@venturewild/workspace 0.6.3 → 0.6.5

package/server/src/settings.mjs

@@ -1,145 +1,145 @@
-// Settings store + the autonomy-dial resolver (§8 "Surface B"). Two things live here:
-//   1. resolveAutonomyMode() — the SAFETY-CRITICAL mapping from the user-facing
-//      autonomy level to the agent's permission mode. This is the guardrail.
-//   2. createSettings() — a file-backed store under ~/.wild-workspace/settings/ for
-//      the autonomy level + the conversation title (/rename override of the derived
-//      presence label). CLAUDE.md #1: never the synced repo, never localStorage.
-//
-// THE AUTONOMY DIAL — and why the middle tier is "coming soon", not built (read this):
-//
-//   The §8 build-risk is explicit: "Work, then show me" is NOT one native flag. It is
-//   acceptEdits PLUS our own confirm-gate on dangerous non-edit ops (deploy/delete/
-//   send/spend). A TRUE inline confirm-gate needs to intercept a tool call mid-turn,
-//   round-trip a confirmation to the browser, and resume — which our architecture
-//   can't do cleanly tonight: we wrap `claude -p` per turn (AR-17: no Agent SDK, so no
-//   `canUseTool` callback), and headless `-p` has no interactive permission prompt, so
-//   `default`/`acceptEdits` modes can't "ask" — they just deny. Building that
-//   round-trip is a real piece of infra, not a flag.
-//
-//   So per the pre-approved fallback we ship only the TWO UNAMBIGUOUS tiers and leave
-//   the middle DISABLED ("coming soon"):
-//     • 'check' (Check with me) → 'plan'  — read-only; the agent proposes, you approve.
-//     • 'full'  (Full autonomy) → honors the Build/Plan toggle (Build → bypass).
-//   The middle ('work') and ANY unknown value SAFELY fall back to 'plan' — NEVER
-//   bypassPermissions. That is the guardrail the build-risk warns about: an unbuilt or
-//   unrecognized autonomy level must never silently behave like Full autonomy.
-//
-//   DEFAULT = UNSET. An install with no chosen level keeps today's behavior exactly
-//   (the per-message Build/Plan toggle drives the mode — Build is already bypass). The
-//   dial is purely ADDITIVE: it lets a nervous user LOCK to read-only, which they
-//   couldn't before. We did NOT change the product's existing default, and we did NOT
-//   map the middle tier to Full. (Whether the default SHOULD become a guarded
-//   auto-build once the confirm-gate ships is a product call flagged for Tuan.)
-
-import fs from 'node:fs';
-import path from 'node:path';
-import os from 'node:os';
-
-// The three user-facing tiers. 'work' is DEFINED (so the UI can render it) but NOT
-// BUILD-BACKED — see resolveAutonomyMode (it falls back to the safe 'plan').
-export const AUTONOMY_LEVELS = ['check', 'work', 'full'];
-// Which tiers a user may actually SELECT today. 'work' is excluded — "coming soon".
-export const SELECTABLE_AUTONOMY = ['check', 'full'];
-
-/**
- * Map an autonomy level + the per-message Build/Plan toggle to the agent permission
- * mode buildClaudeArgs understands ('plan' | 'build'). THE GUARDRAIL lives here:
- *   - unknown / 'work' (middle, not built)  → 'plan'  (read-only — NEVER bypass)
- *   - 'check'                                → 'plan'  (hard read-only lock)
- *   - 'full'                                 → honors the toggle (Build → bypass)
- *   - null/undefined (unset)                 → honors the toggle (today's behavior)
- * The invariant tested in settings.test.mjs: NOTHING except 'full'/unset+Build ever
- * yields 'build' (which is the only path to bypassPermissions).
- */
-export function resolveAutonomyMode(level, requestedMode) {
-  const toggle = requestedMode === 'plan' ? 'plan' : 'build';
-  switch (level) {
-    case 'full':
-      return toggle; //                 Full autonomy → honor the toggle (Build = bypass)
-    case 'check':
-      return 'plan'; //                 Check with me → always read-only propose
-    case null:
-    case undefined:
-    case '':
-      return toggle; //                 unset → unchanged product behavior
-    default:
-      // 'work' (middle, not built) AND any unrecognized value → SAFE read-only.
