npm - agent-relay - Versions diffs - 1.2.3 → 1.3.0 - Mend

agent-relay 1.2.3 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (200) hide show

package/dist/daemon/api.js CHANGED Viewed

@@ -9,7 +9,8 @@ import { createLogger } from '../resiliency/logger.js';
 import { metrics } from '../resiliency/metrics.js';
 import { getWorkspaceManager } from './workspace-manager.js';
 import { getAgentManager } from './agent-manager.js';
-import { startCLIAuth, getAuthSession, cancelAuthSession, getSupportedProviders, } from './cli-auth.js';
+import { startCLIAuth, getAuthSession, submitAuthCode, cancelAuthSession, getSupportedProviders, } from './cli-auth.js';
+import { getRepoManager, initRepoManager } from './repo-manager.js';
 const logger = createLogger('daemon-api');
 export class DaemonApi extends EventEmitter {
     server;
@@ -21,6 +22,9 @@ export class DaemonApi extends EventEmitter {
     config;
     allowedOrigins;
     allowAllOrigins;
+    // Track alive status for ping/pong keepalive
+    clientAlive = new WeakMap();
+    pingInterval;
     constructor(config) {
         super();
         this.config = config;
@@ -80,11 +84,28 @@ export class DaemonApi extends EventEmitter {
      * Start the API server
      */
     async start() {
+        // Initialize repo manager (scans for existing repos, syncs from env)
+        // This runs in background - don't block server startup
+        initRepoManager().catch((err) => {
+            logger.warn('Failed to initialize repo manager', { error: String(err) });
+        });
         return new Promise((resolve) => {
             this.server = http.createServer((req, res) => this.handleRequest(req, res));
-            // Setup WebSocket server
-            this.wss = new WebSocketServer({ server: this.server });
+            // Setup WebSocket server (disable compression for compatibility)
+            this.wss = new WebSocketServer({ server: this.server, perMessageDeflate: false });
             this.wss.on('connection', (ws, req) => this.handleWebSocketConnection(ws, req));
+            // Setup ping/pong keepalive (30 second interval)
+            this.pingInterval = setInterval(() => {
+                this.wss?.clients.forEach((ws) => {
+                    if (this.clientAlive.get(ws) === false) {
+                        logger.info('WebSocket client unresponsive, closing');
+                        ws.terminate();
+                        return;
+                    }
+                    this.clientAlive.set(ws, false);
+                    ws.ping();
+                });
+            }, 30000);
             this.server.listen(this.config.port, this.config.host, () => {
                 logger.info('Daemon API started', { port: this.config.port, host: this.config.host });
                 resolve();
@@ -95,6 +116,11 @@ export class DaemonApi extends EventEmitter {
      * Stop the API server
      */
     async stop() {
+        // Clear ping interval
+        if (this.pingInterval) {
+            clearInterval(this.pingInterval);
+            this.pingInterval = undefined;
+        }
         // Close all WebSocket connections
         if (this.wss) {
             for (const ws of this.wss.clients) {
@@ -295,6 +321,8 @@ export class DaemonApi extends EventEmitter {
                     status: session.status,
                     authUrl: session.authUrl,
                     error: session.error,
+                    errorHint: session.errorHint,
+                    recoverable: session.recoverable,
                     promptsHandled: session.promptsHandled,
                 },
             };
@@ -306,17 +334,109 @@ export class DaemonApi extends EventEmitter {
             if (!session) {
                 return { status: 404, body: { error: 'Session not found' } };
             }
-            if (session.status !== 'success') {
-                return { status: 400, body: { error: 'Auth not complete', status: session.status } };
+            // Check for error state first
+            if (session.status === 'error') {
+                return {
+                    status: 400,
+                    body: {
+                        error: session.error || 'Authentication failed',
+                        errorHint: session.errorHint,
+                        recoverable: session.recoverable,
+                        status: session.status,
+                    },
+                };
+            }
+            // Check if auth is complete AND we have credentials
+            // Status can be 'success' before credentials are extracted (race condition)
+            if (session.status !== 'success' || !session.token) {
+                return {
