codeam-cli 2.39.30 → 2.39.32

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to `codeam-cli` are documented here.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.39.31] — 2026-06-18
+
+### Fixed
+
+- **cli:** Host-agent re-enrollment + self-heal on deleted host
+
+## [2.39.30] — 2026-06-18
+
+### Added
+
+- **cli:** Report real system metrics in host-agent heartbeat
+
 ## [2.39.29] — 2026-06-18
 
 ### Added

package/dist/index.js

@@ -498,7 +498,7 @@ var import_qrcode_terminal = __toESM(require("qrcode-terminal"));
 // package.json
 var package_default = {
   name: "codeam-cli",
-  version: "2.39.30",
+  version: "2.39.32",
   description: "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device \u2014 async. The terminal companion for CodeAgent Mobile.",
   type: "commonjs",
   main: "dist/index.js",
@@ -5908,7 +5908,7 @@ function readAnonId() {
 }
 function superProperties() {
   return {
-    cliVersion: true ? "2.39.30" : "0.0.0-dev",
+    cliVersion: true ? "2.39.32" : "0.0.0-dev",
     nodeVersion: process.version,
     platform: process.platform,
     arch: process.arch,
@@ -26283,6 +26283,31 @@ function saveHostIdentity(identity) {
   });
   fs41.chmodSync(file, 384);
 }
+var HostHttpError = class extends Error {
+  constructor(message, status2) {
+    super(message);
+    this.status = status2;
+    this.name = "HostHttpError";
+  }
+  status;
+  /**
+   * True iff this is a genuine auth-rejection of the host identity:
+   * 401 (token invalid), 403 (forbidden), 404 (host not found / deleted).
+   * Transient failures (5xx, timeouts, network errors) are NOT rejections.
+   */
+  get isAuthRejection() {
+    return this.status === 401 || this.status === 403 || this.status === 404;
+  }
+};
+function isHostAuthRejection(err) {
+  return err instanceof HostHttpError && err.isAuthRejection;
+}
+function deleteHostIdentity() {
+  try {
+    fs41.rmSync(hostIdentityPath(), { force: true });
+  } catch {
+  }
+}
 async function postJson(pathname, body) {
   const res = await fetch(`${apiBase()}${pathname}`, {
     method: "POST",
@@ -26292,8 +26317,9 @@ async function postJson(pathname, body) {
   const json = await res.json();
   if (!res.ok || !json.success) {
     const err = !json.success ? json.error : void 0;
-    throw new Error(
-      `${pathname} failed (${err?.code ?? `HTTP_${res.status}`}): ${err?.message ?? res.statusText}`
+    throw new HostHttpError(
+      `${pathname} failed (${err?.code ?? `HTTP_${res.status}`}): ${err?.message ?? res.statusText}`,
+      res.status
     );
   }
   return json.data;
@@ -26367,6 +26393,30 @@ async function reportProgress(auth, step, message) {
   } catch {
   }
 }
+async function reportDeployProgress(auth, deployId, step, message, sessionId) {
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), PROGRESS_TIMEOUT_MS);
+    timer.unref?.();
+    try {
+      await fetch(`${apiBase()}/api/self-hosted/deploy-progress`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...vercelBypassHeader() },
+        body: JSON.stringify({
+          ...auth,
+          deployId,
+          step,
+          message,
+          ...sessionId ? { sessionId } : {}
+        }),
+        signal: controller.signal
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+  } catch {
+  }
+}
 
 // src/commands/host.ts
 function readTokenFlag(args2) {
@@ -26429,12 +26479,46 @@ function isAbsolutePathTarget(target) {
 function selfHostedWorkspaceRoot() {
