@simonfestl/husky-cli 1.19.1 → 1.19.2

package/dist/commands/auth.js

@@ -318,6 +318,8 @@ authCommand
             role: session.role,
             agent: session.agent.id,
         });
+        // Clear permissions cache so next check uses the new session role
+        clearPermissionsCache();
         // Fetch and cache permissions for the new session role
         await fetchAndCacheRole();
         if (options.json) {
@@ -360,6 +362,7 @@ authCommand
         return;
     }
     clearSessionConfig();
+    clearPermissionsCache();
     if (options.json) {
         console.log(JSON.stringify({ success: true, agent: session.agent }));
         return;
@@ -452,7 +455,8 @@ authCommand
             role: session.role,
             agent: session.agent.id,
         });
-        // Refresh permissions for the session role
+        // Clear permissions cache and refresh for the session role
+        clearPermissionsCache();
         await fetchAndCacheRole();
         if (options.json) {
             console.log(JSON.stringify({

package/dist/lib/permissions-cache.js

@@ -1,4 +1,4 @@
-import { getConfig } from "../commands/config.js";
+import { getConfig, isSessionActive } from "../commands/config.js";
 const CACHE_TTL_MS = 5 * 60 * 1000;
 let cache = null;
 let fetchPromise = null;
@@ -7,7 +7,16 @@ async function fetchPermissions() {
     if (!config.apiUrl || !config.apiKey) {
         throw new Error("API not configured");
     }
+    // If there's an active session, use the session's role
+    // This ensures permissions match the logged-in agent, not the API key
+    const roleToFetch = isSessionActive() && config.sessionRole
+        ? config.sessionRole
+        : undefined;
+    // Build URL - if we have a session role, request permissions for that specific role
     const url = new URL("/api/auth/whoami", config.apiUrl);
+    if (roleToFetch) {
+        url.searchParams.set("role", roleToFetch);
+    }
     const res = await fetch(url.toString(), {
         method: "GET",
         headers: {
@@ -20,16 +29,39 @@ async function fetchPermissions() {
         throw new Error(error.message || error.error || `HTTP ${res.status}`);
     }
     const data = await res.json();
-    const kbPermissions = data.permissions
+    // If we have a session role, override the returned role with the session role
+    // and fetch permissions for that role
+    const effectiveRole = roleToFetch || data.role;
+    const effectivePermissions = roleToFetch
+        ? await fetchPermissionsForRole(config.apiUrl, config.apiKey, roleToFetch)
+        : data.permissions;
+    const kbPermissions = effectivePermissions
         .filter((p) => p.startsWith("kb:"))
         .map((p) => p.replace("kb:", ""));
     return {
-        role: data.role,
-        permissions: data.permissions,
+        role: effectiveRole,
+        permissions: effectivePermissions,
         knowledgeBases: kbPermissions,
         fetchedAt: Date.now(),
     };
 }
+async function fetchPermissionsForRole(apiUrl, apiKey, role) {
+    // Use the /permissions/:role endpoint to get permissions for a specific role
+    const url = new URL(`/api/auth/permissions/${encodeURIComponent(role)}`, apiUrl);
+    const res = await fetch(url.toString(), {
+        method: "GET",
+        headers: {
+            "x-api-key": apiKey,
+            "Content-Type": "application/json",
+        },
+    });
+    if (!res.ok) {
+        // Fall back to empty permissions if fetch fails
+        return [];
+    }
+    const data = await res.json();
+    return data.permissions || [];
+}
 export async function getPermissions() {
     const now = Date.now();
     if (cache && now - cache.fetchedAt < CACHE_TTL_MS) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@simonfestl/husky-cli",
-  "version": "1.19.1",
+  "version": "1.19.2",
   "description": "CLI for Huskyv0 Task Orchestration with Claude Agent SDK",
   "type": "module",
   "bin": {