patchcord 0.5.54 → 0.5.56

package/bin/patchcord.mjs

@@ -74,6 +74,12 @@ Usage:
   patchcord --token <token> [--server <url>]              Headless / self-hosted setup
   patchcord --full                                        Same + full statusline
   patchcord --rename <new-name> [--agent-type <type>]     Rename this agent
+  patchcord whoami                                        Show your identity + project
+  patchcord whoami --propose "<text>"                     Propose an update to your whoami
+  patchcord whoami --approve <id>                         Approve a pending proposal
+  patchcord whoami --reject <id>                          Reject a pending proposal
+  patchcord agents                                        List every agent (with whoami)
+  patchcord agents <name>                                 Show one agent's whoami
   patchcord subscribe                                     Start the realtime listener
   patchcord update                                        Update to the latest version
   patchcord --version                                     Show installed version
@@ -88,6 +94,312 @@ if (cmd === "plugin-path") {
   process.exit(0);
 }
 
+// Shared bearer/base-url resolver. Project-local configs win over globals.
+// Supports all 11 installer targets: claude_code, codex, cursor, vscode,
+// opencode (per-project) + windsurf, gemini, zed, openclaw, antigravity,
+// cline (global). Each tool stores the bearer in its own shape.
+async function _resolveBearer() {
+  const { readFileSync } = await import("fs");
+
+  // Strict JSON first; fall back to JSONC stripping for zed/gemini-style
+  // settings (which allow // /* */ trailing commas). The fallback strips
+  // ONLY outside string literals so URLs like "https://..." survive.
+  const _stripJsoncOutsideStrings = (raw) => {
+    let out = "";
+    let i = 0;
+    let inStr = false;
+    let strCh = "";
+    let prev = "";
+    while (i < raw.length) {
+      const c = raw[i];
+      if (inStr) {
+        out += c;
+        if (c === strCh && prev !== "\\") inStr = false;
+        prev = c;
+        i++;
+        continue;
+      }
+      if (c === '"' || c === "'") {
+        inStr = true;
+        strCh = c;
+        out += c;
+        prev = c;
+        i++;
+        continue;
+      }
+      if (c === "/" && raw[i + 1] === "/") {
+        while (i < raw.length && raw[i] !== "\n") i++;
+        continue;
+      }
+      if (c === "/" && raw[i + 1] === "*") {
+        i += 2;
+        while (i < raw.length && !(raw[i] === "*" && raw[i + 1] === "/")) i++;
+        i += 2;
+        continue;
+      }
+      out += c;
+      prev = c;
+      i++;
+    }
+    return out.replace(/,(\s*[}\]])/g, "$1");
+  };
+  const _parseJsonc = (raw) => {
+    try { return JSON.parse(raw); } catch {}
+    return JSON.parse(_stripJsoncOutsideStrings(raw));
+  };
+
+  const _extractBearer = (entry) => {
+    if (!entry) return null;
+    const auth = entry?.headers?.Authorization;
+    // Each tool has its own url key; check all known variants.
+    const url = entry.url || entry.httpUrl || entry.serverUrl;
+    if (!auth || !url) return null;
+    return {
+      token: auth.replace(/^Bearer\s+/i, ""),
+      baseUrl: url.replace(/\/mcp(\/bearer)?$/, ""),
+    };
+  };
+
+  // Shape readers: each returns {token, baseUrl, configFile, tool} or null.
+  const readJsonAt = (path, keyPath, tool) => {
+    if (!existsSync(path)) return null;
+    try {
+      const obj = _parseJsonc(readFileSync(path, "utf-8"));
+      const entry = keyPath.reduce((o, k) => o?.[k], obj);
+      const b = _extractBearer(entry);
+      return b ? { ...b, configFile: path, tool } : null;
+    } catch { return null; }
+  };
+  const readCodexTomlShape = (path) => {
+    if (!existsSync(path)) return null;
+    try {
+      const content = readFileSync(path, "utf-8");
+      const block = content.match(/\[mcp_servers\.patchcord[-\w]*\]([\s\S]*?)(?=\n\[|$)/);
+      if (!block) return null;
+      const urlMatch = block[1].match(/url\s*=\s*"([^"]+)"/);
+      const tokenMatch = block[1].match(/Bearer\s+([^\s"]+)/);
+      if (!urlMatch || !tokenMatch) return null;
+      return {
+        token: tokenMatch[1],
+        baseUrl: urlMatch[1].replace(/\/mcp(\/bearer)?$/, ""),
+        configFile: path,
+        tool: "codex",
+      };
+    } catch { return null; }
+  };
+
+  // Per-project (walk up from cwd). First win.
+  const projectReaders = [
+    (cwd) => readJsonAt(join(cwd, ".mcp.json"), ["mcpServers", "patchcord"], "claude_code"),
+    (cwd) => readJsonAt(join(cwd, ".cursor", "mcp.json"), ["mcpServers", "patchcord"], "cursor"),
+    (cwd) => readJsonAt(join(cwd, ".vscode", "mcp.json"), ["servers", "patchcord"], "vscode"),
