palmier 0.7.4 → 0.7.7

package/palmier-server/server/src/index.ts

@@ -13,6 +13,7 @@ import fcmRoutes from "./routes/fcm.js";
 import deviceRoutes from "./routes/device.js";
 import { notifyClients } from "./notify.js";
 import { sendFcmToClients, sendFcmToDevice } from "./fcm.js";
+import { createPairingCredentials, createPwaCredentials } from "./nats-jwt.js";
 
 const PORT = parseInt(process.env.PORT || "3000", 10);
 
@@ -446,6 +447,61 @@ async function main(): Promise<void> {
     }
   })();
 
+  // Subscribe to email requests from hosts
+  (async () => {
+    try {
+      const conn = await getNatsConnection();
+      const sub = conn.subscribe("host.*.fcm.email");
+      console.log("Listening for FCM email requests");
+
+      for await (const msg of sub) {
+        try {
+          const data = JSON.parse(sc.decode(msg.data)) as {
+            hostId: string;
+            requestId: string;
+            fcmToken?: string;
+            [key: string]: string | undefined;
+          };
+
+          const subjectHostId = msg.subject.split(".")[1];
+          if (data.hostId !== subjectHostId) {
+            if (msg.reply) {
+              msg.respond(sc.encode(JSON.stringify({ error: "hostId mismatch" })));
+            }
+            continue;
+          }
+
+          const fcmPayload: Record<string, string> = {
+            type: "send-email",
+            requestId: data.requestId,
+            hostId: data.hostId,
+          };
+          for (const key of ["to", "subject", "body", "cc", "bcc"]) {
+            if (data[key]) fcmPayload[key] = data[key]!;
+          }
+
+          console.log(`[FCM] Sending email request for host ${data.hostId}`);
+          if (data.fcmToken) {
+            await sendFcmToDevice(data.fcmToken, fcmPayload);
+          } else {
+            await sendFcmToClients(data.hostId, fcmPayload);
+          }
+
+          if (msg.reply) {
+            msg.respond(sc.encode(JSON.stringify({ ok: true })));
+          }
+        } catch (err) {
+          console.error("[FCM] Error handling email request:", err);
+          if (msg.reply) {
+            msg.respond(sc.encode(JSON.stringify({ error: String(err) })));
+          }
+        }
+      }
+    } catch (err) {
+      console.error("Failed to subscribe to FCM email requests:", err);
+    }
+  })();
+
   // Subscribe to battery requests from hosts
   (async () => {
     try {
@@ -569,11 +625,36 @@ async function main(): Promise<void> {
   app.use("/api/fcm", fcmRoutes);
   app.use("/api/device", deviceRoutes);
 
-  // Public NATS config endpoint (used by PWA for pairing)
+  // Public NATS config endpoint — returns pairing-only credentials.
+  // These can only publish to pair.* subjects (no RPC, no event subscriptions).
   app.get("/api/config", (_req, res) => {
+    const accountSeed = process.env.NATS_ACCOUNT_SEED;
+    if (!accountSeed) {
+      res.status(500).json({ error: "Server NATS auth not configured" });
+      return;
+    }
+    const creds = createPairingCredentials(accountSeed);
+    res.json({
+      natsWsUrl: process.env.NATS_WS_URL || "",
+      natsJwt: creds.jwt,
+      natsNkeySeed: creds.nkeySeed,
+    });
+  });
+
+  // Host-scoped NATS credentials — returns JWT scoped to a single host's subjects.
+  // Called by the PWA after pairing to get credentials for RPC + event subscriptions.
+  app.get("/api/nats-credentials/:hostId", (req, res) => {
+    const accountSeed = process.env.NATS_ACCOUNT_SEED;
+    if (!accountSeed) {
+      res.status(500).json({ error: "Server NATS auth not configured" });
+      return;
+    }
+    const { hostId } = req.params;
+    const creds = createPwaCredentials(accountSeed, hostId);
     res.json({
       natsWsUrl: process.env.NATS_WS_URL || "",
-      natsToken: process.env.NATS_TOKEN || "",
+      natsJwt: creds.jwt,
+      natsNkeySeed: creds.nkeySeed,
     });
   });
 