+                    status: 400,
+                    body: {
+                        error: 'Auth not complete or credentials not yet available',
+                        status: session.status,
+                        hasToken: !!session.token,
+                    },
+                };
             }
             return {
                 status: 200,
                 body: {
                     token: session.token,
+                    refreshToken: session.refreshToken,
+                    tokenExpiresAt: session.tokenExpiresAt,
                     provider: session.provider,
                 },
             };
         });
+        // Submit auth code to PTY session
+        this.routes.set('POST /auth/cli/:provider/code/:sessionId', async (req) => {
+            const { sessionId } = req.params;
+            const { code, state } = req.body;
+            if (!code || typeof code !== 'string') {
+                return { status: 400, body: { error: 'Auth code is required' } };
+            }
+            const result = await submitAuthCode(sessionId, code, state);
+            if (!result.success) {
+                return {
+                    status: 400,
+                    body: {
+                        error: result.error || 'Failed to submit auth code',
+                        needsRestart: result.needsRestart,
+                    },
+                };
+            }
+            return { status: 200, body: { success: true, message: 'Auth code submitted' } };
+        });
+        // Complete auth and wait for credentials
+        this.routes.set('POST /auth/cli/:provider/complete/:sessionId', async (req) => {
+            const { sessionId } = req.params;
+            const { authCode, state } = req.body;
+            // For Codex, we need to forward the authCode to the CLI's callback server
+            // The Codex CLI starts a callback server at localhost:1455
+            if (authCode) {
+                try {
+                    // Forward the OAuth callback to the Codex CLI's callback server
+                    const callbackUrl = `http://localhost:1455/auth/callback?code=${encodeURIComponent(authCode)}${state ? `&state=${encodeURIComponent(state)}` : ''}`;
+                    logger.info('Forwarding OAuth callback to Codex CLI', { callbackUrl: callbackUrl.replace(authCode, '[REDACTED]') });
+                    const callbackResponse = await fetch(callbackUrl, {
+                        signal: AbortSignal.timeout(5000),
+                    });
+                    if (!callbackResponse.ok) {
+                        logger.error('Failed to forward callback to Codex CLI', { status: callbackResponse.status });
+                        return {
+                            status: 400,
+                            body: {
+                                error: 'Failed to deliver OAuth callback to Codex CLI. The CLI may have timed out.',
+                                needsRestart: true,
+                            },
+                        };
+                    }
+                    logger.info('Successfully forwarded OAuth callback to Codex CLI');
+                }
+                catch (err) {
+                    logger.error('Error forwarding callback to Codex CLI', { error: String(err) });
+                    return {
+                        status: 500,
+                        body: {
+                            error: 'Failed to reach Codex CLI callback server. The CLI may not be running.',
+                            needsRestart: true,
+                        },
+                    };
+                }
+            }
+            // Wait for credentials to be available (polls for up to 15 seconds)
+            const { completeAuthSession } = await import('./cli-auth.js');
+            const completeResult = await completeAuthSession(sessionId);
+            if (!completeResult.success) {
+                return {
+                    status: 400,
+                    body: {
+                        error: completeResult.error || 'Authentication failed',
+                    },
+                };
+            }
+            return { status: 200, body: { success: true, token: completeResult.token } };
+        });
         // Cancel auth session
         this.routes.set('POST /auth/cli/:provider/cancel/:sessionId', async (req) => {
             const { sessionId } = req.params;
@@ -326,6 +446,89 @@ export class DaemonApi extends EventEmitter {
             }
             return { status: 200, body: { success: true } };
         });
+        // Check if provider is authenticated (credentials exist)
+        this.routes.set('GET /auth/cli/:provider/check', async (req) => {
