@plosson/agentio 0.4.3 → 0.5.1

package/src/commands/status.ts

@@ -243,6 +243,7 @@ async function createServiceClient(
 interface ProfileStatus {
   service: string;
   profile: string;
+  readOnly?: boolean;
   status: 'ok' | 'invalid' | 'no-creds' | 'skipped';
   info?: string;
   error?: string;
@@ -265,13 +266,14 @@ export function registerStatusCommand(program: Command): void {
         const statuses: ProfileStatus[] = [];
 
         for (const { service, profiles } of allProfiles) {
-          for (const name of profiles) {
-            const credentials = await getCredentials(service, name);
+          for (const entry of profiles) {
+            const credentials = await getCredentials(service, entry.name);
 
             if (!credentials) {
               statuses.push({
                 service,
-                profile: name,
+                profile: entry.name,
+                readOnly: entry.readOnly,
                 status: 'no-creds',
               });
               continue;
@@ -280,13 +282,14 @@ export function registerStatusCommand(program: Command): void {
             if (options.test === false) {
               statuses.push({
                 service,
-                profile: name,
+                profile: entry.name,
+                readOnly: entry.readOnly,
                 status: 'skipped',
               });
               continue;
             }
 
-            const client = await createServiceClient(service, credentials, name);
+            const client = await createServiceClient(service, credentials, entry.name);
             let result: ValidationResult;
 
             if (client) {
@@ -297,7 +300,8 @@ export function registerStatusCommand(program: Command): void {
 
             statuses.push({
               service,
-              profile: name,
+              profile: entry.name,
+              readOnly: entry.readOnly,
               status: result.valid ? 'ok' : 'invalid',
               info: result.info,
               error: result.error,
@@ -344,7 +348,9 @@ export function registerStatusCommand(program: Command): void {
         // Print each profile on one line
         for (const s of statuses) {
           const servicePad = s.service.padEnd(serviceWidth);
-          const profilePad = s.profile.padEnd(profileWidth);
+          const readOnlyIndicator = s.readOnly ? ' [RO]' : '';
+          const profileWithRo = s.profile + readOnlyIndicator;
+          const profilePad = profileWithRo.padEnd(profileWidth + 5); // +5 for [RO]
 
           let statusStr: string;
           let details: string;

package/src/commands/telegram.ts

@@ -7,6 +7,7 @@ import { TelegramClient } from '../services/telegram/client';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin, prompt } from '../utils/stdin';
 import { getGatewayClient, isGatewayAvailable } from '../gateway/client';
+import { enforceWriteAccess } from '../utils/read-only';
 import {
   printInboxMessageList,
   printInboxMessage,
@@ -59,7 +60,8 @@ export function registerTelegramCommands(program: Command): void {
           sendOptions.disable_notification = true;
         }
 
-        const { client } = await getTelegramClient(options.profile);
+        const { client, profile } = await getTelegramClient(options.profile);
+        await enforceWriteAccess('telegram', profile, 'send message');
         const result = await client.sendMessage(text, sendOptions);
 
         console.log('Message sent');
@@ -81,6 +83,7 @@ export function registerTelegramCommands(program: Command): void {
     .command('add')
     .description('Add a new Telegram bot profile')
     .option('--profile <name>', 'Profile name (auto-detected from bot username if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('\nTelegram Bot Setup\n');
@@ -171,10 +174,13 @@ export function registerTelegramCommands(program: Command): void {
           channelName: channelName,
         };
 
-        await setProfile('telegram', profileName);
+        await setProfile('telegram', profileName, { readOnly: options.readOnly });
         await setCredentials('telegram', profileName, credentials);
 
         console.log(`\nProfile "${profileName}" configured!`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
         console.log(`   Test with: agentio telegram send --profile ${profileName} "Hello world"`);
       } catch (error) {
         handleError(error);
@@ -260,6 +266,11 @@ export function registerTelegramCommands(program: Command): void {
         }
 
         const client = await getGatewayClient();
+        // Get the inbox message to determine the profile for read-only check
+        const inboxMessage = await client.inboxGet(id);
+        if (inboxMessage) {
+          await enforceWriteAccess('telegram', inboxMessage.profile, 'reply to message');
+        }
         const result = await client.inboxReply(id, text);
         printInboxReplyResult(result);
       } catch (error) {
@@ -325,6 +336,7 @@ export function registerTelegramCommands(program: Command): void {
           else throw new CliError('INVALID_PARAMS', 'parse-mode must be "html" or "markdown"');
         }
 
