@sickr/replay 0.6.0 → 0.7.0

package/dist/agentAuth.js

@@ -0,0 +1,76 @@
+import { readFileSync, writeFileSync, mkdirSync, chmodSync, unlinkSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+export const AGENT_API_URL = (process.env.SICKR_API_URL ?? 'https://support-backend.sickr.ai').replace(/\/+$/, '');
+function agentCredsPath() {
+    return join(homedir(), '.sickr', 'agent.json');
+}
+export function readAgentCredentials() {
+    try {
+        return JSON.parse(readFileSync(agentCredsPath(), 'utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+export function writeAgentCredentials(c) {
+    const dir = join(homedir(), '.sickr');
+    mkdirSync(dir, { recursive: true });
+    const p = agentCredsPath();
+    writeFileSync(p, JSON.stringify(c, null, 2) + '\n');
+    try {
+        chmodSync(p, 0o600);
+    }
+    catch { /* Windows: skip */ }
+}
+export function clearAgentCredentials() {
+    try {
+        unlinkSync(agentCredsPath());
+    }
+    catch { /* none */ }
+}
+export async function startAgentConnect(apiUrl, agentId) {
+    const r = await fetch(`${apiUrl.replace(/\/+$/, '')}/agent-connect/start`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ agent_id: agentId }),
+    });
+    if (!r.ok)
+        throw new Error(`agent-connect/start failed: ${r.status}`);
+    return await r.json();
+}
+export async function pollAgentConnect(apiUrl, deviceCode) {
+    const r = await fetch(`${apiUrl.replace(/\/+$/, '')}/agent-connect/poll`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ device_code: deviceCode }),
+    });
+    if (!r.ok)
+        throw new Error(`agent-connect/poll failed: ${r.status}`);
+    return await r.json();
+}
+export async function fetchAgentStatus(c) {
+    const r = await fetch(`${c.api_url.replace(/\/+$/, '')}/agent/self/status`, {
+        headers: { Authorization: `Bearer ${c.api_key}` },
+    });
+    if (!r.ok)
+        throw new Error(`agent/self/status failed: ${r.status}`);
+    return await r.json();
+}
+export async function rotateAgentKey(c) {
+    const r = await fetch(`${c.api_url.replace(/\/+$/, '')}/agent/self/rotate`, {
+        method: 'POST',
+        headers: { Authorization: `Bearer ${c.api_key}` },
+    });
+    if (!r.ok)
+        throw new Error(`agent/self/rotate failed: ${r.status}`);
+    return await r.json();
+}
+export async function disconnectAgent(c) {
+    const r = await fetch(`${c.api_url.replace(/\/+$/, '')}/agent/self/disconnect`, {
+        method: 'POST',
+        headers: { Authorization: `Bearer ${c.api_key}` },
+    });
+    if (!r.ok)
+        throw new Error(`agent/self/disconnect failed: ${r.status}`);
+}

package/dist/cli.js

@@ -9,69 +9,77 @@ import { mergeHooks, removeHooks } from './hookConfig.js';
 import { renderRunHtml, renderCombinedHtml } from './render.js';
 import { buildSharePayload, buildCombinedPayload, publish, PublishError } from './share.js';
 import { readCredentials, writeCredentials, clearCredentials, startDevice, pollDevice, sleep } from './auth.js';
+import { AGENT_API_URL, clearAgentCredentials, disconnectAgent, fetchAgentStatus, pollAgentConnect, readAgentCredentials, rotateAgentKey, startAgentConnect, writeAgentCredentials, } from './agentAuth.js';
 const REPLAY_ENDPOINT = process.env.SICKR_REPLAY_ENDPOINT ?? 'https://sickr.ai/api/replay';
-const COMMANDS = ['init', 'record', 'open', 'list', 'share', 'stop', 'clear', 'login', 'logout', 'whoami', 'help'];
+const COMMANDS = ['init', 'record', 'open', 'list', 'share', 'stop', 'clear', 'login', 'logout', 'whoami', 'agent', 'help'];
 export function parseCommand(argv) {
     const c = argv[0];
     return c && COMMANDS.includes(c) ? c : null;
 }
-export const HELP = `SICKR Replay — audit & replay what your AI coding agent did.