+            const { provider } = req.params;
+            const { checkProviderAuth } = await import('./cli-auth.js');
+            const authenticated = await checkProviderAuth(provider);
+            return { status: 200, body: { authenticated } };
+        });
+        // === Repository Management ===
+        // Dynamic repo management without workspace restart
+        // List all repos
+        this.routes.set('GET /repos', async () => {
+            try {
+                const repoManager = getRepoManager();
+                const repos = repoManager.getRepos();
+                return { status: 200, body: { repos } };
+            }
+            catch (err) {
+                logger.error('Failed to list repos', { error: String(err) });
+                return { status: 500, body: { error: 'Failed to list repositories' } };
+            }
+        });
+        // Get a specific repo
+        this.routes.set('GET /repos/:name', async (req) => {
+            try {
+                const repoManager = getRepoManager();
+                // Handle encoded slashes (e.g., "owner%2Frepo" -> "owner/repo")
+                const fullName = decodeURIComponent(req.params.name);
+                const repo = repoManager.getRepo(fullName);
+                if (!repo) {
+                    return { status: 404, body: { error: 'Repository not found' } };
+                }
+                return { status: 200, body: repo };
+            }
+            catch (err) {
+                logger.error('Failed to get repo', { error: String(err) });
+                return { status: 500, body: { error: 'Failed to get repository' } };
+            }
+        });
+        // Sync (clone or update) a repo
+        this.routes.set('POST /repos/sync', async (req) => {
+            const body = req.body;
+            // Support single repo or batch
+            const reposToSync = [];
+            if (body.repo) {
+                reposToSync.push(body.repo);
+            }
+            if (body.repos && Array.isArray(body.repos)) {
+                reposToSync.push(...body.repos);
+            }
+            if (reposToSync.length === 0) {
+                return { status: 400, body: { error: 'repo or repos field is required' } };
+            }
+            try {
+                const repoManager = getRepoManager();
+                const results = await repoManager.syncRepos(reposToSync);
+                const allSuccess = results.every(r => r.success);
+                return {
+                    status: allSuccess ? 200 : 207, // 207 Multi-Status if partial success
+                    body: { results },
+                };
+            }
+            catch (err) {
+                logger.error('Failed to sync repos', { error: String(err) });
+                return { status: 500, body: { error: 'Failed to sync repositories' } };
+            }
+        });
+        // Remove a repo
+        this.routes.set('DELETE /repos/:name', async (req) => {
+            try {
+                const repoManager = getRepoManager();
+                const fullName = decodeURIComponent(req.params.name);
+                const deleteFiles = req.query.deleteFiles === 'true';
+                const removed = await repoManager.removeRepo(fullName, deleteFiles);
+                if (!removed) {
+                    return { status: 404, body: { error: 'Repository not found' } };
+                }
+                return { status: 200, body: { success: true, deleted: deleteFiles } };
+            }
+            catch (err) {
+                logger.error('Failed to remove repo', { error: String(err) });
+                return { status: 500, body: { error: 'Failed to remove repository' } };
+            }
+        });
     }
     /**
      * Handle HTTP request
@@ -461,6 +664,12 @@ export class DaemonApi extends EventEmitter {
      */
     handleWebSocketConnection(ws, req) {
         logger.info('WebSocket client connected', { url: req.url });
+        // Mark client as alive for ping/pong keepalive
+        this.clientAlive.set(ws, true);
+        // Handle pong responses
+        ws.on('pong', () => {
+            this.clientAlive.set(ws, true);
+        });
         // Create session
         const session = {
             userId: 'anonymous', // Would be set from auth

package/dist/daemon/cli-auth.d.ts CHANGED Viewed

@@ -20,6 +20,10 @@ interface AuthSession {
     refreshToken?: string;
     tokenExpiresAt?: Date;
     error?: string;
+    /** User-friendly hint for resolving the error */
+    errorHint?: string;
+    /** Whether the error can be resolved by retrying */
+    recoverable?: boolean;
     output: string;
