groove-dev 0.27.14 → 0.27.17

package/node_modules/@groove-dev/daemon/src/providers/index.js

@@ -1,12 +1,29 @@
 // GROOVE — Provider Registry
 // FSL-1.1-Apache-2.0 — see LICENSE
 
+import { execSync } from 'child_process';
 import { ClaudeCodeProvider } from './claude-code.js';
 import { CodexProvider } from './codex.js';
 import { GeminiProvider } from './gemini.js';
 import { OllamaProvider } from './ollama.js';
 import { LocalProvider } from './local.js';
 
+// Electron forks may not inherit the full shell PATH, causing `which` to miss
+// globally-installed CLI tools. Augment PATH with common npm global bin dirs.
+(function augmentPath() {
+  const extra = ['/usr/local/bin', '/opt/homebrew/bin'];
+  try {
+    const npmPrefix = execSync('npm config get prefix 2>/dev/null', { encoding: 'utf8', timeout: 5000 }).trim();
+    const npmGlobal = npmPrefix ? `${npmPrefix}/bin` : '';
+    if (npmGlobal) extra.push(npmGlobal);
+  } catch { /* npm itself may not be in PATH yet */ }
+  const home = process.env.HOME || '';
+  if (home) extra.push(`${home}/.npm-global/bin`);
+  const cur = process.env.PATH || '';
+  const toAdd = extra.filter(p => p && !cur.split(':').includes(p));
+  if (toAdd.length) process.env.PATH = [...toAdd, cur].join(':');
+})();
+
 const providers = {
   'claude-code': new ClaudeCodeProvider(),
   'codex': new CodexProvider(),

package/node_modules/@groove-dev/daemon/src/registry.js

@@ -12,9 +12,18 @@ export class Registry extends EventEmitter {
   }
 
   add(config) {
+    let name = config.name || `${config.role}-${this.agents.size + 1}`;
+    // Dedup: ensure name is unique within the same team
+    const teamId = config.teamId || null;
+    const existing = this.getAll();
+    if (existing.some((a) => a.name === name && a.teamId === teamId)) {
+      let suffix = 2;
+      while (existing.some((a) => a.name === `${name}-${suffix}` && a.teamId === teamId)) suffix++;
+      name = `${name}-${suffix}`;
+    }
     const agent = {
       id: randomUUID().slice(0, 8),
-      name: config.name || `${config.role}-${this.agents.size + 1}`,
+      name,
       role: config.role,
       scope: config.scope || [],
       provider: config.provider || 'claude-code',

package/node_modules/@groove-dev/daemon/src/rotator.js

@@ -4,14 +4,23 @@
 import { EventEmitter } from 'events';
 import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { resolve } from 'path';
+import { getProvider } from './providers/index.js';
 
-const DEFAULT_THRESHOLD = 0.75;
-const HARD_CEILING = 0.85;  // Force rotate at 85% — no idle check, prevents compaction
+const DEFAULT_THRESHOLD = 0.65;      // For non-self-managing providers (was 0.75)
+const HARD_CEILING = 0.80;           // Force rotate (was 0.85) — only for non-self-managing
 const CHECK_INTERVAL = 15_000;
 const QUALITY_THRESHOLD = 40;   // Score below this triggers quality rotation
 const MIN_EVENTS = 10;          // Minimum classifier events before scoring
 const MIN_AGE_SEC = 120;        // Minimum agent age before quality rotation
 const SCORE_HISTORY_MAX = 40;   // ~10 min at 15s intervals
+const COOLDOWN_MS = 5 * 60 * 1000;   // 5 minutes between rotations per agent
+const TOKEN_CEILING = 5_000_000;     // 5M tokens per agent (non-self-managing only)
+const ROLE_MULTIPLIERS = {
+  planner: 10,
+  fullstack: 4,
+  security: 4,
+  analyst: 5,
+};
 
 export class Rotator extends EventEmitter {
   constructor(daemon) {
@@ -20,6 +29,7 @@ export class Rotator extends EventEmitter {
     this.interval = null;
     this.rotationHistory = [];
     this.rotating = new Set();
+    this.lastRotationTime = new Map(); // agentId -> timestamp of last rotation
     this.enabled = false;
     this.liveScores = {};
     this.scoreHistory = {};
@@ -91,6 +101,17 @@ export class Rotator extends EventEmitter {
     this.enabled = false;
   }
 
