@wolpertingerlabs/drawlatch 1.0.0-alpha.9.0 → 1.0.0-alpha.9.2

package/README.md

@@ -108,11 +108,11 @@ For custom setups (different aliases, multiple callers, different machines), you
 **1. Generate keys:**
 
 ```bash
-drawlatch generate-keys local my-laptop
-drawlatch generate-keys remote
+drawlatch generate-keys caller my-laptop
+drawlatch generate-keys server
 ```
 
-**2. Exchange public keys** — copy `*.pub.pem` files into the appropriate `keys/peers/` subdirectories. See [Key Exchange](#key-exchange) for details.
+**2. Exchange public keys** — on separate machines, copy `*.pub.pem` files to the matching `keys/callers/<alias>/` or `keys/server/` directory on the other machine. See [Key Exchange](#key-exchange) for details.
 
 **3. Create configs** — copy the example files and edit:
 
@@ -165,7 +165,6 @@ Once connected, agents get these tools:
 {
   "host": "0.0.0.0",
   "port": 9999,
-  "localKeysDir": "~/.drawlatch/keys/remote",
   "connectors": [],
   "callers": {},
   "rateLimitPerMinute": 60
@@ -176,11 +175,12 @@ Once connected, agents get these tools:
 |-------|-------------|---------|
 | `host` | Network interface to bind | `127.0.0.1` |
 | `port` | Listen port | `9999` |
-| `localKeysDir` | Path to server's own keypair | `~/.drawlatch/keys/remote` |
 | `connectors` | Custom connector definitions (see below) | `[]` |
 | `callers` | Per-caller access control (see below) | `{}` |
 | `rateLimitPerMinute` | Max requests per minute per session | `60` |
 
+Server keys are always loaded from `keys/server/` inside the config directory.
+
 ### Callers
 
 Each caller is identified by their public key and declares which connections they can access:
@@ -190,7 +190,6 @@ Each caller is identified by their public key and declares which connections the
   "callers": {
     "alice": {
       "name": "Alice (senior engineer)",
-      "peerKeyDir": "~/.drawlatch/keys/peers/alice",
       "connections": ["github", "stripe", "internal-api"],
       "env": {
         "GITHUB_TOKEN": "${ALICE_GITHUB_TOKEN}"
@@ -198,16 +197,16 @@ Each caller is identified by their public key and declares which connections the
     },
     "ci-server": {
       "name": "GitHub Actions CI",
-      "peerKeyDir": "~/.drawlatch/keys/peers/ci-server",
       "connections": ["github"]
     }
   }
 }
 ```
 
+Caller public keys are loaded automatically from `keys/callers/<alias>/` — no path configuration needed.
+
 | Field | Required | Description |
 |-------|----------|-------------|
-| `peerKeyDir` | Yes | Path to this caller's public key files |
 | `connections` | Yes | Array of connection names (built-in or custom connector aliases) |
 | `name` | No | Human-readable name for audit logs |
 | `env` | No | Per-caller env var overrides — redirect secret resolution per caller |
@@ -216,7 +215,9 @@ Each caller is identified by their public key and declares which connections the
 The `env` map lets multiple callers share the same connection with different credentials:
 - Keys are the env var names connectors reference (e.g., `GITHUB_TOKEN`)
 - Values are `"${REAL_ENV_VAR}"` (redirect) or literal strings (direct injection)
-- Checked before `process.env` during secret resolution
+- Checked before prefixed env vars during secret resolution
+
+Without an explicit `env` mapping, secrets resolve via prefixed env vars (e.g., caller "alice" + `GITHUB_TOKEN` → `ALICE_GITHUB_TOKEN`).
 
 ### Custom Connectors
 
@@ -256,8 +257,6 @@ Used by the local MCP proxy to connect to the remote server:
 ```json
 {
   "remoteUrl": "http://127.0.0.1:9999",
-  "localKeyAlias": "my-laptop",
-  "remotePublicKeysDir": "~/.drawlatch/keys/peers/remote-server",
   "connectTimeout": 10000,
   "requestTimeout": 30000
 }
@@ -266,13 +265,12 @@ Used by the local MCP proxy to connect to the remote server:
 | Field | Description | Default |
 |-------|-------------|---------|
 | `remoteUrl` | URL of the remote server | `http://localhost:9999` |
-| `localKeyAlias` | Key alias — resolved to `keys/local/<alias>/` | _(none)_ |
-| `localKeysDir` | Explicit path to proxy's keypair (ignored when `localKeyAlias` is set) | `~/.drawlatch/keys/local/default` |
-| `remotePublicKeysDir` | Path to remote server's public keys | `~/.drawlatch/keys/peers/remote-server` |
 | `connectTimeout` | Handshake timeout (ms) | `10000` |
 | `requestTimeout` | Request timeout (ms) | `30000` |
 