-
-Records your Claude Code or Codex session (prompts, edits, commands) to a local,
-redacted timeline you can replay — and optionally share as a public link.
-
-Why: a durable record of every agent action — a dashcam for your coding agent.
-If your agent (Claude or Codex) loses context or can't reload a past chat, the
-replay log helps you — and it — recall exactly what was just done.
-
-Usage: npx @sickr/replay <command> [options]
-
-Commands:
-  init <agent>   Install recording hooks for an agent (REQUIRED — no default)
-                 and start capturing to ~/.sickr/runs (secrets redacted):
-                   claude    Claude Code  (.claude/settings.json)
-                   codex     Codex        (.codex/hooks.json — needs Codex 0.133+)
-                   all       both of the above (feeds the combined view)
-                 Flag: --no-name  (label prompts "Human", not your login name)
-  open [run]     Render a run to a local HTML timeline and open it. 100% local.
-                 Defaults to the newest run; pass a run id, or --codex/--claude
-                 for the newest run of that agent. Combine across agents with a
-                 window: --today, --since <2h|30m|1d>, or --all (interleaved,
-                 filterable by agent, sortable by prompt/response time).
-  share [run]    Redact and publish ONE run to a public sickr.ai/r/<id> link
-                 (shows a preview and asks first). Links expire after 24h.
-                   --open    also open the published link in your browser
-                   --yes     skip the confirmation prompt
-                 Or publish a COMBINED multi-agent view with a window:
-                 --today / --since <2h|30m|1d> / --all (+ --claude/--codex).
-  list           List recorded runs, newest first.
-  stop           Stop recording — removes SICKR's hooks from this project.
-                 Your recorded runs are kept; run \`init\` to start again.
-  clear          Delete all local runs in ~/.sickr/runs (asks first).
-  login          Sign in with GitHub (optional — unlocks persistent shares and
-                 Replay Pro cohort eligibility). Zero-account use still works.
-  logout         Forget the local login. Server-side session stays valid until
-                 it expires; revoke from your account page if needed.
-  whoami         Show who you're logged in as.
-  help           Show this help.
-
-Requires Node 18+. Codex capture needs Codex CLI 0.133+ (run /hooks to trust);
-Claude Code: any hooks-capable build.
-
-────────────────────────────────────────────────────────────────────
-This replays your AI coding agents on ONE machine. SICKR governs your whole team.
-Issue tracking + your team + automation + agents — one governed workflow for
-audit, accountability, productivity and confidence.
-
-  · Gates & approvals — work holds at plan sign-off, review, merge and
-    validation checks until each one passes.
-  · Humans + agents on one board — agents are first-class teammates with
-    roles, capacity and accountability, not a side channel.
-  · A full, signed-off audit trail across every actor and every change.
-  · Runs 24/7 — produce as much work as you like; the team handles it.
-
-  Free tier available · bring your own Claude or Codex subscription.
-  → https://sickr.ai
+export const HELP = `SICKR Replay — audit & replay what your AI coding agent did.
+
+Records your Claude Code or Codex session (prompts, edits, commands) to a local,
+redacted timeline you can replay — and optionally share as a public link.
+
+Why: a durable record of every agent action — a dashcam for your coding agent.
+If your agent (Claude or Codex) loses context or can't reload a past chat, the
+replay log helps you — and it — recall exactly what was just done.
+
+Usage: npx @sickr/replay <command> [options]
+
+Commands:
+  init <agent>   Install recording hooks for an agent (REQUIRED — no default)
+                 and start capturing to ~/.sickr/runs (secrets redacted):
+                   claude    Claude Code  (.claude/settings.json)
+                   codex     Codex        (.codex/hooks.json — needs Codex 0.133+)
+                   all       both of the above (feeds the combined view)
+                 Flag: --no-name  (label prompts "Human", not your login name)
+  open [run]     Render a run to a local HTML timeline and open it. 100% local.