   return path54.join(os33.homedir(), ".codeam", "self-hosted");
 }
-function repoCloneUrl(repoRef) {
+function nonInteractiveGitEnv() {
+  return {
+    ...process.env,
+    GIT_TERMINAL_PROMPT: "0",
+    GIT_ASKPASS: "",
+    GCM_INTERACTIVE: "never"
+  };
+}
+function githubOwnerRepo(repoRef) {
   const trimmed = repoRef.trim();
+  const shorthand = /^([^/\s]+)\/([^/\s]+?)(?:\.git)?$/.exec(trimmed);
+  if (shorthand && !/^https?:\/\//.test(trimmed) && !trimmed.startsWith("git@")) {
+    return { owner: shorthand[1], repo: shorthand[2] };
+  }
+  const httpsMatch = /^https?:\/\/github\.com\/([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/.exec(trimmed);
+  if (httpsMatch) return { owner: httpsMatch[1], repo: httpsMatch[2] };
+  return null;
+}
+function repoCloneUrl(repoRef, cloneToken) {
+  const trimmed = repoRef.trim();
+  if (cloneToken) {
+    const gh = githubOwnerRepo(trimmed);
+    if (gh) {
+      return `https://x-access-token:${cloneToken}@github.com/${gh.owner}/${gh.repo}.git`;
+    }
+  }
   if (/^https?:\/\//.test(trimmed) || trimmed.startsWith("git@")) return trimmed;
   return `https://github.com/${trimmed.replace(/\.git$/, "")}.git`;
 }
-async function prepareWorkspace(repoOrPath, deployId) {
+function maskCloneUrl(url) {
+  return url.replace(/(https?:\/\/)[^@/]+@/, "$1***@");
+}
+function maskToken(text, cloneToken) {
+  const masked = maskCloneUrl(text);
+  if (cloneToken && cloneToken.length > 0) {
+    return masked.split(cloneToken).join("***");
+  }
+  return masked;
+}
+async function prepareWorkspace(repoOrPath, deployId, cloneToken) {
   if (isAbsolutePathTarget(repoOrPath)) {
     if (!fs42.existsSync(repoOrPath)) {
       throw new Error(`deploy target path does not exist: ${repoOrPath}`);
@@ -26446,10 +26530,17 @@ async function prepareWorkspace(repoOrPath, deployId) {
     return dest;
   }
   fs42.mkdirSync(selfHostedWorkspaceRoot(), { recursive: true, mode: 448 });
-  await execFileP9("git", ["clone", "--depth", "1", repoCloneUrl(repoOrPath), dest], {
-    timeout: 12e4,
-    maxBuffer: 16 * 1024 * 1024
-  });
+  const cloneUrl = repoCloneUrl(repoOrPath, cloneToken);
+  try {
+    await execFileP9("git", ["clone", "--depth", "1", cloneUrl, dest], {
+      timeout: 12e4,
+      maxBuffer: 16 * 1024 * 1024,
+      env: nonInteractiveGitEnv()
+    });
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    throw new Error(`git clone failed for ${maskCloneUrl(cloneUrl)}: ${maskToken(reason, cloneToken)}`);
+  }
   return dest;
 }
 
@@ -26534,6 +26625,9 @@ function isDeployPayload(p2) {
   if (typeof p2.deployId !== "string" || typeof p2.repoOrPath !== "string" || typeof p2.agentId !== "string" || typeof p2.autoPairToken !== "string") {
     return false;
   }
+  if (p2.cloneToken !== void 0 && typeof p2.cloneToken !== "string") {
+    return false;
+  }
   const hasHouse = isHouseProxy(p2.houseProxy);
   const hasSealed = typeof p2.sealedAgentAuth === "string";
   return hasHouse || hasSealed;
@@ -26552,9 +26646,20 @@ var CONTROL_AGENT_META = {
 var defaultSpawner = (env, cwd, args2 = []) => (0, import_node_child_process13.spawn)(process.execPath, [process.argv[1], "pair-auto", ...args2], {
   cwd,
   env: { ...process.env, ...env },
-  stdio: "ignore",
+  stdio: ["ignore", "pipe", "pipe"],
   detached: false
 });
+var defaultOnIdentityRejected = () => {
+  deleteHostIdentity();
+  log.warn("host-agent", "host identity rejected by backend \u2014 wiped sealed identity, exiting");
+  process.exit(1);
+};