package/palmier-server/server/src/nats-jwt.ts

@@ -0,0 +1,299 @@
+/**
+ * NATS JWT/NKey utilities for decentralized authentication.
+ *
+ * NATS supports a decentralized auth model where authorization is embedded in
+ * signed JWTs rather than managed in server config files. This means new hosts
+ * can be onboarded without restarting or reconfiguring the NATS server.
+ *
+ * Key hierarchy:
+ *
+ *   Operator (root of trust)
+ *     └─ signs Account JWT → embedded in NATS server config (one-time)
+ *          └─ Account (runtime signing key, held by palmier-server)
+ *               ├─ signs Host User JWTs → scoped to host.{id}.* subjects
+ *               ├─ signs PWA User JWTs  → scoped to RPC + pairing subjects
+ *               └─ signs Server User JWT → full access for relaying
+ *
+ * JWT format (NATS-specific, not standard JWT):
+ *   Header:    {"typ":"JWT","alg":"ed25519-nkey"}
+ *   Payload:   NATS claims (issuer, subject, permissions)
+ *   Signature: Ed25519(header.payload, signing_key)
+ *
+ * Subject permission model:
+ *
+ *   | Role              | Publish                  | Subscribe              |
+ *   |-------------------|--------------------------|------------------------|
+ *   | Host (X)          | host-event.X.>, host.X.> | host.X.>, pair.*       |
+ *   | PWA (pairing)     | pair.*                   | (none)                 |
+ *   | PWA (connected X) | host.X.rpc.>             | host-event.X.>         |
+ *   | Server            | > (full)                 | > (full)               |
+ *
+ * Request/reply inbox subjects (_INBOX.>) are allowed automatically via the
+ * `resp` field in the JWT claims.
+ */
+
+import { createOperator, createAccount, createUser, fromSeed, type KeyPair } from "nkeys.js";
+import crypto from "crypto";
+
+// ---------------------------------------------------------------------------
+// Base64url helpers
+// ---------------------------------------------------------------------------
+
+function base64urlEncode(data: Uint8Array): string {
+  return Buffer.from(data).toString("base64url");
+}
+
+function base64urlEncodeStr(str: string): string {
+  return Buffer.from(str, "utf-8").toString("base64url");
+}
+
+// ---------------------------------------------------------------------------
+// NKey seed ↔ string helpers
+// ---------------------------------------------------------------------------
+
+export function seedToString(seed: Uint8Array): string {
+  return new TextDecoder().decode(seed);
+}
+
+export function seedFromString(seed: string): Uint8Array {
+  return new TextEncoder().encode(seed);
+}
+
+// ---------------------------------------------------------------------------
+// JWT signing
+// ---------------------------------------------------------------------------
+
+/** Sign a NATS JWT: base64url(header).base64url(claims).base64url(ed25519_sig). */
+function signJwt(claims: Record<string, unknown>, signingKey: KeyPair): string {
+  const header = base64urlEncodeStr(JSON.stringify({ typ: "JWT", alg: "ed25519-nkey" }));
+  const payload = base64urlEncodeStr(JSON.stringify(claims));
+  const sigInput = new TextEncoder().encode(`${header}.${payload}`);
+  const signature = base64urlEncode(signingKey.sign(sigInput));
+  return `${header}.${payload}.${signature}`;
+}
+
+// ---------------------------------------------------------------------------
+// Account JWT
+// ---------------------------------------------------------------------------
+
+/** Create an Operator JWT (self-signed). Used in the NATS server `operator` field. */