+                 Defaults to the newest run; pass a run id, or --codex/--claude
+                 for the newest run of that agent. Combine across agents with a
+                 window: --today, --since <2h|30m|1d>, or --all (interleaved,
+                 filterable by agent, sortable by prompt/response time).
+  share [run]    Redact and publish ONE run to a public sickr.ai/r/<id> link
+                 (shows a preview and asks first). Links expire after 24h.
+                   --open    also open the published link in your browser
+                   --yes     skip the confirmation prompt
+                 Or publish a COMBINED multi-agent view with a window:
+                 --today / --since <2h|30m|1d> / --all (+ --claude/--codex).
+  list           List recorded runs, newest first.
+  stop           Stop recording — removes SICKR's hooks from this project.
+                 Your recorded runs are kept; run \`init\` to start again.
+  clear          Delete all local runs in ~/.sickr/runs (asks first).
+  login          Sign in with GitHub (optional — unlocks persistent shares and
+                 Replay Pro cohort eligibility). Zero-account use still works.
+  logout         Forget the local login. Server-side session stays valid until
+                 it expires; revoke from your account page if needed.
+  whoami         Show who you're logged in as.
+  agent connect --agent-id <id>
+                 Connect this machine to a configured SICKR agent using GitHub
+                 browser approval. Stores the agent key in ~/.sickr/agent.json.
+  agent status  Show the connected agent, org and team.
+  agent rotate  Rotate this machine's agent key.
+  agent disconnect
+                 Revoke this machine's agent key and remove it locally.
+  help           Show this help.
+
+Requires Node 18+. Codex capture needs Codex CLI 0.133+ (run /hooks to trust);
+Claude Code: any hooks-capable build.
+
+────────────────────────────────────────────────────────────────────
+This replays your AI coding agents on ONE machine. SICKR governs your whole team.
+Issue tracking + your team + automation + agents — one governed workflow for
+audit, accountability, productivity and confidence.
+
+  · Gates & approvals — work holds at plan sign-off, review, merge and
+    validation checks until each one passes.
+  · Humans + agents on one board — agents are first-class teammates with
+    roles, capacity and accountability, not a side channel.
+  · A full, signed-off audit trail across every actor and every change.
+  · Runs 24/7 — produce as much work as you like; the team handles it.
+
+  Free tier available · bring your own Claude or Codex subscription.
+  → https://sickr.ai
 `;
 export function currentRunId(cc) {
     return String(cc.session_id ?? 'session');
@@ -350,17 +358,24 @@ async function confirmPublish(yes, what) {
     }
     return true;
 }
-/** Publish with a single friendly retry on 429 (the WAF allows ~1/10s). Returns the URL. */
+/** Publish with a single friendly retry on 429 (the WAF allows ~1/10s).
