agent-relay 2.0.19 → 2.0.21

package/packages/bridge/dist/spawner.js

@@ -290,15 +290,20 @@ export class AgentSpawner {
             : projectRootOrOptions;
         const paths = getProjectPaths(options.projectRoot);
         this.projectRoot = paths.projectRoot;
+        // Use explicit teamDir if provided (ensures spawner checks same files as daemon)
+        // This is critical in cloud workspaces where detectWorkspacePath may return different paths
+        const effectiveTeamDir = options.teamDir ?? paths.teamDir;
         // Use connected-agents.json (live socket connections) instead of agents.json (historical registry)
         // This ensures spawned agents have actual daemon connections for channel message delivery
-        this.agentsPath = path.join(paths.teamDir, 'connected-agents.json');
-        this.registryPath = path.join(paths.teamDir, 'agents.json');
+        this.agentsPath = path.join(effectiveTeamDir, 'connected-agents.json');
+        this.registryPath = path.join(effectiveTeamDir, 'agents.json');
+        // Debug: log path configuration
+        log.info(`AgentSpawner paths: projectRoot=${this.projectRoot} teamDir=${effectiveTeamDir} (explicit=${!!options.teamDir}) agentsPath=${this.agentsPath}`);
         // Use explicit socketPath if provided (ensures spawned agents connect to same daemon)
         // Otherwise derive from project paths
         this.socketPath = options.socketPath ?? paths.socketPath;
-        this.logsDir = path.join(paths.teamDir, 'worker-logs');
-        this.workersPath = path.join(paths.teamDir, 'workers.json');
+        this.logsDir = path.join(effectiveTeamDir, 'worker-logs');
+        this.workersPath = path.join(effectiveTeamDir, 'workers.json');
         this.dashboardPort = options.dashboardPort;
         // Store spawn tracking callbacks
         this.onMarkSpawning = options.onMarkSpawning;
@@ -531,7 +536,7 @@ export class AgentSpawner {
      * Spawn a new worker agent using relay-pty
      */
     async spawn(request) {
-        const { name, cli, task, team, spawnerName, userId, includeWorkflowConventions } = request;
+        const { name, cli, task, team, spawnerName, userId, includeWorkflowConventions, interactive } = request;
         const debug = process.env.DEBUG_SPAWN === '1';
         // Validate agent name to prevent path traversal attacks
         if (name.includes('..') || name.includes('/') || name.includes('\\')) {
@@ -558,7 +563,7 @@ export class AgentSpawner {
             };
         }
         // Enforce agent limit based on plan (MAX_AGENTS is set by provisioner based on plan)
-        const maxAgents = parseInt(process.env.MAX_AGENTS || '10', 10);
+        const maxAgents = parseInt(process.env.MAX_AGENTS ?? '', 10) || 10_000;
         const currentAgentCount = this.activeWorkers.size;
         if (currentAgentCount >= maxAgents) {
             log.warn(`Agent limit reached: ${currentAgentCount}/${maxAgents}`);
@@ -604,17 +609,24 @@ export class AgentSpawner {
             // Pre-configure MCP permissions for all supported CLIs
             // This creates/updates CLI-specific settings files with agent-relay permissions
             ensureMcpPermissions(this.projectRoot, commandName, debug);
-            // Add --dangerously-skip-permissions for Claude agents
+            // Add auto-accept flags for non-interactive agents (normal spawns, not setup terminals)
+            // When interactive=true (setup flows), we SKIP these flags so users can respond to prompts
             const isClaudeCli = commandName.startsWith('claude');
-            if (isClaudeCli) {
-                if (!args.includes('--dangerously-skip-permissions')) {
+            const isCursorCli = commandName === 'agent' || rawCommandName === 'cursor';
+            if (!interactive) {
+                // Add --dangerously-skip-permissions for Claude agents
+                if (isClaudeCli && !args.includes('--dangerously-skip-permissions')) {
