npm - @tyvm/knowhow - Versions diffs - 0.0.83 → 0.0.85 - Mend

@tyvm/knowhow 0.0.83 → 0.0.85

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/package.json +4 -2
package/src/agents/base/base.ts +72 -62
package/src/agents/index.ts +30 -14
package/src/agents/researcher/researcher.ts +1 -2
package/src/agents/tools/aiClient.ts +48 -0
package/src/agents/tools/list.ts +57 -0
package/src/agents/tools/startAgentTask.ts +3 -1
package/src/chat/CliChatService.ts +20 -4
package/src/chat/modules/AgentModule.ts +399 -357
package/src/chat/modules/CustomCommandsModule.ts +0 -1
package/src/chat/modules/InternalChatModule.ts +18 -2
package/src/chat/modules/RendererModule.ts +109 -0
package/src/chat/modules/SessionsModule.ts +854 -0
package/src/chat/modules/SetupModule.ts +6 -8
package/src/chat/modules/index.ts +1 -0
package/src/chat/renderer/CompactRenderer.ts +209 -0
package/src/chat/renderer/ConsoleRenderer.ts +141 -0
package/src/chat/renderer/FancyRenderer.ts +421 -0
package/src/chat/renderer/index.ts +5 -0
package/src/chat/renderer/loadRenderer.ts +314 -0
package/src/chat/renderer/messagesToRenderEvents.ts +96 -0
package/src/chat/renderer/types.ts +88 -0
package/src/chat/types.ts +5 -0
package/src/chat.ts +69 -5
package/src/cli.ts +24 -5
package/src/clients/index.ts +91 -0
package/src/clients/pricing/google.ts +81 -2
package/src/clients/pricing/openai.ts +68 -0
package/src/config.ts +15 -0
package/src/plugins/AgentsMdPlugin.ts +1 -1
package/src/plugins/GitPlugin.ts +20 -20
package/src/plugins/PluginBase.ts +11 -0
package/src/plugins/SkillsPlugin.ts +150 -0
package/src/plugins/asana.ts +4 -4
package/src/plugins/embedding.ts +3 -5
package/src/plugins/exec.ts +3 -3
package/src/plugins/figma.ts +3 -7
package/src/plugins/github.ts +18 -29
package/src/plugins/jira.ts +2 -2
package/src/plugins/language.ts +4 -4
package/src/plugins/linear.ts +4 -4
package/src/plugins/notion.ts +6 -8
package/src/plugins/plugins.ts +29 -3
package/src/plugins/url.ts +2 -2
package/src/plugins/vim.ts +4 -3
package/src/services/AgentService.ts +17 -0
package/src/services/AgentSyncFs.ts +3 -0
package/src/services/EventService.ts +168 -27
package/src/services/KnowhowClient.ts +1 -0
package/src/services/SessionManager.ts +51 -1
package/src/services/SyncedAgentWatcher.ts +397 -0
package/src/services/SyncerService.ts +147 -0
package/src/services/index.ts +2 -0
package/src/services/modules/index.ts +14 -3
package/src/types.ts +103 -5
package/src/worker.ts +80 -2
package/src/workers/auth/PasskeySetup.ts +185 -0
package/src/workers/auth/WorkerPasskeyAuth.ts +190 -0
package/src/workers/auth/types.ts +58 -0
package/src/workers/tools/getChallenge.ts +33 -0
package/src/workers/tools/index.ts +8 -0
package/src/workers/tools/lock.ts +31 -0
package/src/workers/tools/unlock.ts +116 -0
package/tests/clients/pricing.test.ts +144 -0
package/tests/unit/modules/moduleLoading.test.ts +226 -0
package/tests/unit/plugins/pluginLoading.test.ts +151 -0
package/ts_build/package.json +4 -2
package/ts_build/src/agents/base/base.d.ts +4 -3
package/ts_build/src/agents/base/base.js +54 -30
package/ts_build/src/agents/base/base.js.map +1 -1
package/ts_build/src/agents/index.d.ts +3 -0
package/ts_build/src/agents/index.js +21 -11
package/ts_build/src/agents/index.js.map +1 -1
package/ts_build/src/agents/researcher/researcher.js +1 -1
package/ts_build/src/agents/researcher/researcher.js.map +1 -1
package/ts_build/src/agents/tools/aiClient.d.ts +3 -0
package/ts_build/src/agents/tools/aiClient.js +31 -1
package/ts_build/src/agents/tools/aiClient.js.map +1 -1
package/ts_build/src/agents/tools/list.js +48 -0
package/ts_build/src/agents/tools/list.js.map +1 -1
package/ts_build/src/agents/tools/startAgentTask.js +2 -1
package/ts_build/src/agents/tools/startAgentTask.js.map +1 -1
package/ts_build/src/chat/CliChatService.js +16 -5
package/ts_build/src/chat/CliChatService.js.map +1 -1
package/ts_build/src/chat/modules/AgentModule.d.ts +34 -17
package/ts_build/src/chat/modules/AgentModule.js +248 -258
package/ts_build/src/chat/modules/AgentModule.js.map +1 -1
