groove-dev 0.11.0 → 0.12.0

package/node_modules/@groove-dev/cli/bin/groove.js

@@ -16,6 +16,10 @@ import { teamSave, teamLoad, teamList, teamDelete, teamExport, teamImport } from
 import { approvals, approve, reject } from '../src/commands/approve.js';
 import { providers, setKey } from '../src/commands/providers.js';
 import { configShow, configSet } from '../src/commands/config.js';
+import { connect } from '../src/commands/connect.js';
+import { disconnect } from '../src/commands/disconnect.js';
+import { audit } from '../src/commands/audit.js';
+import { federationPair, federationUnpair, federationList, federationStatus } from '../src/commands/federation.js';
 
 program
   .name('groove')
@@ -26,6 +30,7 @@ program
   .command('start')
   .description('Start the GROOVE daemon')
   .option('-p, --port <port>', 'Port to run on', '31415')
+  .option('-H, --host <host>', 'Host/IP to bind to (use "tailscale" for auto-detect)', '127.0.0.1')
   .action(start);
 
 program
@@ -90,6 +95,33 @@ program
 program.command('providers').description('List available AI providers').action(providers);
 program.command('set-key <provider> <key>').description('Set API key for a provider').action(setKey);
 
+// Remote
+program
+  .command('connect <target>')
+  .description('Connect to a remote GROOVE daemon via SSH tunnel')
+  .option('-i, --identity <keyfile>', 'SSH private key file')
+  .option('--no-browser', 'Don\'t open browser automatically')
+  .action(connect);
+
+program
+  .command('disconnect')
+  .description('Disconnect from remote GROOVE daemon')
+  .action(disconnect);
+
+// Audit
+program
+  .command('audit')
+  .description('View audit log of state-changing operations')
+  .option('-n, --limit <count>', 'Number of entries to show', '25')
+  .action(audit);
+
+// Federation
+const federation = program.command('federation').description('Manage daemon-to-daemon federation');
+federation.command('pair <target>').description('Pair with a remote GROOVE daemon (ip or ip:port)').action(federationPair);
+federation.command('unpair <id>').description('Remove a paired peer').action(federationUnpair);
+federation.command('list').description('List paired peers').action(federationList);
+federation.command('status').description('Show federation status').action(federationStatus);
+
 // Config
 const config = program.command('config').description('View and modify configuration');
 config.command('show').description('Show current configuration').action(configShow);

package/node_modules/@groove-dev/cli/src/commands/audit.js

@@ -0,0 +1,60 @@
+// GROOVE CLI — audit command
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import chalk from 'chalk';
+import { apiCall } from '../client.js';
+
+const ACTION_COLORS = {
+  'agent.spawn': 'green',
+  'agent.kill': 'red',
+  'agent.kill_all': 'red',
+  'agent.rotate': 'yellow',
+  'agent.instruct': 'cyan',
+  'team.save': 'blue',
+  'team.load': 'blue',
+  'team.delete': 'red',
+  'team.import': 'blue',
+  'team.launch': 'green',
+  'config.set': 'yellow',
+  'credential.set': 'yellow',
+  'credential.delete': 'red',
+  'approval.approve': 'green',
+  'approval.reject': 'red',
+};
+
+function formatEntry(entry) {
+  const time = entry.t ? new Date(entry.t).toLocaleTimeString() : '??:??:??';
+  const color = ACTION_COLORS[entry.action] || 'white';
+  const action = chalk[color](entry.action.padEnd(20));
+
+  // Build detail string from remaining fields
+  const { t, action: _, ...detail } = entry;
+  const detailStr = Object.entries(detail)
+    .map(([k, v]) => `${k}=${typeof v === 'string' ? v : JSON.stringify(v)}`)
+    .join(' ');
+
+  return `  ${chalk.dim(time)}  ${action} ${chalk.dim(detailStr)}`;
+}
+
+export async function audit(options) {
+  try {
+    const limit = parseInt(options.limit, 10) || 25;
+    const entries = await apiCall('GET', `/api/audit?limit=${limit}`);
+
+    console.log('');
+    if (entries.length === 0) {
+      console.log(chalk.dim('  No audit entries yet.'));
+    } else {
+      console.log(chalk.bold(`  Audit Log`) + chalk.dim(` (${entries.length} entries, newest first)`));
+      console.log('');
+      for (const entry of entries) {
+        console.log(formatEntry(entry));
+      }
+    }
+    console.log('');
+  } catch {
+    console.log('');
+    console.log(chalk.yellow('  Daemon not running.'));
+    console.log('');
+  }
+}