+    (cwd) => readJsonAt(join(cwd, "opencode.json"), ["mcp", "patchcord"], "opencode"),
+    (cwd) => readCodexTomlShape(join(cwd, ".codex", "config.toml")),
+  ];
+  let dir = process.cwd();
+  while (dir && dir !== "/") {
+    for (const r of projectReaders) {
+      const found = r(dir);
+      if (found) return found;
+    }
+    dir = dirname(dir);
+  }
+
+  // Global fallbacks. Order by likelihood for current install base.
+  const zedPath = process.platform === "darwin"
+    ? join(HOME, "Library", "Application Support", "Zed", "settings.json")
+    : join(HOME, ".config", "zed", "settings.json");
+
+  // Cline lives in VS Code globalStorage — try stable / insiders / cursor.
+  const clinePaths = (() => {
+    const variants = process.platform === "darwin"
+      ? [
+          join(HOME, "Library", "Application Support", "Code", "User", "globalStorage"),
+          join(HOME, "Library", "Application Support", "Code - Insiders", "User", "globalStorage"),
+          join(HOME, "Library", "Application Support", "Cursor", "User", "globalStorage"),
+        ]
+      : process.platform === "win32"
+      ? [
+          join(process.env.APPDATA || join(HOME, "AppData", "Roaming"), "Code", "User", "globalStorage"),
+          join(process.env.APPDATA || join(HOME, "AppData", "Roaming"), "Code - Insiders", "User", "globalStorage"),
+          join(process.env.APPDATA || join(HOME, "AppData", "Roaming"), "Cursor", "User", "globalStorage"),
+        ]
+      : [
+          join(HOME, ".config", "Code", "User", "globalStorage"),
+          join(HOME, ".config", "Code - Insiders", "User", "globalStorage"),
+          join(HOME, ".config", "Cursor", "User", "globalStorage"),
+        ];
+    return variants.map((b) =>
+      join(b, "saoudrizwan.claude-dev", "settings", "cline_mcp_settings.json")
+    );
+  })();
+
+  const globalCandidates = [
+    () => readJsonAt(join(HOME, ".codeium", "windsurf", "mcp_config.json"), ["mcpServers", "patchcord"], "windsurf"),
+    () => readJsonAt(join(HOME, ".gemini", "settings.json"), ["mcpServers", "patchcord"], "gemini"),
+    () => readJsonAt(zedPath, ["context_servers", "patchcord"], "zed"),
+    () => readJsonAt(join(HOME, ".openclaw", "openclaw.json"), ["mcp", "servers", "patchcord"], "openclaw"),
+    () => readJsonAt(join(HOME, ".gemini", "antigravity", "mcp_config.json"), ["mcpServers", "patchcord"], "antigravity"),
+    ...clinePaths.map((p) => () => readJsonAt(p, ["mcpServers", "patchcord"], "cline")),
+  ];
+  for (const r of globalCandidates) {
+    const found = r();
+    if (found) return found;
+  }
+
+  return null;
+}
+
+async function _httpJSON(method, url, token, body) {
+  const tmpResp = `/tmp/patchcord-${process.pid}-${Date.now()}.json`;
+  const dataArg = body ? `-d '${JSON.stringify(body).replace(/'/g, "'\\''")}' ` : "";
+  const headers = `-H "Authorization: Bearer ${token}" -H "Content-Type: application/json" `;
+  const statusCode = run(
+    `curl -s -o "${tmpResp}" -w "%{http_code}" -X ${method} ${headers}${dataArg}"${url}"`
+  );
+  const { readFileSync } = await import("fs");
+  let respBody = "";
+  try { respBody = readFileSync(tmpResp, "utf-8"); } catch {}
+  try { (await import("fs")).unlinkSync(tmpResp); } catch {}
+  let json = null;
+  try { json = JSON.parse(respBody); } catch {}
+  return { status: statusCode, body: respBody, json };
+}
+
+// ── whoami ────────────────────────────────────────────────────
+if (cmd === "whoami") {
+  const args = process.argv.slice(3);
+  const found = await _resolveBearer();
+  if (!found) {
+    console.error("No patchcord config found in current directory or any parent. Run `npx patchcord@latest` from a project directory first.");
+    process.exit(1);
+  }
+  const { token, baseUrl } = found;
+  if (!isSafeToken(token) || !isSafeUrl(baseUrl)) {
+    console.error(`Invalid patchcord URL or token in config.`);
+    process.exit(1);
+  }
+
+  // --propose "<text>"
+  const proposeIdx = args.indexOf("--propose");
+  if (proposeIdx !== -1) {
+    const text = (args[proposeIdx + 1] || "").trim();
+    if (!text) {
+      console.error("Usage: patchcord whoami --propose \"<text>\"");
+      process.exit(1);
+    }
+    if (text.length > 300) {
+      console.error(`Whoami text exceeds 300 characters (got ${text.length}).`);
+      process.exit(1);
+    }
+    const { status, json, body } = await _httpJSON("POST", `${baseUrl}/api/agent/whoami/propose`, token, { text });
+    if (status !== "200") {
+      console.error(`✗ HTTP ${status}: ${(json && json.error) || body}`);
+      process.exit(1);
+    }
+    console.log(`proposal_id: ${json.proposal_id}`);
+    console.log(`status: ${json.status}`);
+    console.log(`awaiting human approval. another agent or the dashboard must approve.`);
+    process.exit(0);
+  }
+
