@poolzin/pool-bot 2026.2.24 → 2026.2.26

package/dist/infra/device-pairing.js

@@ -1,85 +1,28 @@
 import { randomUUID } from "node:crypto";
-import fs from "node:fs/promises";
-import path from "node:path";
-import { resolveStateDir } from "../config/paths.js";
+import { normalizeDeviceAuthScopes } from "../shared/device-auth.js";
+import { roleScopesAllow } from "../shared/operator-scope-compat.js";
+import { createAsyncLock, pruneExpiredPending, readJsonFile, resolvePairingPaths, writeJsonAtomic, } from "./pairing-files.js";
+import { generatePairingToken, verifyPairingToken } from "./pairing-token.js";
 const PENDING_TTL_MS = 5 * 60 * 1000;
-function resolvePaths(baseDir) {
-    const root = baseDir ?? resolveStateDir();
-    const dir = path.join(root, "devices");
-    return {
-        dir,
-        pendingPath: path.join(dir, "pending.json"),
-        pairedPath: path.join(dir, "paired.json"),
-    };
-}
-async function readJSON(filePath) {
-    try {
-        const raw = await fs.readFile(filePath, "utf8");
-        return JSON.parse(raw);
-    }
-    catch {
-        return null;
-    }
-}
-async function writeJSONAtomic(filePath, value) {
-    const dir = path.dirname(filePath);
-    await fs.mkdir(dir, { recursive: true });
-    const tmp = `${filePath}.${randomUUID()}.tmp`;
-    await fs.writeFile(tmp, JSON.stringify(value, null, 2), "utf8");
-    try {
-        await fs.chmod(tmp, 0o600);
-    }
-    catch {
-        // best-effort
-    }
-    await fs.rename(tmp, filePath);
-    try {
-        await fs.chmod(filePath, 0o600);
-    }
-    catch {
-        // best-effort
-    }
-}
-function pruneExpiredPending(pendingById, nowMs) {
-    for (const [id, req] of Object.entries(pendingById)) {
-        if (nowMs - req.ts > PENDING_TTL_MS) {
-            delete pendingById[id];
-        }
-    }
-}
-let lock = Promise.resolve();
-async function withLock(fn) {
-    const prev = lock;
-    let release;
-    lock = new Promise((resolve) => {
-        release = resolve;
-    });
-    await prev;
-    try {
-        return await fn();
-    }
-    finally {
-        release?.();
-    }
-}
+const withLock = createAsyncLock();
 async function loadState(baseDir) {
-    const { pendingPath, pairedPath } = resolvePaths(baseDir);
+    const { pendingPath, pairedPath } = resolvePairingPaths(baseDir, "devices");
     const [pending, paired] = await Promise.all([
-        readJSON(pendingPath),
-        readJSON(pairedPath),
+        readJsonFile(pendingPath),
+        readJsonFile(pairedPath),
     ]);
     const state = {
         pendingById: pending ?? {},
         pairedByDeviceId: paired ?? {},
     };
-    pruneExpiredPending(state.pendingById, Date.now());
+    pruneExpiredPending(state.pendingById, Date.now(), PENDING_TTL_MS);
     return state;
 }
 async function persistState(state, baseDir) {
-    const { pendingPath, pairedPath } = resolvePaths(baseDir);
+    const { pendingPath, pairedPath } = resolvePairingPaths(baseDir, "devices");
     await Promise.all([
-        writeJSONAtomic(pendingPath, state.pendingById),
-        writeJSONAtomic(pairedPath, state.pairedByDeviceId),
+        writeJsonAtomic(pendingPath, state.pendingById),
+        writeJsonAtomic(pairedPath, state.pairedByDeviceId),
     ]);
 }
 function normalizeDeviceId(deviceId) {
@@ -92,66 +35,124 @@ function normalizeRole(role) {
 function mergeRoles(...items) {
     const roles = new Set();
     for (const item of items) {
-        if (!item)
+        if (!item) {
             continue;
+        }
         if (Array.isArray(item)) {
             for (const role of item) {
                 const trimmed = role.trim();
-                if (trimmed)
+                if (trimmed) {
                     roles.add(trimmed);
+                }
             }
         }
         else {
             const trimmed = item.trim();
-            if (trimmed)
+            if (trimmed) {
                 roles.add(trimmed);
+            }
         }
     }
-    if (roles.size === 0)
+    if (roles.size === 0) {
         return undefined;
+    }
     return [...roles];
 }
 function mergeScopes(...items) {
     const scopes = new Set();
     for (const item of items) {
-        if (!item)
+        if (!item) {
             continue;
+        }
         for (const scope of item) {
             const trimmed = scope.trim();