     promptsHandled: string[];
     createdAt: Date;
@@ -44,9 +48,12 @@ export declare function getAuthSession(sessionId: string): AuthSession | null;
  * Submit auth code to a waiting session
  * This writes the code to the PTY process stdin
  *
+ * @param sessionId - The auth session ID
+ * @param code - The OAuth authorization code
+ * @param state - Optional OAuth state parameter for CSRF validation (used by Codex)
  * @returns Object with success status and optional error message
  */
-export declare function submitAuthCode(sessionId: string, code: string): Promise<{
+export declare function submitAuthCode(sessionId: string, code: string, state?: string): Promise<{
     success: boolean;
     error?: string;
     needsRestart?: boolean;
@@ -64,4 +71,9 @@ export declare function completeAuthSession(sessionId: string): Promise<{
  * Cancel auth session
  */
 export declare function cancelAuthSession(sessionId: string): boolean;
+/**
+ * Check if a provider is authenticated (credentials exist)
+ * Used by the auth check endpoint for SSH tunnel flow
+ */
+export declare function checkProviderAuth(provider: string): Promise<boolean>;
 //# sourceMappingURL=cli-auth.d.ts.map

package/dist/daemon/cli-auth.js CHANGED Viewed

@@ -9,7 +9,7 @@ import * as crypto from 'crypto';
 import * as fs from 'fs/promises';
 import * as os from 'os';
 import { createLogger } from '../resiliency/logger.js';
-import { CLI_AUTH_CONFIG, stripAnsiCodes, matchesSuccessPattern, findMatchingPrompt, getSupportedProviders, } from '../shared/cli-auth-config.js';
+import { CLI_AUTH_CONFIG, stripAnsiCodes, matchesSuccessPattern, findMatchingPrompt, findMatchingError, getSupportedProviders, } from '../shared/cli-auth-config.js';
 const logger = createLogger('cli-auth');
 // Re-export for consumers
 export { CLI_AUTH_CONFIG, getSupportedProviders };
@@ -123,46 +123,49 @@ export async function startCLIAuth(provider, options = {}) {
                 session.error = 'Timeout waiting for auth completion (5 minutes). Please try again.';
             }
         }, config.waitTimeout + OAUTH_COMPLETION_TIMEOUT);
-        // Keep-alive: Some CLIs timeout if they don't receive stdin input
-        // Send a space+backspace every 20 seconds to simulate user presence
-        const keepAliveInterval = setInterval(() => {
-            if (session.status === 'waiting_auth' && session.process) {
-                try {
-                    // Send space then backspace - appears as user typing but no net effect
-                    session.process.write(' \b');
-                    logger.debug('Keep-alive ping sent', {
-                        sessionId,
-                        status: session.status,
-                        ageSeconds: Math.round((Date.now() - session.createdAt.getTime()) / 1000),
-                    });
-                }
-                catch {
-                    // Process may have exited
-                }
-            }
-        }, 20000);
+        // Note: Removed keep-alive mechanism that sent ' \b' every 20 seconds
+        // It was interfering with OAuth code paste, causing "invalid code" errors
+        // CLIs like Claude don't actually need stdin keep-alive during auth wait
         proc.onData((data) => {
             session.output += data;
-            // Handle prompts
-            const matchingPrompt = findMatchingPrompt(data, config.prompts, respondedPrompts);
-            if (matchingPrompt) {
-                respondedPrompts.add(matchingPrompt.description);
-                session.promptsHandled.push(matchingPrompt.description);
-                logger.info('Auto-responding to prompt', { description: matchingPrompt.description });
-                const delay = matchingPrompt.delay ?? 100;
-                setTimeout(() => {
-                    try {
-                        proc.write(matchingPrompt.response);
-                    }
-                    catch {
-                        // Process may have exited
-                    }
-                }, delay);
-            }
-            // Extract auth URL
             const cleanText = stripAnsiCodes(data);
+            // Check for error patterns FIRST - if error detected, don't auto-respond to prompts
+            // This prevents us from auto-responding to "Press Enter to retry" in error messages
+            const matchedError = findMatchingError(data, config.errorPatterns);
+            if (matchedError && session.status !== 'error') {
+                logger.warn('Auth error detected', {
+                    provider,
+                    sessionId,
+                    errorMessage: matchedError.message,
+                    recoverable: matchedError.recoverable,