package/ts_build/src/chat/modules/CustomCommandsModule.js.map +1 -1
package/ts_build/src/chat/modules/InternalChatModule.d.ts +3 -0
package/ts_build/src/chat/modules/InternalChatModule.js +16 -1
package/ts_build/src/chat/modules/InternalChatModule.js.map +1 -1
package/ts_build/src/chat/modules/RendererModule.d.ts +16 -0
package/ts_build/src/chat/modules/RendererModule.js +76 -0
package/ts_build/src/chat/modules/RendererModule.js.map +1 -0
package/ts_build/src/chat/modules/SessionsModule.d.ts +33 -0
package/ts_build/src/chat/modules/SessionsModule.js +582 -0
package/ts_build/src/chat/modules/SessionsModule.js.map +1 -0
package/ts_build/src/chat/modules/SetupModule.d.ts +3 -3
package/ts_build/src/chat/modules/SetupModule.js +4 -6
package/ts_build/src/chat/modules/SetupModule.js.map +1 -1
package/ts_build/src/chat/modules/index.d.ts +1 -0
package/ts_build/src/chat/modules/index.js +3 -1
package/ts_build/src/chat/modules/index.js.map +1 -1
package/ts_build/src/chat/renderer/CompactRenderer.d.ts +23 -0
package/ts_build/src/chat/renderer/CompactRenderer.js +167 -0
package/ts_build/src/chat/renderer/CompactRenderer.js.map +1 -0
package/ts_build/src/chat/renderer/ConsoleRenderer.d.ts +22 -0
package/ts_build/src/chat/renderer/ConsoleRenderer.js +110 -0
package/ts_build/src/chat/renderer/ConsoleRenderer.js.map +1 -0
package/ts_build/src/chat/renderer/FancyRenderer.d.ts +23 -0
package/ts_build/src/chat/renderer/FancyRenderer.js +328 -0
package/ts_build/src/chat/renderer/FancyRenderer.js.map +1 -0
package/ts_build/src/chat/renderer/index.d.ts +5 -0
package/ts_build/src/chat/renderer/index.js +29 -0
package/ts_build/src/chat/renderer/index.js.map +1 -0
package/ts_build/src/chat/renderer/loadRenderer.d.ts +4 -0
package/ts_build/src/chat/renderer/loadRenderer.js +246 -0
package/ts_build/src/chat/renderer/loadRenderer.js.map +1 -0
package/ts_build/src/chat/renderer/messagesToRenderEvents.d.ts +15 -0
package/ts_build/src/chat/renderer/messagesToRenderEvents.js +72 -0
package/ts_build/src/chat/renderer/messagesToRenderEvents.js.map +1 -0
package/ts_build/src/chat/renderer/types.d.ts +75 -0
package/ts_build/src/chat/renderer/types.js +3 -0
package/ts_build/src/chat/renderer/types.js.map +1 -0
package/ts_build/src/chat/types.d.ts +5 -0
package/ts_build/src/chat.js +46 -4
package/ts_build/src/chat.js.map +1 -1
package/ts_build/src/cli.js +18 -5
package/ts_build/src/cli.js.map +1 -1
package/ts_build/src/clients/gemini.d.ts +10 -10
package/ts_build/src/clients/index.d.ts +10 -0
package/ts_build/src/clients/index.js +58 -0
package/ts_build/src/clients/index.js.map +1 -1
package/ts_build/src/clients/pricing/google.d.ts +10 -10
package/ts_build/src/clients/pricing/google.js +74 -2
package/ts_build/src/clients/pricing/google.js.map +1 -1
package/ts_build/src/clients/pricing/openai.js +65 -0
package/ts_build/src/clients/pricing/openai.js.map +1 -1
package/ts_build/src/config.d.ts +1 -0
package/ts_build/src/config.js +17 -1
package/ts_build/src/config.js.map +1 -1
package/ts_build/src/plugins/AgentsMdPlugin.js +1 -1
package/ts_build/src/plugins/AgentsMdPlugin.js.map +1 -1
package/ts_build/src/plugins/GitPlugin.js +20 -20
package/ts_build/src/plugins/GitPlugin.js.map +1 -1
package/ts_build/src/plugins/PluginBase.d.ts +1 -0
package/ts_build/src/plugins/PluginBase.js +13 -0
package/ts_build/src/plugins/PluginBase.js.map +1 -1
package/ts_build/src/plugins/SkillsPlugin.d.ts +13 -0
package/ts_build/src/plugins/SkillsPlugin.js +149 -0
package/ts_build/src/plugins/SkillsPlugin.js.map +1 -0
package/ts_build/src/plugins/asana.js +4 -4
package/ts_build/src/plugins/asana.js.map +1 -1
package/ts_build/src/plugins/embedding.js +3 -3
package/ts_build/src/plugins/embedding.js.map +1 -1
package/ts_build/src/plugins/exec.js +3 -3
package/ts_build/src/plugins/exec.js.map +1 -1
package/ts_build/src/plugins/figma.js +3 -3
package/ts_build/src/plugins/figma.js.map +1 -1
package/ts_build/src/plugins/github.js +18 -18
package/ts_build/src/plugins/github.js.map +1 -1
package/ts_build/src/plugins/jira.js +2 -2
package/ts_build/src/plugins/jira.js.map +1 -1