                     args.push('--dangerously-skip-permissions');
                 }
+                // Add --force for Cursor agents (auto-approve tool usage in non-interactive mode)
+                if (isCursorCli && !args.includes('--force')) {
+                    args.push('--force');
+                }
             }
-            // Add --force for Cursor agents (CLI is 'agent', may be passed as 'cursor')
-            const isCursorCli = commandName === 'agent' || rawCommandName === 'cursor';
-            if (isCursorCli && !args.includes('--force')) {
-                args.push('--force');
+            else {
+                // Interactive mode: log that we're skipping auto-accept flags
+                if (debug)
+                    log.debug(`Interactive mode: skipping auto-accept flags for ${name}`);
             }
             // Apply agent config (model, --agent flag) from .claude/agents/ if available
             // This ensures spawned agents respect their profile settings
@@ -638,15 +650,18 @@ export class AgentSpawner {
                 if (debug)
                     log.debug(`Applied agent config for ${name}: ${args.join(' ')}`);
             }
-            // Add --dangerously-bypass-approvals-and-sandbox for Codex agents
+            // Add auto-accept flags for Codex and Gemini (only in non-interactive mode)
             const isCodexCli = commandName.startsWith('codex');
-            if (isCodexCli && !args.includes('--dangerously-bypass-approvals-and-sandbox')) {
-                args.push('--dangerously-bypass-approvals-and-sandbox');
-            }
-            // Add --yolo for Gemini agents (auto-accept all prompts)
             const isGeminiCli = commandName === 'gemini';
-            if (isGeminiCli && !args.includes('--yolo')) {
-                args.push('--yolo');
+            if (!interactive) {
+                // Add --dangerously-bypass-approvals-and-sandbox for Codex agents
+                if (isCodexCli && !args.includes('--dangerously-bypass-approvals-and-sandbox')) {
+                    args.push('--dangerously-bypass-approvals-and-sandbox');
+                }
+                // Add --yolo for Gemini agents (auto-accept all prompts)
+                if (isGeminiCli && !args.includes('--yolo')) {
+                    args.push('--yolo');
+                }
             }
             // Auto-install MCP config if not present (project-local)
             // Uses .mcp.json in the project root - doesn't modify global settings
@@ -919,6 +934,23 @@ export class AgentSpawner {
             await pty.start();
             if (debug)
                 log.debug(`PTY started, pid: ${pty.pid}`);
+            // Cursor CLI shows "Press any key to log in..." prompt that blocks all progress
+            // Send a keystroke after startup to bypass this initial prompt
+            // Only do this for interactive/setup flows where auth is needed
+            // For normal spawns (already authenticated), this prompt won't appear
+            if (isCursorCli && interactive) {
+                // Wait a moment for CLI to initialize and show the prompt
+                await sleep(1500);
+                if (debug)
+                    log.debug(`Sending initial keystroke for Cursor setup to bypass "Press any key" prompt`);
+                try {
+                    // Send Enter key to proceed past the initial prompt
+                    await pty.write('\r');
+                }
+                catch (err) {
+                    log.warn(`Failed to send initial keystroke for Cursor: ${err}`);
+                }
+            }
             // Wait for the agent to register with the daemon
             const registered = await this.waitForAgentRegistration(name, 30_000, 500);
             if (!registered) {
@@ -1270,22 +1302,39 @@ export class AgentSpawner {
      */
     async waitForAgentRegistration(name, timeoutMs = 30_000, pollIntervalMs = 500) {
