@poncho-ai/cli 0.4.2 → 0.5.1

package/src/index.ts

@@ -830,11 +830,30 @@ export const createRequestHandler = async (options?: {
   const conversationStore = createConversationStore(resolveStateConfig(config), { workingDir });
   const sessionStore = new SessionStore();
   const loginRateLimiter = new LoginRateLimiter();
-  const passphrase = process.env.AGENT_UI_PASSPHRASE ?? "";
+
+  // Unified authentication using PONCHO_AUTH_TOKEN for both Web UI and API
+  const authToken = process.env.PONCHO_AUTH_TOKEN ?? "";
+  const authRequired = config?.auth?.required ?? false;
+  const requireAuth = authRequired && authToken.length > 0;
+
   const isProduction = resolveHarnessEnvironment() === "production";
-  const requireUiAuth = passphrase.length > 0;
   const secureCookies = isProduction;
 
+  // Helper to extract and validate Bearer token from Authorization header
+  const validateBearerToken = (authHeader: string | string[] | undefined): boolean => {
+    if (!requireAuth || !authToken) {
+      return true; // No auth required
+    }
+    if (!authHeader || typeof authHeader !== "string") {
+      return false;
+    }
+    const match = authHeader.match(/^Bearer\s+(.+)$/i);
+    if (!match || !match[1]) {
+      return false;
+    }
+    return verifyPassphrase(match[1], authToken);
+  };
+
   return async (request: IncomingMessage, response: ServerResponse) => {
     if (!request.url || !request.method) {
       writeJson(response, 404, { error: "Not found" });
@@ -888,7 +907,7 @@ export const createRequestHandler = async (options?: {
       request.method !== "GET" && request.method !== "HEAD" && request.method !== "OPTIONS";
 
     if (pathname === "/api/auth/session" && request.method === "GET") {
-      if (!requireUiAuth) {
+      if (!requireAuth) {
         writeJson(response, 200, { authenticated: true, csrfToken: "" });
         return;
       }
@@ -906,7 +925,7 @@ export const createRequestHandler = async (options?: {
     }
 
     if (pathname === "/api/auth/login" && request.method === "POST") {
-      if (!requireUiAuth) {
+      if (!requireAuth) {
         writeJson(response, 200, { authenticated: true, csrfToken: "" });
         return;
       }
@@ -922,7 +941,7 @@ export const createRequestHandler = async (options?: {
       }
       const body = (await readRequestBody(request)) as { passphrase?: string };
       const provided = body.passphrase ?? "";
-      if (!verifyPassphrase(provided, passphrase)) {
+      if (!verifyPassphrase(provided, authToken)) {
         const failure = loginRateLimiter.registerFailure(ip);
         writeJson(response, 401, {
           code: "AUTH_ERROR",
@@ -963,15 +982,23 @@ export const createRequestHandler = async (options?: {
     }
 
     if (pathname.startsWith("/api/")) {
-      if (requireUiAuth && !session) {
+      // Check authentication: either valid session (Web UI) or valid Bearer token (API)
+      const hasBearerToken = request.headers.authorization?.startsWith("Bearer ");
+      const isAuthenticated = !requireAuth || session || validateBearerToken(request.headers.authorization);
+
+      if (!isAuthenticated) {
         writeJson(response, 401, {
           code: "AUTH_ERROR",
           message: "Authentication required",
         });
         return;
       }
+
+      // CSRF validation only for session-based requests (not Bearer token requests)
       if (
-        requireUiAuth &&
+        requireAuth &&
+        session &&
+        !hasBearerToken &&
         requiresCsrfValidation &&
         pathname !== "/api/auth/login" &&
         request.headers["x-csrf-token"] !== session?.csrfToken
@@ -1090,6 +1117,9 @@ export const createRequestHandler = async (options?: {
       let latestRunId = conversation.runtimeRunId ?? "";
       let assistantResponse = "";
       const toolTimeline: string[] = [];
+      const sections: Array<{ type: "text" | "tools"; content: string | string[] }> = [];
+      let currentText = "";
+      let currentTools: string[] = [];
       try {
         const recallCorpus = (await conversationStore.list(ownerId))
           .filter((item) => item.conversationId !== conversationId)
@@ -1106,7 +1136,7 @@ export const createRequestHandler = async (options?: {
           }))
           .filter((item) => item.content.length > 0);
 
