groove-dev 0.27.51 → 0.27.53

package/node_modules/@groove-dev/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/cli",
-  "version": "0.27.51",
+  "version": "0.27.53",
   "description": "GROOVE CLI — manage AI coding agents from your terminal",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",

package/node_modules/@groove-dev/daemon/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/daemon",
-  "version": "0.27.51",
+  "version": "0.27.53",
   "description": "GROOVE daemon — agent orchestration engine",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",

package/node_modules/@groove-dev/daemon/src/api.js

@@ -3866,7 +3866,14 @@ Keep responses concise. Help them think, don't lecture them about the system the
   // so revoked or expired codes lock the feature automatically. Non-blocking.
   daemon.revalidateBetaCode = async function revalidateBetaCode() {
     const cfg = daemon.config?.networkBeta;
-    if (!cfg?.unlocked || !cfg?.code) return;
+    if (!cfg?.unlocked) return;
+    if (!cfg?.code) {
+      daemon.config.networkBeta = { ...cfg, unlocked: false, expiresAt: null, features: [] };
+      await persistConfig();
+      daemon.audit.log('beta.revoked', { reason: 'missing code' });
+      daemon.broadcast({ type: 'config:updated' });
+      return;
+    }
     const remote = await validateCodeWithServer(cfg.code);
     // If we couldn't reach the server, keep the current unlocked state —
     // network failures must not lock out beta users.
@@ -4017,6 +4024,9 @@ Keep responses concise. Help them think, don't lecture them about the system the
     if (!existsSync(deployPath)) {
       return res.status(400).json({ error: `Deploy path not found: ${deployPath}` });
     }
+    if (!isInsideGrooveHome(deployPath) && !deployPath.startsWith(resolve(process.env.HOME || '', 'Desktop'))) {
+      return res.status(400).json({ error: 'Deploy path outside allowed directories' });
+    }
 
     const signalFlag = supportsSignalFlag(cfg.version) ? '--signal' : '--relay';
     const args = [
@@ -4205,11 +4215,57 @@ Keep responses concise. Help them think, don't lecture them about the system the
             ...(total_layers !== undefined ? { totalLayers: total_layers } : {}),
           };
         }) : [];
+        const primaryModel = Array.isArray(data.models) && data.models[0] ? data.models[0] : {};
+
+        // Enrich local node state from signal's authoritative topology.
+        // Signal truncates IDs (e.g. "0xf608fd..."), so match by prefix.
+        if (daemon.networkNode?.active && daemon.networkNode.nodeId) {
+          const selfId = daemon.networkNode.nodeId;
+          const signalNodes = Array.isArray(data.nodes) ? data.nodes : [];
+          const self = signalNodes.find((n) => {
+            const nid = n.node_id || n.nodeId || '';
+            const prefix = nid.replace(/\.{2,}$/, '');
+            return selfId === nid || (prefix.length >= 6 && selfId.startsWith(prefix));
+          });
+          let changed = false;
+          if (self) {
+            if (Array.isArray(self.layers) && self.layers.length === 2) {
+              daemon.networkNode.layers = self.layers;
+              changed = true;
+            }
+            if (self.device) {
+              daemon.networkNode.hardware = {
+                device: self.device,
+                memory: daemon.networkNode.hardware?.memory || null,
+                gpu: daemon.networkNode.hardware?.gpu || null,
+              };
+              changed = true;
+            }
+          }
+          const availModel = Array.isArray(data.models)
+            ? data.models.find((m) => m && m.available !== false)
+            : null;
+          if (availModel && !daemon.networkNode.model) {
+            daemon.networkNode.model = availModel.name || null;
+            changed = true;
+          }
+          if (changed) broadcastNodeStatus();
+        }
+
+        const capStr = (s, max = 200) => (typeof s === 'string' ? s.slice(0, max) : s);
+        const safeNodes = (Array.isArray(data.nodes) ? data.nodes : []).map((n) => ({
+          node_id: capStr(n.node_id || n.nodeId),
+          device: capStr(n.device),
+          layers: Array.isArray(n.layers) ? n.layers.slice(0, 2) : n.layers,
+          status: capStr(n.status, 50),
+          active_sessions: n.active_sessions ?? 0,
+        }));
+
         return res.json({
-          nodes: Array.isArray(data.nodes) ? data.nodes : [],
+          nodes: safeNodes,
           models,
-          coverage: data.covered_layers ?? data.coverage ?? 0,
-          totalLayers: data.total_layers ?? data.totalLayers ?? 24,
+          coverage: data.covered_layers ?? primaryModel.covered_layers ?? data.coverage ?? 0,
+          totalLayers: data.total_layers ?? primaryModel.total_layers ?? data.totalLayers ?? 24,
           activeSessions: data.active_sessions ?? data.activeSessions ?? 0,
           totalNodes: data.total_nodes ?? data.totalNodes ?? (Array.isArray(data.nodes) ? data.nodes.length : 0),
         });
@@ -4312,15 +4368,8 @@ Keep responses concise. Help them think, don't lecture them about the system the
       };
 