         const deadline = Date.now() + timeoutMs;
+        let pollCount = 0;
         while (Date.now() < deadline) {
-            if (this.isAgentRegistered(name)) {
+            pollCount++;
+            const connected = this.isAgentConnected(name);
+            const recentlySeen = this.isAgentRecentlySeen(name);
+            // Log first few polls and every 10th poll after that
+            if (pollCount <= 3 || pollCount % 10 === 0) {
+                log.info(`Registration poll #${pollCount} for ${name}: connected=${connected} recentlySeen=${recentlySeen} agentsPath=${this.agentsPath}`);
+            }
+            if (connected && recentlySeen) {
+                log.info(`Agent ${name} registered after ${pollCount} polls`);
                 return true;
             }
             await sleep(pollIntervalMs);
         }
+        log.info(`Registration timeout for ${name} after ${pollCount} polls`);
         return false;
     }
     isAgentRegistered(name) {
         return this.isAgentConnected(name) && this.isAgentRecentlySeen(name);
     }
     isAgentConnected(name) {
-        if (!this.agentsPath)
+        const debug = process.env.DEBUG_SPAWN === '1';
+        if (!this.agentsPath) {
+            if (debug)
+                log.debug(`isAgentConnected(${name}): no agentsPath`);
             return false;
-        if (!fs.existsSync(this.agentsPath))
+        }
+        if (!fs.existsSync(this.agentsPath)) {
+            if (debug)
+                log.debug(`isAgentConnected(${name}): file not found: ${this.agentsPath}`);
             return false;
+        }
         try {
             const raw = JSON.parse(fs.readFileSync(this.agentsPath, 'utf-8'));
             // connected-agents.json format: { agents: string[], users: string[], updatedAt: number }
@@ -1293,6 +1342,9 @@ export class AgentSpawner {
             const agents = Array.isArray(raw?.agents) ? raw.agents : [];
             const updatedAt = typeof raw?.updatedAt === 'number' ? raw.updatedAt : 0;
             const isFresh = Date.now() - updatedAt <= AgentSpawner.ONLINE_THRESHOLD_MS;
+            if (debug) {
+                log.debug(`isAgentConnected(${name}): path=${this.agentsPath} agents=${agents.join(',')} updatedAt=${updatedAt} isFresh=${isFresh}`);
+            }
             if (!isFresh)
                 return false;
             // Case-insensitive check to match router behavior
@@ -1300,7 +1352,7 @@ export class AgentSpawner {
             return agents.some((a) => typeof a === 'string' && a.toLowerCase() === lowerName);
         }
         catch (err) {
-            log.error('Failed to read connected-agents.json', { error: err.message });
+            log.error('Failed to read connected-agents.json', { error: err.message, path: this.agentsPath });
             return false;
         }
     }

package/packages/bridge/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agent-relay/bridge",
-  "version": "2.0.19",
+  "version": "2.0.21",
   "description": "Multi-project bridge client utilities for Relay",
   "type": "module",
   "main": "dist/index.js",
@@ -22,13 +22,13 @@
     "test:watch": "vitest"
   },
   "dependencies": {
-    "@agent-relay/protocol": "2.0.19",
-    "@agent-relay/config": "2.0.19",
-    "@agent-relay/utils": "2.0.19",
-    "@agent-relay/policy": "2.0.19",
-    "@agent-relay/user-directory": "2.0.19",
-    "@agent-relay/wrapper": "2.0.19",
-    "@agent-relay/mcp": "2.0.19"
+    "@agent-relay/protocol": "2.0.21",
+    "@agent-relay/config": "2.0.21",
+    "@agent-relay/utils": "2.0.21",
+    "@agent-relay/policy": "2.0.21",
+    "@agent-relay/user-directory": "2.0.21",
+    "@agent-relay/wrapper": "2.0.21",
+    "@agent-relay/mcp": "2.0.21"
   },
   "devDependencies": {
     "@types/node": "^22.19.3",

package/packages/cli-tester/README.md

@@ -0,0 +1,277 @@
+# @agent-relay/cli-tester
+
+Manual interactive testing environment for CLI authentication flows.
