groove-dev 0.10.10 → 0.12.0

package/packages/daemon/src/api.js

@@ -11,7 +11,7 @@ import { validateAgentConfig } from './validate.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
 export function createApi(app, daemon) {
-  // CORS — restrict to localhost origins only
+  // CORS — restrict to localhost + bound interface origins
   app.use((req, res, next) => {
     const origin = req.headers.origin;
     const allowed = [
@@ -19,6 +19,10 @@ export function createApi(app, daemon) {
       `http://127.0.0.1:${daemon.port}`,
       'http://localhost:3142', // Vite dev server
     ];
+    // Allow the bound interface (for Tailscale/LAN access)
+    if (daemon.host && daemon.host !== '127.0.0.1') {
+      allowed.push(`http://${daemon.host}:${daemon.port}`);
+    }
     if (!origin || allowed.includes(origin)) {
       res.header('Access-Control-Allow-Origin', origin || '*');
     }
@@ -52,6 +56,7 @@ export function createApi(app, daemon) {
     try {
       const config = validateAgentConfig(req.body);
       const agent = await daemon.processes.spawn(config);
+      daemon.audit.log('agent.spawn', { id: agent.id, role: agent.role, provider: agent.provider });
       res.status(201).json(agent);
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -81,6 +86,7 @@ export function createApi(app, daemon) {
         daemon.registry.remove(req.params.id);
       }
 
+      daemon.audit.log('agent.kill', { id: agent.id, role: agent.role, purged: req.query.purge === 'true' || !isAlive });
       res.json({ ok: true, purged: req.query.purge === 'true' || !isAlive });
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -89,7 +95,9 @@ export function createApi(app, daemon) {
 
   // Kill all agents
   app.delete('/api/agents', async (req, res) => {
+    const count = daemon.processes.getRunningCount();
     await daemon.processes.killAll();
+    daemon.audit.log('agent.kill_all', { count });
     res.json({ ok: true });
   });
 
@@ -122,11 +130,13 @@ export function createApi(app, daemon) {
   app.post('/api/credentials/:provider', (req, res) => {
     if (!req.body.key) return res.status(400).json({ error: 'key is required' });
     daemon.credentials.setKey(req.params.provider, req.body.key);
+    daemon.audit.log('credential.set', { provider: req.params.provider });
     res.json({ ok: true, masked: daemon.credentials.mask(req.body.key) });
   });
 
   app.delete('/api/credentials/:provider', (req, res) => {
     daemon.credentials.deleteKey(req.params.provider);
+    daemon.audit.log('credential.delete', { provider: req.params.provider });
     res.json({ ok: true });
   });
 
@@ -157,6 +167,7 @@ export function createApi(app, daemon) {
       uptime: process.uptime(),
       agents: daemon.registry.getAll().length,
       running: daemon.processes.getRunningCount(),
+      host: daemon.host,
       port: daemon.port,
       projectDir: daemon.projectDir,
     });
@@ -174,6 +185,7 @@ export function createApi(app, daemon) {
   app.post('/api/teams', (req, res) => {
     try {
       const team = daemon.teams.save(req.body.name);
+      daemon.audit.log('team.save', { name: req.body.name });
       res.status(201).json(team);
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -183,6 +195,7 @@ export function createApi(app, daemon) {
   app.post('/api/teams/:name/load', async (req, res) => {
     try {
       const result = await daemon.teams.load(req.params.name);
+      daemon.audit.log('team.load', { name: req.params.name });
       res.json(result);
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -192,6 +205,7 @@ export function createApi(app, daemon) {
   app.delete('/api/teams/:name', (req, res) => {
     try {
       daemon.teams.delete(req.params.name);
+      daemon.audit.log('team.delete', { name: req.params.name });
       res.json({ ok: true });
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -210,6 +224,7 @@ export function createApi(app, daemon) {
   app.post('/api/teams/import', (req, res) => {
     try {
       const team = daemon.teams.import(JSON.stringify(req.body));
+      daemon.audit.log('team.import', { name: team.name });
       res.status(201).json(team);
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -229,12 +244,14 @@ export function createApi(app, daemon) {
   app.post('/api/approvals/:id/approve', (req, res) => {
     const result = daemon.supervisor.approve(req.params.id);
     if (!result) return res.status(404).json({ error: 'Approval not found' });
+    daemon.audit.log('approval.approve', { id: req.params.id });
     res.json(result);
   });
 
   app.post('/api/approvals/:id/reject', (req, res) => {
     const result = daemon.supervisor.reject(req.params.id, req.body.reason);
     if (!result) return res.status(404).json({ error: 'Approval not found' });
+    daemon.audit.log('approval.reject', { id: req.params.id, reason: req.body.reason });
     res.json(result);
   });
 