+export function createOperatorJwt(operatorSeed: string): string {
+  const operatorKp = fromSeed(seedFromString(operatorSeed));
+  const claims = {
+    jti: crypto.randomUUID().replace(/-/g, ""),
+    iat: Math.floor(Date.now() / 1000),
+    iss: operatorKp.getPublicKey(),
+    name: "palmier-operator",
+    sub: operatorKp.getPublicKey(),
+    nats: {
+      type: "operator",
+      version: 2,
+    },
+  };
+  const jwt = signJwt(claims, operatorKp);
+  operatorKp.clear();
+  return jwt;
+}
+
+/** Create an Account JWT signed by the operator. Embedded in NATS server config. */
+export function createAccountJwt(operatorSeed: string, accountPublicKey: string): string {
+  const operatorKp = fromSeed(seedFromString(operatorSeed));
+  const claims = {
+    jti: crypto.randomUUID().replace(/-/g, ""),
+    iat: Math.floor(Date.now() / 1000),
+    iss: operatorKp.getPublicKey(),
+    name: "palmier",
+    sub: accountPublicKey,
+    nats: {
+      limits: {
+        subs: -1,
+        data: -1,
+        payload: -1,
+        imports: -1,
+        exports: -1,
+        wildcards: true,
+        conn: -1,
+        leaf: -1,
+      },
+      type: "account",
+      version: 2,
+    },
+  };
+  const jwt = signJwt(claims, operatorKp);
+  operatorKp.clear();
+  return jwt;
+}
+
+// ---------------------------------------------------------------------------
+// User JWT (generic)
+// ---------------------------------------------------------------------------
+
+interface UserPermissions {
+  pub: { allow: string[] };
+  sub: { allow: string[] };
+}
+
+/**
+ * Create a User JWT signed by the account key.
+ * _INBOX.> is added to subscribe permissions so request/reply works.
+ * Unlimited values (-1) for subs/data/payload mean no artificial caps.
+ */
+function createUserJwt(
+  accountSeed: string,
+  userPublicKey: string,
+  name: string,
+  permissions: UserPermissions,
+): string {
+  const accountKp = fromSeed(seedFromString(accountSeed));
+  const claims = {
+    jti: crypto.randomUUID().replace(/-/g, ""),
+    iat: Math.floor(Date.now() / 1000),
+    iss: accountKp.getPublicKey(),
+    name,
+    sub: userPublicKey,
+    nats: {
+      pub: { allow: [...permissions.pub.allow, "_INBOX.>"] },
+      sub: { allow: [...permissions.sub.allow, "_INBOX.>"] },
+      subs: -1,
+      data: -1,
+      payload: -1,
+      type: "user",
+      version: 2,
+    },
+  };
+  const jwt = signJwt(claims, accountKp);
+  accountKp.clear();
+  return jwt;
+}
+
+// ---------------------------------------------------------------------------
+// Role-specific JWT generators
+// ---------------------------------------------------------------------------
+
+export interface NatsCredentials {
+  jwt: string;
+  nkeySeed: string;
+}
+
+/**
+ * Create credentials for a host daemon, scoped to the host's own subjects.
+ *
+ * A host with id X can only:
+ *   - Publish to: host-event.X.> (task events), host.X.> (FCM requests, push)
+ *   - Subscribe to: host.X.> (RPC, device responses), pair.* (during pairing)
+ *
+ * It cannot access any other host's subjects.
+ */
+export function createHostCredentials(accountSeed: string, hostId: string): NatsCredentials {
+  const userKp = createUser();
+  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), `host-${hostId}`, {
+    pub: { allow: [`host-event.${hostId}.>`, `host.${hostId}.>`] },
+    sub: { allow: [`host.${hostId}.>`, "pair.*"] },
+  });
+  const nkeySeed = seedToString(userKp.getSeed());
+  userKp.clear();