+var defaultDisableService = () => {
+  try {
+    (0, import_node_child_process13.execFileSync)("systemctl", ["disable", "--now", "codeam-host-agent"], { stdio: "ignore" });
+  } catch {
+  }
+};
 var HostAgentSupervisor = class {
   constructor(identity, deps = {}) {
     this.identity = identity;
@@ -26562,6 +26667,8 @@ var HostAgentSupervisor = class {
     this.spawnChild = deps.spawnChild ?? defaultSpawner;
     this.resolveAgentAuth = deps.resolveAgentAuth ?? unsealAgentAuth;
     this.metrics = deps.metricsCollector ?? new MetricsCollector();
+    this.onIdentityRejected = deps.onIdentityRejected ?? defaultOnIdentityRejected;
+    this.disableService = deps.disableService ?? defaultDisableService;
   }
   identity;
   deps;
@@ -26574,6 +26681,12 @@ var HostAgentSupervisor = class {
   reportedConnected = false;
   /** Live-metrics collector — stateful across beats (CPU delta + latency). */
   metrics;
+  /** Self-heal action when the backend rejects this identity. */
+  onIdentityRejected;
+  /** Best-effort systemd de-provision used by `self_hosted_wipe`. */
+  disableService;
+  /** Guards against firing the self-heal more than once. */
+  healing = false;
   /** Open the control channel (reusing the relay) + start heartbeats. */
   start() {
     const make = this.deps.makeRelay ?? ((pluginId, onCommand, meta) => new CommandRelayService(pluginId, onCommand, meta));
@@ -26622,6 +26735,14 @@ var HostAgentSupervisor = class {
         );
       }
     } catch (err) {
+      if (isHostAuthRejection(err)) {
+        if (!this.healing) {
+          this.healing = true;
+          log.warn("host-agent", "heartbeat rejected \u2014 host deleted/revoked, self-healing", err);
+          this.onIdentityRejected();
+        }
+        return;
+      }
       log.trace("host-agent", "heartbeat failed", err);
     }
   }
@@ -26651,6 +26772,16 @@ var HostAgentSupervisor = class {
       this.stopChild(cmd.payload.sessionId);
       return;
     }
+    if (cmd.type === "self_hosted_wipe") {
+      log.warn("host-agent", `self_hosted_wipe received id=${cmd.id} \u2014 de-provisioning`);
+      this.stop();
+      this.disableService();
+      if (!this.healing) {
+        this.healing = true;
+        this.onIdentityRejected();
+      }
+      return;
+    }
     log.trace("host-agent", `ignoring unsupported command type=${cmd.type}`);
   }
   /**
@@ -26668,43 +26799,86 @@ var HostAgentSupervisor = class {
       "host-agent",
       `deploy id=${payload.deployId.slice(0, 8)} agent=${payload.agentId} target=${payload.repoOrPath}`
     );
-    const cwd = await prepareWorkspace(payload.repoOrPath, payload.deployId);
-    let childEnv;
-    let extraArgs = [];
-    if (payload.houseProxy) {
-      const { baseUrl, token, agentKind } = payload.houseProxy;
-      childEnv = {
-        ANTHROPIC_BASE_URL: baseUrl,
-        ANTHROPIC_AUTH_TOKEN: token,
-        ANTHROPIC_MODEL: "MiniMax-M3",
-        ANTHROPIC_DEFAULT_SONNET_MODEL: "MiniMax-M3",
-        ANTHROPIC_DEFAULT_OPUS_MODEL: "MiniMax-M3",
-        ANTHROPIC_DEFAULT_HAIKU_MODEL: "MiniMax-M3",
-        CLAUDE_CODE_AUTO_COMPACT_WINDOW: "512000",
-        API_TIMEOUT_MS: "3000000",
-        CODEAM_AUTO_TOKEN: payload.autoPairToken
-      };
-      extraArgs = [`--agent=${agentKind || "claude"}`];
-    } else {
-      const auth = await this.resolveAgentAuth(this.identity, payload.sealedAgentAuth);
-      const credEnv = provisionAgentCredentials(payload.agentId, auth, void 0);
