convene-cli 1.11.0 → 1.12.0

package/dist/api.js

@@ -42,6 +42,8 @@ class ConveneApi {
                 headers['x-convene-session-instance'] = this.instance;
             if (opts.idempotencyKey)
                 headers['idempotency-key'] = opts.idempotencyKey;
+            if (opts.headers)
+                Object.assign(headers, opts.headers);
             const res = await fetch(`${this.baseUrl}${brand_1.BRAND.apiBase}${apiPath}`, {
                 method,
                 headers,
@@ -154,6 +156,14 @@ class ConveneApi {
     join(slug, body, timeoutMs) {
         return this.request('POST', `/projects/${encodeURIComponent(slug)}/join`, { body, timeoutMs });
     }
+    /** Device enrollment — start (no bearer). Emails the member a confirm link if one exists. */
+    enrollStart(body, timeoutMs) {
+        return this.request('POST', '/enroll/device/start', { body, timeoutMs });
+    }
+    /** Device enrollment — poll for the minted key, presenting the raw device secret (no bearer). */
+    enrollPoll(enrollmentId, rawSecret, timeoutMs) {
+        return this.request('GET', `/enroll/device/poll?id=${encodeURIComponent(String(enrollmentId))}`, { headers: { 'x-device-secret': rawSecret }, timeoutMs });
+    }
     /** Self-recovery: re-grant your own membership via the committed join token (no bearer
      *  auth required). Restores OWNER only from a server-recorded prior-owner row. */
     reclaim(slug, body, timeoutMs) {

package/dist/brand.js

@@ -13,8 +13,8 @@ exports.BRAND = {
     product: 'Convene',
     slug: 'convene',
     bin: 'convene',
-    domain: 'dev.convene.live',
-    baseUrl: 'https://dev.convene.live',
+    domain: 'convene.live',
+    baseUrl: 'https://convene.live',
     /** Public product / front-door base URL for human-facing links (dashboard, /start, docs). */
     siteDomain: 'convene.live',
     siteUrl: 'https://convene.live',