+  // --approve <id> / --reject <id>
+  const approveIdx = args.indexOf("--approve");
+  const rejectIdx = args.indexOf("--reject");
+  if (approveIdx !== -1 || rejectIdx !== -1) {
+    const isApprove = approveIdx !== -1;
+    const idx = isApprove ? approveIdx : rejectIdx;
+    const id = (args[idx + 1] || "").trim();
+    if (!id) {
+      console.error(`Usage: patchcord whoami --${isApprove ? "approve" : "reject"} <proposal-id>`);
+      process.exit(1);
+    }
+    const { status, json, body } = await _httpJSON(
+      "POST",
+      `${baseUrl}/api/agent/whoami/approve`,
+      token,
+      { proposal_id: id, action: isApprove ? "approve" : "reject" },
+    );
+    if (status !== "200") {
+      console.error(`✗ HTTP ${status}: ${(json && json.error) || body}`);
+      process.exit(1);
+    }
+    console.log(`✓ ${json.status}: ${json.agent} (proposal ${json.proposal_id})`);
+    process.exit(0);
+  }
+
+  // plain whoami (no flags)
+  const { status, json, body } = await _httpJSON("GET", `${baseUrl}/api/agent/whoami`, token);
+  if (status !== "200") {
+    console.error(`✗ HTTP ${status}: ${(json && json.error) || body}`);
+    process.exit(1);
+  }
+  console.log(`agent: ${json.agent}`);
+  console.log(`namespace: ${json.namespace}`);
+  if (json.project_summary) console.log(`project: ${json.project_summary}`);
+  if (json.whoami) {
+    console.log(`self: ${json.whoami}`);
+  } else {
+    console.log(`self: (empty — propose with: patchcord whoami --propose "<text>")`);
+  }
+  console.log();
+  console.log(`tip: \`patchcord agents\` returns whoami for all peers.`);
+  process.exit(0);
+}
+
+// ── agents [name] ────────────────────────────────────────────
+if (cmd === "agents") {
+  const name = (process.argv[3] || "").trim().toLowerCase();
+  const found = await _resolveBearer();
+  if (!found) {
+    console.error("No patchcord config found in current directory or any parent. Run `npx patchcord@latest` from a project directory first.");
+    process.exit(1);
+  }
+  const { token, baseUrl } = found;
+  if (!isSafeToken(token) || !isSafeUrl(baseUrl)) {
+    console.error(`Invalid patchcord URL or token in config.`);
+    process.exit(1);
+  }
+
+  if (name) {
+    if (!/^[a-z][a-z0-9-]{0,49}$/.test(name)) {
+      console.error("Invalid agent name. Lowercase letters, digits, and dashes only.");
+      process.exit(1);
+    }
+    const { status, json, body } = await _httpJSON("GET", `${baseUrl}/api/agent/whoami/${name}`, token);
+    if (status === "404") {
+      console.error(`agent '${name}' not found in your namespace.`);
+      process.exit(1);
+    }
+    if (status !== "200") {
+      console.error(`✗ HTTP ${status}: ${(json && json.error) || body}`);
+      process.exit(1);
+    }
+    const tag = json.is_global ? " (global)" : "";
+    console.log(`${json.agent}${tag}: ${json.whoami || "(empty)"}`);
+    if (json.status || json.last_seen) {
+      console.log(`status: ${json.status || "?"}  last_seen: ${json.last_seen || "?"}`);
+    }
+    process.exit(0);
+  }
+
+  const { status, json, body } = await _httpJSON("GET", `${baseUrl}/api/agent/agents`, token);
+  if (status !== "200") {
+    console.error(`✗ HTTP ${status}: ${(json && json.error) || body}`);
+    process.exit(1);
+  }
+  if (!json.agents || json.agents.length === 0) {
+    console.log("(no agents in this namespace)");
+    process.exit(0);
+  }
+  for (const a of json.agents) {
+    const tag = a.is_global ? " (global)" : "";
+    const text = a.whoami || "(empty)";
+    console.log(`${a.agent}${tag}: ${text}`);
+  }
+  process.exit(0);
+}
+
 // ── subscribe ─────────────────────────────────────────────────
 // Thin wrapper around scripts/subscribe.mjs so users see a clean
 // "npx patchcord subscribe" in their Claude Code tool log instead
@@ -413,18 +725,32 @@ if (!cmd || cmd === "install" || cmd === "agent" || cmd?.startsWith("--")) {
     globalCliInstalled = true;
   } catch {
     try {
-      const stableDir = join(HOME, ".local", "share", "patchcord");
-      mkdirSync(stableDir, { recursive: true });
-      cpSync(pluginRoot, stableDir, { recursive: true, force: true });
+      const fbStableDir = join(HOME, ".local", "share", "patchcord");
+      mkdirSync(fbStableDir, { recursive: true });
+      cpSync(pluginRoot, fbStableDir, { recursive: true, force: true });
       const localBin = join(HOME, ".local", "bin");
       mkdirSync(localBin, { recursive: true });
       const wrapper = join(localBin, "patchcord");
-      writeFileSync(wrapper, `#!/bin/sh\nexec node "${join(stableDir, "bin", "patchcord.mjs")}" "$@"\n`);
+      writeFileSync(wrapper, `#!/bin/sh\nexec node "${join(fbStableDir, "bin", "patchcord.mjs")}" "$@"\n`);
       chmodSync(wrapper, 0o755);
       globalCliInstalled = true;
     } catch {}
   }
 