-      childEnv = {
-        ...credEnv,
-        CODEAM_AUTO_TOKEN: payload.autoPairToken
+    const report = (step, message) => {
+      void reportDeployProgress(
+        { hostId: this.identity.hostId, hostToken: this.identity.hostToken },
+        payload.deployId,
+        step,
+        message
+      );
+    };
+    try {
+      report("preparing", "preparing workspace");
+      if (!isAbsolutePathTarget(payload.repoOrPath)) {
+        report("cloning", "cloning repository");
+      }
+      const cwd = await prepareWorkspace(payload.repoOrPath, payload.deployId, payload.cloneToken);
+      let childEnv;
+      let extraArgs = [];
+      if (payload.houseProxy) {
+        const { baseUrl, token, agentKind } = payload.houseProxy;
+        childEnv = {
+          ANTHROPIC_BASE_URL: baseUrl,
+          ANTHROPIC_AUTH_TOKEN: token,
+          ANTHROPIC_MODEL: "MiniMax-M3",
+          ANTHROPIC_DEFAULT_SONNET_MODEL: "MiniMax-M3",
+          ANTHROPIC_DEFAULT_OPUS_MODEL: "MiniMax-M3",
+          ANTHROPIC_DEFAULT_HAIKU_MODEL: "MiniMax-M3",
+          CLAUDE_CODE_AUTO_COMPACT_WINDOW: "512000",
+          API_TIMEOUT_MS: "3000000",
+          CODEAM_AUTO_TOKEN: payload.autoPairToken
+        };
+        extraArgs = [`--agent=${agentKind || "claude"}`];
+      } else {
+        const auth = await this.resolveAgentAuth(this.identity, payload.sealedAgentAuth);
+        const credEnv = provisionAgentCredentials(payload.agentId, auth, void 0);
+        childEnv = {
+          ...credEnv,
+          CODEAM_AUTO_TOKEN: payload.autoPairToken
+        };
+      }
+      report("spawning", "starting agent");
+      const proc = this.spawnChild(childEnv, cwd, extraArgs);
+      const child = { deployId: payload.deployId, proc };
+      this.children.set(payload.deployId, child);
+      let tail = "";
+      const appendTail = (buf) => {
+        tail = (tail + buf.toString("utf8")).slice(-2e3);
       };
-    }
-    const proc = this.spawnChild(childEnv, cwd, extraArgs);
-    const child = { deployId: payload.deployId, sessionId: payload.deployId, proc };
-    this.children.set(payload.deployId, child);
-    proc.once("exit", () => {
-      if (this.children.get(payload.deployId)?.proc === proc) {
+      proc.stdout?.on("data", appendTail);
+      proc.stderr?.on("data", appendTail);
+      report("agent_starting", "agent process started");
+      proc.once("exit", (code) => {
+        const tracked = this.children.get(payload.deployId)?.proc === proc;
+        if (tracked) {
+          this.children.delete(payload.deployId);
+        }
+        if (tracked && typeof code === "number" && code !== 0) {
+          const detail = tail.trim().slice(-500);
+          report("failed", detail ? `agent exited (${code}): ${detail}` : `agent exited (${code})`);
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      log.warn("host-agent", `deploy ${payload.deployId.slice(0, 8)} failed: ${message}`);
+      const existing = this.children.get(payload.deployId);
+      if (existing) {
+        try {
+          existing.proc.kill("SIGTERM");
+        } catch {
+        }
         this.children.delete(payload.deployId);
       }
-    });
+      report("failed", message);
+    }
   }
-  /** Kill the child matching `sessionId` (or its deployId). No-op if absent. */
+  /**
+   * Kill the child for the given id. The backend correlates the session it
+   * sends to this deploy, so the id matches the deployId we keyed on. No-op
+   * if absent.