+
+## Purpose
+
+This package provides a Docker-based environment for testing CLI authentication with real OAuth providers. It's designed for:
+
+- **Debugging auth issues** - Isolate problems with specific CLIs (e.g., "Cursor doesn't work")
+- **Testing auth flows** - Verify OAuth flows work end-to-end
+- **Message injection** - Test relay-pty message delivery
+- **Credential verification** - Check that credentials are saved correctly
+
+## Quick Start
+
+From the relay repo root:
+
+```bash
+# Start the test environment (drops into container shell)
+npm run cli-tester:start
+
+# Start with clean credentials (removes any cached auth)
+npm run cli-tester:start:clean
+
+# Start with daemon for full integration testing
+npm run cli-tester:start:daemon
+```
+
+## Inside the Container
+
+### Test a CLI
+
+```bash
+# Test Claude CLI with relay-pty
+./scripts/test-cli.sh claude
+
+# Test Codex with device auth
+./scripts/test-cli.sh codex --device-auth
+
+# Test with debug output
+DEBUG=1 ./scripts/test-cli.sh cursor
+```
+
+### Verify Credentials
+
+```bash
+# Check if credentials exist (after authenticating)
+./scripts/verify-auth.sh claude
+./scripts/verify-auth.sh codex
+./scripts/verify-auth.sh gemini
+```
+
+### Inject Messages
+
+In a second terminal (while CLI is running):
+
+```bash
+# Send a message via relay-pty socket
+./scripts/inject-message.sh test-claude "What is 2+2?"
+```
+
+### Clear Credentials
+
+```bash
+# Clear credentials for fresh testing
+./scripts/clear-auth.sh claude
+./scripts/clear-auth.sh all  # Clear all CLIs
+```
+
+## Advanced: Testing Spawn Flow
+
+The simple `test-cli.sh` tests the CLI in isolation. For debugging issues where the CLI works in isolation but fails when spawned via the application (e.g., registration timeout), use these advanced tests:
+
+### Test Spawn Behavior
+
+Simulates what `AgentSpawner.spawn()` does, including CLI-specific flags:
+
+```bash
+# Test with same flags as spawner (--force for cursor, --dangerously-skip-permissions for claude)
+./scripts/test-spawn.sh cursor
+
+# Test in interactive mode (without auto-accept flags)
+./scripts/test-spawn.sh cursor --interactive
+
+# With verbose debug output
+DEBUG_SPAWN=1 ./scripts/test-spawn.sh cursor
+```
+
+### Test Registration Flow
+
+Monitors the registration files that the spawner polls. This is the step that times out:
+
+```bash
+# Watch registration with 60 second timeout
+./scripts/test-registration.sh cursor 60
+
+# With debug output
+DEBUG_SPAWN=1 ./scripts/test-registration.sh cursor
+```
+
+### Full Daemon Integration Test
+
+Starts a real daemon and tests the complete flow:
+
+```bash
+# Full end-to-end test with daemon
+./scripts/test-with-daemon.sh cursor
+
+# With debug output
+DEBUG=1 ./scripts/test-with-daemon.sh cursor
+```
+
+**Note:** Requires the daemon to be built: `cd packages/daemon && npm run build`
+
+## Debugging a Broken CLI
+
+When a CLI isn't working, use this workflow:
+
+```bash
+# 1. Start fresh
+npm run cli-tester:start:clean
+
+# 2. Test the problematic CLI
+./scripts/test-cli.sh cursor
+
+# 3. Observe the output for:
+#    - Auth URLs being printed
+#    - Error messages
+#    - Prompt patterns
+
+# 4. Check credentials
+./scripts/verify-auth.sh cursor
+ls -la ~/.cursor/
+
+# 5. Compare with a working CLI
+./scripts/test-cli.sh claude
+```
+
+## Debugging Registration Timeout
+
+If a CLI works in isolation but times out when spawned ("Agent registration timeout"), the issue is in the daemon registration flow.
+
+### Quick Test (Run This First)
+
+```bash
+# Test the EXACT setup flow - this is what TerminalProviderSetup.tsx does
+DEBUG=1 ./scripts/test-full-spawn.sh cursor true
+```
+
+This simulates:
+- `interactive: true` (no --force flag, like setup terminal)
+- 30 second registration timeout
+- Verbose logging of what's happening
+
+### Understanding the Flow
+
+**Normal spawn (non-interactive):**
+```bash
+./scripts/test-full-spawn.sh cursor       # Has --force flag
+```
+
+**Setup terminal (interactive):**
+```bash
+./scripts/test-full-spawn.sh cursor true  # NO --force flag
+```
+
+The key difference is `interactive: true` **skips auto-accept flags**. Setup terminals expect the user to respond to prompts in the browser terminal.