package/node_modules/@groove-dev/cli/src/commands/connect.js

@@ -0,0 +1,279 @@
+// GROOVE CLI — connect command (SSH tunnel to remote daemon)
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { execFileSync, spawn } from 'child_process';
+import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
+import { resolve } from 'path';
+import { createConnection } from 'net';
+import chalk from 'chalk';
+
+const REMOTE_PORT = 31415;
+const DEFAULT_LOCAL_PORT = 31416;
+const MAX_PORT_ATTEMPTS = 10;
+
+// Allow user@host OR plain hostname (SSH config aliases like "groove-ai")
+const SSH_TARGET_PATTERN = /^([a-zA-Z0-9._-]+@)?[a-zA-Z0-9._-]+$/;
+
+function validateTarget(target) {
+  if (!target || typeof target !== 'string') {
+    throw new Error('SSH target is required (e.g., user@host or ssh-config-alias)');
+  }
+  // Block injection characters
+  if (/[;|&`$(){}[\]<>!#\n\r\\]/.test(target)) {
+    throw new Error('Invalid characters in SSH target');
+  }
+  if (!SSH_TARGET_PATTERN.test(target)) {
+    throw new Error('Invalid SSH target format. Expected: user@hostname or ssh-config-alias');
+  }
+  if (target.length > 253) {
+    throw new Error('SSH target too long');
+  }
+}
+
+function grooveDir() {
+  const dir = resolve(process.cwd(), '.groove');
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  return dir;
+}
+
+function pidFile() {
+  return resolve(grooveDir(), 'tunnel.pid');
+}
+
+function tunnelInfoFile() {
+  return resolve(grooveDir(), 'tunnel.json');
+}
+
+function isPortInUse(port) {
+  return new Promise((resolve) => {
+    const conn = createConnection({ host: '127.0.0.1', port });
+    conn.setTimeout(3000);
+    conn.on('connect', () => { conn.destroy(); resolve(true); });
+    conn.on('error', () => resolve(false));
+    conn.on('timeout', () => { conn.destroy(); resolve(false); });
+  });
+}
+
+async function findAvailablePort() {
+  for (let port = DEFAULT_LOCAL_PORT; port < DEFAULT_LOCAL_PORT + MAX_PORT_ATTEMPTS; port++) {
+    if (!(await isPortInUse(port))) return port;
+  }
+  throw new Error(`No available local port found (tried ${DEFAULT_LOCAL_PORT}-${DEFAULT_LOCAL_PORT + MAX_PORT_ATTEMPTS - 1})`);
+}
+
+function preflight(target, keyFile) {
+  // SSH in and check if daemon is listening on remote
+  // Use curl to health endpoint — works on both Linux and macOS
+  const args = [
+    ...(keyFile ? ['-i', keyFile] : []),
+    '-o', 'ConnectTimeout=10',
+    '-o', 'StrictHostKeyChecking=accept-new',
+    '-o', 'BatchMode=yes',
+    target,
+    `curl -sf http://localhost:${REMOTE_PORT}/api/health >/dev/null 2>&1 || echo __GROOVE_NOT_RUNNING__`,
+  ];
+
+  try {
+    const result = execFileSync('ssh', args, {
+      encoding: 'utf8',
+      timeout: 15000,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    if (result.includes('__GROOVE_NOT_RUNNING__')) {
+      return { running: false };
+    }
+    return { running: true };
+  } catch (err) {
+    const stderr = err.stderr?.toString() || '';