+        await enforceWriteAccess('telegram', profileResult.profile, 'send message');
         const client = await getGatewayClient();
         const result = await client.outboxSend({
           service: 'telegram',

package/src/commands/whatsapp.ts

@@ -4,6 +4,7 @@ import { setProfile, resolveProfile, removeProfile } from '../config/config-mana
 import { CliError, handleError } from '../utils/errors';
 import { readStdin, prompt, confirm } from '../utils/stdin';
 import { getGatewayClient, isGatewayAvailable } from '../gateway/client';
+import { enforceWriteAccess } from '../utils/read-only';
 import {
   printInboxMessageList,
   printInboxMessage,
@@ -86,6 +87,7 @@ export function registerWhatsAppCommands(program: Command): void {
     .command('add')
     .description('Add a new WhatsApp profile and pair via QR code')
     .option('--profile <name>', 'Profile name')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('\nWhatsApp Profile Setup\n');
@@ -111,10 +113,13 @@ export function registerWhatsAppCommands(program: Command): void {
           paired: false,
         };
 
-        await setProfile('whatsapp', profileName);
+        await setProfile('whatsapp', profileName, { readOnly: options.readOnly });
         await setCredentials('whatsapp', profileName, credentials);
 
         console.log(`Profile "${profileName}" created.`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
 
         // Check if gateway is running
         const gatewayRunning = await isGatewayAvailable();
@@ -151,12 +156,13 @@ export function registerWhatsAppCommands(program: Command): void {
 
         console.log(`WhatsApp profiles (${profiles.length}):\n`);
 
-        for (const name of profiles) {
-          const creds = await getCredentials<WhatsAppCredentials>('whatsapp', name);
+        for (const entry of profiles) {
+          const creds = await getCredentials<WhatsAppCredentials>('whatsapp', entry.name);
           const status = creds?.paired ? 'paired' : 'not paired';
           const phone = creds?.phoneNumber ? ` (${creds.phoneNumber})` : '';
           const displayName = creds?.displayName ? ` - ${creds.displayName}` : '';
-          console.log(`  ${name}${phone}${displayName} [${status}]`);
+          const readOnlyIndicator = entry.readOnly ? ' [read-only]' : '';
+          console.log(`  ${entry.name}${readOnlyIndicator}${phone}${displayName} [${status}]`);
         }
       } catch (error) {
         handleError(error);
@@ -288,6 +294,11 @@ export function registerWhatsAppCommands(program: Command): void {
         }
 
         const client = await getGatewayClient();
+        // Get the inbox message to determine the profile for read-only check
+        const inboxMessage = await client.inboxGet(id);
+        if (inboxMessage) {
+          await enforceWriteAccess('whatsapp', inboxMessage.profile, 'reply to message');
+        }
         const result = await client.inboxReply(id, text);
         printInboxReplyResult(result);
       } catch (error) {
@@ -368,6 +379,7 @@ export function registerWhatsAppCommands(program: Command): void {
           }
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'send message');
         const client = await getGatewayClient();
 
         // Resolve destination
@@ -519,6 +531,7 @@ export function registerWhatsAppCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'At least one participant is required. Use --participants <phone...>');
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'create group');
         const client = await getGatewayClient();
         const group = await client.whatsappGroupCreate(
           profileResult.profile,
@@ -554,6 +567,7 @@ export function registerWhatsAppCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Provide --name, --description, or --picture to update.');
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'update group');
         const client = await getGatewayClient();
 
         // Resolve name to ID if needed
@@ -593,6 +607,7 @@ export function registerWhatsAppCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Multiple profiles exist. Use --profile to specify one.');
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'add participants');
         const client = await getGatewayClient();
 
         // Resolve name to ID if needed
@@ -637,6 +652,7 @@ export function registerWhatsAppCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Multiple profiles exist. Use --profile to specify one.');
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'remove participants');
         const client = await getGatewayClient();
 
         // Resolve name to ID if needed
@@ -681,6 +697,7 @@ export function registerWhatsAppCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Multiple profiles exist. Use --profile to specify one.');
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'promote participants');
         const client = await getGatewayClient();
 
         // Resolve name to ID if needed
@@ -725,6 +742,7 @@ export function registerWhatsAppCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Multiple profiles exist. Use --profile to specify one.');
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'demote participants');
         const client = await getGatewayClient();
 