+  _isOnCooldown(agentId) {
+    const lastTime = this.lastRotationTime.get(agentId);
+    if (!lastTime) return false;
+    return (Date.now() - lastTime) < COOLDOWN_MS;
+  }
+
+  _getTokenCeiling(agent) {
+    const multiplier = ROLE_MULTIPLIERS[agent.role] || 1;
+    return TOKEN_CEILING * multiplier;
+  }
+
   _idleMs(agent) {
     return agent.lastActivity
       ? Date.now() - new Date(agent.lastActivity).getTime()
@@ -131,27 +152,49 @@ export class Rotator extends EventEmitter {
     for (const agent of running) {
       if (this.rotating.has(agent.id)) continue;
 
-      // Hard ceiling — force rotate to prevent compaction, even if agent is busy
-      if (agent.contextUsage >= HARD_CEILING) {
-        console.log(`  Rotator: ${agent.name} at ${Math.round(agent.contextUsage * 100)}% — FORCE rotating (hard ceiling)`);
-        await this.rotate(agent.id, { reason: 'hard_ceiling' });
-        continue;
-      }
+      // Determine if provider manages its own context (e.g. Claude Code compacts internally)
+      const providerInstance = getProvider(agent.provider);
+      const selfManagesContext = providerInstance?.constructor?.managesOwnContext ?? false;
 
-      const threshold = this.daemon.adaptive
-        ? this.daemon.adaptive.getThreshold(agent.provider, agent.role)
-        : DEFAULT_THRESHOLD;
+      if (!selfManagesContext) {
+        // Non-Claude: threshold + ceiling + quality rotation
+        // These providers fill up linearly and degrade without external rotation
 
-      // Context-based rotation (original)
-      if (agent.contextUsage >= threshold) {
-        if (this._idleMs(agent) > 10_000) {
-          console.log(`  Rotator: ${agent.name} at ${Math.round(agent.contextUsage * 100)}% — rotating (context)`);
-          await this.rotate(agent.id, { reason: 'context_threshold' });
+        // Hard ceiling — force rotate, no idle check, bypasses cooldown (safety override)
+        if (agent.contextUsage >= HARD_CEILING) {
+          console.log(`  Rotator: ${agent.name} at ${Math.round(agent.contextUsage * 100)}% — FORCE rotating (hard ceiling)`);
+          await this.rotate(agent.id, { reason: 'hard_ceiling' });
           continue;
         }
+
+        // Token ceiling — force rotate when total tokens exceed ceiling, bypasses cooldown
+        const tokenCeiling = this._getTokenCeiling(agent);
+        if (agent.tokensUsed >= tokenCeiling) {
+          console.log(`  Rotator: ${agent.name} at ${(agent.tokensUsed || 0).toLocaleString()} tokens — FORCE rotating (token ceiling ${tokenCeiling.toLocaleString()})`);
+          await this.rotate(agent.id, { reason: 'token_ceiling', tokensUsed: agent.tokensUsed, ceiling: tokenCeiling });
+          continue;
+        }
+
+        // Cooldown — skip threshold/quality rotation if recently rotated
+        if (this._isOnCooldown(agent.id)) continue;
+
+        // Context threshold — rotate when idle
+        const threshold = this.daemon.adaptive
+          ? this.daemon.adaptive.getThreshold(agent.provider, agent.role)
+          : DEFAULT_THRESHOLD;
+        if (agent.contextUsage >= threshold) {
+          if (this._idleMs(agent) > 10_000) {
+            console.log(`  Rotator: ${agent.name} at ${Math.round(agent.contextUsage * 100)}% — rotating (context)`);
+            await this.rotate(agent.id, { reason: 'context_threshold' });
+            continue;
+          }
+        }
       }
 
-      // Quality-based rotation — detects degradation before tokens are wasted
+      // Cooldown — skip quality rotation for self-managing providers if recently rotated
+      if (this._isOnCooldown(agent.id)) continue;
+
+      // All providers: quality-based rotation — detects degradation before tokens are wasted
       const quality = this.scoreLiveSession(agent);
       if (quality.hasEnoughData && quality.score < QUALITY_THRESHOLD) {
         if (this._idleMs(agent) > 10_000) {
@@ -208,12 +251,12 @@ export class Rotator extends EventEmitter {
         this.daemon.memory.appendHandoffBrief(agent.role, {
           timestamp: new Date().toISOString(),
           agentId: agent.id,
-          newAgentId: null, // filled after respawn completes
+          newAgentId: null,
           reason: options.reason || 'manual',
           oldTokens: agent.tokensUsed,
           contextUsage: agent.contextUsage,
           brief: brief.slice(0, 4000),
-        });
+        }, agent.workingDir);
       }
 
       const record = {
@@ -233,17 +276,28 @@ export class Rotator extends EventEmitter {
       const routingMode = this.daemon.router.getMode(agentId);
       const respawnModel = routingMode.mode === 'auto' ? 'auto' : agent.model;
 