-        for await (const event of harness.run({
+        for await (const event of harness.runWithTelemetry({
           task: messageText,
           parameters: {
             ...(body.parameters ?? {}),
@@ -1119,25 +1149,48 @@ export const createRequestHandler = async (options?: {
             latestRunId = event.runId;
           }
           if (event.type === "model:chunk") {
+            // If we have tools accumulated and text starts again, push tools as a section
+            if (currentTools.length > 0) {
+              sections.push({ type: "tools", content: currentTools });
+              currentTools = [];
+            }
             assistantResponse += event.content;
+            currentText += event.content;
           }
           if (event.type === "tool:started") {
-            toolTimeline.push(`- start \`${event.tool}\``);
+            // If we have text accumulated, push it as a text section
+            if (currentText.length > 0) {
+              sections.push({ type: "text", content: currentText });
+              currentText = "";
+            }
+            const toolText = `- start \`${event.tool}\``;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           }
           if (event.type === "tool:completed") {
-            toolTimeline.push(`- done \`${event.tool}\` (${event.duration}ms)`);
+            const toolText = `- done \`${event.tool}\` (${event.duration}ms)`;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           }
           if (event.type === "tool:error") {
-            toolTimeline.push(`- error \`${event.tool}\`: ${event.error}`);
+            const toolText = `- error \`${event.tool}\`: ${event.error}`;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           }
           if (event.type === "tool:approval:required") {
-            toolTimeline.push(`- approval required \`${event.tool}\``);
+            const toolText = `- approval required \`${event.tool}\``;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           }
           if (event.type === "tool:approval:granted") {
-            toolTimeline.push(`- approval granted (${event.approvalId})`);
+            const toolText = `- approval granted (${event.approvalId})`;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           }
           if (event.type === "tool:approval:denied") {
-            toolTimeline.push(`- approval denied (${event.approvalId})`);
+            const toolText = `- approval denied (${event.approvalId})`;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           }
           if (
             event.type === "run:completed" &&
@@ -1149,6 +1202,13 @@ export const createRequestHandler = async (options?: {
           await telemetry.emit(event);
           response.write(formatSseEvent(event));
         }
+        // Finalize sections
+        if (currentTools.length > 0) {
+          sections.push({ type: "tools", content: currentTools });
+        }
+        if (currentText.length > 0) {
+          sections.push({ type: "text", content: currentText });
+        }
         conversation.messages = [
           ...conversation.messages,
           { role: "user", content: messageText },
@@ -1156,8 +1216,11 @@ export const createRequestHandler = async (options?: {
             role: "assistant",
             content: assistantResponse,
             metadata:
-              toolTimeline.length > 0
-                ? ({ toolActivity: toolTimeline } as Message["metadata"])
+              toolTimeline.length > 0 || sections.length > 0
+                ? ({
+                    toolActivity: toolTimeline,
+                    sections: sections.length > 0 ? sections : undefined,
+                  } as Message["metadata"])
                 : undefined,
           },
         ];
@@ -1246,7 +1309,7 @@ export const runOnce = async (
     return;
   }
 
-  for await (const event of harness.run(input)) {
+  for await (const event of harness.runWithTelemetry(input)) {
     await telemetry.emit(event);
     if (event.type === "model:chunk") {
       process.stdout.write(event.content);

package/src/init-onboarding.ts

@@ -441,11 +441,12 @@ const collectEnvFileLines = (answers: OnboardingAnswers): string[] => {
     (answers["auth.type"] as "bearer" | "header" | "custom" | undefined) ?? "bearer";
   const authHeaderName = String(answers["auth.headerName"] ?? "x-poncho-key");
   if (authRequired) {
-    lines.push("# Auth (API request authentication)");
+    lines.push("# Auth (protects both Web UI and API)");
+    lines.push("# Web UI: enter this token as the passphrase");
     if (authType === "bearer") {
-      lines.push("# Requests should include: Authorization: Bearer <token>");
+      lines.push("# API: include Authorization: Bearer <token> header");
     } else if (authType === "header") {
-      lines.push(`# Requests should include: ${authHeaderName}: <token>`);
+      lines.push(`# API: include ${authHeaderName}: <token> header`);
     } else {
       lines.push("# Custom auth mode: read this token in your auth.validate function.");
     }