+  return { jwt, nkeySeed };
+}
+
+/**
+ * Create pairing-only credentials for the PWA. Used during the pairing flow
+ * before the PWA knows which host it will connect to.
+ *
+ * Minimal permissions:
+ *   - Publish to: pair.* (send pairing request)
+ *   - Subscribe to: (none — reply inbox handled by `resp`)
+ */
+export function createPairingCredentials(accountSeed: string): NatsCredentials {
+  const userKp = createUser();
+  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), "pwa-pairing", {
+    pub: { allow: ["pair.*"] },
+    sub: { allow: [] },
+  });
+  const nkeySeed = seedToString(userKp.getSeed());
+  userKp.clear();
+  return { jwt, nkeySeed };
+}
+
+/**
+ * Create host-scoped credentials for a PWA client after pairing.
+ *
+ * Scoped to a single host:
+ *   - Publish to: host.{hostId}.rpc.> (send RPC to paired host)
+ *   - Subscribe to: host-event.{hostId}.> (receive task events from paired host)
+ *
+ * A PWA client cannot see events or send RPC to any other host.
+ */
+export function createPwaCredentials(accountSeed: string, hostId: string): NatsCredentials {
+  const userKp = createUser();
+  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), `pwa-${hostId}`, {
+    pub: { allow: [`host.${hostId}.rpc.>`] },
+    sub: { allow: [`host-event.${hostId}.>`] },
+  });
+  const nkeySeed = seedToString(userKp.getSeed());
+  userKp.clear();
+  return { jwt, nkeySeed };
+}
+
+/**
+ * Create credentials for the palmier server itself (full access for relaying).
+ */
+export function createServerCredentials(accountSeed: string): NatsCredentials {
+  const userKp = createUser();
+  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), "server", {
+    pub: { allow: [">"] },
+    sub: { allow: [">"] },
+  });
+  const nkeySeed = seedToString(userKp.getSeed());
+  userKp.clear();
+  return { jwt, nkeySeed };
+}
+
+// ---------------------------------------------------------------------------
+// Setup: generate operator + account keys and NATS config
+// ---------------------------------------------------------------------------
+
+export interface NatsSetupResult {
+  operatorSeed: string;
+  operatorPublicKey: string;
+  accountSeed: string;
+  accountPublicKey: string;
+  operatorJwt: string;
+  accountJwt: string;
+  natsConfig: string;
+}
+
+/**
+ * Generate all keys and the NATS server config snippet for JWT auth.
+ * Run once during initial deployment, then store seeds as env vars.
+ *
+ * The `operator` field in nats.conf requires a full JWT (not a public key) —
+ * NATS treats non-JWT strings as file paths.
+ */
+export function generateNatsSetup(): NatsSetupResult {
+  const operatorKp = createOperator();
+  const accountKp = createAccount();
+
+  const operatorSeed = seedToString(operatorKp.getSeed());
+  const operatorPublicKey = operatorKp.getPublicKey();
+  const accountSeed = seedToString(accountKp.getSeed());
+  const accountPublicKey = accountKp.getPublicKey();
+
+  const operatorJwt = createOperatorJwt(operatorSeed);
+  const accountJwt = createAccountJwt(operatorSeed, accountPublicKey);
+
+  const natsConfig = [
+    `# NATS JWT auth configuration`,
+    `# Generated by palmier nats-setup`,
+    ``,
+    `operator: ${operatorJwt}`,
+    `resolver: MEMORY`,
+    `resolver_preload: {`,
+    `  ${accountPublicKey}: ${accountJwt}`,
+    `}`,
+  ].join("\n");
+
+  operatorKp.clear();
+  accountKp.clear();
+
+  return { operatorSeed, operatorPublicKey, accountSeed, accountPublicKey, operatorJwt, accountJwt, natsConfig };
+}