-      // This is the anti-regression: an unbuilt guardrail never becomes Full.
-      return 'plan';
-  }
-}
-
-function defaultSettingsDir(env = process.env, home = os.homedir()) {
-  const base = env.WILD_WORKSPACE_GLOBAL_DIR || path.join(home, '.wild-workspace');
-  return path.join(base, 'settings');
-}
-
-function readJsonSafe(file, fallback) {
-  try { return JSON.parse(fs.readFileSync(file, 'utf8')); } catch { return fallback; }
-}
-
-const TITLE_CAP = 120;
-
-export function createSettings({ baseDir, env = process.env, home = os.homedir() } = {}) {
-  const dir = baseDir || defaultSettingsDir(env, home);
-  const file = path.join(dir, 'settings.json');
-
-  function read() {
-    const v = readJsonSafe(file, null);
-    return v && typeof v === 'object' ? v : {};
-  }
-
-  function write(patch) {
-    const next = { ...read(), ...patch, ts: Date.now() };
-    try {
-      fs.mkdirSync(dir, { recursive: true });
-      const tmp = `${file}.${process.pid}.tmp`;
-      fs.writeFileSync(tmp, JSON.stringify(next, null, 2));
-      fs.renameSync(tmp, file);
-    } catch { /* read-only fs — degrade to not-persisted */ }
-    return next;
-  }
-
-  // autonomyLevel: 'check' | 'full' | null. We REFUSE to persist 'work' (not
-  // selectable) or any unknown value — storing it would be a latent foot-gun. null
-  // clears back to the unset/default behavior.
-  function getAutonomyLevel() {
-    const lvl = read().autonomyLevel;
-    return SELECTABLE_AUTONOMY.includes(lvl) ? lvl : null;
-  }
-  function setAutonomyLevel(level) {
-    const clean = SELECTABLE_AUTONOMY.includes(level) ? level : null;
-    write({ autonomyLevel: clean });
-    return clean;
-  }
-
-  function getConversationTitle() {
-    const t = read().conversationTitle;
-    return typeof t === 'string' && t.trim() ? t.trim() : null;
-  }
-  function setConversationTitle(title) {
-    const clean = typeof title === 'string' ? title.trim().slice(0, TITLE_CAP) : '';
-    write({ conversationTitle: clean || null });
-    return clean || null;
-  }
-
-  function getAll() {
-    return {
-      autonomyLevel: getAutonomyLevel(),
-      conversationTitle: getConversationTitle(),
-      // Surface what's selectable + which is build-backed, so the UI doesn't hardcode it.
-      autonomy: {
-        levels: AUTONOMY_LEVELS,
-        selectable: SELECTABLE_AUTONOMY,
-        comingSoon: AUTONOMY_LEVELS.filter((l) => !SELECTABLE_AUTONOMY.includes(l)),
-      },
-    };
-  }
-
-  return {
-    dir, file,
-    getAutonomyLevel, setAutonomyLevel,
-    getConversationTitle, setConversationTitle,
-    getAll,
-  };
-}
+// Settings store + the autonomy-dial resolver (§8 "Surface B"). Two things live here:
+//   1. resolveAutonomyMode() — the SAFETY-CRITICAL mapping from the user-facing
+//      autonomy level to the agent's permission mode. This is the guardrail.
+//   2. createSettings() — a file-backed store under ~/.wild-workspace/settings/ for
+//      the autonomy level + the conversation title (/rename override of the derived
+//      presence label). CLAUDE.md #1: never the synced repo, never localStorage.