+ *  If the user is logged in, attach their token so the share lands in the
+ *  7-day daily slot (free_authed) instead of the 24h anon dedup pool. */
 async function publishWithRetry(payload) {
+    const token = readCredentials()?.token ?? null;
+    const post = async () => {
+        const r = await publish(payload, REPLAY_ENDPOINT, { token });
+        return { url: r.url, ttl_days: r.ttl_days ?? 1 };
+    };
     try {
-        return (await publish(payload, REPLAY_ENDPOINT)).url;
+        return await post();
     }
     catch (err) {
         if (err instanceof PublishError && err.status === 429) {
             process.stdout.write('sickr: rate-limited — you can publish about once every 10s. Waiting to retry once...\n');
             await new Promise((r) => setTimeout(r, 11_000));
             try {
-                return (await publish(payload, REPLAY_ENDPOINT)).url;
+                return await post();
             }
             catch (retryErr) {
                 if (retryErr instanceof PublishError && retryErr.status === 429) {
@@ -373,6 +388,13 @@ async function publishWithRetry(payload) {
         throw err;
     }
 }
+function expiryLine(ttl_days) {
+    if (ttl_days >= 30)
+        return `sickr: this link is live for ${ttl_days} days (Replay Pro retention).\n`;
+    if (ttl_days >= 2)
+        return `sickr: this link is live for ${ttl_days} days — re-share before it expires to extend.\n`;
+    return `sickr: this link expires in 24h. Run \`replay login\` to extend to 7 days.\n`;
+}
 async function handleShare(runId, yes, open) {
     const id = runId ?? latestRunId();
     if (!id) {
@@ -385,8 +407,8 @@ async function handleShare(runId, yes, open) {
         `sickr: tip — run \`npx @sickr/replay open ${id}\` to review the full timeline locally before sharing.\n`);
     if (!(await confirmPublish(yes, 'this run')))
         return;
-    const url = await publishWithRetry(payload);
-    process.stdout.write(`sickr: published → ${url}\nsickr: this link expires in 24h.\nsickr: Replay Pro (live + remote) — early access, rolling out in cohorts → https://sickr.ai/#waitlist\n`);
+    const { url, ttl_days } = await publishWithRetry(payload);
+    process.stdout.write(`sickr: published → ${url}\n${expiryLine(ttl_days)}sickr: Replay Pro (live + remote) — early access, rolling out in cohorts → https://sickr.ai/#waitlist\n`);
     if (open)
         openInBrowser(url);
 }
@@ -406,8 +428,8 @@ async function handleShareCombined(sel, yes, open) {
         `sickr: tip — run the matching \`open\` window to review locally before sharing.\n`);
     if (!(await confirmPublish(yes, 'this combined replay')))
         return;
-    const url = await publishWithRetry(payload);
-    process.stdout.write(`sickr: published → ${url}\nsickr: this link expires in 24h.\nsickr: Replay Pro (live + remote) — early access, rolling out in cohorts → https://sickr.ai/#waitlist\n`);
+    const { url, ttl_days } = await publishWithRetry(payload);
+    process.stdout.write(`sickr: published → ${url}\n${expiryLine(ttl_days)}sickr: Replay Pro (live + remote) — early access, rolling out in cohorts → https://sickr.ai/#waitlist\n`);
     if (open)
         openInBrowser(url);
 }
@@ -498,6 +520,152 @@ export function handleWhoami() {
     }
     process.stdout.write(`sickr: ${c.login}${c.name ? ` (${c.name})` : ''} · since ${c.login_at}\n`);
 }
+function valueAt(rest, flag) {
+    const i = rest.indexOf(flag);
+    return i >= 0 && rest[i + 1] && !rest[i + 1].startsWith('-') ? rest[i + 1] : null;
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function agentContextLabel(context) {
+    const root = isRecord(context) ? context : {};
+    const agent = isRecord(root.agent) ? root.agent : {};
+    const org = isRecord(root.org) ? root.org : {};
+    const team = isRecord(root.team) ? root.team : {};
+    return {
+        agentId: typeof agent.agent_id === 'string' ? agent.agent_id : 'unknown',
+        provider: typeof agent.provider === 'string' ? agent.provider : 'unknown',
+        status: typeof agent.status === 'string' ? agent.status : 'unknown',
+        org: typeof org.name === 'string' ? org.name : 'unknown org',