-            if (trimmed)
+            if (trimmed) {
                 scopes.add(trimmed);
+            }
         }
     }
-    if (scopes.size === 0)
+    if (scopes.size === 0) {
         return undefined;
+    }
     return [...scopes];
 }
-function normalizeScopes(scopes) {
-    if (!Array.isArray(scopes))
-        return [];
-    const out = new Set();
-    for (const scope of scopes) {
-        const trimmed = scope.trim();
-        if (trimmed)
-            out.add(trimmed);
-    }
-    return [...out].sort();
+function mergePendingDevicePairingRequest(existing, incoming, isRepair) {
+    const existingRole = normalizeRole(existing.role);
+    const incomingRole = normalizeRole(incoming.role);
+    return {
+        ...existing,
+        displayName: incoming.displayName ?? existing.displayName,
+        platform: incoming.platform ?? existing.platform,
+        clientId: incoming.clientId ?? existing.clientId,
+        clientMode: incoming.clientMode ?? existing.clientMode,
+        role: existingRole ?? incomingRole ?? undefined,
+        roles: mergeRoles(existing.roles, existing.role, incoming.role),
+        scopes: mergeScopes(existing.scopes, incoming.scopes),
+        remoteIp: incoming.remoteIp ?? existing.remoteIp,
+        // If either request is interactive, keep the pending request visible for approval.
+        silent: Boolean(existing.silent && incoming.silent),
+        isRepair: existing.isRepair || isRepair,
+        ts: Date.now(),
+    };
 }
 function scopesAllow(requested, allowed) {
-    if (requested.length === 0)
+    if (requested.length === 0) {
         return true;
-    if (allowed.length === 0)
+    }
+    if (allowed.length === 0) {
         return false;
+    }
     const allowedSet = new Set(allowed);
     return requested.every((scope) => allowedSet.has(scope));
 }
+const DEVICE_SCOPE_IMPLICATIONS = {
+    "operator.admin": ["operator.read", "operator.write", "operator.approvals", "operator.pairing"],
+    "operator.write": ["operator.read"],
+};
+function expandScopeImplications(scopes) {
+    const expanded = new Set(scopes);
+    const queue = [...scopes];
+    while (queue.length > 0) {
+        const scope = queue.pop();
+        if (!scope) {
+            continue;
+        }
+        for (const impliedScope of DEVICE_SCOPE_IMPLICATIONS[scope] ?? []) {
+            if (!expanded.has(impliedScope)) {
+                expanded.add(impliedScope);
+                queue.push(impliedScope);
+            }
+        }
+    }
+    return [...expanded];
+}
+function scopesAllowWithImplications(requested, allowed) {
+    return scopesAllow(expandScopeImplications(requested), expandScopeImplications(allowed));
+}
 function newToken() {
-    return randomUUID().replaceAll("-", "");
+    return generatePairingToken();
+}
+function getPairedDeviceFromState(state, deviceId) {
+    return state.pairedByDeviceId[normalizeDeviceId(deviceId)] ?? null;
+}
+function cloneDeviceTokens(device) {
+    return device.tokens ? { ...device.tokens } : {};
+}
+function buildDeviceAuthToken(params) {
+    return {
+        token: newToken(),
+        role: params.role,
+        scopes: params.scopes,
+        createdAtMs: params.existing?.createdAtMs ?? params.now,
+        rotatedAtMs: params.rotatedAtMs,
+        revokedAtMs: undefined,
+        lastUsedAtMs: params.existing?.lastUsedAtMs,
+    };
 }
 export async function listDevicePairing(baseDir) {
     const state = await loadState(baseDir);
-    const pending = Object.values(state.pendingById).sort((a, b) => b.ts - a.ts);
-    const paired = Object.values(state.pairedByDeviceId).sort((a, b) => b.approvedAtMs - a.approvedAtMs);
+    const pending = Object.values(state.pendingById).toSorted((a, b) => b.ts - a.ts);
+    const paired = Object.values(state.pairedByDeviceId).toSorted((a, b) => b.approvedAtMs - a.approvedAtMs);
     return { pending, paired };
 }
 export async function getPairedDevice(deviceId, baseDir) {
@@ -165,11 +166,14 @@ export async function requestDevicePairing(req, baseDir) {
         if (!deviceId) {
             throw new Error("deviceId required");
         }
-        const existing = Object.values(state.pendingById).find((p) => p.deviceId === deviceId);
+        const isRepair = Boolean(state.pairedByDeviceId[deviceId]);