+//
+// THE AUTONOMY DIAL — and why the middle tier is "coming soon", not built (read this):
+//
+//   The §8 build-risk is explicit: "Work, then show me" is NOT one native flag. It is
+//   acceptEdits PLUS our own confirm-gate on dangerous non-edit ops (deploy/delete/
+//   send/spend). A TRUE inline confirm-gate needs to intercept a tool call mid-turn,
+//   round-trip a confirmation to the browser, and resume — which our architecture
+//   can't do cleanly tonight: we wrap `claude -p` per turn (AR-17: no Agent SDK, so no
+//   `canUseTool` callback), and headless `-p` has no interactive permission prompt, so
+//   `default`/`acceptEdits` modes can't "ask" — they just deny. Building that
+//   round-trip is a real piece of infra, not a flag.
+//
+//   So per the pre-approved fallback we ship only the TWO UNAMBIGUOUS tiers and leave
+//   the middle DISABLED ("coming soon"):
+//     • 'check' (Check with me) → 'plan'  — read-only; the agent proposes, you approve.
+//     • 'full'  (Full autonomy) → honors the Build/Plan toggle (Build → bypass).
+//   The middle ('work') and ANY unknown value SAFELY fall back to 'plan' — NEVER
+//   bypassPermissions. That is the guardrail the build-risk warns about: an unbuilt or
+//   unrecognized autonomy level must never silently behave like Full autonomy.
+//
+//   DEFAULT = UNSET. An install with no chosen level keeps today's behavior exactly
+//   (the per-message Build/Plan toggle drives the mode — Build is already bypass). The
+//   dial is purely ADDITIVE: it lets a nervous user LOCK to read-only, which they
+//   couldn't before. We did NOT change the product's existing default, and we did NOT
+//   map the middle tier to Full. (Whether the default SHOULD become a guarded
+//   auto-build once the confirm-gate ships is a product call flagged for Tuan.)
+
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+
+// The three user-facing tiers. 'work' is DEFINED (so the UI can render it) but NOT
+// BUILD-BACKED — see resolveAutonomyMode (it falls back to the safe 'plan').
+export const AUTONOMY_LEVELS = ['check', 'work', 'full'];
+// Which tiers a user may actually SELECT today. 'work' is excluded — "coming soon".
+export const SELECTABLE_AUTONOMY = ['check', 'full'];
+
+/**
+ * Map an autonomy level + the per-message Build/Plan toggle to the agent permission
+ * mode buildClaudeArgs understands ('plan' | 'build'). THE GUARDRAIL lives here:
+ *   - unknown / 'work' (middle, not built)  → 'plan'  (read-only — NEVER bypass)
+ *   - 'check'                                → 'plan'  (hard read-only lock)
+ *   - 'full'                                 → honors the toggle (Build → bypass)
+ *   - null/undefined (unset)                 → honors the toggle (today's behavior)
+ * The invariant tested in settings.test.mjs: NOTHING except 'full'/unset+Build ever
+ * yields 'build' (which is the only path to bypassPermissions).
+ */
+export function resolveAutonomyMode(level, requestedMode) {
+  const toggle = requestedMode === 'plan' ? 'plan' : 'build';
+  switch (level) {
+    case 'full':
+      return toggle; //                 Full autonomy → honor the toggle (Build = bypass)
+    case 'check':
+      return 'plan'; //                 Check with me → always read-only propose
+    case null:
+    case undefined:
+    case '':
+      return toggle; //                 unset → unchanged product behavior
+    default:
+      // 'work' (middle, not built) AND any unrecognized value → SAFE read-only.
+      // This is the anti-regression: an unbuilt guardrail never becomes Full.
+      return 'plan';
+  }
+}
+
+function defaultSettingsDir(env = process.env, home = os.homedir()) {
+  const base = env.WILD_WORKSPACE_GLOBAL_DIR || path.join(home, '.wild-workspace');
+  return path.join(base, 'settings');
+}
+
+function readJsonSafe(file, fallback) {
+  try { return JSON.parse(fs.readFileSync(file, 'utf8')); } catch { return fallback; }
+}
+
+const TITLE_CAP = 120;
+
+export function createSettings({ baseDir, env = process.env, home = os.homedir() } = {}) {
+  const dir = baseDir || defaultSettingsDir(env, home);
+  const file = path.join(dir, 'settings.json');
+
+  function read() {
+    const v = readJsonSafe(file, null);
+    return v && typeof v === 'object' ? v : {};
+  }
+
+  function write(patch) {
+    const next = { ...read(), ...patch, ts: Date.now() };
+    try {
+      fs.mkdirSync(dir, { recursive: true });
+      const tmp = `${file}.${process.pid}.tmp`;
+      fs.writeFileSync(tmp, JSON.stringify(next, null, 2));
+      fs.renameSync(tmp, file);
+    } catch { /* read-only fs — degrade to not-persisted */ }
+    return next;
+  }
+
+  // autonomyLevel: 'check' | 'full' | null. We REFUSE to persist 'work' (not
+  // selectable) or any unknown value — storing it would be a latent foot-gun. null
+  // clears back to the unset/default behavior.