@@ -247,7 +264,9 @@ export function createApi(app, daemon) {
   // Rotate an agent
   app.post('/api/agents/:id/rotate', async (req, res) => {
     try {
+      const oldAgent = daemon.registry.get(req.params.id);
       const newAgent = await daemon.rotator.rotate(req.params.id);
+      daemon.audit.log('agent.rotate', { oldId: req.params.id, newId: newAgent.id, role: oldAgent?.role });
       res.json(newAgent);
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -268,10 +287,12 @@ export function createApi(app, daemon) {
 
       // Try session resume first (zero cold-start)
       // Falls back to rotation if no session ID or provider doesn't support resume
-      const newAgent = agent.sessionId
+      const resumed = !!agent.sessionId;
+      const newAgent = resumed
         ? await daemon.processes.resume(req.params.id, message.trim())
         : await daemon.rotator.rotate(req.params.id, { additionalPrompt: message.trim() });
 
+      daemon.audit.log('agent.instruct', { id: req.params.id, newId: newAgent.id, resumed });
       res.json(newAgent);
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -341,6 +362,27 @@ export function createApi(app, daemon) {
     res.json(daemon.adaptive.getAllProfiles());
   });
 
+  // --- Codebase Indexer ---
+
+  app.get('/api/indexer', (req, res) => {
+    res.json(daemon.indexer.getStatus());
+  });
+
+  app.get('/api/indexer/workspaces', (req, res) => {
+    res.json({
+      workspaces: daemon.indexer.getWorkspaces(),
+    });
+  });
+
+  app.post('/api/indexer/rescan', (req, res) => {
+    try {
+      daemon.indexer.scan();
+      res.json({ ok: true, ...daemon.indexer.getStatus() });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
   // --- Project Manager (AI Review Gate) ---
 
   // Agent knocks on PM before risky operations (Auto permission mode)
@@ -401,11 +443,13 @@ export function createApi(app, daemon) {
           provider: config.provider || 'claude-code',
           model: config.model || 'auto',
           permission: config.permission || 'auto',
+          workingDir: config.workingDir || undefined,
         });
         const agent = await daemon.processes.spawn(validated);
         spawned.push({ id: agent.id, name: agent.name, role: agent.role });
       }
 
+      daemon.audit.log('team.launch', { count: spawned.length, agents: spawned.map((a) => a.role) });
       res.json({ launched: spawned.length, agents: spawned });
     } catch (err) {
       res.status(500).json({ error: err.message });
@@ -502,6 +546,87 @@ export function createApi(app, daemon) {
     });
   });
 
+  // --- Federation ---
+
+  // Federation status
+  app.get('/api/federation', (req, res) => {
+    res.json(daemon.federation.getStatus());
+  });
+
+  // List peers
+  app.get('/api/federation/peers', (req, res) => {
+    res.json(daemon.federation.getPeers());
+  });
+
+  // Initiate pairing (local CLI calls this with the remote URL)
+  app.post('/api/federation/initiate', async (req, res) => {
+    try {
+      const { remoteUrl } = req.body;
+      if (!remoteUrl || typeof remoteUrl !== 'string') {
+        return res.status(400).json({ error: 'remoteUrl is required' });
+      }
+      const result = await daemon.federation.initiatePairing(remoteUrl);
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // Accept pairing (remote daemon calls this during key exchange)
+  app.post('/api/federation/pair', (req, res) => {
+    try {
+      const result = daemon.federation.acceptPairing(req.body);
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // Unpair a peer
+  app.delete('/api/federation/peers/:id', (req, res) => {
+    try {
+      daemon.federation.unpair(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // Receive a signed contract from a peer
+  app.post('/api/federation/contract', (req, res) => {
+    try {
+      const { senderId, payload, signature } = req.body;
+      if (!senderId || !payload || !signature) {
+        return res.status(400).json({ error: 'senderId, payload, and signature are required' });
+      }
+      const result = daemon.federation.receiveContract(senderId, payload, signature);
+      res.json(result);
+    } catch (err) {
+      res.status(403).json({ error: err.message });
+    }
+  });
+
+  // Send a contract to a peer (local agents call this)
+  app.post('/api/federation/contract/send', async (req, res) => {
+    try {
+      const { peerId, contract } = req.body;
+      if (!peerId || !contract) {
+        return res.status(400).json({ error: 'peerId and contract are required' });
+      }
+      const result = await daemon.federation.sendContract(peerId, contract);
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // --- Audit Log ---
+
+  app.get('/api/audit', (req, res) => {
+    const limit = Math.min(parseInt(req.query.limit, 10) || 50, 500);
+    res.json(daemon.audit.recent(limit));
+  });
+
   // --- Config ---
 