+                });
+                session.status = 'error';
+                session.error = matchedError.message;
+                session.errorHint = matchedError.hint;
+                session.recoverable = matchedError.recoverable;
+            }
+            // Don't auto-respond to prompts if we're in error state
+            // This prevents responding to "Press Enter to retry" after an error
+            if (session.status !== 'error') {
+                const matchingPrompt = findMatchingPrompt(data, config.prompts, respondedPrompts);
+                if (matchingPrompt) {
+                    respondedPrompts.add(matchingPrompt.description);
+                    session.promptsHandled.push(matchingPrompt.description);
+                    logger.info('Auto-responding to prompt', { description: matchingPrompt.description });
+                    const delay = matchingPrompt.delay ?? 100;
+                    setTimeout(() => {
+                        try {
+                            proc.write(matchingPrompt.response);
+                        }
+                        catch {
+                            // Process may have exited
+                        }
+                    }, delay);
+                }
+            }
+            // Extract auth URL (only if not in error state and don't have URL yet)
             const match = cleanText.match(config.urlPattern);
-            if (match && match[1] && !session.authUrl) {
+            if (match && match[1] && !session.authUrl && session.status !== 'error') {
                 session.authUrl = match[1];
                 session.status = 'waiting_auth';
                 logger.info('Auth URL captured', { provider, url: session.authUrl });
@@ -172,7 +175,7 @@ export async function startCLIAuth(provider, options = {}) {
             }
             // Log all output after auth URL is captured (for debugging)
             if (session.authUrl) {
-                const trimmedData = stripAnsiCodes(data).trim();
+                const trimmedData = cleanText.trim();
                 if (trimmedData.length > 0) {
                     logger.info('PTY output after auth URL', {
                         provider,
@@ -182,12 +185,18 @@ export async function startCLIAuth(provider, options = {}) {
                 }
             }
             // Check for success and try to extract credentials
-            if (matchesSuccessPattern(data, config.successPatterns)) {
+            // Don't override error status - if there was an error, keep it
+            if (session.status !== 'error' && matchesSuccessPattern(data, config.successPatterns)) {
                 session.status = 'success';
                 logger.info('Success pattern detected, attempting credential extraction', { provider });
                 // Try to extract credentials immediately (CLI may not exit after success)
                 // Use a small delay to let the CLI finish writing the file
                 setTimeout(async () => {
+                    // Don't extract if status changed to error (e.g., error detected after success pattern)
+                    if (session.status === 'error') {
+                        logger.info('Skipping credential extraction - session is in error state', { provider });
+                        return;
+                    }
                     try {
                         const creds = await extractCredentials(provider, config);
                         if (creds) {
@@ -206,7 +215,6 @@ export async function startCLIAuth(provider, options = {}) {
         proc.onExit(async ({ exitCode }) => {
             clearTimeout(timeout);
             clearTimeout(authUrlTimeout);
-            clearInterval(keepAliveInterval);
             // Clear process reference so submitAuthCode knows PTY is gone
             session.process = undefined;
             // Log full output for debugging PTY exit issues
@@ -221,8 +229,9 @@ export async function startCLIAuth(provider, options = {}) {
                 // Last 500 chars of output for debugging
                 outputTail: cleanOutput.slice(-500),
             });
-            // Try to extract credentials
-            if (session.authUrl || exitCode === 0) {
+            // Try to extract credentials (but don't override error status)
+            // CLI might exit cleanly (code 0) even after an OAuth error
+            if ((session.authUrl || exitCode === 0) && session.status !== 'error') {
                 try {
                     const creds = await extractCredentials(provider, config);
                     if (creds) {
@@ -265,9 +274,12 @@ export function getAuthSession(sessionId) {
  * Submit auth code to a waiting session