package/ts_build/src/plugins/language.js +4 -4
package/ts_build/src/plugins/language.js.map +1 -1
package/ts_build/src/plugins/linear.js +4 -4
package/ts_build/src/plugins/linear.js.map +1 -1
package/ts_build/src/plugins/notion.js +6 -6
package/ts_build/src/plugins/notion.js.map +1 -1
package/ts_build/src/plugins/plugins.d.ts +3 -0
package/ts_build/src/plugins/plugins.js +18 -3
package/ts_build/src/plugins/plugins.js.map +1 -1
package/ts_build/src/plugins/url.js +2 -2
package/ts_build/src/plugins/url.js.map +1 -1
package/ts_build/src/plugins/vim.js +2 -2
package/ts_build/src/plugins/vim.js.map +1 -1
package/ts_build/src/services/AgentService.d.ts +3 -0
package/ts_build/src/services/AgentService.js +7 -0
package/ts_build/src/services/AgentService.js.map +1 -1
package/ts_build/src/services/AgentSyncFs.d.ts +1 -0
package/ts_build/src/services/AgentSyncFs.js +2 -0
package/ts_build/src/services/AgentSyncFs.js.map +1 -1
package/ts_build/src/services/EventService.d.ts +25 -2
package/ts_build/src/services/EventService.js +92 -14
package/ts_build/src/services/EventService.js.map +1 -1
package/ts_build/src/services/KnowhowClient.d.ts +1 -0
package/ts_build/src/services/KnowhowClient.js.map +1 -1
package/ts_build/src/services/SessionManager.d.ts +6 -0
package/ts_build/src/services/SessionManager.js +39 -1
package/ts_build/src/services/SessionManager.js.map +1 -1
package/ts_build/src/services/SyncedAgentWatcher.d.ts +101 -0
package/ts_build/src/services/SyncedAgentWatcher.js +312 -0
package/ts_build/src/services/SyncedAgentWatcher.js.map +1 -0
package/ts_build/src/services/SyncerService.d.ts +30 -0
package/ts_build/src/services/SyncerService.js +72 -0
package/ts_build/src/services/SyncerService.js.map +1 -0
package/ts_build/src/services/index.d.ts +2 -0
package/ts_build/src/services/index.js +2 -0
package/ts_build/src/services/index.js.map +1 -1
package/ts_build/src/services/modules/index.js +10 -2
package/ts_build/src/services/modules/index.js.map +1 -1
package/ts_build/src/types.d.ts +51 -2
package/ts_build/src/types.js +73 -5
package/ts_build/src/types.js.map +1 -1
package/ts_build/src/worker.d.ts +2 -0
package/ts_build/src/worker.js +59 -4
package/ts_build/src/worker.js.map +1 -1
package/ts_build/src/workers/auth/PasskeySetup.d.ts +10 -0
package/ts_build/src/workers/auth/PasskeySetup.js +131 -0
package/ts_build/src/workers/auth/PasskeySetup.js.map +1 -0
package/ts_build/src/workers/auth/WorkerPasskeyAuth.d.ts +35 -0
package/ts_build/src/workers/auth/WorkerPasskeyAuth.js +129 -0
package/ts_build/src/workers/auth/WorkerPasskeyAuth.js.map +1 -0
package/ts_build/src/workers/auth/types.d.ts +36 -0
package/ts_build/src/workers/auth/types.js +3 -0
package/ts_build/src/workers/auth/types.js.map +1 -0
package/ts_build/src/workers/tools/getChallenge.d.ts +9 -0
package/ts_build/src/workers/tools/getChallenge.js +27 -0
package/ts_build/src/workers/tools/getChallenge.js.map +1 -0
package/ts_build/src/workers/tools/index.d.ts +6 -0
package/ts_build/src/workers/tools/index.js +10 -0
package/ts_build/src/workers/tools/index.js.map +1 -1
package/ts_build/src/workers/tools/lock.d.ts +9 -0
package/ts_build/src/workers/tools/lock.js +27 -0
package/ts_build/src/workers/tools/lock.js.map +1 -0
package/ts_build/src/workers/tools/unlock.d.ts +18 -0
package/ts_build/src/workers/tools/unlock.js +78 -0
package/ts_build/src/workers/tools/unlock.js.map +1 -0
package/ts_build/tests/clients/pricing.test.d.ts +1 -0
package/ts_build/tests/clients/pricing.test.js +90 -0
package/ts_build/tests/clients/pricing.test.js.map +1 -0
package/ts_build/tests/unit/modules/moduleLoading.test.d.ts +1 -0
package/ts_build/tests/unit/modules/moduleLoading.test.js +187 -0
package/ts_build/tests/unit/modules/moduleLoading.test.js.map +1 -0
package/ts_build/tests/unit/plugins/pluginLoading.test.d.ts +1 -0
package/ts_build/tests/unit/plugins/pluginLoading.test.js +123 -0
package/ts_build/tests/unit/plugins/pluginLoading.test.js.map +1 -0

package/src/types.ts CHANGED Viewed

@@ -46,10 +46,23 @@ export type Config = {
   embedSources: EmbedSource[];