+    if (stderr.includes('Permission denied')) {
+      throw new Error('SSH authentication failed. Check your key or credentials.');
+    }
+    if (stderr.includes('Connection refused') || stderr.includes('Connection timed out') || stderr.includes('No route to host')) {
+      throw new Error(`Cannot reach ${target}. Check the hostname and that SSH is running.`);
+    }
+    throw new Error(`SSH preflight failed: ${stderr.trim() || err.message}`);
+  }
+}
+
+function isSshProcess(pid) {
+  // Verify the PID belongs to an SSH process (not a random reused PID)
+  try {
+    const cmd = execFileSync('ps', ['-p', String(pid), '-o', 'command='], {
+      encoding: 'utf8',
+      timeout: 3000,
+    }).trim();
+    return cmd.includes('ssh');
+  } catch {
+    return false;
+  }
+}
+
+function existingTunnel() {
+  const pf = pidFile();
+  if (!existsSync(pf)) return null;
+  const pid = parseInt(readFileSync(pf, 'utf8').trim(), 10);
+  if (isNaN(pid)) return null;
+  // Check if process is still alive AND is an SSH process
+  try {
+    process.kill(pid, 0);
+    if (!isSshProcess(pid)) {
+      // PID was reused by a different process — stale tunnel files
+      return null;
+    }
+    // Read tunnel info if available
+    const infoPath = tunnelInfoFile();
+    if (existsSync(infoPath)) {
+      const info = JSON.parse(readFileSync(infoPath, 'utf8'));
+      return { pid, ...info };
+    }
+    return { pid };
+  } catch {
+    return null;
+  }
+}
+
+function openBrowser(url) {
+  const platform = process.platform;
+  try {
+    if (platform === 'darwin') {
+      execFileSync('open', [url], { stdio: 'ignore' });
+    } else if (platform === 'win32') {
+      execFileSync('cmd', ['/c', 'start', '', url], { stdio: 'ignore' });
+    } else {
+      execFileSync('xdg-open', [url], { stdio: 'ignore' });
+    }
+  } catch {
+    // Browser open is best-effort
+  }
+}
+
+export async function connect(target, options) {
+  console.log('');
+
+  // Validate SSH target
+  try {
+    validateTarget(target);
+  } catch (err) {
+    console.log(chalk.red('  Error: ') + err.message);
+    console.log('');
+    return;
+  }
+
+  // Check for existing tunnel
+  const existing = existingTunnel();
+  if (existing) {
+    console.log(chalk.yellow('  Tunnel already active') + ` (PID ${existing.pid})`);
+    if (existing.target) {
+      console.log(`  Target:  ${existing.target}`);
+    }
+    if (existing.localPort) {
+      console.log(`  GUI:     ${chalk.cyan(`http://localhost:${existing.localPort}`)}`);
+    }
+    console.log('');
+    console.log(`  Run ${chalk.bold('groove disconnect')} first to close it.`);
+    console.log('');
+    return;
+  }
+
+  // Preflight — check daemon is running on remote
+  console.log(chalk.dim('  Checking remote daemon...'));
+  try {
+    const check = preflight(target, options.identity);
+    if (!check.running) {
+      console.log(chalk.red('  Daemon not running on remote.'));