+        team: typeof team.name === 'string' ? team.name : 'unknown team',
+    };
+}
+export async function handleAgentStatus() {
+    const c = readAgentCredentials();
+    if (!c) {
+        process.stdout.write('sickr: agent is not connected. Run `sickr agent connect --agent-id <id>`.\n');
+        return;
+    }
+    try {
+        const label = agentContextLabel(await fetchAgentStatus(c));
+        process.stdout.write(`sickr: connected as ${label.agentId} (${label.provider}, ${label.status})\n` +
+            `org: ${label.org}  team: ${label.team}\n` +
+            `api: ${c.api_url}\n`);
+    }
+    catch (e) {
+        process.stderr.write(`sickr: agent status failed (${e.message}).\n`);
+        process.exit(1);
+    }
+}
+export async function handleAgentRotate() {
+    const c = readAgentCredentials();
+    if (!c) {
+        process.stderr.write('sickr: agent is not connected. Run `sickr agent connect --agent-id <id>`.\n');
+        process.exit(1);
+        return;
+    }
+    try {
+        const rotated = await rotateAgentKey(c);
+        writeAgentCredentials({ ...c, api_key: rotated.api_key, key_id: rotated.key?.id ?? c.key_id });
+        process.stdout.write(`sickr: rotated key for ${c.agent_id}.\n`);
+    }
+    catch (e) {
+        process.stderr.write(`sickr: agent rotate failed (${e.message}).\n`);
+        process.exit(1);
+    }
+}
+export async function handleAgentDisconnect() {
+    const c = readAgentCredentials();
+    if (!c) {
+        process.stdout.write('sickr: agent is not connected.\n');
+        return;
+    }
+    try {
+        await disconnectAgent(c);
+        clearAgentCredentials();
+        process.stdout.write(`sickr: disconnected ${c.agent_id} and removed the local key.\n`);
+    }
+    catch (e) {
+        process.stderr.write(`sickr: agent disconnect failed (${e.message}).\n`);
+        process.exit(1);
+    }
+}
+function storeApprovedAgent(apiUrl, result) {
+    writeAgentCredentials({
+        api_url: apiUrl,
+        agent_id: result.agent_id,
+        api_key: result.api_key,
+        key_id: result.key_id ?? null,
+        org_id: result.org_id,
+        team_id: result.team_id,
+        connected_at: new Date().toISOString(),
+    });
+}
+export async function handleAgentConnect(rest) {
+    const agentId = valueAt(rest, '--agent-id') ?? rest.find((a) => !a.startsWith('-')) ?? null;
+    if (!agentId) {
+        process.stderr.write('sickr: `agent connect` requires --agent-id <id>.\n');
+        process.exit(1);
+        return;
+    }
+    const apiUrl = (valueAt(rest, '--api-url') ?? AGENT_API_URL).replace(/\/+$/, '');
+    let started;
+    try {
+        started = await startAgentConnect(apiUrl, agentId);
+    }
+    catch (e) {
+        process.stderr.write(`sickr: could not start agent connect (${e.message}).\n`);
+        process.exit(1);
+        return;
+    }
+    const verifyUrl = started.verification_uri_complete ?? started.verification_uri;
+    process.stdout.write(`\nsickr: approve agent ${agentId} in your browser:\n\n` +
+        `    ${verifyUrl}\n\n` +
+        `code: ${started.user_code}\n` +
+        `(opening browser...)\n`);
+    openInBrowser(verifyUrl);
+    const deadline = Date.now() + started.expires_in * 1000;
+    const intervalMs = Math.max(1, started.interval) * 1000;
+    while (Date.now() < deadline) {
+        await sleep(intervalMs);
+        let polled;
+        try {
+            polled = await pollAgentConnect(apiUrl, started.device_code);
+        }
+        catch (e) {
+            process.stderr.write(`sickr: agent connect poll failed (${e.message}).\n`);
+            process.exit(1);
+            return;
+        }
+        if (polled.status === 'pending')
+            continue;
+        if (polled.status === 'approved') {
+            storeApprovedAgent(apiUrl, polled);
+            process.stdout.write(`\nsickr: connected ${polled.agent_id}. Run \`sickr agent status\` to verify.\n`);
+            return;
+        }
+        if (polled.status === 'expired') {
+            process.stderr.write('sickr: agent connect code expired. Run `sickr agent connect` again.\n');
+            process.exit(1);
+            return;