-Key alias resolution order: `MCP_KEY_ALIAS` env var > `localKeyAlias` > `localKeysDir` > `keys/local/default`.
+Key paths are derived automatically — no configuration needed:
+- Caller keys: `keys/callers/{MCP_KEY_ALIAS || "default"}/`
+- Server public keys: `keys/server/`
 
 ### Advanced Configuration
 
@@ -337,40 +335,27 @@ See **[INGESTORS.md](INGESTORS.md)** for full configuration reference.
 
 Remote mode requires mutual authentication via Ed25519/X25519 keypairs. Each identity gets four PEM files (signing + exchange, public + private). The `drawlatch init` command handles this automatically for single-machine setups.
 
-For multi-machine setups, exchange public keys manually:
-
 **Directory structure:**
 
 ```
 ~/.drawlatch/keys/
-├── local/my-laptop/       # MCP proxy keypair
-├── remote/                # Remote server keypair
-└── peers/
-    ├── my-laptop/         # Proxy's public keys (on the server)
-    └── remote-server/     # Server's public keys (on the proxy)
+├── callers/
+│   ├── default/           # Default caller keypair
+│   └── alice/             # Additional caller keypair
+└── server/                # Server keypair
 ```
 
-**Exchange public keys** (`.pub.pem` only — never share private keys):
+Both sides (caller and server) store their keys in the same directory tree. On a single machine, `drawlatch init` generates both and they can authenticate immediately. On separate machines, copy the `*.pub.pem` files to the corresponding directory on the other machine.
 
-```bash
-# Proxy's public keys → server's peers directory
-cp keys/local/my-laptop/signing.pub.pem   keys/peers/my-laptop/signing.pub.pem
-cp keys/local/my-laptop/exchange.pub.pem  keys/peers/my-laptop/exchange.pub.pem
-
-# Server's public keys → proxy's peers directory
-cp keys/remote/signing.pub.pem   keys/peers/remote-server/signing.pub.pem
-cp keys/remote/exchange.pub.pem  keys/peers/remote-server/exchange.pub.pem
-```
-
-If the proxy and server are on different machines, transfer only `*.pub.pem` files via `scp` or similar.
+**Using [Callboard](https://github.com/WolpertingerLabs/callboard)?** Use `drawlatch sync` to exchange keys automatically via a double-code approval flow — no manual file copying needed.
 
 ### Multiple Agent Identities
 
 Generate a keypair per agent and set `MCP_KEY_ALIAS` at spawn time:
 
 ```bash
-drawlatch generate-keys local alice
-drawlatch generate-keys local bob
+drawlatch generate-keys caller alice
+drawlatch generate-keys caller bob
 ```
 
 ```json
@@ -385,7 +370,7 @@ drawlatch generate-keys local bob
 }
 ```
 
-Register each agent as a separate caller on the remote server with matching peer key directories.
+Register each agent as a separate caller in `remote.config.json`.
 
 ## CLI Reference
 
@@ -402,6 +387,7 @@ Commands:
   config             Show effective configuration and secret status
   doctor             Validate setup and diagnose issues
   generate-keys      Generate Ed25519 + X25519 keypairs
+  sync               Exchange keys with a callboard instance
 
 Options:
   -h, --help         Show help
@@ -422,10 +408,13 @@ Logs options:
   --follow           Tail the log output
 