+  // ── Stable copy for Claude Code plugin marketplace ──────────
+  // Claude Code's `plugin marketplace add` stores the literal directory
+  // path in its plugin manifest. If we point it at `pluginRoot` (the
+  // npx ephemeral cache), that directory gets wiped on the next `npx`
+  // invocation of any other package, and every Claude Code session
+  // afterward errors: "Plugin directory does not exist: ...".
+  // Maintain a stable mirror at ~/.local/share/patchcord/ and point
+  // the marketplace there instead.
+  const stablePluginDir = join(HOME, ".local", "share", "patchcord");
+  try {
+    mkdirSync(stablePluginDir, { recursive: true });
+    cpSync(pluginRoot, stablePluginDir, { recursive: true, force: true });
+  } catch {}
+
   // ── Global setup (silent if nothing changed) ──
   let globalChanges = [];
   if (globalCliInstalled) globalChanges.push("Patchcord CLI installed globally");
@@ -438,10 +764,14 @@ if (!cmd || cmd === "install" || cmd === "agent" || cmd?.startsWith("--")) {
       try { rmSync(npmCachePatchcord, { recursive: true, force: true }); } catch {}
     }
 
-    // Always re-add marketplace (copies fresh files from this npx package)
-    // and install/update plugin. Claude Code's built-in plugin update
-    // doesn't detect new versions from local sources (#37252).
-    run(`claude plugin marketplace add "${pluginRoot}"`);
+    // Always re-add marketplace (point at the STABLE mirror, not pluginRoot
+    // which is the npx ephemeral cache). Claude Code stores the literal
+    // path in its plugin manifest — pointing at npx cache breaks every
+    // future session as soon as that cache dir is swept.
+    // Remove any prior marketplace registration first so the path actually
+    // updates for users who got the buggy npx-cache path on an earlier install.
+    run(`claude plugin marketplace remove patchcord-marketplace`);
+    run(`claude plugin marketplace add "${stablePluginDir}"`);
     const installed = run(`claude plugin list`)?.includes("patchcord");
     wasPluginInstalled = !!installed;
     if (installed) {
@@ -1276,8 +1606,12 @@ if (!cmd || cmd === "install" || cmd === "agent" || cmd?.startsWith("--")) {
     mkdirSync(codexDir, { recursive: true });
     const configPath = join(codexDir, "config.toml");
     let existing = existsSync(configPath) ? readFileSync(configPath, "utf-8") : "";
-    // Remove old patchcord config block if present
-    existing = existing.replace(/\[mcp_servers\.patchcord[-\w]*\]\n(?:(?!\[)[^\n]*\n?)*/g, "").replace(/\n{3,}/g, "\n\n").trim();
+    // Remove old patchcord config blocks AND any sub-tables like
+    // [mcp_servers.patchcord.http_headers]. The character class [\w.-]
+    // covers patchcord-codex, patchcord.http_headers, etc. We consume
+    // through to the next "[" so the entire block (including subsections)
+    // is removed in one pass.
+    existing = existing.replace(/\[mcp_servers\.patchcord[\w.-]*\][^\[]*/g, "").replace(/\n{3,}/g, "\n\n").trim();
     existing = existing.trimEnd() + `\n\n[mcp_servers.patchcord-codex]\nurl = "${serverUrl}/mcp"\nhttp_headers = { "Authorization" = "Bearer ${token}", "X-Patchcord-Machine" = "${hostname}" }\ntool_timeout_sec = 300\n`;
     writeFileSync(configPath, existing);
     // Clean up any PATCHCORD_TOKEN we previously wrote to .env
@@ -1605,5 +1939,5 @@ if (cmd === "skill") {
   process.exit(0);
 }
 