   embeddingModel: string;
+  skills?: string[];
   plugins: { enabled: string[]; disabled: string[] };
+  chat?: {
+    /** Path to a custom root chat module (npm package or local file) */
+    rootModule?: string;
+    /** Path to a custom renderer (npm package or local file, can be .ts) */
+    renderer?: string;
+    /** Additional chat modules to load (npm packages or local files, can be .ts) */
+    modules?: string[];
+  };
   modules: string[];
+  pluginPackages?: Record<string, string>;
   agents: Assistant[];
   mcps: McpConfig[];
   modelProviders: ModelProvider[];
@@ -73,6 +86,18 @@ export type Config = {
     sandbox?: boolean;
     volumes?: string[];
     envFile?: string;
+    auth?: {
+      required?: boolean;
+      passkey?: {
+        publicKey?: string;       // base64-encoded public key
+        credentialId?: string;    // base64-encoded credential ID
+        algorithm?: string;       // e.g. "ES256"
+      };
+      sessionDurationHours?: number;
+    };
+    commandAuth?: {
+      [toolName: string]: "always" | "session" | "never";
+    };
     tunnel?: {
       enabled?: boolean;
       allowedPorts?: number[];
@@ -191,6 +216,12 @@ export const Models = {
   openai: {
     GPT_5_2: "gpt-5.2",
     GPT_5_1: "gpt-5.1",
+    GPT_54: "gpt-5.4",
+    GPT_54_Mini: "gpt-5.4-mini",
+    GPT_54_Nano: "gpt-5.4-nano",
+    GPT_54_Pro: "gpt-5.4-pro",
+    GPT_53_Chat: "gpt-5.3-chat-latest",
+    GPT_53_Codex: "gpt-5.3-codex",
     GPT_5: "gpt-5",
     GPT_5_Mini: "gpt-5-mini",
     GPT_5_Nano: "gpt-5-nano",
@@ -214,6 +245,12 @@ export const Models = {
     GPT_4o_Mini_Search: "gpt-4o-mini-search-preview-2025-03-11",
     GPT_4o_Search: "gpt-4o-search-preview-2025-03-11",
+    GPT_4o_Transcribe: "gpt-4o-transcribe",
+    GPT_4o_Mini_Transcribe: "gpt-4o-mini-transcribe",
+    GPT_Realtime_15: "gpt-realtime-1.5",
+    GPT_Realtime_Mini: "gpt-realtime-mini",
+    GPT_Image_15: "gpt-image-1.5",
+    GPT_Image_1_Mini: "gpt-image-1-mini",
     TTS_1: "tts-1",
     Whisper_1: "whisper-1",
     DALL_E_3: "dall-e-3",
@@ -225,19 +262,41 @@ export const Models = {
     // Codex_Mini: "codex-mini-latest",
   },
   google: {
-    Gemini_3_Preview: "gemini-3-pro-preview",
+    // Gemini 3.x
+    Gemini_31_Pro_Preview: "gemini-3.1-pro-preview",
+    Gemini_31_Flash_Image_Preview: "gemini-3.1-flash-image-preview",
+    Gemini_31_Flash_Lite_Preview: "gemini-3.1-flash-lite-preview",
+    Gemini_3_Flash_Preview: "gemini-3-flash-preview",
+    Gemini_3_Pro_Image_Preview: "gemini-3-pro-image-preview",
+    // Gemini 2.5
+    Gemini_25_Pro: "gemini-2.5-pro",
+    Gemini_25_Flash: "gemini-2.5-flash",
+    Gemini_25_Flash_Lite: "gemini-2.5-flash-lite",
     Gemini_25_Flash_Preview: "gemini-2.5-flash-preview-05-20",
     Gemini_25_Pro_Preview: "gemini-2.5-pro-preview-05-06",
+    Gemini_25_Flash_Image: "gemini-2.5-flash-image",
+    Gemini_25_Flash_Live: "gemini-2.5-flash-live-preview",
+    Gemini_25_Flash_Native_Audio: "gemini-2.5-flash-native-audio-preview-12-2025",
+    Gemini_25_Pro_TTS: "gemini-2.5-pro-preview-tts",
+    // Gemini 2.0 (deprecated)
     Gemini_20_Flash: "gemini-2.0-flash",
     Gemini_20_Flash_Preview_Image_Generation:
       "gemini-2.0-flash-exp-image-generation",
     Gemini_20_Flash_Lite: "gemini-2.0-flash-lite",
+    // Gemini 1.5 (legacy)
     Gemini_15_Flash: "gemini-1.5-flash",
     Gemini_15_Flash_8B: "gemini-1.5-flash-8b",
     Gemini_15_Pro: "gemini-1.5-pro",
+    // Media generation
     Imagen_3: "imagen-4.0-generate-001",
+    Imagen_4_Fast: "imagen-4.0-fast-generate-001",
+    Imagen_4_Ultra: "imagen-4.0-ultra-generate-001",
     Veo_2: "veo-2.0-generate-001",
+    Veo_3: "veo-3.0-generate-001",
+    Veo_3_Fast: "veo-3.0-fast-generate-001",
     Veo_3_1: "veo-3.1-generate-preview",
+    Veo_3_1_Fast: "veo-3.1-fast-generate-preview",
+    // Audio / Live
     Gemini_20_Flash_Live: "gemini-2.0-flash-live-001",
     Gemini_25_Flash_TTS: "gemini-2.5-flash-preview-tts",
     Gemini_20_Flash_TTS: "gemini-2.0-flash-preview-tts",
@@ -252,6 +311,7 @@ export const EmbeddingModels = {