 Generate-keys subcommands:
-  local [alias]      Generate local proxy keypair (default alias: "default")
-  remote             Generate remote server keypair
+  caller [alias]     Generate caller keypair (default alias: "default")
+  server             Generate server keypair
   show <path>        Show fingerprint of existing keypair
   --dir <path>       Generate to custom directory
+
+Sync options:
+  --ttl <seconds>    Session timeout (default: 300)
 ```
 
 ## Library Usage (Local Mode)

package/bin/drawlatch.js

@@ -38,7 +38,7 @@ const { generateKeyBundle, saveKeyBundle, extractPublicKeys, fingerprint, loadKe
 );
 
 // Import connection template helpers
-const { listConnectionTemplates, listAvailableConnections } = await import(
+const { listConnectionTemplates } = await import(
   join(PKG_ROOT, "dist/shared/connections.js")
 );
 
@@ -80,8 +80,6 @@ try {
       lines: { type: "string", short: "n", default: "50" },
       follow: { type: "boolean", default: false },
       path: { type: "boolean", default: false },
-      connections: { type: "string" },
-      alias: { type: "string" },
       full: { type: "boolean", default: false },
       ttl: { type: "string", default: "300" },
     },
@@ -105,7 +103,10 @@ if (values.version) {
 }
 if (values.help && !subcommand) {
   printHelp();
-  const latestVersion = await updateCheckPromise;
+  const latestVersion = await Promise.race([
+    updateCheckPromise,
+    new Promise((r) => setTimeout(() => r(null), 100)),
+  ]);
   if (latestVersion) console.log(formatUpdateNotice(latestVersion));
   process.exit(0);
 }
@@ -187,7 +188,10 @@ switch (subcommand) {
   case "help":
     printHelp();
     {
-      const latestVersion = await updateCheckPromise;
+      const latestVersion = await Promise.race([
+        updateCheckPromise,
+        new Promise((r) => setTimeout(() => r(null), 100)),
+      ]);
       if (latestVersion) console.log(formatUpdateNotice(latestVersion));
     }
     break;
@@ -207,28 +211,15 @@ async function cmdDefault() {
     console.log("Drawlatch remote server is not running.\n");
     printHelp();
   }
-  const latestVersion = await updateCheckPromise;
+  // Show update notice only if the check already resolved (don't block on network)
+  const latestVersion = await Promise.race([
+    updateCheckPromise,
+    new Promise((r) => setTimeout(() => r(null), 100)),
+  ]);
   if (latestVersion) console.log(formatUpdateNotice(latestVersion));
 }
 
 async function cmdInit() {
-  const alias = values.alias || "default";
-  const connectionsList = values.connections
-    ? values.connections.split(",").map((c) => c.trim()).filter(Boolean)
-    : [];
-
-  // Validate requested connections exist
-  if (connectionsList.length > 0) {
-    const available = listAvailableConnections();
-    const availableSet = new Set(available);
-    const invalid = connectionsList.filter((c) => !availableSet.has(c));
-    if (invalid.length > 0) {
-      console.error(`Unknown connection(s): ${invalid.join(", ")}`);
-      console.error(`Available: ${available.join(", ")}`);
-      process.exit(1);
-    }
-  }
-
   console.log(`\nDrawlatch Setup`);
   console.log(`===============\n`);
 
@@ -251,20 +242,7 @@ async function cmdInit() {
     steps.push(`Server keys: CREATED (${fp})`);
   }
 
-  // Step 3: Generate caller keypair
-  const callerKeysDir = join(getCallerKeysDir(), alias);
-  if (existsSync(join(callerKeysDir, "signing.key.pem"))) {
-    const existing = loadKeyBundle(callerKeysDir);
-    const fp = fingerprint(extractPublicKeys(existing));
-    steps.push(`Caller keys (${alias}): already exist (${fp})`);
-  } else {
-    const bundle = generateKeyBundle();
-    saveKeyBundle(bundle, callerKeysDir);
-    const fp = fingerprint(extractPublicKeys(bundle));
-    steps.push(`Caller keys (${alias}): CREATED (${fp})`);
-  }
-
-  // Step 4: Scaffold proxy.config.json
+  // Step 3: Scaffold proxy.config.json
   const proxyConfigPath = getProxyConfigPath();
   if (existsSync(proxyConfigPath)) {
     steps.push(`Proxy config: already exists`);