+        const existing = Object.values(state.pendingById).find((pending) => pending.deviceId === deviceId);
         if (existing) {
-            return { status: "pending", request: existing, created: false };
+            const merged = mergePendingDevicePairingRequest(existing, req, isRepair);
+            state.pendingById[existing.requestId] = merged;
+            await persistState(state, baseDir);
+            return { status: "pending", request: merged, created: false };
         }
-        const isRepair = Boolean(state.pairedByDeviceId[deviceId]);
         const request = {
             requestId: randomUUID(),
             deviceId,
@@ -195,17 +199,24 @@ export async function approveDevicePairing(requestId, baseDir) {
     return await withLock(async () => {
         const state = await loadState(baseDir);
         const pending = state.pendingById[requestId];
-        if (!pending)
+        if (!pending) {
             return null;
+        }
         const now = Date.now();
         const existing = state.pairedByDeviceId[pending.deviceId];
         const roles = mergeRoles(existing?.roles, existing?.role, pending.roles, pending.role);
-        const scopes = mergeScopes(existing?.scopes, pending.scopes);
+        const approvedScopes = mergeScopes(existing?.approvedScopes ?? existing?.scopes, pending.scopes);
         const tokens = existing?.tokens ? { ...existing.tokens } : {};
         const roleForToken = normalizeRole(pending.role);
         if (roleForToken) {
-            const nextScopes = normalizeScopes(pending.scopes);
             const existingToken = tokens[roleForToken];
+            const requestedScopes = normalizeDeviceAuthScopes(pending.scopes);
+            const nextScopes = requestedScopes.length > 0
+                ? requestedScopes
+                : normalizeDeviceAuthScopes(existingToken?.scopes ??
+                    approvedScopes ??
+                    existing?.approvedScopes ??
+                    existing?.scopes);
             const now = Date.now();
             tokens[roleForToken] = {
                 token: newToken(),
@@ -226,7 +237,8 @@ export async function approveDevicePairing(requestId, baseDir) {
             clientMode: pending.clientMode,
             role: pending.role,
             roles,
-            scopes,
+            scopes: approvedScopes,
+            approvedScopes,
             remoteIp: pending.remoteIp,
             tokens,
             createdAtMs: existing?.createdAtMs ?? now,
@@ -242,19 +254,33 @@ export async function rejectDevicePairing(requestId, baseDir) {
     return await withLock(async () => {
         const state = await loadState(baseDir);
         const pending = state.pendingById[requestId];
-        if (!pending)
+        if (!pending) {
             return null;
+        }
         delete state.pendingById[requestId];
         await persistState(state, baseDir);
         return { requestId, deviceId: pending.deviceId };
     });
 }
+export async function removePairedDevice(deviceId, baseDir) {
+    return await withLock(async () => {
+        const state = await loadState(baseDir);
+        const normalized = normalizeDeviceId(deviceId);
+        if (!normalized || !state.pairedByDeviceId[normalized]) {
+            return null;
+        }
+        delete state.pairedByDeviceId[normalized];
+        await persistState(state, baseDir);
+        return { deviceId: normalized };
+    });
+}
 export async function updatePairedDeviceMetadata(deviceId, patch, baseDir) {
     return await withLock(async () => {
         const state = await loadState(baseDir);
         const existing = state.pairedByDeviceId[normalizeDeviceId(deviceId)];
-        if (!existing)
+        if (!existing) {
             return;
+        }
         const roles = mergeRoles(existing.roles, existing.role, patch.role);
         const scopes = mergeScopes(existing.scopes, patch.scopes);
         state.pairedByDeviceId[deviceId] = {
@@ -263,6 +289,7 @@ export async function updatePairedDeviceMetadata(deviceId, patch, baseDir) {
             deviceId: existing.deviceId,
             createdAtMs: existing.createdAtMs,
             approvedAtMs: existing.approvedAtMs,
+            approvedScopes: existing.approvedScopes,
             role: patch.role ?? existing.role,
             roles,
             scopes,