package/dist/cache.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OVERRIDE_TTL_MS = exports.writeWatchHighWater = exports.LIVE_SESSION_RECENT_SEC = exports.LIVE_SESSION_WINDOW_SEC = void 0;
+exports.OVERRIDE_TTL_MS = exports.LIVE_SESSION_RECENT_SEC = exports.LIVE_SESSION_WINDOW_SEC = void 0;
 exports.readCache = readCache;
 exports.writeCache = writeCache;
 exports.ageSeconds = ageSeconds;
@@ -25,11 +25,8 @@ exports.announceAlreadyPosted = announceAlreadyPosted;
 exports.markAnnounced = markAnnounced;
 exports.readLastBroadcastSha = readLastBroadcastSha;
 exports.writeLastBroadcastSha = writeLastBroadcastSha;
-exports.readWatchHighWater = readWatchHighWater;
-exports.persistHighWater = persistHighWater;
-exports.appendWatchEntry = appendWatchEntry;
-exports.appendWatch = appendWatch;
-exports.readWatchSince = readWatchSince;
+exports.readWatchCursor = readWatchCursor;
+exports.persistWatchCursor = persistWatchCursor;
 exports.touchWatchHeartbeat = touchWatchHeartbeat;
 exports.watchHeartbeatAgeSec = watchHeartbeatAgeSec;
 exports.writeWatchPid = writeWatchPid;
@@ -390,19 +387,32 @@ function writeLastBroadcastSha(slug, sha) {
         /* best-effort */
     }
 }
-function watchFile(slug) {
-    return slugFile(slug, 'watch.jsonl');
-}
-function watchHighWaterFile(slug) {
+// ── watch poll resume cursor (WP12) ──────────────────────────────────────────
+// The `convene watch` daemon (cli/src/commands/watch.ts) long-polls the bus,
+// stamps a liveness heartbeat each iteration (the health line reads its age), and
+// optionally desktop-notifies on a directed halt. It persists a MONOTONIC poll
+// cursor here so a relaunch (every SessionStart) resumes incrementally instead of
+// re-scanning the backlog from zero.
+//
+// The daemon does NOT render anything into agent-facing context: directed halts
+// reach the agent via the server-truth PULL surfaces (fetch / session-open /
+// lane-state), which query the server — the single authority for halt state. (The
+// daemon formerly APPENDED matched halts to a per-slug `.watch.jsonl` for a reader
+// to drain, but that reader was never wired into any surface, and a local cache
+// could drift from server truth and mislead. The jsonl was removed in favor of the
+// pull path; only this resume cursor + the heartbeat remain.)
+function watchCursorFile(slug) {
+    // Legacy `.watch.hw` (high-water) extension retained so existing caches aren't
+    // orphaned on upgrade — the file is now the daemon's own poll resume cursor.
     return slugFile(slug, 'watch.hw');
 }
 function watchHeartbeatFile(slug) {
     return slugFile(slug, 'watch.hb');
 }
-/** Read the persisted high-water seq for the watch jsonl (0 if none). */
-function readWatchHighWater(slug) {
+/** Read the daemon's persisted poll resume cursor (0 if none). */
+function readWatchCursor(slug) {
     try {
-        const n = parseInt(node_fs_1.default.readFileSync(watchHighWaterFile(slug), 'utf8').trim(), 10);
+        const n = parseInt(node_fs_1.default.readFileSync(watchCursorFile(slug), 'utf8').trim(), 10);
         return Number.isFinite(n) ? n : 0;
     }
     catch {
@@ -410,87 +420,21 @@ function readWatchHighWater(slug) {
     }
 }
 /**
- * Persist the high-water seq for the watch jsonl — MONOTONIC. A lower seq is
- * ignored (GREATEST semantics) so a reader can never rewind past material it
- * already drained. NEVER truncates the jsonl.
+ * Persist the daemon's poll resume cursor — MONOTONIC. A lower seq is ignored
+ * (GREATEST semantics) so a relaunch never rewinds the cursor and re-scans
+ * material it already polled past. Best-effort; never throws.
  */
-function persistHighWater(slug, seq) {
+function persistWatchCursor(slug, seq) {
     try {
         node_fs_1.default.mkdirSync(config_1.CACHE_DIR, { recursive: true, mode: 0o700 });
-        const cur = readWatchHighWater(slug);
+        const cur = readWatchCursor(slug);
         if (seq > cur)
-            node_fs_1.default.writeFileSync(watchHighWaterFile(slug), String(seq) + '\n', { mode: 0o600 });
+            node_fs_1.default.writeFileSync(watchCursorFile(slug), String(seq) + '\n', { mode: 0o600 });
     }
     catch {
         /* best-effort */
     }
 }
-/** Back-compat alias for the WP2 stub name; identical monotonic behavior. */
-exports.writeWatchHighWater = persistHighWater;
-/**
- * APPEND a watch entry to the jsonl (append-only — never rewrites the file).
- * The append is atomic at the OS level for a single small write, so a concurrent
- * reader sees whole lines. Best-effort; never throws (the watch daemon is
- * fail-open). Entries WITHOUT a finite numeric seq are dropped — an un-keyed
- * entry can't participate in the high-water drain and would be re-rendered
- * forever.
- */
-function appendWatchEntry(slug, entry) {
-    if (!entry || typeof entry.seq !== 'number' || !Number.isFinite(entry.seq))
-        return;
-    try {
-        node_fs_1.default.mkdirSync(config_1.CACHE_DIR, { recursive: true, mode: 0o700 });
-        node_fs_1.default.appendFileSync(watchFile(slug), JSON.stringify(entry) + '\n', { mode: 0o600 });
-    }
-    catch {
-        /* best-effort */
-    }
-}
-/** Back-compat alias for the WP2 stub name. */
-function appendWatch(slug, entry) {
-    appendWatchEntry(slug, entry);
-}
-/**
- * Read all watch entries with seq > highWater, ascending by seq, de-duplicated
- * on seq (the daemon may re-append the same entry after a resume — the reader
- * tolerates duplicates by keeping the first per seq). Does NOT advance the
- * high-water and does NOT truncate — the caller decides what was actually
- * rendered and calls persistHighWater(slug, lastRenderedSeq). A malformed line
- * is skipped, never fatal.
- */
-function readWatchSince(slug, highWater) {
-    let raw;
-    try {
-        raw = node_fs_1.default.readFileSync(watchFile(slug), 'utf8');
-    }
-    catch {
-        return [];
-    }
-    const seen = new Set();
-    const out = [];
-    for (const line of raw.split('\n')) {
-        const s = line.trim();
-        if (!s)
-            continue;
-        let e;
-        try {
-            e = JSON.parse(s);
-        }
-        catch {
-            continue; // a torn/partial line — skip, the next drain re-reads it whole
-        }
-        if (typeof e.seq !== 'number' || !Number.isFinite(e.seq))
-            continue;
-        if (e.seq <= highWater)
-            continue;
-        if (seen.has(e.seq))
-            continue;
-        seen.add(e.seq);
-        out.push(e);
-    }
-    out.sort((a, b) => a.seq - b.seq);
-    return out;
-}
 // ── watch heartbeat (WP12) ───────────────────────────────────────────────────
 // The daemon stamps a heartbeat each loop iteration; the health line / doctor
 // read its age. A stale/absent heartbeat ⇒ watch is down ⇒ surface DEGRADED.