       try {
-        // Build clone URL with optional PAT
         const pat = daemon.credentials?.getKey?.('github-pat') || null;
-        const cloneUrl = pat
-          ? NETWORK_REPO_URL.replace('https://', `https://${pat}@`)
-          : NETWORK_REPO_URL;
 
-        // Resolve the latest released tag so fresh installs track new releases
-        // without requiring a code change. Falls back to NETWORK_VERSION if the
-        // remote lookup fails (offline, rate-limited, no tags yet).
         let installVersion;
         try {
           installVersion = (await getLatestNetworkTag()) || NETWORK_VERSION;
@@ -4330,10 +4379,16 @@ Keep responses concise. Help them think, don't lecture them about the system the
 
         broadcastInstallProgress('cloning', `Cloning network package ${installVersion}...`, 0);
 
-        const cloneArgs = ['clone', '--branch', installVersion, '--depth', '1', cloneUrl, installPath];
+        const cloneArgs = ['clone', '--branch', installVersion, '--depth', '1', NETWORK_REPO_URL, installPath];
+        const cloneEnv = { ...process.env, GIT_TERMINAL_PROMPT: '0' };
+        if (pat) {
+          cloneEnv.GIT_CONFIG_COUNT = '1';
+          cloneEnv.GIT_CONFIG_KEY_0 = 'http.extraHeader';
+          cloneEnv.GIT_CONFIG_VALUE_0 = `Authorization: token ${pat}`;
+        }
         const clone = spawn('git', cloneArgs, {
           stdio: ['ignore', 'pipe', 'pipe'],
-          env: { ...process.env, GIT_TERMINAL_PROMPT: '0' },
+          env: cloneEnv,
         });
 
         const stripCredentials = (s) => s.replace(/https:\/\/[^@]+@/g, 'https://***@');

package/node_modules/@groove-dev/daemon/src/firstrun.js

@@ -155,5 +155,5 @@ export function loadConfig(grooveDir) {
 }
 
 export function saveConfig(grooveDir, config) {
-  writeFileSync(resolve(grooveDir, 'config.json'), JSON.stringify(config, null, 2));
+  writeFileSync(resolve(grooveDir, 'config.json'), JSON.stringify(config, null, 2), { mode: 0o600 });
 }

package/node_modules/@groove-dev/daemon/src/process.js

@@ -740,7 +740,7 @@ For normal file edits within your scope, proceed without review.
     }
 
     const spawnCmd = provider.buildSpawnCommand(spawnConfig);
-    const { command, args, env, stdin: stdinData } = spawnCmd;
+    const { command, args, env, stdin: stdinData, cwd: providerCwd } = spawnCmd;
 
     // Log the spawn command (mask anything that looks like an API key)
     const maskArg = (a) => /^(sk-|AIza|key-|token-)/.test(a) ? '***' : a;
@@ -765,7 +765,7 @@ For normal file edits within your scope, proceed without review.
 