@@ -271,8 +298,9 @@ export async function updatePairedDeviceMetadata(deviceId, patch, baseDir) {
     });
 }
 export function summarizeDeviceTokens(tokens) {
-    if (!tokens)
+    if (!tokens) {
         return undefined;
+    }
     const summaries = Object.values(tokens)
         .map((token) => ({
         role: token.role,
@@ -282,27 +310,32 @@ export function summarizeDeviceTokens(tokens) {
         revokedAtMs: token.revokedAtMs,
         lastUsedAtMs: token.lastUsedAtMs,
     }))
-        .sort((a, b) => a.role.localeCompare(b.role));
+        .toSorted((a, b) => a.role.localeCompare(b.role));
     return summaries.length > 0 ? summaries : undefined;
 }
 export async function verifyDeviceToken(params) {
     return await withLock(async () => {
         const state = await loadState(params.baseDir);
-        const device = state.pairedByDeviceId[normalizeDeviceId(params.deviceId)];
-        if (!device)
+        const device = getPairedDeviceFromState(state, params.deviceId);
+        if (!device) {
             return { ok: false, reason: "device-not-paired" };
+        }
         const role = normalizeRole(params.role);
-        if (!role)
+        if (!role) {
             return { ok: false, reason: "role-missing" };
+        }
         const entry = device.tokens?.[role];
-        if (!entry)
+        if (!entry) {
             return { ok: false, reason: "token-missing" };
-        if (entry.revokedAtMs)
+        }
+        if (entry.revokedAtMs) {
             return { ok: false, reason: "token-revoked" };
-        if (entry.token !== params.token)
+        }
+        if (!verifyPairingToken(params.token, entry.token)) {
             return { ok: false, reason: "token-mismatch" };
-        const requestedScopes = normalizeScopes(params.scopes);
-        if (!scopesAllow(requestedScopes, entry.scopes)) {
+        }
+        const requestedScopes = normalizeDeviceAuthScopes(params.scopes);
+        if (!roleScopesAllow({ role, requestedScopes, allowedScopes: entry.scopes })) {
             return { ok: false, reason: "scope-mismatch" };
         }
         entry.lastUsedAtMs = Date.now();
@@ -316,30 +349,29 @@ export async function verifyDeviceToken(params) {
 export async function ensureDeviceToken(params) {
     return await withLock(async () => {
         const state = await loadState(params.baseDir);
-        const device = state.pairedByDeviceId[normalizeDeviceId(params.deviceId)];
-        if (!device)
+        const requestedScopes = normalizeDeviceAuthScopes(params.scopes);
+        const context = resolveDeviceTokenUpdateContext({
+            state,
+            deviceId: params.deviceId,
+            role: params.role,
+        });
+        if (!context) {
             return null;
-        const role = normalizeRole(params.role);
-        if (!role)
-            return null;
-        const requestedScopes = normalizeScopes(params.scopes);
-        const tokens = device.tokens ? { ...device.tokens } : {};
-        const existing = tokens[role];
+        }
+        const { device, role, tokens, existing } = context;
         if (existing && !existing.revokedAtMs) {
-            if (scopesAllow(requestedScopes, existing.scopes)) {
+            if (roleScopesAllow({ role, requestedScopes, allowedScopes: existing.scopes })) {
                 return existing;
             }
         }
         const now = Date.now();
-        const next = {
-            token: newToken(),
+        const next = buildDeviceAuthToken({
             role,
             scopes: requestedScopes,
-            createdAtMs: existing?.createdAtMs ?? now,
+            existing,
+            now,
             rotatedAtMs: existing ? now : undefined,
-            revokedAtMs: undefined,
-            lastUsedAtMs: existing?.lastUsedAtMs,
-        };
+        });
         tokens[role] = next;
         device.tokens = tokens;
         state.pairedByDeviceId[device.deviceId] = device;
@@ -347,33 +379,46 @@ export async function ensureDeviceToken(params) {
         return next;
     });
 }
+function resolveDeviceTokenUpdateContext(params) {
+    const device = getPairedDeviceFromState(params.state, params.deviceId);
+    if (!device) {
+        return null;
+    }
+    const role = normalizeRole(params.role);
+    if (!role) {
+        return null;
+    }
+    const tokens = cloneDeviceTokens(device);