package/dist/commands/enroll.js

@@ -0,0 +1,72 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.enrollDevice = enrollDevice;
+/**
+ * `convene enroll-device` — connect THIS machine to your EXISTING identity without
+ * copying a key. Proves email ownership (an emailed confirm link) + device ownership
+ * (a CLI-held secret), then the server mints a fresh per-device key that ONLY this
+ * CLI can claim. Also auto-invoked by `convene setup`/`join` when the bus reports an
+ * identity already exists for your email (EMAIL_TAKEN).
+ */
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const node_os_1 = __importDefault(require("node:os"));
+const api_1 = require("../api");
+const config_1 = require("../config");
+const git_1 = require("../git");
+const ctx_1 = require("../ctx");
+const log = (m) => process.stdout.write(m + '\n');
+const sha256 = (s) => node_crypto_1.default.createHash('sha256').update(s, 'utf8').digest('hex');
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+/**
+ * Run the device-enrollment flow. Returns true once a fresh key is saved to the
+ * local config; on timeout / expiry it prints guidance and exits the process.
+ */
+async function enrollDevice(opts) {
+    const top = (0, git_1.gitToplevel)();
+    const proj = (0, config_1.loadProjectConfig)(top);
+    const cfg = (0, config_1.resolveConfigForRepo)(top, proj);
+    const baseUrl = (opts.baseUrl || cfg.baseUrl).replace(/\/$/, '');
+    const email = opts.email || (0, git_1.gitUserEmail)(top ?? undefined) || undefined;
+    if (!email)
+        (0, ctx_1.die)('no email to enroll — pass `--email <you@example.com>` (or set git user.email)');
+    // CLI-held secret: send only its hash to start; present the raw secret at poll so
+    // ONLY this process can claim the minted key (a browser that clicks the link cannot).
+    const rawSecret = node_crypto_1.default.randomBytes(32).toString('base64url');
+    const secretHash = sha256(rawSecret);
+    const label = (opts.label || node_os_1.default.hostname() || 'cli').slice(0, 80);
+    const api = new api_1.ConveneApi(baseUrl, null);
+    const start = await api.enrollStart({ email: email, secret_hash: secretHash, device_label: label }, 10_000);
+    if (!start.ok || !start.json) {
+        (0, ctx_1.die)(`could not start device enrollment (${start.status}): ${start.error ?? 'unreachable'}`);
+    }
+    const { enrollment_id, poll_interval_ms, expires_in_s } = start.json;
+    const ttlS = expires_in_s ?? 900;
+    const mins = Math.max(1, Math.round(ttlS / 60));
+    log('');
+    log(`📧  We emailed a confirmation link to ${email}.`);
+    log(`    Open it and click "Authorize device" to connect this machine (expires in ${mins} min).`);
+    log(`    Waiting…`);
+    const intervalMs = Math.max(1000, poll_interval_ms ?? 2000);
+    const deadline = Date.now() + ttlS * 1000;
+    while (Date.now() < deadline) {
+        await sleep(intervalMs);
+        const poll = await api.enrollPoll(enrollment_id, rawSecret, 8000);
+        const st = poll.json?.status;
+        if (st === 'ok' && poll.json?.api_key) {
+            const member = poll.json.member?.handle ?? '';
+            (0, config_1.saveFileConfig)({ apiKey: poll.json.api_key, baseUrl, member });
+            log('');
+            log(`✓  Authorized as ${member}. This machine is connected (config saved 0600).`);
+            return true;
+        }
+        if (st === 'expired') {
+            (0, ctx_1.die)('the confirmation link expired or was already used — run `convene setup` again to retry.');
+        }
+        // 'pending' / 'not_found' → the human hasn't confirmed yet; keep waiting.
+    }
+    (0, ctx_1.die)('timed out waiting for email confirmation — run `convene setup` again to retry.');
+    return false; // unreachable: die() exits.
+}