package/src/run-interactive-ink.ts

@@ -443,6 +443,9 @@ export const runInteractiveInk = async ({
     let sawChunk = false;
     let toolEvents = 0;
     const toolTimeline: string[] = [];
+    const sections: Array<{ type: "text" | "tools"; content: string | string[] }> = [];
+    let currentText = "";
+    let currentTools: string[] = [];
     let runFailed = false;
     let usage: TokenUsage | undefined;
     let latestRunId = "";
@@ -459,8 +462,14 @@ export const runInteractiveInk = async ({
         }
         if (event.type === "model:chunk") {
           sawChunk = true;
+          // If we have tools accumulated and text starts again, push tools as a section
+          if (currentTools.length > 0) {
+            sections.push({ type: "tools", content: currentTools });
+            currentTools = [];
+          }
           responseText += event.content;
           streamedText += event.content;
+          currentText += event.content;
 
           if (!thinkingCleared) {
             clearThinking();
@@ -485,11 +494,18 @@ export const runInteractiveInk = async ({
           clearThinking();
 
           if (event.type === "tool:started") {
+            // If we have text accumulated, push it as a text section
+            if (currentText.length > 0) {
+              sections.push({ type: "text", content: currentText });
+              currentText = "";
+            }
             const preview = showToolPayloads
               ? compactPreview(event.input, 400)
               : compactPreview(event.input, 100);
             console.log(yellow(`tools> start ${event.tool} input=${preview}`));
-            toolTimeline.push(`- start \`${event.tool}\``);
+            const toolText = `- start \`${event.tool}\``;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
             toolEvents += 1;
           } else if (event.type === "tool:completed") {
             const preview = showToolPayloads
@@ -503,29 +519,37 @@ export const runInteractiveInk = async ({
             if (showToolPayloads) {
               console.log(yellow(`tools> output ${preview}`));
             }
-            toolTimeline.push(
-              `- done \`${event.tool}\` in ${formatDuration(event.duration)}`,
-            );
+            const toolText = `- done \`${event.tool}\` in ${formatDuration(event.duration)}`;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           } else if (event.type === "tool:error") {
             console.log(
               red(`tools> error ${event.tool}: ${event.error}`),
             );
-            toolTimeline.push(`- error \`${event.tool}\`: ${event.error}`);
+            const toolText = `- error \`${event.tool}\`: ${event.error}`;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           } else if (event.type === "tool:approval:required") {
             console.log(
               magenta(`tools> approval required for ${event.tool}`),
             );
-            toolTimeline.push(`- approval required \`${event.tool}\``);
+            const toolText = `- approval required \`${event.tool}\``;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           } else if (event.type === "tool:approval:granted") {
             console.log(
               gray(`tools> approval granted (${event.approvalId})`),
             );
-            toolTimeline.push(`- approval granted (${event.approvalId})`);
+            const toolText = `- approval granted (${event.approvalId})`;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           } else if (event.type === "tool:approval:denied") {
             console.log(
               magenta(`tools> approval denied (${event.approvalId})`),
             );
-            toolTimeline.push(`- approval denied (${event.approvalId})`);
+            const toolText = `- approval denied (${event.approvalId})`;
+            toolTimeline.push(toolText);
+            currentTools.push(toolText);
           }
         } else if (event.type === "run:error") {
           clearThinking();
@@ -588,13 +612,24 @@ export const runInteractiveInk = async ({
       activeConversationId = created.conversationId;
     }
 
+    // Finalize sections
+    if (currentTools.length > 0) {
+      sections.push({ type: "tools", content: currentTools });
+    }
+    if (currentText.length > 0) {
+      sections.push({ type: "text", content: currentText });
+    }
+
     messages.push({ role: "user", content: trimmed });
     messages.push({
       role: "assistant",
       content: responseText,
       metadata:
-        toolTimeline.length > 0
-          ? ({ toolActivity: toolTimeline } as Message["metadata"])
+        toolTimeline.length > 0 || sections.length > 0
+          ? ({
+              toolActivity: toolTimeline,
+              sections: sections.length > 0 ? sections : undefined,
+            } as Message["metadata"])
           : undefined,
     });
     turn = computeTurn(messages);