   },
   google: {
     Gemini_Embedding: "gemini-embedding-exp",
+    Gemini_Embedding_001: "gemini-embedding-001",
   },
 };
@@ -281,6 +341,12 @@ export const OpenAiReasoningModels = [
   Models.openai.o3,
   Models.openai.o3_Pro,
   Models.openai.o4_Mini,
+  Models.openai.GPT_54,
+  Models.openai.GPT_54_Mini,
+  Models.openai.GPT_54_Nano,
+  Models.openai.GPT_54_Pro,
+  Models.openai.GPT_53_Chat,
+  Models.openai.GPT_53_Codex,
   Models.openai.GPT_5,
   Models.openai.GPT_5_Mini,
   Models.openai.GPT_5_Nano,
@@ -296,6 +362,12 @@ export const OpenAiEmbeddingModels = [
 // export const OpenAiResponseOnlyModels = [Models.openai.Codex_Mini];
 export const GoogleReasoningModels = [
+  Models.google.Gemini_31_Pro_Preview,
+  Models.google.Gemini_31_Flash_Lite_Preview,
+  Models.google.Gemini_3_Flash_Preview,
+  Models.google.Gemini_25_Pro,
+  Models.google.Gemini_25_Flash,
+  Models.google.Gemini_25_Flash_Lite,
   Models.google.Gemini_25_Flash_Preview,
   Models.google.Gemini_25_Pro_Preview,
   Models.google.Gemini_20_Flash,
@@ -306,13 +378,20 @@ export const GoogleReasoningModels = [
 ];
 export const GoogleImageModels = [
+  Models.google.Gemini_31_Flash_Image_Preview,
+  Models.google.Gemini_3_Pro_Image_Preview,
+  Models.google.Gemini_25_Flash_Image,
   Models.google.Gemini_20_Flash_Preview_Image_Generation,
   Models.google.Imagen_3,
+  Models.google.Imagen_4_Fast,
+  Models.google.Imagen_4_Ultra,
 ];
 export const OpenAiImageModels = [
   Models.openai.DALL_E_3,
   Models.openai.DALL_E_2,
+  Models.openai.GPT_Image_15,
+  Models.openai.GPT_Image_1_Mini,
 ];
 export const OpenAiVideoModels = [
@@ -323,17 +402,36 @@ export const OpenAiVideoModels = [
 export const OpenAiTTSModels = [Models.openai.TTS_1];
-export const OpenAiTranscriptionModels = [Models.openai.Whisper_1];
 export const XaiImageModels = [Models.xai.GrokImagineImage];
+export const OpenAiTranscriptionModels = [
+  Models.openai.Whisper_1,
+  Models.openai.GPT_4o_Transcribe,
+  Models.openai.GPT_4o_Mini_Transcribe,
+];
+export const OpenAiRealtimeModels = [
+  Models.openai.GPT_4o_Realtime,
+  Models.openai.GPT_4o_Mini_Realtime,
+  Models.openai.GPT_Realtime_15,
+  Models.openai.GPT_Realtime_Mini,
+];
 export const XaiVideoModels = [Models.xai.GrokImagineVideo];
 export const GoogleTTSModels = [
   Models.google.Gemini_25_Flash_TTS,
+  Models.google.Gemini_25_Pro_TTS,
   Models.google.Gemini_20_Flash_TTS,
 ];
-export const GoogleVideoModels = [Models.google.Veo_2, Models.google.Veo_3_1];
+export const GoogleVideoModels = [
+  Models.google.Veo_2,
+  Models.google.Veo_3,
+  Models.google.Veo_3_Fast,
+  Models.google.Veo_3_1,
+  Models.google.Veo_3_1_Fast,
+];
-export const GoogleEmbeddingModels = [EmbeddingModels.google.Gemini_Embedding];
+export const GoogleEmbeddingModels = [
+  EmbeddingModels.google.Gemini_Embedding,
+  EmbeddingModels.google.Gemini_Embedding_001,
+];

package/src/worker.ts CHANGED Viewed

@@ -4,6 +4,9 @@ import { createTunnelHandler, TunnelHandler } from "@tyvm/knowhow-tunnel";
 import { includedTools } from "./agents/tools/list";
 import { loadJwt } from "./login";
 import { services } from "./services";
+import { PasskeySetupService } from "./workers/auth/PasskeySetup";
+import { WorkerPasskeyAuthService } from "./workers/auth/WorkerPasskeyAuth";
+import { makeUnlockTool, makeLockTool } from "./workers/tools";
 import { McpServerService } from "./services/Mcp";
 import * as allTools from "./agents/tools";
 import workerTools from "./workers/tools";
@@ -85,9 +88,33 @@ export async function worker(options?: {
   unshare?: boolean;
   sandbox?: boolean;
   noSandbox?: boolean;
+  passkey?: boolean;
+  passkeyReset?: boolean;
 }) {
   const config = await getConfig();
+  // Handle --passkey-reset: remove passkey from config
+  if (options?.passkeyReset) {
+    const passkeySetup = new PasskeySetupService();
+    await passkeySetup.reset();
+    return;
+  }
+  // Handle --passkey: run browser-based passkey registration flow
+  if (options?.passkey) {
+    let jwt: string;
+    try {