@@ -278,7 +256,7 @@ async function cmdInit() {
     steps.push(`Proxy config: CREATED`);
   }
 
-  // Step 5: Scaffold remote.config.json
+  // Step 4: Scaffold remote.config.json
   const remoteConfigPath = getRemoteConfigPath();
   if (existsSync(remoteConfigPath)) {
     steps.push(`Remote config: already exists`);
@@ -287,44 +265,22 @@ async function cmdInit() {
       host: "0.0.0.0",
       port: 9999,
       rateLimitPerMinute: 60,
-      callers: {
-        [alias]: {
-          name: alias === "default" ? "Default Caller" : alias,
-          connections: connectionsList,
-        },
-      },
+      callers: {},
     };
     writeFileSync(remoteConfigPath, JSON.stringify(remoteConfig, null, 2) + "\n", { mode: 0o600 });
-    steps.push(`Remote config: CREATED (caller "${alias}" with ${connectionsList.length} connection(s))`);
+    steps.push(`Remote config: CREATED`);
   }
 
-  // Step 7: Scaffold .env file
+  // Step 5: Scaffold .env file
   if (existsSync(ENV_FILE)) {
     steps.push(`.env file: already exists`);
   } else {
     const envLines = [
       "# Drawlatch environment secrets",
-      "# Uncomment and set tokens for your enabled connections",
+      "# Set tokens for your enabled connections",
+      "# Secrets are prefixed per caller (e.g., DEFAULT_GITHUB_TOKEN)",
       "",
     ];
-
-    // Get secret info for requested connections (or all if none specified)
-    const templates = listConnectionTemplates();
-    const relevantTemplates = connectionsList.length > 0
-      ? templates.filter((t) => connectionsList.includes(t.alias))
-      : templates.filter((t) => ["github", "slack", "discord-bot", "openai", "anthropic"].includes(t.alias));
-
-    for (const t of relevantTemplates) {
-      envLines.push(`# ${t.name}`);
-      for (const s of t.requiredSecrets) {
-        envLines.push(`# ${s}=`);
-      }
-      for (const s of t.optionalSecrets) {
-        envLines.push(`# ${s}=`);
-      }
-      envLines.push("");
-    }
-
     writeFileSync(ENV_FILE, envLines.join("\n") + "\n", { mode: 0o600 });
     steps.push(`.env file: CREATED`);
   }
@@ -335,25 +291,10 @@ async function cmdInit() {
   }
 
   console.log(`\nSetup complete! Next steps:\n`);
-
-  if (connectionsList.length > 0) {
-    const templates = listConnectionTemplates();
-    const enabledTemplates = templates.filter((t) => connectionsList.includes(t.alias));
-    const allSecrets = enabledTemplates.flatMap((t) => t.requiredSecrets);
-    if (allSecrets.length > 0) {
-      console.log(`  1. Set your API secrets in ${ENV_FILE}:`);
-      for (const s of [...new Set(allSecrets)]) {
-        console.log(`       ${s}=your_token_here`);
-      }
-      console.log();
-    }
-  } else {
-    console.log(`  1. Edit ${remoteConfigPath} to add connections (e.g., "github", "slack")`);
-    console.log(`     Then set the required secrets in ${ENV_FILE}\n`);
-  }
-
-  console.log(`  2. Start the remote server:`);
+  console.log(`  1. Start the remote server:`);
   console.log(`       drawlatch start\n`);
+  console.log(`  2. Add callers via key sync:`);
+  console.log(`       drawlatch sync\n`);
   console.log(`  3. Verify your setup:`);
   console.log(`       drawlatch doctor\n`);
 }
@@ -869,14 +810,14 @@ async function cmdSync() {
         console.log(
           `  Keys saved to: ${join(CONFIG_DIR, "keys", "callers", status.callerAlias)}/`,
         );
-        console.log(
-          `\nAdd connections for this caller in remote.config.json:`,
-        );
+        console.log(`\nThe caller can now connect (no server restart needed).`);
+        console.log(`\nTo grant API access, add connections in ${join(CONFIG_DIR, "remote.config.json")}:`);
         console.log(`  "callers": {`);
         console.log(`    "${status.callerAlias}": {`);
         console.log(`      "connections": ["github", "slack", ...]`);
         console.log(`    }`);
         console.log(`  }`);
+        console.log(`\nThen set the required secrets in ${ENV_FILE}`);
         console.log();
         process.exit(0);
       }
@@ -1167,7 +1108,7 @@ drawlatch v${VERSION}