package/palmier-server/server/src/nats-setup.ts

@@ -0,0 +1,48 @@
+/**
+ * One-time setup script for NATS JWT authentication.
+ *
+ * Run this once when deploying Palmier for the first time (or when rotating keys).
+ * It generates the cryptographic keys and config needed for NATS to enforce
+ * per-host subject isolation.
+ *
+ * Usage:
+ *   cd server && pnpm nats-setup
+ *
+ * What it generates:
+ *
+ *   Operator NKey pair
+ *     └─ Signs the Account JWT (one-time). Store the seed securely as a backup —
+ *        you only need it again if you regenerate the account JWT.
+ *
+ *   Account NKey pair
+ *     └─ Signs User JWTs at runtime. The server uses NATS_ACCOUNT_SEED to create
+ *        scoped credentials for each host (during registration) and each PWA session.
+ *
+ *   Account JWT
+ *     └─ Embedded in the NATS server config (resolver_preload). Tells the NATS server
+ *        to trust User JWTs signed by this account key.
+ *
+ *   NATS config snippet
+ *     └─ Drop-in replacement for the authorization block in nats.conf.
+ *
+ * See PRODUCTION.md for the full deployment flow.
+ */
+
+import { generateNatsSetup } from "./nats-jwt.js";
+
+const setup = generateNatsSetup();
+
+console.log("=== NATS JWT Auth Setup ===\n");
+
+console.log("NATS_ACCOUNT_SEED (add to server/.env):\n");
+console.log(`  ${setup.accountSeed}\n`);
+
+console.log("nats.conf auth section (replace any existing auth block):\n");
+console.log(setup.natsConfig);
+console.log();
+
+console.log("Keys (store securely, do not commit):\n");
+console.log(`  Operator seed:       ${setup.operatorSeed}`);
+console.log(`  Operator public key: ${setup.operatorPublicKey}`);
+console.log(`  Account seed:        ${setup.accountSeed}`);
+console.log(`  Account public key:  ${setup.accountPublicKey}`);

package/palmier-server/server/src/nats.ts

@@ -1,4 +1,5 @@
-import { connect, NatsConnection } from "nats";
+import { connect, jwtAuthenticator, NatsConnection } from "nats";
+import { createServerCredentials, seedFromString } from "./nats-jwt.js";
 
 let nc: NatsConnection | null = null;
 
@@ -6,14 +7,21 @@ export async function connectNats(): Promise<NatsConnection> {
   if (nc) return nc;
 
   const url = process.env.NATS_URL || "nats://localhost:4222";
-  const token = process.env.NATS_TOKEN;
+  const accountSeed = process.env.NATS_ACCOUNT_SEED;
+
+  if (!accountSeed) {
+    throw new Error("NATS_ACCOUNT_SEED is required for JWT auth");
+  }
+
+  // Generate server credentials with full access
+  const creds = createServerCredentials(accountSeed);
 
   nc = await connect({
     servers: url,
-    ...(token ? { token } : {}),
+    authenticator: jwtAuthenticator(creds.jwt, seedFromString(creds.nkeySeed)),
   });
 
-  console.log(`Connected to NATS at ${url}`);
+  console.log(`Connected to NATS at ${url} (JWT auth)`);
   return nc;
 }
 

package/palmier-server/server/src/routes/device.ts

@@ -197,4 +197,28 @@ router.post("/ringer-response", async (req: Request, res: Response) => {
   }
 });
 
+// POST /api/device/email-response - Receive email response from Android, relay to host via NATS
+router.post("/email-response", async (req: Request, res: Response) => {
+  try {
+    const { requestId, hostId, result } = req.body;
+
+    if (!requestId || !hostId) {
+      res.status(400).json({ error: "requestId and hostId are required" });
+      return;
+    }
+
+    const conn = await getNatsConnection();
+    const sc = StringCodec();
+    conn.publish(
+      `host.${hostId}.email.${requestId}`,
+      sc.encode(JSON.stringify(result)),
+    );
+
+    res.json({ ok: true });
+  } catch (err) {
+    console.error("Device email response relay error:", err);
+    res.status(500).json({ error: "Internal server error" });
+  }
+});
+
 export default router;

package/palmier-server/server/src/routes/hosts.ts

@@ -1,6 +1,7 @@
 import { Router, Request, Response } from "express";
 import type { Router as RouterType } from "express";
 import { pool } from "../db.js";
+import { createHostCredentials } from "../nats-jwt.js";
 
 const router: RouterType = Router();
 