   app.get('/api/config', (req, res) => {
@@ -521,6 +646,7 @@ export function createApi(app, daemon) {
     }
     const { saveConfig } = await import('./firstrun.js');
     saveConfig(daemon.grooveDir, daemon.config);
+    daemon.audit.log('config.set', { keys: Object.keys(req.body) });
     res.json(daemon.config);
   });
 

package/packages/daemon/src/audit.js

@@ -0,0 +1,65 @@
+// GROOVE — Audit Logger
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { appendFileSync, readFileSync, existsSync, renameSync, statSync } from 'fs';
+import { resolve } from 'path';
+
+const MAX_LOG_SIZE = 5 * 1024 * 1024; // 5MB
+
+export class AuditLogger {
+  constructor(grooveDir) {
+    this.logPath = resolve(grooveDir, 'audit.log');
+  }
+
+  /**
+   * Append an audit entry.
+   * @param {string} action — e.g. 'agent.spawn', 'config.set', 'team.load'
+   * @param {object} detail — action-specific metadata (keep it small)
+   */
+  log(action, detail = {}) {
+    const entry = JSON.stringify({
+      t: new Date().toISOString(),
+      action,
+      ...detail,
+    });
+    try {
+      // Rotate if log exceeds 5MB
+      if (existsSync(this.logPath)) {
+        try {
+          const size = statSync(this.logPath).size;
+          if (size > MAX_LOG_SIZE) {
+            const rotated = this.logPath + '.1';
+            renameSync(this.logPath, rotated);
+          }
+        } catch { /* ignore rotation errors */ }
+      }
+      appendFileSync(this.logPath, entry + '\n', { mode: 0o600 });
+    } catch {
+      // Audit must never crash the daemon
+    }
+  }
+
+  /**
+   * Read recent entries (newest first).
+   * @param {number} limit — max entries to return
+   * @returns {object[]}
+   */
+  recent(limit = 50) {
+    if (!existsSync(this.logPath)) return [];
+    try {
+      const lines = readFileSync(this.logPath, 'utf8')
+        .trim()
+        .split('\n')
+        .filter(Boolean);
+      return lines
+        .slice(-limit)
+        .reverse()
+        .map((line) => {
+          try { return JSON.parse(line); } catch { return null; }
+        })
+        .filter(Boolean);
+    } catch {
+      return [];
+    }
+  }
+}