+      console.log(`  SSH into ${chalk.bold(target)} and run ${chalk.bold('groove start')} first.`);
+      console.log('');
+      return;
+    }
+  } catch (err) {
+    console.log(chalk.red('  ' + err.message));
+    console.log('');
+    return;
+  }
+
+  console.log(chalk.dim('  Remote daemon is running.'));
+
+  // Find available local port
+  let localPort;
+  try {
+    localPort = await findAvailablePort();
+  } catch (err) {
+    console.log(chalk.red('  ' + err.message));
+    console.log('');
+    return;
+  }
+
+  if (localPort !== DEFAULT_LOCAL_PORT) {
+    console.log(chalk.yellow(`  Port ${DEFAULT_LOCAL_PORT} in use, using ${localPort} instead.`));
+  }
+
+  // Spawn SSH tunnel
+  const sshArgs = [
+    '-N',                                            // No remote command
+    '-L', `127.0.0.1:${localPort}:localhost:${REMOTE_PORT}`,  // Local bind to 127.0.0.1 only
+    '-o', 'ServerAliveInterval=30',                  // Keepalive every 30s
+    '-o', 'ServerAliveCountMax=3',                   // Die after 3 missed keepalives
+    '-o', 'ExitOnForwardFailure=yes',                // Fail if port forward fails
+    '-o', 'StrictHostKeyChecking=accept-new',
+    ...(options.identity ? ['-i', options.identity] : []),
+    target,
+  ];
+
+  const tunnel = spawn('ssh', sshArgs, {
+    stdio: ['ignore', 'ignore', 'pipe'],
+    detached: true,
+  });
+
+  // Capture stderr for early errors
+  let stderrBuf = '';
+  tunnel.stderr.on('data', (chunk) => { stderrBuf += chunk.toString(); });
+
+  // Wait a moment to catch immediate failures (bad key, connection refused)
+  await new Promise((resolve) => setTimeout(resolve, 2000));
+
+  // Check if tunnel is still alive
+  if (tunnel.exitCode !== null) {
+    console.log(chalk.red('  Tunnel failed to start.'));
+    if (stderrBuf.trim()) {
+      console.log(chalk.dim('  ' + stderrBuf.trim()));
+    }
+    console.log('');
+    return;
+  }
+
+  // Verify the tunnel is actually forwarding
+  const tunnelUp = await isPortInUse(localPort);
+  if (!tunnelUp) {
+    console.log(chalk.red('  Tunnel started but port forward not active.'));
+    try { process.kill(tunnel.pid); } catch { /* ignore */ }
+    console.log('');
+    return;
+  }
+
+  // Detach and save PID
+  tunnel.unref();
+  writeFileSync(pidFile(), String(tunnel.pid), { mode: 0o600 });
+  writeFileSync(tunnelInfoFile(), JSON.stringify({
+    target,
+    localPort,
+    remotePort: REMOTE_PORT,
+    startedAt: new Date().toISOString(),
+  }), { mode: 0o600 });
+
+  const url = `http://localhost:${localPort}`;
+
+  console.log('');
+  console.log(chalk.green('  Connected!'));
+  console.log('');
+  console.log(`  Target:  ${chalk.bold(target)}`);
+  console.log(`  Tunnel:  localhost:${localPort} → ${target}:${REMOTE_PORT}`);
+  console.log(`  GUI:     ${chalk.cyan(url)}`);
+  console.log(`  PID:     ${tunnel.pid}`);
+  console.log('');
+
+  // Open browser (Commander: --no-browser sets options.browser = false)
+  if (options.browser !== false) {
+    openBrowser(url);
+  }
+}