@@ -9,6 +10,13 @@ const router: RouterType = Router();
 // so re-initializing a host doesn't create a duplicate entry.
 router.post("/register", async (req: Request, res: Response) => {
   try {
+    const accountSeed = process.env.NATS_ACCOUNT_SEED;
+    if (!accountSeed) {
+      console.error("NATS_ACCOUNT_SEED not configured");
+      res.status(500).json({ error: "Server NATS auth not configured" });
+      return;
+    }
+
     const requestedId: string | undefined = req.body?.hostId;
 
     let hostId: string;
@@ -26,15 +34,18 @@ router.post("/register", async (req: Request, res: Response) => {
       hostId = result.rows[0].id;
     }
 
+    // Generate per-host NATS credentials (scoped to this host's subjects)
+    const creds = createHostCredentials(accountSeed, hostId);
+
     const natsUrl = process.env.NATS_HOST_URL || process.env.NATS_URL || "nats://localhost:4222";
     const natsWsUrl = process.env.NATS_WS_URL || "";
-    const natsToken = process.env.NATS_TOKEN || "";
 
     res.status(201).json({
       hostId,
       natsUrl,
       natsWsUrl,
-      natsToken,
+      natsJwt: creds.jwt,
+      natsNkeySeed: creds.nkeySeed,
     });
   } catch (err) {
     console.error("Register host error:", err);

package/palmier-server/spec.md

@@ -59,9 +59,9 @@ Each host machine is provisioned via `palmier init`, an interactive wizard that
 `palmier init` is an interactive wizard that:
 
 1. Detects installed agent CLIs.
-2. Asks whether to enable LAN access and which HTTP port to use (default 9966).
+2. Asks whether to enable LAN access and which HTTP port to use (default 7256).
 3. Shows a summary of task storage directory, local access URL, LAN URL (if enabled), detected agents, and any existing tasks to recover. Asks for confirmation before proceeding.
-4. Registers with the Palmier server via `POST <url>/api/hosts/register` — server returns `{ hostId, natsUrl, natsWsUrl, natsToken }`.
+4. Registers with the Palmier server via `POST <url>/api/hosts/register` — server returns `{ hostId, natsUrl, natsWsUrl, natsJwt, natsNkeySeed }`.
 5. Saves config to `~/.config/palmier/host.json` (includes `httpPort`, `lanEnabled`, NATS credentials).
 6. Installs a systemd user service (Linux) or Task Scheduler entry (Windows) and auto-enters pair mode.
 
@@ -273,7 +273,7 @@ The PWA connects to **one host at a time**. A host menu (hamburger drawer) lets
 
 1. PWA loads. If no hosts are paired, it shows an empty state with a "Pair Host" button.
 
-2. If hosts are paired, PWA fetches NATS credentials from `GET /api/config` (returns `{ natsWsUrl, natsToken }`) and connects to NATS via WebSocket.
+2. If hosts are paired, PWA fetches host-scoped NATS credentials from `GET /api/nats-credentials/<hostId>` (returns `{ natsWsUrl, natsJwt, natsNkeySeed }`) and connects to NATS via WebSocket using JWT auth. The credentials are scoped to the paired host's subjects only.
 
 3. PWA sends a `task.list` request to `host.<host_id>.rpc.task.list` using NATS request-reply, including the `clientToken` in the payload.
 
@@ -430,8 +430,9 @@ All endpoints are served over HTTPS. No user authentication is required — the
 
 | Method | Path | Description |
 |--------|------|-------------|
-| `POST` | `/api/hosts/register` | Register a new host. Returns `{ hostId, natsUrl, natsWsUrl, natsToken }`. Rate-limited by IP. |
-| `GET`  | `/api/config` | Returns NATS WebSocket credentials for the PWA: `{ natsWsUrl, natsToken }`. |
+| `POST` | `/api/hosts/register` | Register a new host. Returns `{ hostId, natsUrl, natsWsUrl, natsJwt, natsNkeySeed }` with host-scoped NATS credentials. |
+| `GET`  | `/api/config` | Returns pairing-only NATS credentials: `{ natsWsUrl, natsJwt, natsNkeySeed }`. JWT can only publish to `pair.*`. |
+| `GET`  | `/api/nats-credentials/:hostId` | Returns host-scoped NATS credentials for PWA: `{ natsWsUrl, natsJwt, natsNkeySeed }`. JWT scoped to one host's RPC + events. |
 | `POST` | `/api/push/subscribe` | Register a push subscription. Body: `{ hostId, endpoint, keys: { p256dh, auth } }`. |
 | `DELETE` | `/api/push/subscribe` | Unregister a push subscription. Body: `{ hostId, endpoint }`. |
 | `GET`  | `/api/push/vapid-key` | Returns the server's VAPID public key for push subscription. |