package/packages/daemon/src/federation.js

@@ -0,0 +1,352 @@
+// GROOVE — Federation (Ed25519 key exchange + contract signing)
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { generateKeyPairSync, sign, verify, createPublicKey, createPrivateKey, createHash } from 'crypto';
+import { existsSync, mkdirSync, writeFileSync, readFileSync, unlinkSync, readdirSync } from 'fs';
+import { resolve } from 'path';
+
+// Peer IDs must be safe for filenames — hex only (from SHA-256 fingerprint)
+const PEER_ID_PATTERN = /^[a-f0-9]{1,64}$/;
+
+function validatePeerId(id) {
+  if (!id || typeof id !== 'string' || !PEER_ID_PATTERN.test(id)) {
+    throw new Error(`Invalid peer ID: must be lowercase hex (got: ${String(id).slice(0, 20)})`);
+  }
+}
+
+export class Federation {
+  constructor(daemon) {
+    this.daemon = daemon;
+    this.fedDir = resolve(daemon.grooveDir, 'federation');
+    this.peersDir = resolve(this.fedDir, 'peers');
+    mkdirSync(this.peersDir, { recursive: true });
+
+    // Load or generate this daemon's keypair
+    this.keyPath = resolve(this.fedDir, 'identity.key');
+    this.pubPath = resolve(this.fedDir, 'identity.pub');
+    this._ensureKeypair();
+
+    // In-memory peer cache
+    this.peers = this._loadPeers();
+
+    // Pending pairing requests (in-memory, short-lived)
+    this.pendingPairs = new Map();
+  }
+
+  // --- Key Management ---
+
+  _ensureKeypair() {
+    if (existsSync(this.keyPath) && existsSync(this.pubPath)) {
+      this.privateKey = createPrivateKey(readFileSync(this.keyPath));
+      this.publicKey = createPublicKey(readFileSync(this.pubPath));
+      return;
+    }
+
+    const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
+      publicKeyEncoding: { type: 'spki', format: 'pem' },
+      privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+    });
+
+    writeFileSync(this.keyPath, privateKey, { mode: 0o600 });
+    writeFileSync(this.pubPath, publicKey, { mode: 0o644 });
+
+    this.privateKey = createPrivateKey(privateKey);
+    this.publicKey = createPublicKey(publicKey);
+  }
+
+  getPublicKeyPem() {
+    return readFileSync(this.pubPath, 'utf8');
+  }
+
+  // --- Signing / Verification ---
+
+  /**
+   * Sign a payload (contract or message).
+   * @param {object} payload — JSON-serializable data
+   * @returns {{ payload: object, signature: string }}
+   */
+  sign(payload) {
+    const data = Buffer.from(JSON.stringify(payload), 'utf8');
+    const sig = sign(null, data, this.privateKey);
+    return {
+      payload,
+      signature: sig.toString('base64'),
+    };
+  }
+
+  /**
+   * Verify a signed message from a peer.
+   * @param {string} peerId — the peer's ID
+   * @param {object} payload — the original payload
+   * @param {string} signature — base64 signature
+   * @returns {boolean}
+   */
+  verify(peerId, payload, signature) {
+    const peer = this.peers.get(peerId);
+    if (!peer) return false;
+
+    try {
+      const data = Buffer.from(JSON.stringify(payload), 'utf8');
+      const sig = Buffer.from(signature, 'base64');
+      const pubKey = createPublicKey(peer.publicKey);
+      return verify(null, data, pubKey, sig);
+    } catch {
+      return false;
+    }
+  }
+
+  // --- Peer Management ---
+
+  _loadPeers() {
+    const peers = new Map();
+    if (!existsSync(this.peersDir)) return peers;
+
+    for (const file of readdirSync(this.peersDir)) {
+      if (!file.endsWith('.json')) continue;
+      try {
+        const data = JSON.parse(readFileSync(resolve(this.peersDir, file), 'utf8'));
+        peers.set(data.id, data);
+      } catch { /* skip corrupt files */ }
+    }
+    return peers;
+  }
+
+  _savePeer(peer) {
+    validatePeerId(peer.id);
+    const file = resolve(this.peersDir, `${peer.id}.json`);
+    writeFileSync(file, JSON.stringify(peer, null, 2), { mode: 0o600 });
+    this.peers.set(peer.id, peer);
+  }
+
+  _removePeer(peerId) {
+    validatePeerId(peerId);
+    const file = resolve(this.peersDir, `${peerId}.json`);
+    if (existsSync(file)) unlinkSync(file);
+    this.peers.delete(peerId);
+  }
+
+  /**
+   * Initiate pairing with a remote daemon.
+   * Sends our public key + daemon info to the remote.
+   * @param {string} remoteUrl — http://<ip>:<port> of remote daemon
+   * @returns {object} pairing result
+   */
+  async initiatePairing(remoteUrl) {
+    const localInfo = this._localInfo();
+
+    // Send our public key to the remote daemon's pairing endpoint
+    const res = await fetch(`${remoteUrl}/api/federation/pair`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        id: localInfo.id,
+        name: localInfo.name,
+        host: localInfo.host,
+        port: localInfo.port,
+        publicKey: this.getPublicKeyPem(),
+      }),
+    });
+
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(err.error || `Pairing failed: HTTP ${res.status}`);
+    }
+
+    const remote = await res.json();
+
+    // Validate remote response before trusting it
+    if (!remote.id || !remote.publicKey) {
+      throw new Error('Remote returned invalid pairing response');
+    }
+    validatePeerId(remote.id);
+    try {
+      createPublicKey(remote.publicKey);
+    } catch {
+      throw new Error('Remote returned invalid public key');