  * This writes the code to the PTY process stdin
  *
+ * @param sessionId - The auth session ID
+ * @param code - The OAuth authorization code
+ * @param state - Optional OAuth state parameter for CSRF validation (used by Codex)
  * @returns Object with success status and optional error message
  */
-export async function submitAuthCode(sessionId, code) {
+export async function submitAuthCode(sessionId, code, state) {
     // Log all active sessions for debugging
     const activeSessionIds = Array.from(sessions.keys());
     logger.info('submitAuthCode called', {
@@ -305,11 +317,14 @@ export async function submitAuthCode(sessionId, code) {
             outputTail: session.output ? stripAnsiCodes(session.output).slice(-500) : 'no output',
         });
         // Try to extract credentials as a fallback - maybe auth completed in browser
+        // But don't override error status
         const config = CLI_AUTH_CONFIG[session.provider];
-        if (config) {
+        if (config && session.status !== 'error') {
             try {
                 const creds = await extractCredentials(session.provider, config);
-                if (creds) {
+                // Re-check status after async operation (race condition protection)
+                // Use type assertion because TypeScript narrowing doesn't account for async race conditions
+                if (creds && session.status !== 'error') {
                     session.token = creds.token;
                     session.refreshToken = creds.refreshToken;
                     session.tokenExpiresAt = creds.expiresAt;
@@ -331,8 +346,78 @@ export async function submitAuthCode(sessionId, code) {
         };
     }
     try {
-        // Clean the code - trim whitespace
-        const cleanCode = code.trim();
+        // Clean the code - trim whitespace and strip state parameter if present
+        // Claude OAuth codes come as "CODE#STATE" - we only need the code part
+        let cleanCode = code.trim();
+        if (cleanCode.includes('#')) {
+            const originalCode = cleanCode;
+            cleanCode = cleanCode.split('#')[0];
+            logger.info('Stripped state parameter from auth code', {
+                sessionId,
+                originalLength: originalCode.length,
+                cleanLength: cleanCode.length,
+            });
+        }
+        // For Codex (openai), forward the callback to the CLI's localhost server
+        // instead of writing to PTY stdin. The CLI spawns a localhost server
+        // waiting for the OAuth callback.
+        if (session.provider === 'openai' && session.authUrl) {
+            // Extract the redirect port from the auth URL (usually 1455)
+            const redirectMatch = session.authUrl.match(/redirect_uri=http%3A%2F%2Flocalhost%3A(\d+)/);
+            const port = redirectMatch ? redirectMatch[1] : '1455';
+            logger.info('Forwarding OAuth callback to Codex CLI localhost server', {
+                sessionId,
+                port,
+                codeLength: cleanCode.length,
+                hasState: !!state,
+            });
+            try {
+                // Forward the callback to the CLI's localhost server
+                // Include state parameter for CSRF validation if provided
+                let callbackUrl = `http://localhost:${port}/auth/callback?code=${encodeURIComponent(cleanCode)}`;
+                if (state) {
+                    callbackUrl += `&state=${encodeURIComponent(state)}`;
+                }
+                const response = await fetch(callbackUrl, {
+                    method: 'GET',
+                    signal: AbortSignal.timeout(5000),
+                });
+                if (response.ok) {
+                    logger.info('OAuth callback forwarded successfully to Codex CLI', { sessionId, status: response.status });
+                    // Start polling for credentials
+                    const config = CLI_AUTH_CONFIG[session.provider];
+                    if (config) {
+                        pollForCredentials(session, config);
+                    }
+                    return { success: true };
+                }
+                else {
+                    // Try to get error details from response body
+                    let errorBody = '';
+                    try {
+                        errorBody = await response.text();
+                    }
+                    catch {
+                        // Ignore
+                    }
+                    logger.warn('Codex CLI localhost server returned error', {
+                        sessionId,
+                        status: response.status,