-      const newAgent = await processes.spawn({
-        role: agent.role,
-        scope: agent.scope,
-        provider: agent.provider,
-        model: respawnModel,
-        prompt: brief,
-        permission: agent.permission || 'full',
-        workingDir: agent.workingDir,
-        name: agent.name,
-        teamId: agent.teamId,
-      });
+      let newAgent;
+      try {
+        newAgent = await processes.spawn({
+          role: agent.role,
+          scope: agent.scope,
+          provider: agent.provider,
+          model: respawnModel,
+          prompt: brief,
+          permission: agent.permission || 'full',
+          workingDir: agent.workingDir,
+          name: agent.name,
+          teamId: agent.teamId,
+        });
+      } catch (spawnErr) {
+        // Spawn failed — old agent still in registry with 'killed' status.
+        // Don't lose it — the user can see and retry.
+        console.error(`[Groove] Rotation spawn failed for ${agent.name}: ${spawnErr.message}`);
+        throw spawnErr;
+      }
+
+      // Spawn succeeded — safe to remove old agent entry
+      registry.remove(agentId);
 
       if (agent.tokensUsed > 0) {
         registry.update(newAgent.id, { tokensUsed: agent.tokensUsed });
@@ -254,6 +308,7 @@ export class Rotator extends EventEmitter {
 
       record.newAgentId = newAgent.id;
       record.newTokens = 0;
+      this.lastRotationTime.set(newAgent.id, Date.now());
       this.rotationHistory.push(record);
 
       if (this.rotationHistory.length > 100) {
@@ -358,6 +413,7 @@ export class Rotator extends EventEmitter {
     const contextRotations = this.rotationHistory.filter((r) => r.reason === 'context_threshold').length;
     const naturalCompactions = this.rotationHistory.filter((r) => r.reason === 'natural_compaction').length;
     const hardCeilingRotations = this.rotationHistory.filter((r) => r.reason === 'hard_ceiling').length;
+    const tokenCeilingRotations = this.rotationHistory.filter((r) => r.reason === 'token_ceiling').length;
     return {
       enabled: this.enabled,
       totalRotations,
@@ -366,9 +422,16 @@ export class Rotator extends EventEmitter {
       contextRotations,
       naturalCompactions,
       hardCeilingRotations,
+      tokenCeilingRotations,
       rotating: Array.from(this.rotating),
       liveScores: this.liveScores,
       scoreHistory: this.scoreHistory,
+      defaultThreshold: DEFAULT_THRESHOLD,
+      hardCeiling: HARD_CEILING,
+      qualityThreshold: QUALITY_THRESHOLD,
+      cooldownMs: COOLDOWN_MS,
+      tokenCeiling: TOKEN_CEILING,
+      roleMultipliers: ROLE_MULTIPLIERS,
     };
   }
 }

package/node_modules/@groove-dev/daemon/src/skills.js

@@ -37,6 +37,9 @@ export class SkillStore {
 
     // Fetch full registry from live API in background
     this._refreshRegistry();
+
+    // Sync subscription cache from stored user on startup
+    this._syncSubscriptionCache(this.getUser());
   }
 
   // --- Auth ---
@@ -69,22 +72,45 @@ export class SkillStore {
         return null; // Invalid token
       }
     } catch {
-      // Can't validate — store anyway, will revalidate later
-      user = { id: 'unknown' };
+      // Can't validate — keep existing stored user so subscription data survives
+      const existingUser = this.getUser();
+      user = existingUser || { id: 'unknown' };
     }
 
     this.daemon.config.marketplace = { token, user };
     const { saveConfig } = await import('./firstrun.js');
     saveConfig(this.daemon.grooveDir, this.daemon.config);
     this.daemon.audit.log('marketplace.login', { userId: user?.id });
+    this._syncSubscriptionCache(user);
     return user;
   }
 
