npm - groove-dev - Versions diffs - 0.27.42 → 0.27.45 - Mend

groove-dev 0.27.42 → 0.27.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/default/groovedev-beta-auth-endpoint.md ADDED Viewed

@@ -0,0 +1,166 @@
+# Groove Network Beta — Auth Endpoint Setup
+Instructions for setting up the invite code validation endpoint on groovedev.ai.
+---
+## Endpoint
+```
+POST https://groovedev.ai/api/beta/validate
+```
+## Request
+```json
+{
+  "code": "GROOVE-NET-ALPHA-001",
+  "machineId": "sha256-of-hostname-and-mac"
+}
+```
+- `code` — the invite code the user entered
+- `machineId` — hashed machine identifier so you can track activations per device (the daemon already generates this for credential encryption)
+## Response — Valid Code
+```json
+{
+  "valid": true,
+  "expiresAt": "2026-07-18T00:00:00Z",
+  "features": ["network-node", "network-consumer"],
+  "message": "Welcome to the Groove Network beta"
+}
+```
+- `expiresAt` — when this code stops working (null = never expires)
+- `features` — which beta features this code unlocks (future-proofs for gating individual features)
+- `message` — optional message shown to the user on activation
+## Response — Invalid Code
+```json
+{
+  "valid": false,
+  "message": "Invalid invite code"
+}
+```
+HTTP 200 for both valid and invalid — don't leak info through status codes.
+## Response — Rate Limited
+```json
+{
+  "valid": false,
+  "message": "Too many attempts, try again later"
+}
+```
+HTTP 429. Rate limit: 5 attempts per IP per hour.
+---
+## Code Management
+### Database Schema (or KV store, whatever groovedev.ai uses)
+```sql
+CREATE TABLE beta_codes (
+  code        TEXT PRIMARY KEY,
+  created_at  TIMESTAMP DEFAULT NOW(),
+  expires_at  TIMESTAMP,
+  max_uses    INTEGER DEFAULT 1,
+  used_count  INTEGER DEFAULT 0,
+  features    JSONB DEFAULT '["network-node", "network-consumer"]',
+  notes       TEXT
+);
+CREATE TABLE beta_activations (
+  id          SERIAL PRIMARY KEY,
+  code        TEXT REFERENCES beta_codes(code),
+  machine_id  TEXT,
+  activated_at TIMESTAMP DEFAULT NOW(),
+  ip_address  TEXT
+);
+```
+### Generating Codes
+Codes should be human-friendly, uppercase, with dashes. Format: `GROOVE-NET-<WORD>-<3 DIGITS>`
+Examples:
+- GROOVE-NET-ALPHA-001
+- GROOVE-NET-BETA-042
+- GROOVE-NET-EARLY-777
+Generate a batch to start:
+```sql
+INSERT INTO beta_codes (code, expires_at, max_uses, notes) VALUES
+  ('GROOVE-NET-ALPHA-001', '2026-07-18', 1, 'Rok - testing'),
+  ('GROOVE-NET-ALPHA-002', '2026-07-18', 1, 'Tommy'),
+  ('GROOVE-NET-ALPHA-003', '2026-07-18', 1, 'Reserved'),
+  ('GROOVE-NET-ALPHA-004', '2026-07-18', 1, 'Reserved'),
+  ('GROOVE-NET-ALPHA-005', '2026-07-18', 1, 'Reserved');
+```
+### Validation Logic
+```
+1. Look up code in beta_codes
+2. If not found → { valid: false }
+3. If expires_at < NOW() → { valid: false, message: "Code expired" }
+4. If used_count >= max_uses → { valid: false, message: "Code already used" }
+5. Insert into beta_activations
+6. Increment used_count
+7. Return { valid: true, expiresAt, features, message }
+```
+### Admin
+You'll want a way to:
+- Generate new codes (one-off or batch)
+- Revoke a code (delete or set expires_at to past)
+- See who activated (query beta_activations)
+- Set max_uses > 1 for codes you want to share more broadly
+A simple admin page at groovedev.ai/admin/beta or even just direct DB access works for now.
+---
+## How the Daemon Uses This
+The daemon (packages/daemon/src/api.js) calls this endpoint when a user submits an invite code:
+```javascript
+// POST /api/beta/activate handler
+const response = await fetch('https://groovedev.ai/api/beta/validate', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ code, machineId: daemon.getMachineId() })
+});
+const result = await response.json();
+if (result.valid) {
+  config.set('networkBeta.unlocked', true);
+  config.set('networkBeta.code', code);
+  config.set('networkBeta.features', result.features);
+  config.set('networkBeta.expiresAt', result.expiresAt);
+  daemon.broadcast({ type: 'config:updated' });
+}
+```
+Offline fallback: if the daemon can't reach groovedev.ai, it falls back to a hardcoded allowlist (the 5 ALPHA codes). This way beta testers aren't locked out by network issues. The hardcoded list gets removed when the server endpoint is live.
+Re-validation: on daemon startup, if networkBeta.unlocked is true, optionally re-validate the stored code against the server. If the code was revoked or expired, lock the feature. Don't block startup on this — do it async.
+---
+## Security Notes
+- Never log the full code in server logs — log first 10 chars only
+- Rate limit by IP, not by code (prevents enumeration)
+- Codes are not passwords — they're single-use invites. No hashing needed, but don't expose the full list in any public API
+- The machineId is a hash, not PII — safe to store
+- HTTPS only, obviously

package/node_modules/@groove-dev/cli/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/cli",
-  "version": "0.27.42",
+  "version": "0.27.45",
   "description": "GROOVE CLI — manage AI coding agents from your terminal",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",

package/node_modules/@groove-dev/daemon/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/daemon",
-  "version": "0.27.42",
+  "version": "0.27.45",
   "description": "GROOVE daemon — agent orchestration engine",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",