package/node_modules/@groove-dev/cli/src/commands/disconnect.js

@@ -0,0 +1,91 @@
+// GROOVE CLI — disconnect command (kill SSH tunnel)
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { execFileSync } from 'child_process';
+import { existsSync, readFileSync, unlinkSync } from 'fs';
+import { resolve } from 'path';
+import chalk from 'chalk';
+
+function pidFile() {
+  return resolve(process.cwd(), '.groove', 'tunnel.pid');
+}
+
+function tunnelInfoFile() {
+  return resolve(process.cwd(), '.groove', 'tunnel.json');
+}
+
+function cleanup() {
+  try { if (existsSync(pidFile())) unlinkSync(pidFile()); } catch { /* ignore */ }
+  try { if (existsSync(tunnelInfoFile())) unlinkSync(tunnelInfoFile()); } catch { /* ignore */ }
+}
+
+export async function disconnect() {
+  console.log('');
+
+  const pf = pidFile();
+  if (!existsSync(pf)) {
+    console.log(chalk.yellow('  No active tunnel found.'));
+    console.log('');
+    return;
+  }
+
+  const pid = parseInt(readFileSync(pf, 'utf8').trim(), 10);
+  if (isNaN(pid)) {
+    console.log(chalk.yellow('  Invalid tunnel PID file. Cleaning up.'));
+    cleanup();
+    console.log('');
+    return;
+  }
+
+  // Read tunnel info for display
+  let info = {};
+  try {
+    const infoPath = tunnelInfoFile();
+    if (existsSync(infoPath)) {
+      info = JSON.parse(readFileSync(infoPath, 'utf8'));
+    }
+  } catch { /* ignore */ }
+
+  // Check if process is alive
+  try {
+    process.kill(pid, 0);
+  } catch {
+    console.log(chalk.yellow('  Tunnel process already dead. Cleaning up.'));
+    cleanup();
+    console.log('');
+    return;
+  }
+
+  // Verify the PID belongs to an SSH process (not a random reused PID after reboot)
+  try {
+    const cmd = execFileSync('ps', ['-p', String(pid), '-o', 'command='], {
+      encoding: 'utf8', timeout: 3000,
+    }).trim();
+    if (!cmd.includes('ssh')) {
+      console.log(chalk.yellow('  PID no longer belongs to an SSH tunnel. Cleaning up stale files.'));
+      cleanup();
+      console.log('');
+      return;
+    }
+  } catch {
+    // ps failed — proceed cautiously, don't kill
+    console.log(chalk.yellow('  Cannot verify tunnel process. Cleaning up stale files.'));
+    cleanup();
+    console.log('');
+    return;
+  }
+
+  // Kill the tunnel
+  try {
+    process.kill(pid, 'SIGTERM');
+    console.log(chalk.green('  Tunnel disconnected.'));
+    if (info.target) {
+      console.log(`  Was connected to: ${chalk.dim(info.target)}`);
+    }
+  } catch (err) {
+    console.log(chalk.red('  Failed to kill tunnel: ') + err.message);
+  }
+
+  cleanup();
+  console.log('');
+}