+                        statusText: response.statusText,
+                        errorBody: errorBody.substring(0, 500), // Limit log size
+                        callbackUrl: callbackUrl.replace(/code=[^&]+/, 'code=***'), // Redact code
+                    });
+                    // Fall through to PTY write as fallback
+                }
+            }
+            catch (err) {
+                logger.warn('Failed to forward callback to Codex CLI localhost server', {
+                    sessionId,
+                    error: String(err),
+                });
+                // Fall through to PTY write as fallback
+            }
+        }
         logger.info('Writing auth code to PTY', {
             sessionId,
             originalLength: code.length,
@@ -382,6 +467,14 @@ async function pollForCredentials(session, config) {
         try {
             const creds = await extractCredentials(session.provider, config);
             if (creds) {
+                // Double-check we're not in error state (race condition protection)
+                // Use type assertion because TypeScript narrowing doesn't account for async race conditions
+                if (session.status === 'error') {
+                    logger.info('Credentials found but session is in error state, not overriding', {
+                        provider: session.provider,
+                    });
+                    return;
+                }
                 session.token = creds.token;
                 session.refreshToken = creds.refreshToken;
                 session.tokenExpiresAt = creds.expiresAt;
@@ -424,9 +517,18 @@ export async function completeAuthSession(sessionId) {
     const maxAttempts = 15;
     const pollInterval = 1000;
     for (let i = 0; i < maxAttempts; i++) {
+        // Check if session went into error state
+        if (session.status === 'error') {
+            return { success: false, error: session.error || 'Authentication failed' };
+        }
         try {
             const creds = await extractCredentials(session.provider, config);
             if (creds) {
+                // Double-check we're not in error state (race condition protection)
+                // Use type assertion because TypeScript narrowing doesn't account for async race conditions
+                if (session.status === 'error') {
+                    return { success: false, error: session.error || 'Authentication failed' };
+                }
                 session.token = creds.token;
                 session.refreshToken = creds.refreshToken;
                 session.tokenExpiresAt = creds.expiresAt;
@@ -534,4 +636,21 @@ async function extractCredentials(provider, config) {
         return null;
     }
 }
+/**
+ * Check if a provider is authenticated (credentials exist)
+ * Used by the auth check endpoint for SSH tunnel flow
+ */
+export async function checkProviderAuth(provider) {
+    const config = CLI_AUTH_CONFIG[provider];
+    if (!config) {
+        return false;
+    }
+    try {
+        const creds = await extractCredentials(provider, config);
+        return !!creds?.token;
+    }
+    catch {
+        return false;
+    }
+}
 //# sourceMappingURL=cli-auth.js.map

package/dist/daemon/connection.d.ts CHANGED Viewed

@@ -8,7 +8,7 @@
  *                   ERROR -------> CLOSED
  */
 import net from 'node:net';
-import { type Envelope, type AckPayload } from '../protocol/types.js';
+import { type Envelope, type AckPayload, type EntityType } from '../protocol/types.js';
 export type ConnectionState = 'CONNECTING' | 'HANDSHAKING' | 'ACTIVE' | 'CLOSING' | 'CLOSED' | 'ERROR';
 export interface ConnectionConfig {
     maxFrameBytes: number;
@@ -39,11 +39,14 @@ export declare class Connection {
     private config;
     private _state;
     private _agentName?;
+    private _entityType?;
     private _cli?;
     private _program?;
     private _model?;
     private _task?;
     private _workingDirectory?;
+    private _displayName?;
+    private _avatarUrl?;
     private _sessionId;
     private _resumeToken;
     private _isResumed;
@@ -59,11 +62,14 @@ export declare class Connection {
     constructor(socket: net.Socket, config?: Partial<ConnectionConfig>);
     get state(): ConnectionState;
     get agentName(): string | undefined;
+    get entityType(): EntityType | undefined;
     get cli(): string | undefined;
     get program(): string | undefined;
     get model(): string | undefined;
     get task(): string | undefined;
     get workingDirectory(): string | undefined;
+    get displayName(): string | undefined;
+    get avatarUrl(): string | undefined;
     get sessionId(): string;
     get resumeToken(): string;
     get isResumed(): boolean;