 Usage: drawlatch [command] [options]
 
 Commands:
-  init               Set up drawlatch (keys, config, .env) in one step
+  init               Set up drawlatch server (keys, config, .env)
   start              Start the remote server (background by default)
   stop               Stop the background remote server
   restart            Restart the background remote server
@@ -1185,9 +1126,7 @@ Options:
 Running 'drawlatch' with no arguments shows status (if running) or this help.
 
 Examples:
-  drawlatch init                       Set up everything with defaults
-  drawlatch init --connections github   Set up with GitHub connection
-  drawlatch init --alias mybot         Set up with custom caller alias
+  drawlatch init                       Set up the remote server
   drawlatch start                      Start remote server in background
   drawlatch start -f                   Start remote server in foreground
   drawlatch start -f --tunnel          Start with a public tunnel for webhooks
@@ -1304,23 +1243,18 @@ function printInitHelp() {
   console.log(`
 drawlatch init
 
-Set up drawlatch for first-time use. Generates keys, creates config
-files, exchanges public keys, and scaffolds a .env template.
+Set up the drawlatch remote server. Generates server keys, creates
+config files, and scaffolds a .env template.
+
+Callers are added separately via 'drawlatch sync' after the server
+is running.
 
 Usage: drawlatch init [options]
 
 Options:
-  --connections <list>  Comma-separated connections to enable (e.g., github,slack)
-  --alias <name>        Name for the local identity (default: "default")
-  -h, --help            Show this help message
+  -h, --help     Show this help message
 
 All steps are idempotent — safe to re-run without overwriting existing files.
-
-Examples:
-  drawlatch init                          Set up with defaults
-  drawlatch init --connections github     Set up with GitHub enabled
-  drawlatch init --alias laptop           Use "laptop" as the caller alias
-  drawlatch init --alias ci --connections github,slack
 `);
 }
 

package/dist/remote/server.js

@@ -1416,14 +1416,22 @@ export function main() {
     }
     const config = loadRemoteConfig();
     const serverKeysDirPath = getServerKeysDir();
-    if (!fs.existsSync(serverKeysDirPath)) {
-        console.error(`[remote] Error: Server keys not found at ${serverKeysDirPath}`);
+    const requiredKeyFiles = ['signing.key.pem', 'signing.pub.pem', 'exchange.key.pem', 'exchange.pub.pem'];
+    const missingKeyFiles = requiredKeyFiles.filter((f) => !fs.existsSync(path.join(serverKeysDirPath, f)));
+    if (missingKeyFiles.length > 0) {
+        if (!fs.existsSync(serverKeysDirPath)) {
+            console.error(`[remote] Error: Server keys not found at ${serverKeysDirPath}`);
+        }
+        else {
+            console.error(`[remote] Error: Incomplete server keys in ${serverKeysDirPath}`);
+            console.error(`[remote] Missing: ${missingKeyFiles.join(', ')}`);
+        }
         console.error('[remote] Run: drawlatch generate-keys server');
         process.exit(1);
     }
     if (Object.keys(config.callers).length === 0) {
-        console.error('[remote] Warning: No callers configured. No clients will be able to connect.');
-        console.error('[remote] Add callers to remote.config.json or run: drawlatch init');
+        console.log('[remote] No callers configured — server will accept sync requests.');
+        console.log('[remote] To add callers, run: drawlatch sync');
     }
     const port = process.env.DRAWLATCH_PORT ? parseInt(process.env.DRAWLATCH_PORT, 10) : config.port;
     const host = process.env.DRAWLATCH_HOST ?? config.host;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wolpertingerlabs/drawlatch",
-  "version": "1.0.0-alpha.9.0",
+  "version": "1.0.0-alpha.9.2",
   "description": "Encrypted MCP proxy with mutual authentication. Local MCP server forwards requests through an encrypted channel to a remote secrets-holding server.",
   "type": "module",
   "main": "./dist/mcp/server.js",