+    }
+
+    // Store the remote's public key as a trusted peer
+    this._savePeer({
+      id: remote.id,
+      name: remote.name,
+      host: remote.host,
+      port: remote.port,
+      publicKey: remote.publicKey,
+      pairedAt: new Date().toISOString(),
+    });
+
+    this.daemon.audit.log('federation.pair', { peerId: remote.id, peerHost: remote.host });
+
+    return {
+      peerId: remote.id,
+      peerName: remote.name,
+      peerHost: remote.host,
+    };
+  }
+
+  /**
+   * Handle incoming pairing request from a remote daemon.
+   * @param {object} remoteInfo — { id, name, host, port, publicKey }
+   * @returns {object} our info + public key for the remote to store
+   */
+  acceptPairing(remoteInfo) {
+    if (!remoteInfo.id || !remoteInfo.publicKey) {
+      throw new Error('Invalid pairing request: missing id or publicKey');
+    }
+
+    validatePeerId(remoteInfo.id);
+
+    // Validate the public key is parseable PEM
+    try {
+      createPublicKey(remoteInfo.publicKey);
+    } catch {
+      throw new Error('Invalid pairing request: publicKey is not valid PEM');
+    }
+
+    // Store the remote peer
+    this._savePeer({
+      id: remoteInfo.id,
+      name: remoteInfo.name || remoteInfo.id,
+      host: remoteInfo.host,
+      port: remoteInfo.port,
+      publicKey: remoteInfo.publicKey,
+      pairedAt: new Date().toISOString(),
+    });
+
+    this.daemon.audit.log('federation.pair', { peerId: remoteInfo.id, peerHost: remoteInfo.host });
+
+    // Return our info so the remote can store us
+    const localInfo = this._localInfo();
+    return {
+      id: localInfo.id,
+      name: localInfo.name,
+      host: localInfo.host,
+      port: localInfo.port,
+      publicKey: this.getPublicKeyPem(),
+    };
+  }
+
+  /**
+   * Remove a peer.
+   */
+  unpair(peerId) {
+    if (!this.peers.has(peerId)) {
+      throw new Error(`Peer not found: ${peerId}`);
+    }
+    const peer = this.peers.get(peerId);
+    this._removePeer(peerId);
+    this.daemon.audit.log('federation.unpair', { peerId, peerHost: peer.host });
+  }
+
+  // --- Contracts ---
+
+  /**
+   * Send a signed contract to a peer daemon.
+   * @param {string} peerId — target peer
+   * @param {object} contract — { type, spec, from, to }
+   * @returns {object} remote response
+   */
+  async sendContract(peerId, contract) {
+    const peer = this.peers.get(peerId);
+    if (!peer) throw new Error(`Unknown peer: ${peerId}`);
+
+    const envelope = this.sign({
+      ...contract,
+      from: this._localInfo().id,
+      timestamp: new Date().toISOString(),
+    });
+
+    const url = `http://${peer.host}:${peer.port}/api/federation/contract`;
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ senderId: this._localInfo().id, ...envelope }),
+    });
+
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(err.error || `Contract delivery failed: HTTP ${res.status}`);
+    }
+
+    this.daemon.audit.log('federation.contract.send', { peerId, type: contract.type });
+
+    return res.json();
+  }
+
+  /**
+   * Receive and verify a contract from a peer.
+   * @param {string} senderId — claimed sender
+   * @param {object} payload — the contract data
+   * @param {string} signature — base64 Ed25519 signature
+   * @returns {object} verified contract
+   */
+  receiveContract(senderId, payload, signature) {
+    if (!this.peers.has(senderId)) {
+      throw new Error(`Unknown sender: ${senderId}. Not a paired peer.`);
+    }
+
+    if (!this.verify(senderId, payload, signature)) {
+      throw new Error(`Signature verification failed for sender: ${senderId}`);
+    }
+
+    // Replay protection — reject contracts older than 5 minutes
+    if (payload.timestamp) {
+      const age = Date.now() - new Date(payload.timestamp).getTime();
+      if (age > 5 * 60 * 1000) {
+        throw new Error(`Contract too old (${Math.round(age / 1000)}s). Possible replay.`);
+      }
+      if (age < -60 * 1000) {
+        throw new Error('Contract timestamp is in the future. Clock skew?');
+      }
+    }
+
+    this.daemon.audit.log('federation.contract.recv', {
+      senderId,
+      type: payload.type,
+    });
+
+    return { verified: true, contract: payload };
+  }
+
+  // --- Info / Status ---
+
+  _localInfo() {
+    return {
+      id: this._daemonId(),
+      name: this._daemonId(),
+      host: this.daemon.host,
+      port: this.daemon.port,
+    };
+  }
+
+  _daemonId() {
+    // Stable ID derived from keypair — fingerprint of public key
+    const idPath = resolve(this.fedDir, 'daemon.id');
+    if (existsSync(idPath)) {
+      return readFileSync(idPath, 'utf8').trim();
+    }
+    const pubPem = this.getPublicKeyPem();
+    const id = createHash('sha256').update(pubPem).digest('hex').slice(0, 12);
+    writeFileSync(idPath, id, { mode: 0o600 });
+    return id;
+  }
+
+  getPeers() {
+    return Array.from(this.peers.values()).map((p) => ({
+      id: p.id,
+      name: p.name,
+      host: p.host,
+      port: p.port,
+      pairedAt: p.pairedAt,
+    }));
+  }
+
+  getStatus() {
+    return {
+      id: this._daemonId(),
+      peers: this.getPeers(),
+      peerCount: this.peers.size,
+      hasKeypair: existsSync(this.keyPath),
+    };
+  }
+}