+  function getAutonomyLevel() {
+    const lvl = read().autonomyLevel;
+    return SELECTABLE_AUTONOMY.includes(lvl) ? lvl : null;
+  }
+  function setAutonomyLevel(level) {
+    const clean = SELECTABLE_AUTONOMY.includes(level) ? level : null;
+    write({ autonomyLevel: clean });
+    return clean;
+  }
+
+  function getConversationTitle() {
+    const t = read().conversationTitle;
+    return typeof t === 'string' && t.trim() ? t.trim() : null;
+  }
+  function setConversationTitle(title) {
+    const clean = typeof title === 'string' ? title.trim().slice(0, TITLE_CAP) : '';
+    write({ conversationTitle: clean || null });
+    return clean || null;
+  }
+
+  function getAll() {
+    return {
+      autonomyLevel: getAutonomyLevel(),
+      conversationTitle: getConversationTitle(),
+      // Surface what's selectable + which is build-backed, so the UI doesn't hardcode it.
+      autonomy: {
+        levels: AUTONOMY_LEVELS,
+        selectable: SELECTABLE_AUTONOMY,
+        comingSoon: AUTONOMY_LEVELS.filter((l) => !SELECTABLE_AUTONOMY.includes(l)),
+      },
+    };
+  }
+
+  return {
+    dir, file,
+    getAutonomyLevel, setAutonomyLevel,
+    getConversationTitle, setConversationTitle,
+    getAll,
+  };
+}

package/server/src/share.mjs

@@ -1,182 +1,182 @@
-// Share-by-URL token issuance + verification (AR-20).
-// Reuses bmo-sync invite shape: tokens are signed claims with role + workspace + expiry.
-
-import { SignJWT, jwtVerify } from 'jose';
-import { nanoid } from 'nanoid';
-import { readFileSync, writeFileSync } from 'node:fs';
-
-const SHARE_ISSUER = 'wild-workspace';
-
-function secretToKey(secret) {
-  return new TextEncoder().encode(secret);
-}
-
-export async function mintShareToken({
-  secret,
-  workspaceId,
-  role,
-  ttlSeconds = 60 * 60 * 24, // 24h default per R17 mitigation
-  audience = 'wild-workspace-viewer',
-  subject = nanoid(12),
-}) {
-  if (!['viewer', 'client'].includes(role)) {
-    throw new Error(`shareable role must be 'viewer' or 'client'; got ${role}`);
-  }
-  const key = secretToKey(secret);
-  const iat = Math.floor(Date.now() / 1000);
-  const exp = iat + ttlSeconds;
-  const jwt = await new SignJWT({
-    role,
-    workspaceId,
-    jti: nanoid(16),
-  })
-    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
-    .setIssuer(SHARE_ISSUER)
-    .setAudience(audience)
-    .setSubject(subject)
-    .setIssuedAt(iat)
-    .setExpirationTime(exp)
-    .sign(key);
-  return { token: jwt, exp, role, workspaceId, sub: subject };
-}
-
-// Mint a PARTNER-role token for an approved device (Phase 2 device sign-in).
-// Separate from `mintShareToken` on purpose: that path is least-privilege and
-// must NEVER mint partner (its viewer/client guard is load-bearing). A device
-// token is full owner access, so it's bounded (90d default) and individually
-// revocable via `TokenRegistry` (its `device-` subject is registered at approve
-// time). It verifies through the same `verifyShareToken` path — `classifyToken`
-// then resolves `role:'partner'` exactly like the env partner token, but with a
-// revocable `sub`.