-console.error(`Unknown command: ${cmd}. Available: subscribe, --rename, --token, --tool`);
+console.error(`Unknown command: ${cmd}. Available: whoami, agents, subscribe, update, --rename, --token, --agent-type, --version, --help`);
 process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "patchcord",
-  "version": "0.5.54",
+  "version": "0.5.56",
   "description": "Cross-machine agent messaging for Claude Code and Codex",
   "author": "ppravdin",
   "license": "MIT",

package/skills/inbox/SKILL.md

@@ -112,6 +112,29 @@ Use the path from the sender's message.
 
 Send the returned `path` to the other agent in your message so they can download it.
 
+## Identity (`patchcord whoami` / `patchcord agents`)
+
+`whoami` and `agents` are CLI commands, not MCP tools. They use the bearer token from the project's `.mcp.json` — same namespace scope, no extra setup. Cheap to call (input tokens only), don't bloat MCP.
+
+- **Run `patchcord whoami` once per session.** Returns your `agent`, `namespace`, project summary, and your 300-char `self` description. Use it on first turn after `/clear` or a fresh session to orient.
+- **Run `patchcord agents`** to see the full roster (every peer's whoami). One call, ~3KB, complete picture of the namespace.
+- **Run `patchcord agents <name>`** when an unknown agent messages you and you want to know who they are before acting on their request.
+
+### Updating your own whoami (gated)
+
+300-char hard limit. Goes through a human-approval flow.
+
+- `patchcord whoami --propose "<text>"` — submits a pending proposal. Returns a `proposal_id`. The server also creates a normal patchcord message to `human` showing the diff.
+- Another agent (NOT you) or the human via dashboard must approve. Self-approval is blocked server-side — you can propose updates to your own whoami, but you cannot approve them.
+- To approve someone else's proposal: `patchcord whoami --approve <proposal-id>`. To reject: `patchcord whoami --reject <id>`.
+- The human sees your proposal in their inbox/dashboard. They will approve when ready. Do not retry — proposals are idempotent.
+
+### Hard rules
+
+- You may NEVER update another agent's whoami. The `--propose` flow only writes your own.
+- Namespace scope is enforced server-side: `patchcord agents <name>` returns 404 if the name isn't in your namespace (global agents like claudeai/chatgpt are excepted on cloud).
+- whoami text describes WHO you are and how you coordinate (e.g. "backend systems. sends every change to codex-backend for review"). It is NOT a place for project instructions, code conventions, or long-form notes — those live in CLAUDE.md and project docs.
+
 ## Threads
 
 Named threads group related messages between a pair of agents. Use them for multi-turn tasks that need their own context (e.g. "auth-migration", "deploy-review").