package/dist/commands/join.js

@@ -15,6 +15,7 @@ const config_1 = require("../config");
 const git_1 = require("../git");
 const hook_1 = require("../hook");
 const githook_1 = require("../githook");
+const enroll_1 = require("./enroll");
 const ctx_1 = require("../ctx");
 const log = (m) => process.stdout.write(m + '\n');
 async function join(opts) {
@@ -34,8 +35,25 @@ async function join(opts) {
     // unauthenticated mode otherwise (creates a new identity + key).
     const api = new api_1.ConveneApi(baseUrl, cfg.apiKey ?? null);
     const res = await api.join(slug, { token, handle, email, display_name: handle, tool: 'cli' }, 10_000);
-    if (res.status === 409)
-        (0, ctx_1.die)(`the handle "${handle}" is already taken — re-run with --handle <unique-handle>`);
+    if (res.status === 409) {
+        const code = res.json?.code;
+        const keyHint = `paste your key (Settings → API key at ${brand_1.BRAND.siteUrl}/settings, or ~/.convene/config.json on your other machine)`;
+        if (code === 'EMAIL_TAKEN') {
+            // Same human, new machine: connect THIS machine to the existing identity with NO key
+            // copying — prove email ownership via an emailed link, then re-run join authenticated
+            // so the (now-known) member is added to this project (idempotent if already a member).
+            log(`An identity already exists for ${email ?? 'your email'} — connecting this machine to it (no key copying needed).`);
+            const ok = await (0, enroll_1.enrollDevice)({ email, baseUrl });
+            if (ok)
+                return join(opts);
+            return; // enrollDevice prints guidance + exits on failure
+        }
+        (0, ctx_1.die)(`The handle "${handle}" is already taken on this bus.\n` +
+            `If that's you (same person, another machine), connect to your existing identity:\n` +
+            `  convene login --api-key -    # ${keyHint}\n` +
+            `If you want a SEPARATE identity here, pick a different handle via your email:\n` +
+            `  convene setup --email <a-different-email>   # the handle is derived from the email's local part`);
+    }
     if (res.status === 401 && cfg.apiKey)
         (0, ctx_1.die)('join token is invalid/expired/revoked, or your saved key is bad — ask an owner');
     if (res.status === 401)