+    const existing = tokens[role];
+    return { device, role, tokens, existing };
+}
 export async function rotateDeviceToken(params) {
     return await withLock(async () => {
         const state = await loadState(params.baseDir);
-        const device = state.pairedByDeviceId[normalizeDeviceId(params.deviceId)];
-        if (!device)
+        const context = resolveDeviceTokenUpdateContext({
+            state,
+            deviceId: params.deviceId,
+            role: params.role,
+        });
+        if (!context) {
             return null;
-        const role = normalizeRole(params.role);
-        if (!role)
+        }
+        const { device, role, tokens, existing } = context;
+        const requestedScopes = normalizeDeviceAuthScopes(params.scopes ?? existing?.scopes ?? device.scopes);
+        const approvedScopes = normalizeDeviceAuthScopes(device.approvedScopes ?? device.scopes ?? existing?.scopes);
+        if (!scopesAllowWithImplications(requestedScopes, approvedScopes)) {
             return null;
-        const tokens = device.tokens ? { ...device.tokens } : {};
-        const existing = tokens[role];
-        const requestedScopes = normalizeScopes(params.scopes ?? existing?.scopes ?? device.scopes);
+        }
         const now = Date.now();
-        const next = {
-            token: newToken(),
+        const next = buildDeviceAuthToken({
             role,
             scopes: requestedScopes,
-            createdAtMs: existing?.createdAtMs ?? now,
+            existing,
+            now,
             rotatedAtMs: now,
-            revokedAtMs: undefined,
-            lastUsedAtMs: existing?.lastUsedAtMs,
-        };
+        });
         tokens[role] = next;
         device.tokens = tokens;
-        if (params.scopes !== undefined) {
-            device.scopes = requestedScopes;
-        }
         state.pairedByDeviceId[device.deviceId] = device;
         await persistState(state, params.baseDir);
         return next;
@@ -383,13 +428,16 @@ export async function revokeDeviceToken(params) {
     return await withLock(async () => {
         const state = await loadState(params.baseDir);
         const device = state.pairedByDeviceId[normalizeDeviceId(params.deviceId)];
-        if (!device)
+        if (!device) {
             return null;
+        }
         const role = normalizeRole(params.role);
-        if (!role)
+        if (!role) {
             return null;
-        if (!device.tokens?.[role])
+        }
+        if (!device.tokens?.[role]) {
             return null;
+        }
         const tokens = { ...device.tokens };
         const entry = { ...tokens[role], revokedAtMs: Date.now() };
         tokens[role] = entry;
@@ -399,3 +447,15 @@ export async function revokeDeviceToken(params) {
         return entry;
     });
 }
+export async function clearDevicePairing(deviceId, baseDir) {
+    return await withLock(async () => {
+        const state = await loadState(baseDir);
+        const normalizedId = normalizeDeviceId(deviceId);
+        if (!state.pairedByDeviceId[normalizedId]) {
+            return false;
+        }
+        delete state.pairedByDeviceId[normalizedId];
+        await persistState(state, baseDir);
+        return true;
+    });
+}

package/dist/infra/env.js

@@ -3,21 +3,26 @@ import { parseBooleanValue } from "../utils/boolean.js";
 const log = createSubsystemLogger("env");
 const loggedEnv = new Set();
 function formatEnvValue(value, redact) {
-    if (redact)
+    if (redact) {
         return "<redacted>";
+    }
     const singleLine = value.replace(/\s+/g, " ").trim();
-    if (singleLine.length <= 160)
+    if (singleLine.length <= 160) {
         return singleLine;
+    }
     return `${singleLine.slice(0, 160)}…`;
 }
 export function logAcceptedEnvOption(option) {
-    if (process.env.VITEST || process.env.NODE_ENV === "test")
+    if (process.env.VITEST || process.env.NODE_ENV === "test") {
         return;
-    if (loggedEnv.has(option.key))
+    }
+    if (loggedEnv.has(option.key)) {
         return;
+    }
     const rawValue = option.value ?? process.env[option.key];
-    if (!rawValue || !rawValue.trim())
+    if (!rawValue || !rawValue.trim()) {
         return;
+    }
     loggedEnv.add(option.key);
     log.info(`env: ${option.key}=${formatEnvValue(rawValue, option.redact)} (${option.description})`);
 }