+
+### What the Tests Show
+
+1. **test-full-spawn.sh** - Simulates spawner's 30s registration timeout
+   - Shows poll count (like spawner logs)
+   - Shows socket status
+   - Captures CLI output to log file
+   - Tells you exactly where things fail
+
+2. **test-setup-flow.sh** - Identical to what TerminalProviderSetup.tsx does
+   - Uses `__setup__cursor-xxx` naming
+   - No CLI flags (interactive mode)
+
+### Debugging Steps
+
+```bash
+# 1. Test in isolation (verify CLI starts)
+./scripts/test-cli.sh cursor
+
+# 2. Test NON-INTERACTIVE spawn (with --force)
+DEBUG=1 ./scripts/test-full-spawn.sh cursor
+
+# 3. Test INTERACTIVE spawn (setup terminal flow)
+DEBUG=1 ./scripts/test-full-spawn.sh cursor true
+
+# 4. Watch the log file in another terminal
+tail -f /tmp/relay-spawn-*.log
+```
+
+### Common Causes
+
+| Symptom | Cause | Fix |
+|---------|-------|-----|
+| CLI exits immediately | Not installed or crash | Check `which agent` |
+| Socket never created | CLI stuck on early prompt | Check log for prompts |
+| 30s timeout | CLI waiting for user input | Respond to prompts (trust, etc.) |
+| 30s timeout | No daemon to register with | Run with daemon profile |
+
+### The Registration Flow
+
+The spawner waits for TWO conditions:
+1. Agent in `connected-agents.json` (daemon updates this when CLI connects)
+2. Agent in `agents.json` (relay-pty hook updates this)
+
+Without a running daemon, both files are empty → timeout.
+
+## Available CLIs
+
+The container includes these pre-installed CLIs:
+
+| CLI | Command | Auth Command | Credential Path |
+|-----|---------|--------------|-----------------|
+| Claude | `claude` | (auto) | `~/.claude/.credentials.json` |
+| Codex | `codex` | `login` | `~/.codex/auth.json` |
+| Gemini | `gemini` | (auto) | `~/.gemini/credentials.json` |
+| Cursor | `agent` | (auto) | `~/.cursor/auth.json` |
+| OpenCode | `opencode` | `auth login` | `~/.local/share/opencode/auth.json` |
+| Droid | `droid` | `--login` | `~/.droid/auth.json` |
+| Copilot | `copilot` | `auth login` | `~/.config/gh/hosts.yml` |
+
+**Note:** Cursor CLI installs as `agent`, not `cursor`. The test scripts handle this mapping automatically.
+
+## How It Works
+
+1. **relay-pty** wraps the CLI and provides:
+   - Unix socket for message injection
+   - Output parsing for relay commands
+   - Idle detection for message timing
+
+2. **Docker volumes** persist credentials between runs so you don't have to re-authenticate each time.
+
+3. **Shell scripts** provide simple commands for common operations.
+
+## TypeScript API
+
+For programmatic use:
+
+```typescript
+import { RelayPtyClient, checkCredentials } from '@agent-relay/cli-tester';
+
+// Check credentials
+const result = checkCredentials('claude');
+console.log(result.exists, result.valid, result.hasAccessToken);
+
+// Inject messages via socket
+const client = new RelayPtyClient('/tmp/relay-pty-test-claude.sock');
+await client.connect();
+await client.inject({ from: 'Test', body: 'Hello' });
+```
+
+## File Structure
+
+```
+packages/cli-tester/
+├── docker/
+│   ├── Dockerfile           # Test environment image
+│   └── docker-compose.yml   # Container configuration
+├── scripts/
+│   ├── start.sh             # Start container
+│   ├── test-cli.sh          # Test a CLI with relay-pty
+│   ├── verify-auth.sh       # Check credentials
+│   ├── inject-message.sh    # Send message via socket
+│   └── clear-auth.sh        # Clear credentials
+├── src/
+│   └── utils/
+│       ├── socket-client.ts     # relay-pty socket communication
+│       └── credential-check.ts  # Credential file utilities
+└── tests/
+    └── credential-check.test.ts
+```

package/packages/cli-tester/dist/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * CLI Auth Tester - Manual interactive testing for CLI authentication flows
+ *
+ * This package provides utilities for testing CLI authentication in a Docker container.
