GAAE,iBAAsB,EAC/B,IAAI,GAAE,uBAA4B,GACjC,cAAc,CAoFhB;AAMD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAWxF;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAc1F"}
+{"version":3,"file":"daemon-home.d.ts","sourceRoot":"","sources":["../../../../src/_internal/platform/workspace/daemon-home.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAOH,OAAO,KAAK,EAAE,eAAe,EAAwB,MAAM,4BAA4B,CAAC;AAOxF,MAAM,WAAW,cAAc;IAC7B,6EAA6E;IAC7E,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,iFAAiF;IACjF,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;CAChC;AAED,MAAM,WAAW,iBAAiB;IAChC,oDAAoD;IACpD,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5C,wCAAwC;IACxC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;CAClC;AAED;;;;GAIG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,UAAU,CAAC,EAAE,eAAe,CAAC;CACvC;AAMD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,iBAAsB,GAAG,MAAM,CAiB5E;AAMD;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,CAEtE;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CACpC,aAAa,EAAE,MAAM,EACrB,OAAO,GAAE,iBAAsB,EAC/B,IAAI,GAAE,uBAA4B,GACjC,cAAc,CA+BhB;AAMD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CASnF;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAQ/E;AAMD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAWxF;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAc1F"}

package/dist/_internal/platform/workspace/daemon-home.js

@@ -18,10 +18,11 @@
  *   - If ~/.goodvibes/daemon/ does not exist:
  *     - ~/.goodvibes/tui/auth-users.json → ~/.goodvibes/daemon/auth-users.json
  *     - ~/.goodvibes/tui/auth-bootstrap.txt → ~/.goodvibes/daemon/auth-bootstrap.txt
- *     - <cwd>/.goodvibes/operator-tokens.json → ~/.goodvibes/daemon/operator-tokens.json (F3 revision)
+ *   - Operator tokens are global-only: read/written exclusively at
+ *     <daemonHomeDir>/operator-tokens.json. No workspace-scoped paths.
  *   - Old paths are left intact (never deleted) to avoid breaking older binaries.
  */
-import { existsSync, mkdirSync, copyFileSync, readFileSync, writeFileSync, renameSync, readdirSync } from 'node:fs';
+import { existsSync, mkdirSync, copyFileSync, readFileSync, writeFileSync, renameSync, chmodSync } from 'node:fs';
 import { join, isAbsolute, resolve, dirname } from 'node:path';
 import { homedir } from 'node:os';
 import { logger } from '../utils/logger.js';
@@ -49,6 +50,16 @@ export function resolveDaemonHomeDir(options = {}) {
     return join(homedir(), '.goodvibes', 'daemon');
 }
 // ---------------------------------------------------------------------------
+// Global operator token path
+// ---------------------------------------------------------------------------
+/**
+ * Returns the single canonical path for operator tokens.
+ * All reads and writes MUST use this path. No workspace-scoped fallback exists.
+ */
+export function resolveOperatorTokenPath(daemonHomeDir) {
+    return join(daemonHomeDir, 'operator-tokens.json');
+}
+// ---------------------------------------------------------------------------
 // One-time migration
 // ---------------------------------------------------------------------------
 /**
@@ -56,6 +67,10 @@ export function resolveDaemonHomeDir(options = {}) {
  * Creates the directory and copies identity files from legacy paths if found.
  * Old files are NOT deleted.
  *
+ * Operator tokens are NOT migrated from workspace-scoped paths — the global
+ * daemon-home path is canonical since 0.21.28. If tokens are missing,
+ * the first pairing operation will create them at the global path.
+ *
  * Returns `freshInstall: true` when migration ran, `false` when the dir already existed.
  */
 export function runDaemonHomeMigration(daemonHomeDir, options = {}, deps = {}) {
@@ -66,7 +81,6 @@ export function runDaemonHomeMigration(daemonHomeDir, options = {}, deps = {}) {
     // Create the daemon home directory tree
     mkdirSync(daemonHomeDir, { recursive: true });
     const userGoodVibesRoot = join(homedir(), '.goodvibes');
-    const cwd = options.cwd ?? process.cwd();
     // Migrate auth-users.json from tui surface path
     const legacyAuthUsers = join(userGoodVibesRoot, 'tui', 'auth-users.json');
     if (existsSync(legacyAuthUsers)) {
@@ -77,67 +91,52 @@ export function runDaemonHomeMigration(daemonHomeDir, options = {}, deps = {}) {
     if (existsSync(legacyBootstrap)) {
         safeCopy(legacyBootstrap, join(daemonHomeDir, 'auth-bootstrap.txt'));
     }
-    // Migrate operator-tokens.json — search multiple legacy paths (F3 revision).
-    // 0.21.17 used <cwd>/.goodvibes/operator-tokens.json (workspace-scoped).
-    // 0.21.16 and earlier used surface-scoped ~/.goodvibes/<surface>/companion-token.json.
-    // 0.21.19+ canonical path is <daemonHomeDir>/operator-tokens.json.