+      jwt = await loadJwt();
+    } catch {
+      console.error("❌ You must be logged in to set up a passkey.");
+      console.error("   Run 'knowhow login' first.");
+      process.exit(1);
+    }
+    const passkeySetup = new PasskeySetupService();
+    await passkeySetup.setup(jwt);
+    return;
+  }
   // Check if we're already running inside a Docker container
   const isInsideDocker = process.env.KNOWHOW_DOCKER === "true";
@@ -158,6 +185,24 @@ export async function worker(options?: {
   const clientName = "knowhow-worker";
   const clientVersion = "1.1.1";
+  // ---------------------------------------------------------------------------
+  // Passkey auth gating
+  // ---------------------------------------------------------------------------
+  let authService: WorkerPasskeyAuthService | null = null;
+  const passkeyConfig = config.worker?.auth?.passkey;
+  if (passkeyConfig?.publicKey && passkeyConfig?.credentialId) {
+    authService = new WorkerPasskeyAuthService(
+      {
+        publicKey: passkeyConfig.publicKey,
+        credentialId: passkeyConfig.credentialId,
+        algorithm: -7, // ES256
+      },
+      config.worker?.auth?.sessionDurationHours ?? 3
+    );
+    console.log("🔒 Passkey auth enabled — worker starts locked");
+  }
   if (!shouldUseSandbox) {
     console.log(`🖥️  Using host mode (${sandboxSource})`);
   }
@@ -172,7 +217,6 @@ export async function worker(options?: {
       ...config.worker,
       allowedTools: Tools.getToolNames(),
     };
     await updateConfig(config);
     return;
   }
@@ -183,7 +227,41 @@ export async function worker(options?: {
     return;
   }
-  const toolsToUse = Tools.getToolsByNames(config.worker.allowedTools);
+  let toolsToUse = Tools.getToolsByNames(config.worker.allowedTools);
+  // If passkey auth is enabled, wrap all tool functions to check locked state
+  // and register the unlock/lock auth tools
+  if (authService) {
+    const _authService = authService;
+    // Wrap every configured tool to gate on locked state
+    for (const tool of toolsToUse) {
+      const toolName = tool.function.name;
+      const originalFn = Tools.getFunction(toolName);
+      Tools.addFunctions({
+        [toolName]: async (...args: any[]) => {
+          if (_authService.isLocked()) {
+            return {
+              error: "WORKER_LOCKED",
+              message:
+                "Worker is locked. Call the `unlock` tool with your passkey assertion to unlock it first.",
+            };
+          }
+          return originalFn(...args);
+        },
+      });
+    }
+    // Build and register the auth tools
+    const { unlock, unlockDefinition } = makeUnlockTool(_authService);
+    const { lock, lockDefinition } = makeLockTool(_authService);
+    Tools.addFunctions({ unlock, lock });
+    toolsToUse = [unlockDefinition, lockDefinition, ...toolsToUse];
+    console.log("🔑 Auth tools registered: unlock, lock");
+  }
   mcpServer.createServer(clientName, clientVersion).withTools(toolsToUse);
   let connected = false;

package/src/workers/auth/PasskeySetup.ts ADDED Viewed

@@ -0,0 +1,185 @@
+import axios from "axios";
+import { KNOWHOW_API_URL } from "../../services/KnowhowClient";
+import { openBrowser } from "../../auth/browserLogin";
+import { Spinner } from "../../auth/spinner";
+import { getConfig, updateConfig } from "../../config";
+import { PasskeySetupSession, PasskeySetupStatus, PasskeyCredential } from "./types";
+/**
+ * Service that handles the CLI-side passkey setup flow.
+ *
+ * Flow:
+ *  1. POST /api/worker/passkey/setup/session  → get sessionId + browserUrl
+ *  2. Open browser to browserUrl
+ *  3. Poll /api/worker/passkey/setup/status/:sessionId until status === 'complete'
+ *  4. Save the returned credential to local config
+ */
+export class PasskeySetupService {
+  private baseUrl: string;
+  constructor(baseUrl: string = KNOWHOW_API_URL) {
+    if (!baseUrl) {
+      throw new Error("KNOWHOW_API_URL environment variable not set");
+    }
+    this.baseUrl = baseUrl;
+  }
+  /**
+   * Run the full passkey setup flow.