package/node_modules/@groove-dev/cli/src/commands/federation.js

@@ -0,0 +1,84 @@
+// GROOVE CLI — federation commands
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import chalk from 'chalk';
+import { apiCall } from '../client.js';
+
+export async function federationPair(target) {
+  // target can be: <ip>:<port>, <ip> (default port), tailscale-ip
+  let remoteUrl = target;
+  if (!remoteUrl.startsWith('http')) {
+    // Add default port if not specified
+    const hasPort = remoteUrl.includes(':') && !remoteUrl.startsWith('[');
+    remoteUrl = `http://${remoteUrl}${hasPort ? '' : ':31415'}`;
+  }
+
+  console.log('');
+  console.log(chalk.dim(`  Pairing with ${remoteUrl}...`));
+
+  try {
+    const result = await apiCall('POST', '/api/federation/initiate', { remoteUrl });
+    console.log(chalk.green('  Paired successfully!'));
+    console.log('');
+    console.log(`  Peer ID:   ${result.peerId}`);
+    console.log(`  Peer Name: ${result.peerName}`);
+    console.log(`  Peer Host: ${result.peerHost}`);
+    console.log('');
+  } catch (err) {
+    console.log(chalk.red('  Pairing failed: ') + err.message);
+    console.log('');
+  }
+}
+
+export async function federationUnpair(peerId) {
+  console.log('');
+  try {
+    await apiCall('DELETE', `/api/federation/peers/${peerId}`);
+    console.log(chalk.green(`  Unpaired peer ${peerId}.`));
+  } catch (err) {
+    console.log(chalk.red('  Unpair failed: ') + err.message);
+  }
+  console.log('');
+}
+
+export async function federationList() {
+  console.log('');
+  try {
+    const peers = await apiCall('GET', '/api/federation/peers');
+    if (peers.length === 0) {
+      console.log(chalk.dim('  No paired peers.'));
+      console.log(`  Run ${chalk.bold('groove federation pair <host>')} to pair with a remote daemon.`);
+    } else {
+      console.log(chalk.bold(`  Paired Peers`) + chalk.dim(` (${peers.length})`));
+      console.log('');
+      for (const peer of peers) {
+        const age = peer.pairedAt ? chalk.dim(` (since ${new Date(peer.pairedAt).toLocaleDateString()})`) : '';
+        console.log(`  ${chalk.cyan(peer.id)}  ${peer.host}:${peer.port}${age}`);
+      }
+    }
+  } catch {
+    console.log(chalk.yellow('  Daemon not running.'));
+  }
+  console.log('');
+}
+
+export async function federationStatus() {
+  console.log('');
+  try {
+    const status = await apiCall('GET', '/api/federation');
+    console.log(chalk.bold('  Federation'));
+    console.log('');
+    console.log(`  Daemon ID:  ${chalk.cyan(status.id)}`);
+    console.log(`  Keypair:    ${status.hasKeypair ? chalk.green('ready') : chalk.red('missing')}`);
+    console.log(`  Peers:      ${status.peerCount}`);
+    if (status.peers.length > 0) {
+      console.log('');
+      for (const peer of status.peers) {
+        console.log(`    ${chalk.cyan(peer.id)}  ${peer.host}:${peer.port}`);
+      }
+    }
+  } catch {
+    console.log(chalk.yellow('  Daemon not running.'));
+  }
+  console.log('');
+}

package/node_modules/@groove-dev/cli/src/commands/start.js

@@ -8,7 +8,10 @@ export async function start(options) {
   console.log(chalk.bold('GROOVE') + ' starting daemon...');
 
   try {
-    const daemon = new Daemon({ port: parseInt(options.port, 10) });
+    const daemon = new Daemon({
+      port: parseInt(options.port, 10),
+      host: options.host,
+    });
 
     const shutdown = async () => {
       console.log('\nShutting down...');
@@ -23,7 +26,9 @@ export async function start(options) {
     process.on('SIGTERM', shutdown);
 
     await daemon.start();
-    console.log(chalk.green('Ready.') + ` Open http://localhost:${options.port} for the GUI.`);
+    const isRemote = daemon.host !== '127.0.0.1';
+    const guiUrl = `http://${isRemote ? daemon.host : 'localhost'}:${daemon.port}`;
+    console.log(chalk.green('Ready.') + ` Open ${guiUrl} for the GUI.`);
   } catch (err) {
     console.error(chalk.red('Failed to start:'), err.message);
     process.exit(1);

package/node_modules/@groove-dev/cli/src/commands/status.js

@@ -10,13 +10,16 @@ export async function status() {
     console.log('');
     console.log(chalk.bold('  GROOVE Daemon'));
     console.log('');
+    const isRemote = s.host && s.host !== '127.0.0.1';
+    const guiHost = isRemote ? s.host : 'localhost';
     console.log(`  Status:   ${chalk.green('running')}`);
     console.log(`  PID:      ${s.pid}`);
+    console.log(`  Host:     ${s.host || '127.0.0.1'}${isRemote ? chalk.yellow(' (network)') : ''}`);
     console.log(`  Port:     ${s.port}`);
     console.log(`  Uptime:   ${formatUptime(s.uptime)}`);
     console.log(`  Agents:   ${s.agents} total, ${s.running} running`);
     console.log(`  Project:  ${s.projectDir}`);
-    console.log(`  GUI:      ${chalk.cyan(`http://localhost:${s.port}`)}`);
+    console.log(`  GUI:      ${chalk.cyan(`http://${guiHost}:${s.port}`)}`);
     console.log('');
   } catch {
     console.log('');