+   */
   stopChild(sessionId) {
-    const child = this.children.get(sessionId) ?? this.findBySessionId(sessionId);
+    const child = this.children.get(sessionId);
     if (!child) {
       log.trace("host-agent", `stop: no child for sessionId=${sessionId}`);
       return;
@@ -26716,26 +26890,34 @@ var HostAgentSupervisor = class {
     }
     this.children.delete(child.deployId);
   }
-  findBySessionId(sessionId) {
-    for (const child of this.children.values()) {
-      if (child.sessionId === sessionId) return child;
-    }
-    return void 0;
-  }
 };
 async function resolveHostIdentity(enrollToken) {
   const existing = loadHostIdentity();
+  if (enrollToken) {
+    await reportProgress({ enrollToken }, "redeeming", "redeeming enrollment token\u2026");
+    try {
+      const identity = await redeemEnrollToken(enrollToken);
+      saveHostIdentity(identity);
+      await reportProgress(
+        { hostId: identity.hostId, hostToken: identity.hostToken },
+        "enrolled",
+        "host enrolled"
+      );
+      return identity;
+    } catch (err) {
+      if (existing) {
+        log.trace(
+          "host-agent",
+          "enroll-token redeem failed; reusing sealed identity (likely a restart)",
+          err
+        );
+        return existing;
+      }
+      throw err;
+    }
+  }
   if (existing) return existing;
-  if (!enrollToken) return null;
-  await reportProgress({ enrollToken }, "redeeming", "redeeming enrollment token\u2026");
-  const identity = await redeemEnrollToken(enrollToken);
-  saveHostIdentity(identity);
-  await reportProgress(
-    { hostId: identity.hostId, hostToken: identity.hostToken },
-    "enrolled",
-    "host enrolled"
-  );
-  return identity;
+  return null;
 }
 async function hostAgent(args2 = []) {
   const tokenArg = args2.find((a) => a.startsWith("--token="));
@@ -26931,7 +27113,7 @@ function checkChokidar() {
 }
 async function doctor(args2 = []) {
   const json = args2.includes("--json");
-  const cliVersion = true ? "2.39.30" : "0.0.0-dev";
+  const cliVersion = true ? "2.39.32" : "0.0.0-dev";
   const apiBase2 = resolveApiBaseUrl();
   const diagnosticId = (0, import_node_crypto8.randomUUID)();
   log.info("doctor", `run id=${diagnosticId} cli=${cliVersion}`);
@@ -27130,7 +27312,7 @@ async function completion(args2) {
 // src/commands/version.ts
 var import_picocolors13 = __toESM(require("picocolors"));
 function version2() {
-  const v = true ? "2.39.30" : "unknown";
+  const v = true ? "2.39.32" : "unknown";
   console.log(`${import_picocolors13.default.bold("codeam-cli")} ${import_picocolors13.default.cyan(v)}`);
 }
 
@@ -27416,7 +27598,7 @@ function checkForUpdates() {
   if (process.env.CODEAM_DISABLE_UPDATE_CHECK === "1") return;
   if (process.env.CI) return;
   if (!process.stdout.isTTY) return;
-  const current = true ? "2.39.30" : null;
+  const current = true ? "2.39.32" : null;
   if (!current) return;
   const cache = readCache();
   const fresh = cache && Date.now() - cache.fetchedAt < TTL_MS;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeam-cli",
-  "version": "2.39.30",
+  "version": "2.39.32",
   "description": "Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device — async. The terminal companion for CodeAgent Mobile.",
   "type": "commonjs",
   "main": "dist/index.js",