+   */
+  async setup(jwt: string): Promise<void> {
+    const spinner = new Spinner();
+    try {
+      spinner.start("Creating passkey setup session");
+      const session = await this.createSetupSession(jwt);
+      spinner.stop();
+      await openBrowser(session.browserUrl);
+      console.log(
+        `\nIf the browser didn't open automatically, please visit:\n  ${session.browserUrl}\n`
+      );
+      spinner.start("Waiting for passkey registration in browser…");
+      const credential = await this.pollForCompletion(session.sessionId, spinner);
+      spinner.stop();
+      spinner.start("Saving passkey credential to config");
+      await this.saveCredential(credential);
+      spinner.stop();
+      console.log("✅ Passkey registered successfully!");
+      console.log(
+        "   Worker will now require passkey authentication for new connections."
+      );
+    } catch (error) {
+      spinner.stop();
+      throw error;
+    }
+  }
+  /**
+   * Remove passkey requirement from config.
+   */
+  async reset(): Promise<void> {
+    const config = await getConfig();
+    if (!config.worker?.auth?.passkey) {
+      console.log("ℹ️  No passkey configured for this worker.");
+      return;
+    }
+    const updatedConfig = {
+      ...config,
+      worker: {
+        ...config.worker,
+        auth: {
+          ...config.worker.auth,
+          required: false,
+          passkey: undefined,
+        },
+      },
+    };
+    await updateConfig(updatedConfig);
+    console.log("✅ Passkey requirement removed from config.");
+  }
+  // ---------------------------------------------------------------------------
+  // Private helpers
+  // ---------------------------------------------------------------------------
+  private async createSetupSession(jwt: string): Promise<PasskeySetupSession> {
+    try {
+      const response = await axios.post<PasskeySetupSession>(
+        `${this.baseUrl}/api/worker/passkey/setup/session`,
+        {},
+        {
+          headers: { Authorization: `Bearer ${jwt}` },
+          timeout: 10000,
+        }
+      );
+      return response.data;
+    } catch (error) {
+      if (axios.isAxiosError(error)) {
+        throw new Error(
+          `Failed to create passkey setup session: ${
+            error.response?.data?.message || error.message
+          }`
+        );
+      }
+      throw error;
+    }
+  }
+  private async pollForCompletion(
+    sessionId: string,
+    spinner: Spinner
+  ): Promise<PasskeyCredential> {
+    const maxAttempts = 60; // 5 minutes at 5-second intervals
+    let attempt = 0;
+    while (attempt < maxAttempts) {
+      attempt++;
+      try {
+        const response = await axios.get<PasskeySetupStatus>(
+          `${this.baseUrl}/api/worker/passkey/setup/status/${sessionId}`,
+          { timeout: 10000 }
+        );
+        const { status, credential } = response.data;
+        if (status === "complete" && credential) {
+          return credential;
+        } else if (status === "expired") {
+          throw new Error(
+            "Passkey setup session expired. Please run 'knowhow worker --passkey' again."
+          );
+        }
+      } catch (error) {
+        if (axios.isAxiosError(error) && error.code === "ECONNABORTED") {
+          // Timeout — keep polling
+        } else if (!(error instanceof Error && error.message.includes("expired"))) {
+          // Re-throw non-timeout, non-expected errors
+          throw error;
+        } else {
+          throw error;
+        }
+      }
+      await this.sleep(5000);
+    }
+    throw new Error("Passkey setup timed out. Please try again.");
+  }
+  private async saveCredential(credential: PasskeyCredential): Promise<void> {
+    const config = await getConfig();
+    const updatedConfig = {
+      ...config,
+      worker: {
+        ...config.worker,
+        auth: {
+          ...config.worker?.auth,
+          required: true,
+          passkey: {
+            publicKey: credential.publicKey,
+            credentialId: credential.credentialId,
+            algorithm: credential.algorithm,
+          },
+          sessionDurationHours: config.worker?.auth?.sessionDurationHours ?? 3,
+        },
+      },
+    };
+    await updateConfig(updatedConfig);
+  }
+  private async sleep(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+}

package/src/workers/auth/WorkerPasskeyAuth.ts ADDED Viewed

@@ -0,0 +1,190 @@
+import crypto from "crypto";
+import { verifyAuthenticationResponse } from "@simplewebauthn/server";
+/**
+ * Manages the locked/unlocked state of the worker's passkey auth.
+ * When the worker has passkey configured, it starts locked.
+ * The user must call `unlock` with a valid WebAuthn assertion to unlock.
+ * The worker verifies the signature locally using the stored public key.
+ */
+export interface PasskeyConfig {
+  publicKey: string;    // base64url-encoded COSE public key
+  credentialId: string; // base64url-encoded credential ID
+  algorithm: number;    // e.g. -7 for ES256
+}
+export interface UnlockParams {
+  /** base64url-encoded signature from WebAuthn assertion */
+  signature: string;
+  /** base64url-encoded credential ID */
+  credentialId: string;
+  /** base64url-encoded authenticatorData */
+  authenticatorData: string;
+  /** base64url-encoded clientDataJSON */
+  clientDataJSON: string;
+  /** The challenge that was signed (base64url) */
+  challenge: string;
+}
+export class WorkerPasskeyAuthService {
+  private locked = true;
+  private sessionExpiry: number | null = null;
+  private sessionDurationMs: number;
+  // Pending challenge: base64url
+  private pendingChallenge: string | null = null;
+  private pendingChallengeExpiry: number | null = null;
+  private readonly CHALLENGE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+  constructor(
+    private passkeyConfig: PasskeyConfig,
+    sessionDurationHours: number = 3
+  ) {
+    this.sessionDurationMs = sessionDurationHours * 60 * 60 * 1000;
+  }
+  isLocked(): boolean {
+    if (!this.locked) {
+      // Check if session has expired
+      if (this.sessionExpiry && Date.now() > this.sessionExpiry) {
+        console.log("🔒 Passkey session expired, locking worker");
+        this.locked = true;
+        this.sessionExpiry = null;
+      }
+    }
+    return this.locked;
+  }
+  /**
+   * Generate a new challenge for the client to sign.