         // Resolve name to ID if needed
@@ -768,6 +786,7 @@ export function registerWhatsAppCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Multiple profiles exist. Use --profile to specify one.');
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'leave group');
         const client = await getGatewayClient();
 
         // Resolve name to ID if needed
@@ -843,6 +862,7 @@ export function registerWhatsAppCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Multiple profiles exist. Use --profile to specify one.');
         }
 
+        await enforceWriteAccess('whatsapp', profileResult.profile, 'join group');
         const client = await getGatewayClient();
         const groupId = await client.whatsappGroupJoin(profileResult.profile, code);
         printWhatsAppGroupJoined(groupId);

package/src/config/config-manager.ts

@@ -2,12 +2,26 @@ import { homedir } from 'os';
 import { join } from 'path';
 import { mkdir, readFile, writeFile } from 'fs/promises';
 import { existsSync } from 'fs';
-import type { Config, ServiceName } from '../types/config';
+import type { Config, ServiceName, ProfileEntry, ProfileValue } from '../types/config';
 
 const CONFIG_DIR = join(homedir(), '.config', 'agentio');
 const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
 
-const ALL_SERVICES: ServiceName[] = ['gdocs', 'gdrive', 'gmail', 'gchat', 'github', 'jira', 'slack', 'telegram', 'whatsapp', 'discourse', 'sql'];
+const ALL_SERVICES: ServiceName[] = ['gdocs', 'gdrive', 'gmail', 'gcal', 'gtasks', 'gchat', 'gsheets', 'github', 'jira', 'slack', 'telegram', 'whatsapp', 'discourse', 'sql'];
+
+/**
+ * Normalize a profile value to ProfileEntry format
+ */
+function normalizeProfile(entry: ProfileValue): ProfileEntry {
+  return typeof entry === 'string' ? { name: entry } : entry;
+}
+
+/**
+ * Get the profile name from a ProfileValue
+ */
+function getProfileName(entry: ProfileValue): string {
+  return typeof entry === 'string' ? entry : entry.name;
+}
 
 const DEFAULT_CONFIG: Config = {
   profiles: {},
@@ -54,7 +68,8 @@ export async function getProfile(
   const config = await loadConfig();
 
   const serviceProfiles = config.profiles[service] || [];
-  if (!serviceProfiles.includes(profileName)) {
+  const found = serviceProfiles.find((p) => getProfileName(p) === profileName);
+  if (!found) {
     return null;
   }
 
@@ -66,20 +81,23 @@ export async function getProfile(
  * - If profileName is provided, validates it exists
  * - If not provided and exactly 1 profile exists, returns that profile
  * - Returns null if no profiles exist or if multiple profiles exist without explicit selection
+ * - Also returns the readOnly status of the resolved profile
  */
 export async function resolveProfile(
   service: ServiceName,
   profileName?: string
-): Promise<{ profile: string | null; error?: 'none' | 'multiple' }> {
+): Promise<{ profile: string | null; readOnly?: boolean; error?: 'none' | 'multiple' }> {
   const config = await loadConfig();
   const serviceProfiles = config.profiles[service] || [];
 
   if (profileName) {
     // Explicit profile requested - validate it exists
-    if (!serviceProfiles.includes(profileName)) {
+    const found = serviceProfiles.find((p) => getProfileName(p) === profileName);
+    if (!found) {
       return { profile: null };
     }
-    return { profile: profileName };
+    const entry = normalizeProfile(found);
+    return { profile: entry.name, readOnly: entry.readOnly };
   }
 
   // No profile specified - check if we can auto-select
@@ -88,16 +106,22 @@ export async function resolveProfile(
   }
 
   if (serviceProfiles.length === 1) {
-    return { profile: serviceProfiles[0] };
+    const entry = normalizeProfile(serviceProfiles[0]);
+    return { profile: entry.name, readOnly: entry.readOnly };
   }
 
   // Multiple profiles exist - user must specify
   return { profile: null, error: 'multiple' };
 }
 
+export interface SetProfileOptions {
+  readOnly?: boolean;
+}
+
 export async function setProfile(
   service: ServiceName,
-  profileName: string
+  profileName: string,
+  options?: SetProfileOptions
 ): Promise<void> {
   const config = await loadConfig();
 
@@ -105,8 +129,20 @@ export async function setProfile(
     config.profiles[service] = [];
   }
 