package/dist/commands/watch.js

@@ -17,21 +17,24 @@ exports.watch = watch;
  *   - A bounded run (no live config / not on the bus) exits 0 silently so a
  *     SessionStart launch on a non-bus repo is a no-op.
  *
- * APPEND-ONLY + HIGH-WATER (awareness/concurrency #5 — the lost-interrupt race):
- *   - Each matched halt/interrupt is APPENDED to a per-slug jsonl via
- *     appendWatchEntry. The daemon NEVER truncates the log.
- *   - Readers (fetch / doctor / the health line) render entries with seq >
- *     high-water and advance a MONOTONIC high-water with persistHighWater. The
- *     reader, not the writer, owns the cursor, so a read can never race an append
- *     into losing an interrupt.
+ * RENDERING IS NOT THIS DAEMON'S JOB. Directed halts reach the agent's context
+ * via the server-truth PULL surfaces (fetch / session-open / lane-state), which
+ * query the server — the single authority for halt state. This daemon only:
+ *   - stamps a liveness heartbeat each iteration (the health line reads its age,
+ *     surfacing DEGRADED if the watcher is down);
+ *   - optionally fires a best-effort desktop notification per matched halt
+ *     (--notify; off by default — never enabled by the SessionStart spawn);
+ *   - persists a MONOTONIC poll cursor so a relaunch (every SessionStart) resumes
+ *     incrementally instead of re-scanning the backlog.
+ * It formerly appended matched halts to a per-slug jsonl for a reader to drain,
+ * but that reader was never wired up and a local cache could drift from server
+ * truth and mislead — so the jsonl was removed in favor of the pull path.
  *
- * TRUST: the daemon writes the message TYPE + server-derived routing/handles +
- * the (UNTRUSTED) body verbatim into the jsonl. The body is NEVER interpreted
- * here — the consumer renders it inert. The block DECISION is the guard's, from
- * lane-state; watch only narrows the window for non-deploy turns.
+ * TRUST: the block DECISION is the guard's, from lane-state. A halt body is
+ * UNTRUSTED and is NEVER interpreted here — the notification is a fixed template
+ * that never splices the body. watch only narrows the window for non-deploy turns.
  *
- * --notify: best-effort desktop ping per surfaced halt (delegates to the notify
- * verb's mechanism if present; otherwise silently skipped). Never blocks the loop.
+ * --notify: best-effort desktop ping per matched halt. Never blocks the loop.
  */
 const node_child_process_1 = require("node:child_process");
 const git_1 = require("../git");
@@ -80,30 +83,12 @@ function watchShouldExit(args) {
 }
 const HALT_TYPES = new Set(['halt', 'interrupt']);
 const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
-/** Map a server feed/poll message to an inert WatchEntry. Returns null for non-halts. */
-function toEntry(m) {
-    if (!m || typeof m !== 'object')
-        return null;
-    const type = typeof m.type === 'string' ? m.type : '';
-    if (!HALT_TYPES.has(type))
-        return null;
-    // seq is the messages.id (enrich exposes it as `seq`, falling back to numeric id).
-    const seq = typeof m.seq === 'number' ? m.seq : typeof m.id === 'number' ? m.id : Number(m.id);
-    if (!Number.isFinite(seq))
-        return null;
-    return {
-        seq,
-        type,
-        short_id: typeof m.short_id === 'string' ? m.short_id : null,
-        // from/to/body are DISPLAY/UNTRUSTED — copied verbatim, never interpreted here.
-        from: typeof m.from_handle === 'string' ? m.from_handle : typeof m.from === 'string' ? m.from : null,
-        to: typeof m.to === 'string' ? m.to : typeof m.to_member === 'string' ? m.to_member : null,
-        body: typeof m.body === 'string' ? m.body : null,
-        at: typeof m.created_at === 'string' ? m.created_at : null,
-    };
+/** True if a server feed/poll message is a halt/interrupt control message. */
+function isHaltMessage(m) {
+    return !!m && typeof m === 'object' && typeof m.type === 'string' && HALT_TYPES.has(m.type);
 }
 /** Best-effort desktop notification; never blocks or throws. */
-function notifyBestEffort(entry) {
+function notifyBestEffort() {
     try {
         if (process.platform === 'darwin') {
             // A halt is a control signal; the body is UNTRUSTED so we do NOT splice it
@@ -132,10 +117,9 @@ async function loop(opts) {
         return 0; // can't authenticate → silent no-op
     const instance = (0, cache_1.ensureSessionInstance)(slug);
     const api = new api_1.ConveneApi(cfg.baseUrl, cfg.apiKey, session, cfg.tool, instance);
-    // Resume cursor: start from the persisted high-water so a relaunch never
-    // re-reads material the reader already drained. (The reader's high-water is the
-    // canonical "already surfaced" mark; the daemon resumes from there.)
-    let cursor = (0, cache_1.readWatchHighWater)(slug);
+    // Resume from the persisted poll cursor so a relaunch (every SessionStart)
+    // resumes incrementally instead of re-scanning the backlog from zero.
+    let cursor = (0, cache_1.readWatchCursor)(slug);
     let backoff = BACKOFF_BASE_MS;
     let iterations = 0;
     const limit = typeof opts.maxIterations === 'number' ? opts.maxIterations : Infinity;
@@ -195,19 +179,17 @@ async function loop(opts) {
             backoff = BACKOFF_BASE_MS; // recovered
             const msgs = Array.isArray(res.json.messages) ? res.json.messages : [];
             for (const m of msgs) {
-                const entry = toEntry(m);
-                if (!entry)
+                if (!isHaltMessage(m))
                     continue;
-                (0, cache_1.appendWatchEntry)(slug, entry);
                 if (opts.notify)
-                    notifyBestEffort(entry);
+                    notifyBestEffort();
             }
-            // Advance the resume cursor to the server's reported cursor (monotonic). This
-            // is the long-poll resume seq, NOT the reader's high-water — the daemon must
-            // move past EVERY message it saw (incl. non-halts) or it would re-fetch them
-            // forever. The reader's high-water only advances over rendered halts.
-            if (typeof res.json.cursor === 'number' && res.json.cursor > cursor)
+            // Advance the resume cursor past EVERY message seen (incl. non-halts) so the
+            // daemon never re-fetches them, and PERSIST it so a relaunch resumes here.
+            if (typeof res.json.cursor === 'number' && res.json.cursor > cursor) {
                 cursor = res.json.cursor;
+                (0, cache_1.persistWatchCursor)(slug, cursor);
+            }
             iterations++;
         }
     }