+   * Returns base64url-encoded challenge bytes.
+   */
+  generateChallenge(): string {
+    const challengeBytes = crypto.randomBytes(32);
+    const challenge = challengeBytes.toString("base64url");
+    this.pendingChallenge = challenge;
+    this.pendingChallengeExpiry = Date.now() + this.CHALLENGE_TTL_MS;
+    return challenge;
+  }
+  /**
+   * Attempt to unlock the worker by verifying a WebAuthn assertion.
+   * Returns true if the signature is valid and the worker is now unlocked.
+   */
+  async unlock(params: UnlockParams): Promise<{ success: boolean; reason?: string }> {
+    // Verify the challenge matches what we issued
+    if (!this.pendingChallenge) {
+      return { success: false, reason: "No pending challenge. Call getChallenge first." };
+    }
+    if (this.pendingChallengeExpiry && Date.now() > this.pendingChallengeExpiry) {
+      this.pendingChallenge = null;
+      this.pendingChallengeExpiry = null;
+      return { success: false, reason: "Challenge expired. Please request a new challenge." };
+    }
+    // Verify the challenge in clientDataJSON matches our pending challenge
+    let clientData: { type: string; challenge: string; origin: string };
+    try {
+      const clientDataBytes = Buffer.from(params.clientDataJSON, "base64url");
+      clientData = JSON.parse(clientDataBytes.toString("utf8"));
+    } catch {
+      return { success: false, reason: "Invalid clientDataJSON" };
+    }
+    // The challenge in clientDataJSON is base64url-encoded
+    if (clientData.challenge !== this.pendingChallenge) {
+      return { success: false, reason: "Challenge mismatch" };
+    }
+    if (clientData.type !== "webauthn.get") {
+      return { success: false, reason: "Invalid clientData type" };
+    }
+    // Verify credential ID matches our stored credential
+    if (params.credentialId !== this.passkeyConfig.credentialId) {
+      return { success: false, reason: "Unknown credential" };
+    }
+    // Verify the signature using @simplewebauthn/server
+    const valid = await this.verifySignature(params, clientData.origin);
+    if (!valid) {
+      return { success: false, reason: "Invalid signature" };
+    }
+    // Unlock!
+    this.locked = false;
+    this.sessionExpiry = Date.now() + this.sessionDurationMs;
+    this.pendingChallenge = null;
+    this.pendingChallengeExpiry = null;
+    const expiresAt = new Date(this.sessionExpiry).toISOString();
+    console.log(`🔓 Worker unlocked! Session expires at ${expiresAt}`);
+    return { success: true };
+  }
+  lock(): void {
+    this.locked = true;
+    this.sessionExpiry = null;
+    this.pendingChallenge = null;
+    this.pendingChallengeExpiry = null;
+    console.log("🔒 Worker locked");
+  }
+  getSessionInfo() {
+    if (this.locked || !this.sessionExpiry) {
+      return { locked: true, expiresAt: null };
+    }
+    return {
+      locked: false,
+      expiresAt: new Date(this.sessionExpiry).toISOString(),
+    };
+  }
+  /**
+   * Returns the credential ID stored in the passkey config.
+   */
+  getCredentialId(): string {
+    return this.passkeyConfig.credentialId;
+  }
+  // ---------------------------------------------------------------------------
+  // Signature verification via @simplewebauthn/server
+  // ---------------------------------------------------------------------------
+  /**
+   * Verify a WebAuthn assertion using @simplewebauthn/server's verifyAuthenticationResponse.
+   * This handles all COSE key format complexity automatically.
+   */
+  private async verifySignature(params: UnlockParams, origin: string): Promise<boolean> {
+    try {
+      const { verified } = await verifyAuthenticationResponse({
+        response: {
+          id: params.credentialId,
+          rawId: params.credentialId,
+          response: {
+            authenticatorData: params.authenticatorData,
+            clientDataJSON: params.clientDataJSON,
+            signature: params.signature,
+          },
+          type: "public-key",
+          clientExtensionResults: {},
+        },
+        expectedChallenge: this.pendingChallenge!,
+        expectedOrigin: origin,
+        expectedRPID: new URL(origin).hostname,
+        credential: {
+          id: this.passkeyConfig.credentialId,
+          publicKey: Buffer.from(this.passkeyConfig.publicKey, "base64url"),
+          counter: 0,
+          transports: undefined,
+        },
+        requireUserVerification: false,
+      });
+      return verified;
+    } catch (err) {
+      console.error("Signature verification error:", err);
+      return false;
+    }
+  }
+}