-  if (!config.profiles[service]!.includes(profileName)) {
-    config.profiles[service]!.push(profileName);
+  const existingIndex = config.profiles[service]!.findIndex(
+    (p) => getProfileName(p) === profileName
+  );
+
+  const entry: ProfileEntry = {
+    name: profileName,
+    ...(options?.readOnly ? { readOnly: true } : {}),
+  };
+
+  if (existingIndex === -1) {
+    config.profiles[service]!.push(entry);
+  } else {
+    // Update existing profile
+    config.profiles[service]![existingIndex] = entry;
   }
 
   await saveConfig(config);
@@ -119,11 +155,18 @@ export async function removeProfile(
   const config = await loadConfig();
 
   const serviceProfiles = config.profiles[service];
-  if (!serviceProfiles || !serviceProfiles.includes(profileName)) {
+  if (!serviceProfiles) {
+    return false;
+  }
+
+  const found = serviceProfiles.find((p) => getProfileName(p) === profileName);
+  if (!found) {
     return false;
   }
 
-  config.profiles[service] = serviceProfiles.filter((p) => p !== profileName);
+  config.profiles[service] = serviceProfiles.filter(
+    (p) => getProfileName(p) !== profileName
+  );
 
   await saveConfig(config);
   return true;
@@ -131,14 +174,14 @@ export async function removeProfile(
 
 export async function listProfiles(service?: ServiceName): Promise<{
   service: ServiceName;
-  profiles: string[];
+  profiles: ProfileEntry[];
 }[]> {
   const config = await loadConfig();
   const services = service ? [service] : ALL_SERVICES;
 
   return services.map((svc) => ({
     service: svc,
-    profiles: config.profiles[svc] || [],
+    profiles: (config.profiles[svc] || []).map(normalizeProfile),
   }));
 }
 
@@ -171,4 +214,51 @@ export async function listEnv(): Promise<Record<string, string>> {
   return config.env || {};
 }
 
+/**
+ * Check if a profile is read-only
+ */
+export async function isProfileReadOnly(
+  service: ServiceName,
+  profileName: string
+): Promise<boolean> {
+  const config = await loadConfig();
+  const serviceProfiles = config.profiles[service] || [];
+  const found = serviceProfiles.find((p) => getProfileName(p) === profileName);
+  if (!found) {
+    return false;
+  }
+  return normalizeProfile(found).readOnly === true;
+}
+
+/**
+ * Set the read-only status of a profile
+ */
+export async function setProfileReadOnly(
+  service: ServiceName,
+  profileName: string,
+  readOnly: boolean
+): Promise<boolean> {
+  const config = await loadConfig();
+  const serviceProfiles = config.profiles[service];
+  if (!serviceProfiles) {
+    return false;
+  }
+
+  const index = serviceProfiles.findIndex((p) => getProfileName(p) === profileName);
+  if (index === -1) {
+    return false;
+  }
+
+  const entry = normalizeProfile(serviceProfiles[index]);
+  if (readOnly) {
+    entry.readOnly = true;
+  } else {
+    delete entry.readOnly;
+  }
+  serviceProfiles[index] = entry;
+
+  await saveConfig(config);
+  return true;
+}
+
 export { CONFIG_DIR, CONFIG_FILE };

package/src/gateway/api.ts

@@ -56,7 +56,7 @@ import type { ServiceAdapter } from './adapters/types';
 import type { WhatsAppAdapter } from './adapters/whatsapp';
 
 let server: Server<unknown> | null = null;
-let apiSecret: string = '';
+let apiKey: string = '';
 let startTime: number = 0;
 let adapters: Map<ServiceName, ServiceAdapter> = new Map();
 
@@ -81,16 +81,13 @@ function jsonResponse<T>(data: T, status: number = 200): Response {
 }
 
 /**
- * Verify authorization header
+ * Verify X-API-Key header
  */
 function verifyAuth(request: Request): boolean {
-  if (!apiSecret) return true; // No auth configured
+  if (!apiKey) return true; // No auth configured
 
-  const authHeader = request.headers.get('Authorization');
-  if (!authHeader) return false;
-
-  const [type, token] = authHeader.split(' ');
-  return type === 'Bearer' && token === apiSecret;
+  const key = request.headers.get('X-API-Key');
+  return key === apiKey;
 }
 