     // Spawn the process (use pipe for stdin if provider needs to send prompt via stdin)
     const proc = cpSpawn(command, args, {
-      cwd: agent.workingDir || this.daemon.projectDir,
+      cwd: providerCwd || agent.workingDir || this.daemon.projectDir,
       env: { ...process.env, ...env, ...integrationEnv, GROOVE_AGENT_ID: agent.id, GROOVE_AGENT_NAME: agent.name, GROOVE_DAEMON_HOST: this.daemon.host || '127.0.0.1', GROOVE_DAEMON_PORT: String(this.daemon.port || 31415) },
       stdio: [stdinData ? 'pipe' : 'ignore', 'pipe', 'pipe'],
       detached: false,

package/node_modules/@groove-dev/daemon/src/providers/groove-network.js

@@ -66,6 +66,11 @@ function stripScheme(url) {
   return url.replace(/^wss?:\/\//i, '').replace(/\/.*$/, '');
 }
 
+function isAllowedSignalHost(host) {
+  const h = (host || '').replace(/^(wss?|https?):\/\//i, '').replace(/\/.*$/, '').toLowerCase();
+  return h === 'signal.groovedev.ai' || h.endsWith('.groovedev.ai');
+}
+
 export class GrooveNetworkProvider extends Provider {
   static name = 'groove-network';
   static displayName = 'Groove Network';
@@ -88,6 +93,7 @@ export class GrooveNetworkProvider extends Provider {
   buildSpawnCommand(agent) {
     const cfg = getConfig() || {};
     const signal = stripScheme(cfg.signalUrl);
+    if (!isAllowedSignalHost(signal)) throw new Error('Invalid signal host');
     const model = agent.model || GrooveNetworkProvider.models[0].id;
     const maxTokens = agent.maxTokens || 500;
     const prompt = agent.prompt || '';
@@ -115,6 +121,7 @@ export class GrooveNetworkProvider extends Provider {
   buildHeadlessCommand(prompt, model) {
     const cfg = getConfig() || {};
     const signal = stripScheme(cfg.signalUrl);
+    if (!isAllowedSignalHost(signal)) throw new Error('Invalid signal host');
     const m = model || GrooveNetworkProvider.models[0].id;
     const deployPath = expandHome(cfg.deployPath) || resolve(homedir(), 'Desktop/groove-deploy');
     return {
@@ -145,19 +152,31 @@ export class GrooveNetworkProvider extends Provider {
     }
     try {
       const msg = JSON.parse(trimmed);
-      if (msg && typeof msg === 'object' && typeof msg.type === 'string') {
-        return {
-          type: msg.type,
-          text: msg.text,
-          sessionId: msg.session_id,
-          tokensGenerated: msg.tokens_generated,
-          error: msg.error,
-          signal: msg.signal,
-          nodesAvailable: msg.nodes_available,
-          nodes: msg.nodes,
-          raw: msg,
-        };
+      if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') {
+        return { type: 'activity', data: trimmed };
+      }
+
+      if (msg.type === 'token' && msg.text) {
+        return { type: 'activity', subtype: 'text', data: msg.text, tokensGenerated: msg.tokens_generated };
+      }
+      if (msg.type === 'complete' || msg.type === 'result') {
+        return { type: 'result', text: msg.text || '', tokensGenerated: msg.tokens_generated, sessionId: msg.session_id };
       }
+      if (msg.type === 'error') {
+        return { type: 'activity', subtype: 'error', data: msg.error || msg.message || 'Unknown error' };
+      }
+
+      const labels = {
+        signal_connected: `Connected to ${msg.signal || 'signal'}`,
+        matched: `Matched with ${Array.isArray(msg.nodes) ? msg.nodes.length : '?'} nodes`,
+        connected: `Session ${(msg.session_id || '').slice(0, 8) || 'started'}`,
+        pipeline: `Pipeline ready — ${Array.isArray(msg.nodes) ? msg.nodes.length : '?'} nodes`,
+      };
+      if (labels[msg.type]) {
+        return { type: 'activity', data: labels[msg.type], sessionId: msg.session_id };
+      }
+
+      return { type: 'activity', data: msg.text || msg.message || msg.type, raw: msg };
     } catch { /* not JSON, fall through */ }
     return { type: 'activity', data: trimmed };
   }