+  _syncSubscriptionCache(user) {
+    const sub = user?.subscription;
+    if (!this.daemon) return;
+    if (!sub) {
+      console.log(`[Groove:Sub] No subscription data on user — cache unchanged (plan: ${this.daemon.subscriptionCache?.plan || 'unknown'})`);
+      return;
+    }
+    this.daemon.subscriptionCache = {
+      plan: sub.plan || 'community',
+      status: sub.status || (sub.plan !== 'community' ? 'active' : 'none'),
+      active: sub.status === 'active' || (sub.plan && sub.plan !== 'community'),
+      features: sub.features || [],
+      seats: sub.seats || 1,
+      periodEnd: sub.periodEnd || null,
+      cancelAtPeriodEnd: sub.cancelAtPeriodEnd || false,
+      validatedAt: Date.now(),
+    };
+    this.daemon.broadcast({ type: 'subscription:updated', data: this.daemon.subscriptionCache });
+  }
+
   /** Clear stored auth */
   async clearAuth() {
     delete this.daemon.config.marketplace;
     const { saveConfig } = await import('./firstrun.js');
     saveConfig(this.daemon.grooveDir, this.daemon.config);
+    this.daemon.subscriptionCache = { plan: 'community', status: 'none', features: [], active: false, validatedAt: 0 };
     this.daemon.audit.log('marketplace.logout');
   }
 
@@ -98,7 +124,11 @@ export class SkillStore {
         headers: { 'Authorization': `Bearer ${token}` },
         signal: AbortSignal.timeout(8000),
       });
-      if (res.ok) return await res.json();
+      if (res.ok) {
+        const user = await res.json();
+        this._syncSubscriptionCache(user);
+        return user;
+      }
     } catch { /* offline — assume valid */ return this.getUser(); }
 
     // 401 — token expired, clear it

package/node_modules/@groove-dev/daemon/src/terminal-pty.js

@@ -115,7 +115,7 @@ export class TerminalManager {
       stdio: ['pipe', 'pipe', 'pipe'],
     });
 
-    const session = { proc, ws, id };
+    const session = { proc, ws, id, label: options.label || '' };
     this.sessions.set(id, session);
 
     proc.stdout.on('data', (data) => {
@@ -160,6 +160,14 @@ export class TerminalManager {
     session.proc.stdin.write(`\x1b]7;${rows};${cols}\x07`);
   }
 
+  rename(id, label) {
+    const session = this.sessions.get(id);
+    if (!session) return false;
+    if (typeof label !== 'string' || label.length > 100) return false;
+    session.label = label;
+    return true;
+  }
+
   kill(id) {
     const session = this.sessions.get(id);
     if (!session) return;

package/node_modules/@groove-dev/daemon/src/tool-executor.js

@@ -2,7 +2,7 @@
 // FSL-1.1-Apache-2.0 — see LICENSE
 
 import { readFileSync, writeFileSync, readdirSync, statSync, mkdirSync, existsSync } from 'fs';
-import { execSync } from 'child_process';
+import { execSync, execFileSync } from 'child_process';
 import { resolve, relative, dirname, sep } from 'path';
 import { minimatch } from 'minimatch';
 
@@ -242,12 +242,15 @@ export class ToolExecutor {
     const timeoutMs = Math.min(timeout || 30000, 120000);
 
     try {
-      const output = execSync(command, {
+      // Split command safely for shell: false — avoids shell injection
+      const parts = command.split(/\s+/);
+      const cmd = parts[0];
+      const cmdArgs = parts.slice(1);
+      const output = execFileSync(cmd, cmdArgs, {
         cwd: execCwd,
-        encoding: 'utf8',
         timeout: timeoutMs,
-        maxBuffer: 2 * 1024 * 1024, // 2MB
-        shell: true,
+        maxBuffer: 1024 * 1024,
+        encoding: 'utf8',
         env: { ...process.env, GROOVE_AGENT_ID: this.agentId },
       });
       // Cap output to prevent context window blowup
@@ -292,6 +295,9 @@ export class ToolExecutor {
   }
 
   searchContent({ pattern, path: searchPath, glob: globFilter }) {
+    if (!/^[a-zA-Z0-9_.\-\/\\*?[\]{}()|^$+\s]+$/.test(pattern)) {
+      throw new Error('Invalid search pattern');
+    }
     const searchDir = searchPath ? this._resolvePath(searchPath) : this.workingDir;
 