package/src/agents/shared-prompt.ts

@@ -16,7 +16,7 @@ const AGENT_INSTRUCTIONS_TEMPLATE = fs.readFileSync(
  * Build the full agent prompt: instructions + endpoint docs + task description.
  */
 export function getAgentInstructions(task: ParsedTask, skipPermissions?: boolean): string {
-  const port = loadConfig().httpPort ?? 9966;
+  const port = loadConfig().httpPort ?? 7256;
   const taskDescription = task.frontmatter.user_prompt;
   let instructions = AGENT_INSTRUCTIONS_TEMPLATE
     .replace(/\{\{ENDPOINT_DOCS\}\}/g, generateEndpointDocs(port, task.frontmatter.id))

package/src/commands/init.ts

@@ -45,7 +45,7 @@ export async function initCommand(): Promise<void> {
     const lanAnswer = await ask("Enable LAN access (direct HTTP from local network)? (y/N): ");
     const lanEnabled = lanAnswer.trim().toLowerCase() === "y";
 
-    let httpPort = 9966;
+    let httpPort = 7256;
     const portLabel = lanEnabled ? "HTTP port for local and LAN access" : "HTTP port for local access";
     const portAnswer = await ask(`${portLabel} (default ${httpPort}): `);
     const parsed = parseInt(portAnswer.trim(), 10);
@@ -86,7 +86,7 @@ export async function initCommand(): Promise<void> {
     try { existingHostId = loadConfig().hostId; } catch { /* first init */ }
 
     const serverUrl = "https://app.palmier.me";
-    let registerResponse: { hostId: string; natsUrl: string; natsWsUrl: string; natsToken: string };
+    let registerResponse: { hostId: string; natsUrl: string; natsWsUrl: string; natsJwt: string; natsNkeySeed: string };
 
     while (true) {
       console.log(`\nRegistering host...`);
@@ -111,7 +111,8 @@ export async function initCommand(): Promise<void> {
       projectRoot: process.cwd(),
       natsUrl: registerResponse.natsUrl,
       natsWsUrl: registerResponse.natsWsUrl,
-      natsToken: registerResponse.natsToken,
+      natsJwt: registerResponse.natsJwt,
+      natsNkeySeed: registerResponse.natsNkeySeed,
       agents,
       httpPort,
       lanEnabled,
@@ -138,7 +139,7 @@ export async function initCommand(): Promise<void> {
 async function registerHost(
   serverUrl: string,
   existingHostId?: string,
-): Promise<{ hostId: string; natsUrl: string; natsWsUrl: string; natsToken: string }> {
+): Promise<{ hostId: string; natsUrl: string; natsWsUrl: string; natsJwt: string; natsNkeySeed: string }> {
   try {
     const res = await fetch(`${serverUrl}/api/hosts/register`, {
       method: "POST",
@@ -155,7 +156,8 @@ async function registerHost(
       hostId: string;
       natsUrl: string;
       natsWsUrl: string;
-      natsToken: string;
+      natsJwt: string;
+      natsNkeySeed: string;
     };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);

package/src/commands/pair.ts

@@ -67,7 +67,7 @@ function httpPairRegister(port: number, code: string): Promise<boolean> {
 export async function pairCommand(): Promise<void> {
   const config = loadConfig();
   const code = generatePairingCode();
-  const httpPort = config.httpPort ?? 9966;
+  const httpPort = config.httpPort ?? 7256;
 
   let paired = false;