+        }
+        if (polled.status === 'denied') {
+            process.stderr.write('sickr: agent connect was denied.\n');
+            process.exit(1);
+            return;
+        }
+        if (polled.status === 'consumed') {
+            process.stderr.write('sickr: agent connect code was already used. Run `sickr agent connect` again.\n');
+            process.exit(1);
+            return;
+        }
+        process.stderr.write(`sickr: agent connect error: ${polled.error ?? 'unknown'}.\n`);
+        process.exit(1);
+        return;
+    }
+    process.stderr.write('sickr: agent connect timed out. Run `sickr agent connect` again.\n');
+    process.exit(1);
+}
 async function readStdin() {
     const chunks = [];
     for await (const chunk of process.stdin)
@@ -563,6 +731,29 @@ async function main() {
         case 'whoami':
             handleWhoami();
             return;
+        case 'agent': {
+            const sub = rest[0];
+            const agentRest = rest.slice(1);
+            if (sub === 'connect') {
+                await handleAgentConnect(agentRest);
+                return;
+            }
+            if (sub === 'status') {
+                await handleAgentStatus();
+                return;
+            }
+            if (sub === 'disconnect') {
+                await handleAgentDisconnect();
+                return;
+            }
+            if (sub === 'rotate') {
+                await handleAgentRotate();
+                return;
+            }
+            process.stderr.write('sickr: unknown agent command. Use `sickr agent connect|status|disconnect|rotate`.\n');
+            process.exit(1);
+            return;
+        }
         case 'share': {
             const yes = rest.includes('--yes') || rest.includes('-y');
             const openAfter = rest.includes('--open');

package/dist/share.js

@@ -1,3 +1,4 @@
+import { gzipSync } from 'node:zlib';
 /** Strip the local id; events are already redacted at capture time. */
 export function buildSharePayload(run) {
     return { run: { cwd: run.cwd, startedAt: run.startedAt, events: run.events } };
@@ -14,12 +15,15 @@ export class PublishError extends Error {
         this.name = 'PublishError';
     }
 }
-export async function publish(payload, endpoint) {
-    const res = await fetch(endpoint, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify(payload),
-    });
+export async function publish(payload, endpoint, opts = {}) {
+    // Gzip the JSON body: ~5-10x smaller for typical sessions, comfortably fits
+    // the worker's 4 MB cap even for combined multi-day windows.
+    const raw = JSON.stringify(payload);
+    const gz = gzipSync(raw);
+    const headers = { 'Content-Type': 'application/json', 'Content-Encoding': 'gzip' };
+    if (opts.token)
+        headers.Authorization = `Bearer ${opts.token}`;
+    const res = await fetch(endpoint, { method: 'POST', headers, body: gz });
     if (!res.ok)
         throw new PublishError(res.status);
     return (await res.json());

package/package.json

@@ -1,21 +1,21 @@
-{
-  "name": "@sickr/replay",
-  "version": "0.6.0",
-  "type": "module",
-  "description": "npx @sickr/replay — local Claude Code audit + one-click share. The free wedge into SICKR.",
-  "bin": { "replay": "dist/cli.js" },
-  "files": ["dist"],
-  "publishConfig": { "access": "public" },
-  "scripts": {
-    "build": "tsc",
-    "test": "vitest run",
-    "dev": "tsc -w"
-  },
-  "engines": { "node": ">=20" },
-  "license": "UNLICENSED",
-  "devDependencies": {
-    "@types/node": "^20.14.0",
-    "typescript": "^5.6.2",
-    "vitest": "^2.1.1"
-  }
-}
+{
+  "name": "@sickr/replay",
+  "version": "0.7.0",
+  "type": "module",
+  "description": "npx @sickr/replay — local Claude Code audit + one-click share. The free wedge into SICKR.",
+  "bin": { "replay": "dist/cli.js", "sickr": "dist/cli.js" },
+  "files": ["dist"],
+  "publishConfig": { "access": "public" },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "dev": "tsc -w"
+  },
+  "engines": { "node": ">=20" },
+  "license": "UNLICENSED",
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "typescript": "^5.6.2",
+    "vitest": "^2.1.1"
+  }
+}