-export async function mintDeviceToken({
-  secret,
-  workspaceId,
-  ttlSeconds = 90 * 24 * 60 * 60, // 90 days — bounded RCE-grade token
-  audience = 'wild-workspace-device',
-  subject = `device-${nanoid(12)}`,
-}) {
-  const key = secretToKey(secret);
-  const iat = Math.floor(Date.now() / 1000);
-  const exp = iat + ttlSeconds;
-  const jwt = await new SignJWT({
-    role: 'partner',
-    workspaceId,
-    jti: nanoid(16),
-  })
-    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
-    .setIssuer(SHARE_ISSUER)
-    .setAudience(audience)
-    .setSubject(subject)
-    .setIssuedAt(iat)
-    .setExpirationTime(exp)
-    .sign(key);
-  return { token: jwt, exp, role: 'partner', workspaceId, sub: subject };
-}
-
-// Mint a one-time-ish BOOTSTRAP token for the first-device sign-in on the public
-// URL (B1). The local launcher fetches this over genuine loopback and opens
-// <slug>.venturewild.llc/?t=<token>; the SPA exchanges it for a DURABLE device
-// cookie (see /api/auth/exchange) and strips it from the address bar. It is
-// partner-role but deliberately SHORT-LIVED (5 min default) so its only window
-// of exposure — one navigation through the VW tunnel — is tightly bounded; the
-// long-lived credential the browser keeps is the re-minted device token, never
-// this. Carries `boot:true` so the exchange path can recognise + upgrade it.
-export async function mintBootstrapToken({
-  secret,
-  workspaceId,
-  ttlSeconds = 5 * 60, // 5 minutes — bounds the token-in-URL window
-  audience = 'wild-workspace-bootstrap',
-  subject = `bootstrap-${nanoid(12)}`,
-}) {
-  const key = secretToKey(secret);
-  const iat = Math.floor(Date.now() / 1000);
-  const exp = iat + ttlSeconds;
-  const jwt = await new SignJWT({
-    role: 'partner',
-    workspaceId,
-    boot: true,
-    jti: nanoid(16),
-  })
-    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
-    .setIssuer(SHARE_ISSUER)
-    .setAudience(audience)
-    .setSubject(subject)
-    .setIssuedAt(iat)
-    .setExpirationTime(exp)
-    .sign(key);
-  return { token: jwt, exp, role: 'partner', workspaceId, sub: subject };
-}
-
-export async function verifyShareToken(token, secret) {
-  if (!token) return null;
-  try {
-    const { payload } = await jwtVerify(token, secretToKey(secret), {
-      issuer: SHARE_ISSUER,
-    });
-    return payload;
-  } catch {
-    return null;
-  }
-}
-
-export function buildShareUrl({ shareBaseUrl, workspaceId, token }) {
-  const base = shareBaseUrl.replace(/\/$/, '');
-  return `${base}/share/${encodeURIComponent(workspaceId)}?t=${encodeURIComponent(token)}`;
-}
-
-// Token registry so the partner can list + revoke. The revocation set (and the
-// active-token list) is persisted to `<dataDir>/revoked.json` so a "revoked"
-// share token stays revoked across a server restart (concern C8) — without it,
-// the in-memory set reset on restart and a previously-revoked-but-unexpired JWT
-// validated again by signature. No `persistPath` → in-memory only (tests).
-export class TokenRegistry {
-  constructor({ persistPath = null } = {}) {
-    this.persistPath = persistPath;
-    this.tokens = new Map(); // sub -> { sub, role, workspaceId, exp, label, createdAt }
-    this.revoked = new Set();
-    this._load();
-  }
-  _load() {
-    if (!this.persistPath) return;
-    try {
-      const data = JSON.parse(readFileSync(this.persistPath, 'utf8'));
-      if (Array.isArray(data.revoked)) this.revoked = new Set(data.revoked);
-      if (Array.isArray(data.tokens)) {
-        for (const t of data.tokens) if (t?.sub) this.tokens.set(t.sub, t);
-      }
-    } catch {
-      /* missing / corrupt — start empty */
-    }
-  }
-  _persist() {
-    if (!this.persistPath) return;
-    try {
-      const now = Math.floor(Date.now() / 1000);
-      // Don't carry expired tokens forward; the revoked set stays (small).