     // Prefer ripgrep (faster, respects .gitignore), fall back to grep

package/node_modules/@groove-dev/daemon/src/toys.js

@@ -0,0 +1,69 @@
+// GROOVE — Toys Registry & Launch Logic
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { readFileSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const CATALOG_PATH = resolve(__dirname, '../templates/toys-catalog.json');
+const TOY_ID_PATTERN = /^[a-z0-9-]{1,64}$/;
+
+export class Toys {
+  constructor(daemon) {
+    this.daemon = daemon;
+    this.catalog = JSON.parse(readFileSync(CATALOG_PATH, 'utf8'));
+  }
+
+  list(category) {
+    if (!category) return this.catalog;
+    return this.catalog.filter((t) => t.category === category);
+  }
+
+  get(id) {
+    return this.catalog.find((t) => t.id === id) || null;
+  }
+
+  async launch(id, { apiKey, starterPrompt } = {}) {
+    if (!id || typeof id !== 'string' || !TOY_ID_PATTERN.test(id)) {
+      throw new Error('Invalid toy id');
+    }
+    if (apiKey !== undefined && apiKey !== null && typeof apiKey !== 'string') {
+      throw new Error('apiKey must be a string');
+    }
+    if (starterPrompt !== undefined && starterPrompt !== null && typeof starterPrompt !== 'string') {
+      throw new Error('starterPrompt must be a string');
+    }
+
+    const toy = this.get(id);
+    if (!toy) throw new Error(`Toy not found: ${id}`);
+
+    if (apiKey) {
+      this.daemon.credentials.setKey('toy:' + id, apiKey);
+    }
+
+    const team = this.daemon.teams.create('Toy: ' + toy.name);
+
+    const plannerPrompt =
+      'You are exploring the ' + toy.name + ' API.\n'
+      + 'Documentation: ' + toy.docsUrl + '\n'
+      + 'Base URL: ' + toy.baseUrl + '\n'
+      + (apiKey
+        ? 'API Key: ' + apiKey + ' (auth type: ' + toy.authType + ', key goes in: ' + toy.keyHeader + ')\n'
+        : 'This API requires no authentication.\n')
+      + 'Your first task: Use WebFetch to read the API documentation page at ' + toy.docsUrl + '. Study all available endpoints, data structures, parameters, and rate limits.\n'
+      + 'Then present a clear summary of what this API offers and ask the user what they would like to build.\n'
+      + (starterPrompt ? 'The user is interested in: ' + starterPrompt + '\n' : '')
+      + 'Suggest these project ideas: ' + toy.starterPrompts.join(', ');
+
+    const agent = await this.daemon.processes.spawn({
+      role: 'planner',
+      name: 'Toy-' + toy.name.replace(/\s+/g, '-'),
+      provider: 'claude-code',
+      prompt: plannerPrompt,
+      teamId: team.id,
+    });
+
+    return { team, agent, toyId: id };
+  }
+}

package/node_modules/@groove-dev/daemon/src/tunnel-manager.js

@@ -56,9 +56,21 @@ export class TunnelManager {
     );
   }
 
+  async init() {
+    for (const [id, config] of this.saved) {
+      if (config.autoConnect) {
+        try {
+          await this.connect(id);
+        } catch (err) {
+          this.daemon.broadcast({ type: 'tunnel.error', data: { id, error: err.message } });
+        }
+      }
+    }
+  }
+
   getSaved() {
     return Array.from(this.saved.values()).map(s => ({
-      ...s,
+      ...this._sanitize(s),
       active: this.active.has(s.id),
       ...(this.active.get(s.id) || {}),
     }));
@@ -149,9 +161,9 @@ export class TunnelManager {
     return merged;
   }
 
-  delete(id) {
+  async delete(id) {
     if (!this.saved.has(id)) throw new Error(`Remote ${id} not found`);
-    if (this.active.has(id)) this.disconnect(id);
+    if (this.active.has(id)) await this.disconnect(id);
     const name = this.saved.get(id).name;
     this.saved.delete(id);
     this._save();
@@ -419,17 +431,24 @@ export class TunnelManager {
     return { installed: verify.grooveInstalled, daemonRunning: verify.daemonRunning };
   }
 
+  _sanitize(entry) {
+    if (!entry) return entry;
+    const { sshKeyPath, ...safe } = entry;
+    safe.sshKeyDisplay = sshKeyPath ? sshKeyPath.split('/').pop() : null;
+    return safe;
+  }
+
   getStatus(id) {
     const saved = this.saved.get(id);
     if (!saved) return null;
     const active = this.active.get(id);
-    return { ...saved, active: !!active, ...(active || {}) };
+    return { ...this._sanitize(saved), active: !!active, ...(active || {}) };
   }
 
   getActive() {
     return Array.from(this.active.entries()).map(([id, conn]) => ({
       ...conn,
-      ...(this.saved.get(id) || {}),
+      ...this._sanitize(this.saved.get(id) || {}),
       id,
     }));
   }