 /**
@@ -756,10 +753,10 @@ async function handleRequest(request: Request): Promise<Response> {
 /**
  * Start the API server
  */
-export function startApiServer(config: GatewayConfig['api'], serviceAdapters: Map<ServiceName, ServiceAdapter>): Server<unknown> {
-  const port = config?.port ?? DEFAULT_GATEWAY_CONFIG.api.port;
-  const host = config?.host ?? DEFAULT_GATEWAY_CONFIG.api.host;
-  apiSecret = config?.secret ?? '';
+export function startApiServer(config: GatewayConfig, serviceAdapters: Map<ServiceName, ServiceAdapter>): Server<unknown> {
+  const port = config?.server?.port ?? DEFAULT_GATEWAY_CONFIG.server.port;
+  const host = config?.server?.host ?? DEFAULT_GATEWAY_CONFIG.server.host;
+  apiKey = config?.apiKey ?? '';
   startTime = Date.now();
   adapters = serviceAdapters;
 

package/src/gateway/client.ts

@@ -49,20 +49,20 @@ import type {
 } from './types';
 import type { WhatsAppGroup, WhatsAppParticipantAction } from '../types/whatsapp';
 
-let cachedConfig: { url: string; secret: string } | null = null;
+let cachedConfig: { url: string; apiKey: string } | null = null;
 
 /**
- * Get gateway URL and secret from config or environment
+ * Get gateway URL and API key from config or environment
  */
-async function getGatewayConnection(): Promise<{ url: string; secret: string }> {
+async function getGatewayConnection(): Promise<{ url: string; apiKey: string }> {
   if (cachedConfig) return cachedConfig;
 
   // Check environment variables first
   const envUrl = process.env.AGENTIO_GATEWAY_URL || await getEnv('AGENTIO_GATEWAY_URL');
-  const envSecret = process.env.AGENTIO_GATEWAY_SECRET || await getEnv('AGENTIO_GATEWAY_SECRET');
+  const envApiKey = process.env.AGENTIO_GATEWAY_API_KEY || await getEnv('AGENTIO_GATEWAY_API_KEY');
 
   if (envUrl) {
-    cachedConfig = { url: envUrl, secret: envSecret || '' };
+    cachedConfig = { url: envUrl, apiKey: envApiKey || '' };
     return cachedConfig;
   }
 
@@ -70,16 +70,19 @@ async function getGatewayConnection(): Promise<{ url: string; secret: string }>
   const config = await loadConfig() as unknown as { gateway?: GatewayConfig };
   const gatewayConfig = config.gateway;
 
-  if (!gatewayConfig?.api) {
-    throw new CliError('CONFIG_ERROR', 'Gateway not configured', 'Set AGENTIO_GATEWAY_URL or configure gateway in config');
+  // Priority: apiUrl > construct from server host:port
+  if (gatewayConfig?.apiUrl) {
+    cachedConfig = { url: gatewayConfig.apiUrl, apiKey: gatewayConfig.apiKey ?? '' };
+    return cachedConfig;
   }
 
-  const host = gatewayConfig.api.host ?? '127.0.0.1';
-  const port = gatewayConfig.api.port ?? 7890;
+  // Fallback for local gateway (construct URL from server host:port)
+  const host = gatewayConfig?.server?.host ?? '127.0.0.1';
+  const port = gatewayConfig?.server?.port ?? 7890;
   const url = `http://${host}:${port}`;
-  const secret = gatewayConfig.api.secret ?? '';
+  const apiKey = gatewayConfig?.apiKey ?? '';
 
-  cachedConfig = { url, secret };
+  cachedConfig = { url, apiKey };
   return cachedConfig;
 }
 
@@ -87,14 +90,14 @@ async function getGatewayConnection(): Promise<{ url: string; secret: string }>
  * Make a request to the gateway API
  */
 async function request<T>(method: string, endpoint: string, body?: unknown): Promise<T> {
-  const { url, secret } = await getGatewayConnection();
+  const { url, apiKey } = await getGatewayConnection();
 
   const headers: Record<string, string> = {
     'Content-Type': 'application/json',
   };
 
-  if (secret) {
-    headers['Authorization'] = `Bearer ${secret}`;
+  if (apiKey) {
+    headers['X-API-Key'] = apiKey;
   }
 
   try {
@@ -106,7 +109,7 @@ async function request<T>(method: string, endpoint: string, body?: unknown): Pro
 
     if (!response.ok) {
       if (response.status === 401) {
-        throw new CliError('AUTH_FAILED', 'Gateway authentication failed', 'Check AGENTIO_GATEWAY_SECRET');
+        throw new CliError('AUTH_FAILED', 'Gateway authentication failed', 'Check AGENTIO_GATEWAY_API_KEY');
       }
 
       const errorData = await response.json().catch(() => ({})) as { error?: string };