-      const tokens = [...this.tokens.values()].filter((r) => r.exp > now);
-      writeFileSync(
-        this.persistPath,
-        JSON.stringify({ revoked: [...this.revoked], tokens }, null, 2),
-        { mode: 0o600 },
-      );
-    } catch {
-      /* read-only fs — revocation degrades to in-memory for this run */
-    }
-  }
-  add(record) {
-    this.tokens.set(record.sub, record);
-    this._persist();
-  }
-  list() {
-    const now = Math.floor(Date.now() / 1000);
-    return [...this.tokens.values()].filter((r) => r.exp > now && !this.revoked.has(r.sub));
-  }
-  revoke(sub) {
-    this.revoked.add(sub);
-    this.tokens.delete(sub);
-    this._persist();
-  }
-  isRevoked(sub) {
-    return this.revoked.has(sub);
-  }
-}
+// Share-by-URL token issuance + verification (AR-20).
+// Reuses bmo-sync invite shape: tokens are signed claims with role + workspace + expiry.
+
+import { SignJWT, jwtVerify } from 'jose';
+import { nanoid } from 'nanoid';
+import { readFileSync, writeFileSync } from 'node:fs';
+
+const SHARE_ISSUER = 'wild-workspace';
+
+function secretToKey(secret) {
+  return new TextEncoder().encode(secret);
+}
+
+export async function mintShareToken({
+  secret,
+  workspaceId,
+  role,
+  ttlSeconds = 60 * 60 * 24, // 24h default per R17 mitigation
+  audience = 'wild-workspace-viewer',
+  subject = nanoid(12),
+}) {
+  if (!['viewer', 'client'].includes(role)) {
+    throw new Error(`shareable role must be 'viewer' or 'client'; got ${role}`);
+  }
+  const key = secretToKey(secret);
+  const iat = Math.floor(Date.now() / 1000);
+  const exp = iat + ttlSeconds;
+  const jwt = await new SignJWT({
+    role,
+    workspaceId,
+    jti: nanoid(16),
+  })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuer(SHARE_ISSUER)
+    .setAudience(audience)
+    .setSubject(subject)
+    .setIssuedAt(iat)
+    .setExpirationTime(exp)
+    .sign(key);
+  return { token: jwt, exp, role, workspaceId, sub: subject };
+}
+
+// Mint a PARTNER-role token for an approved device (Phase 2 device sign-in).
+// Separate from `mintShareToken` on purpose: that path is least-privilege and
+// must NEVER mint partner (its viewer/client guard is load-bearing). A device
+// token is full owner access, so it's bounded (90d default) and individually
+// revocable via `TokenRegistry` (its `device-` subject is registered at approve
+// time). It verifies through the same `verifyShareToken` path — `classifyToken`
+// then resolves `role:'partner'` exactly like the env partner token, but with a
+// revocable `sub`.
+export async function mintDeviceToken({
+  secret,
+  workspaceId,
+  ttlSeconds = 90 * 24 * 60 * 60, // 90 days — bounded RCE-grade token
+  audience = 'wild-workspace-device',
+  subject = `device-${nanoid(12)}`,
+}) {
+  const key = secretToKey(secret);
+  const iat = Math.floor(Date.now() / 1000);
+  const exp = iat + ttlSeconds;
+  const jwt = await new SignJWT({
+    role: 'partner',
+    workspaceId,
+    jti: nanoid(16),
+  })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuer(SHARE_ISSUER)
+    .setAudience(audience)
+    .setSubject(subject)
+    .setIssuedAt(iat)
+    .setExpirationTime(exp)
+    .sign(key);
+  return { token: jwt, exp, role: 'partner', workspaceId, sub: subject };
+}
+
+// Mint a one-time-ish BOOTSTRAP token for the first-device sign-in on the public
+// URL (B1). The local launcher fetches this over genuine loopback and opens
+// <slug>.venturewild.llc/?t=<token>; the SPA exchanges it for a DURABLE device
+// cookie (see /api/auth/exchange) and strips it from the address bar. It is
+// partner-role but deliberately SHORT-LIVED (5 min default) so its only window
+// of exposure — one navigation through the VW tunnel — is tightly bounded; the
+// long-lived credential the browser keeps is the re-minted device token, never
+// this. Carries `boot:true` so the exchange path can recognise + upgrade it.