+ * Primary use case is debugging auth issues with various CLI tools (Claude, Codex, Gemini, etc.)
+ *
+ * @example
+ * ```bash
+ * # Start the test environment
+ * npm run cli-tester:start
+ *
+ * # Inside container, test a CLI
+ * ./scripts/test-cli.sh claude
+ *
+ * # Verify credentials
+ * ./scripts/verify-auth.sh claude
+ * ```
+ */
+export { RelayPtyClient, createClient, getSocketPath, type InjectRequest, type InjectResponse, type StatusRequest, type StatusResponse, type RelayPtyResponse, } from './utils/socket-client.js';
+export { checkCredentials, clearCredentials, checkAllCredentials, clearAllCredentials, getCredentialPath, getConfigPaths, type CLIType, type CredentialCheck, } from './utils/credential-check.js';
+//# sourceMappingURL=index.d.ts.map

package/packages/cli-tester/dist/index.js

@@ -0,0 +1,21 @@
+/**
+ * CLI Auth Tester - Manual interactive testing for CLI authentication flows
+ *
+ * This package provides utilities for testing CLI authentication in a Docker container.
+ * Primary use case is debugging auth issues with various CLI tools (Claude, Codex, Gemini, etc.)
+ *
+ * @example
+ * ```bash
+ * # Start the test environment
+ * npm run cli-tester:start
+ *
+ * # Inside container, test a CLI
+ * ./scripts/test-cli.sh claude
+ *
+ * # Verify credentials
+ * ./scripts/verify-auth.sh claude
+ * ```
+ */
+export { RelayPtyClient, createClient, getSocketPath, } from './utils/socket-client.js';
+export { checkCredentials, clearCredentials, checkAllCredentials, clearAllCredentials, getCredentialPath, getConfigPaths, } from './utils/credential-check.js';
+//# sourceMappingURL=index.js.map

package/packages/cli-tester/dist/utils/credential-check.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Credential checking utilities for CLI authentication testing
+ * Verifies and parses credential files for various CLI tools
+ */
+export type CLIType = 'claude' | 'codex' | 'gemini' | 'cursor' | 'opencode' | 'droid';
+export interface CredentialCheck {
+    /** CLI type being checked */
+    cli: CLIType;
+    /** Whether the credential file exists */
+    exists: boolean;
+    /** Whether the credentials appear valid (have required fields) */
+    valid: boolean;
+    /** Whether an access token is present */
+    hasAccessToken: boolean;
+    /** Whether a refresh token is present */
+    hasRefreshToken: boolean;
+    /** Token expiration date if available */
+    expiresAt?: Date;
+    /** Path to the credential file */
+    filePath: string;
+    /** Raw credential data (tokens redacted) */
+    data?: Record<string, unknown>;
+    /** Error message if check failed */
+    error?: string;
+}
+/**
+ * Get the credential file path for a CLI
+ */
+export declare function getCredentialPath(cli: CLIType): string;
+/**
+ * Get all config paths for a CLI (for clearing)
+ */
+export declare function getConfigPaths(cli: CLIType): string[];
+/**
+ * Check credentials for a specific CLI
+ */
+export declare function checkCredentials(cli: CLIType): CredentialCheck;
+/**
+ * Clear credentials for a specific CLI
+ */
+export declare function clearCredentials(cli: CLIType): {
+    cleared: string[];
+    errors: string[];
+};
+/**
+ * Clear all CLI credentials
+ */
+export declare function clearAllCredentials(): Record<CLIType, {
+    cleared: string[];
+    errors: string[];
+}>;
+/**
+ * Check all CLI credentials
+ */
+export declare function checkAllCredentials(): Record<CLIType, CredentialCheck>;
+//# sourceMappingURL=credential-check.d.ts.map