package/dist/index.js

@@ -48,6 +48,7 @@ const post = __importStar(require("./commands/post"));
 const inbox_1 = require("./commands/inbox");
 const feedback_1 = require("./commands/feedback");
 const auth_1 = require("./commands/auth");
+const enroll_1 = require("./commands/enroll");
 const init_1 = require("./commands/init");
 const offboard_1 = require("./commands/offboard");
 const join_1 = require("./commands/join");
@@ -94,6 +95,15 @@ program
     .option('--api-key <key>', 'API key, or "-" to read from stdin (no shell history)')
     .option('--base-url <url>', 'Convene base URL')
     .action((opts) => (0, auth_1.login)(opts));
+program
+    .command('enroll-device')
+    .description('connect THIS machine to your existing identity via an emailed link (no key copying)')
+    .option('--email <email>', 'email of your existing identity (defaults to git user.email)')
+    .option('--base-url <url>', 'Convene base URL')
+    .option('--label <label>', 'a label for this device (defaults to hostname)')
+    .action(async (opts) => {
+    await (0, enroll_1.enrollDevice)({ email: opts.email, baseUrl: opts.baseUrl, label: opts.label });
+});
 program.command('whoami').description('show identity, base URL, session, bus status').action(() => (0, auth_1.whoami)());
 program
     .command('fetch')

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "convene-cli",
-  "version": "1.11.0",
+  "version": "1.12.0",
   "description": "Convene CLI — AI development coordination bus client + UserPromptSubmit hook. Install: npm i -g convene-cli; then `convene setup`.",
   "license": "MIT",
-  "homepage": "https://dev.convene.live",
+  "homepage": "https://convene.live",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/alex-hawkinson/Convene.git",