+export async function mintBootstrapToken({
+  secret,
+  workspaceId,
+  ttlSeconds = 5 * 60, // 5 minutes — bounds the token-in-URL window
+  audience = 'wild-workspace-bootstrap',
+  subject = `bootstrap-${nanoid(12)}`,
+}) {
+  const key = secretToKey(secret);
+  const iat = Math.floor(Date.now() / 1000);
+  const exp = iat + ttlSeconds;
+  const jwt = await new SignJWT({
+    role: 'partner',
+    workspaceId,
+    boot: true,
+    jti: nanoid(16),
+  })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuer(SHARE_ISSUER)
+    .setAudience(audience)
+    .setSubject(subject)
+    .setIssuedAt(iat)
+    .setExpirationTime(exp)
+    .sign(key);
+  return { token: jwt, exp, role: 'partner', workspaceId, sub: subject };
+}
+
+export async function verifyShareToken(token, secret) {
+  if (!token) return null;
+  try {
+    const { payload } = await jwtVerify(token, secretToKey(secret), {
+      issuer: SHARE_ISSUER,
+    });
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+export function buildShareUrl({ shareBaseUrl, workspaceId, token }) {
+  const base = shareBaseUrl.replace(/\/$/, '');
+  return `${base}/share/${encodeURIComponent(workspaceId)}?t=${encodeURIComponent(token)}`;
+}
+
+// Token registry so the partner can list + revoke. The revocation set (and the
+// active-token list) is persisted to `<dataDir>/revoked.json` so a "revoked"
+// share token stays revoked across a server restart (concern C8) — without it,
+// the in-memory set reset on restart and a previously-revoked-but-unexpired JWT
+// validated again by signature. No `persistPath` → in-memory only (tests).
+export class TokenRegistry {
+  constructor({ persistPath = null } = {}) {
+    this.persistPath = persistPath;
+    this.tokens = new Map(); // sub -> { sub, role, workspaceId, exp, label, createdAt }
+    this.revoked = new Set();
+    this._load();
+  }
+  _load() {
+    if (!this.persistPath) return;
+    try {
+      const data = JSON.parse(readFileSync(this.persistPath, 'utf8'));
+      if (Array.isArray(data.revoked)) this.revoked = new Set(data.revoked);
+      if (Array.isArray(data.tokens)) {
+        for (const t of data.tokens) if (t?.sub) this.tokens.set(t.sub, t);
+      }
+    } catch {
+      /* missing / corrupt — start empty */
+    }
+  }
+  _persist() {
+    if (!this.persistPath) return;
+    try {
+      const now = Math.floor(Date.now() / 1000);
+      // Don't carry expired tokens forward; the revoked set stays (small).
+      const tokens = [...this.tokens.values()].filter((r) => r.exp > now);
+      writeFileSync(
+        this.persistPath,
+        JSON.stringify({ revoked: [...this.revoked], tokens }, null, 2),
+        { mode: 0o600 },
+      );
+    } catch {
+      /* read-only fs — revocation degrades to in-memory for this run */
+    }
+  }
+  add(record) {
+    this.tokens.set(record.sub, record);
+    this._persist();
+  }
+  list() {
+    const now = Math.floor(Date.now() / 1000);
+    return [...this.tokens.values()].filter((r) => r.exp > now && !this.revoked.has(r.sub));
+  }
+  revoke(sub) {
+    this.revoked.add(sub);
+    this.tokens.delete(sub);
+    this._persist();
+  }
+  isRevoked(sub) {
+    return this.revoked.has(sub);
+  }
+}