-    const destTokenPath = join(daemonHomeDir, 'operator-tokens.json');
-    if (!existsSync(destTokenPath)) {
-        // Priority 1: workspace-scoped path from 0.21.17
-        const legacyWorkspaceTokens = join(cwd, '.goodvibes', 'operator-tokens.json');
-        // Priority 2: surface-scoped legacy tokens from 0.21.16 and earlier
-        const legacySurfaceToken = join(userGoodVibesRoot, 'tui', 'companion-token.json');
-        // Priority 3: XDG data home if set
-        const xdgDataHome = options.env?.['XDG_DATA_HOME'];
-        const xdgToken = xdgDataHome ? join(xdgDataHome, 'goodvibes', 'operator-tokens.json') : null;
-        // Scan for any surface-scoped companion-token.json files under ~/.goodvibes/
-        const surfaceScopedTokens = [];
-        try {
-            const entries = readdirSync(userGoodVibesRoot, { withFileTypes: true });
-            for (const entry of entries) {
-                if (entry.isDirectory()) {
-                    const candidate = join(userGoodVibesRoot, entry.name, 'companion-token.json');
-                    if (existsSync(candidate))
-                        surfaceScopedTokens.push(candidate);
-                }
-            }
-        }
-        catch {
-            // Best-effort scan
-        }
-        const tokenSources = [
-            legacyWorkspaceTokens,
-            ...(xdgToken ? [xdgToken] : []),
-            legacySurfaceToken,
-            ...surfaceScopedTokens,
-        ];
-        for (const src of tokenSources) {
-            if (!existsSync(src))
-                continue;
-            // Validate JSON before copying — corrupt JSON must not be migrated.
-            try {
-                JSON.parse(readFileSync(src, 'utf-8'));
-            }
-            catch (parseErr) {
-                const reason = parseErr instanceof Error ? parseErr.message : String(parseErr);
-                logger.warn('daemon-home: skipping corrupt token file during migration', {
-                    sourcePath: src,
-                    reason,
-                });
-                _emitMigrationEvent(deps.runtimeBus, { type: 'WORKSPACE_IDENTITY_MIGRATION_FAILED', sourcePath: src, reason });
-                safeCopy(src, destTokenPath, { skipIfInvalid: true });
-                continue;
-            }
-            if (safeCopy(src, destTokenPath)) {
-                logger.info('daemon-home: migrated operator token', { from: src, to: destTokenPath });
-                _emitMigrationEvent(deps.runtimeBus, { type: 'WORKSPACE_IDENTITY_MIGRATED', from: src, to: destTokenPath });
-            }
-            break; // First valid source wins
-        }
-    }
+    // NOTE: Operator tokens are NOT migrated from legacy workspace-scoped paths.
+    // The canonical path is <daemonHomeDir>/operator-tokens.json (global, set at 0600).
+    // If no token file exists at the canonical path, the first pairing call will
+    // create it via getOrCreateCompanionToken (companion-token.ts).
+    void deps; // deps.runtimeBus reserved for future migration event emission
     return { daemonHomeDir, freshInstall: true };
 }
 // ---------------------------------------------------------------------------
+// Operator token file write (global-only, mode 0600)
+// ---------------------------------------------------------------------------
+/**
+ * Write operator tokens to the global daemon-home path with mode 0600.
+ * All token provisioning MUST go through this function.
+ *
+ * Uses a write-to-tmp-then-rename pattern for atomicity.
+ * Applies chmod 0600 after rename so the file is never world-readable.
+ */
+export function writeOperatorTokenFile(daemonHomeDir, content) {
+    const tokenPath = resolveOperatorTokenPath(daemonHomeDir);
+    mkdirSync(dirname(tokenPath), { recursive: true });
+    const tmpPath = tokenPath + '.tmp';
+    writeFileSync(tmpPath, content, { encoding: 'utf-8', mode: 0o600 });
+    chmodSync(tmpPath, 0o600);
+    renameSync(tmpPath, tokenPath);
+    // Apply chmod again after rename — some filesystems reset permissions on rename
+    try {
+        chmodSync(tokenPath, 0o600);
+    }
+    catch { /* best-effort */ }
+}
+/**
+ * Read operator tokens from the global daemon-home path.
+ * Returns undefined when the file does not exist or cannot be parsed.
+ */
+export function readOperatorTokenFile(daemonHomeDir) {
+    const tokenPath = resolveOperatorTokenPath(daemonHomeDir);
+    if (!existsSync(tokenPath))
+        return undefined;
+    try {
+        return readFileSync(tokenPath, 'utf-8');
+    }
+    catch {
+        return undefined;
+    }
+}
+// ---------------------------------------------------------------------------
 // Daemon settings persistence
 // ---------------------------------------------------------------------------
 /**
@@ -182,30 +181,11 @@ export function writeDaemonSetting(daemonHomeDir, key, value) {
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
-/**
- * Emit a workspace migration event on the runtime bus.
- * Never throws — bus emission must not interrupt migration.
- */
-function _emitMigrationEvent(bus, payload) {
-    if (!bus)
-        return;
-    try {
-        const envelope = createEventEnvelope(payload.type, payload, { sessionId: '', source: 'daemon-home-migration' });
-        bus.emit('workspace', 
-        // WorkspaceEvent discriminated-union member; single widening cast is safe.
-        envelope);
-    }
-    catch {
-        // Swallow — never let event emission break migration
-    }
-}
 /**
  * Copy src to dest. Returns true on success, false on failure.
  * Failures are logged at warn level. Never throws.
  */
-function safeCopy(src, dest, opts) {
-    if (opts?.skipIfInvalid)
-        return false;
+function safeCopy(src, dest) {
     try {
         copyFileSync(src, dest);
         return true;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pellux/goodvibes-sdk",
-  "version": "0.21.27",
+  "version": "0.21.28",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/mgd34msu/goodvibes-sdk.git"