svamp-cli 0.2.60 → 0.2.65

package/dist/{serveCommands-CMSmcjsp.mjs → serveCommands-sRps4L_A.mjs}

@@ -54,17 +54,20 @@ async function handleServeCommand() {
   }
 }
 async function serveAdd(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-B0kLKYmc.mjs');
+  const { connectAndGetMachine } = await import('./commands-CgirOjun.mjs');
   const pos = positionalArgs(args);
   const name = pos[0];
   if (!name) {
-    console.error("Usage: svamp serve [add] <name> [directory] [--public | --access email1,email2]");
+    console.error("Usage: svamp serve [add] <name> [directory] [--public | --owner | --access email1,email2]");
+    console.error("  Default: capability URL (link mode) \u2014 anyone with the URL can view, no login required.");
     process.exit(1);
   }
   const directory = path.resolve(pos[1] || ".");
-  let access = "owner";
+  let access = "link";
   if (hasFlag(args, "--public")) {
     access = "public";
+  } else if (hasFlag(args, "--owner")) {
+    access = "owner";
   } else {
     const accessFlag = getFlag(args, "--access");
     if (accessFlag) {
@@ -75,8 +78,12 @@ async function serveAdd(args, machineId) {
   try {
     const result = await machine.serveAdd({ name, directory, access });
     console.log(`Mount added: ${name} \u2192 ${directory}`);
-    console.log(`Access: ${access === "public" ? "public" : access === "owner" ? "owner only" : access.join(", ")}`);
+    const accessLabel = access === "public" ? "public (no auth)" : access === "link" ? "link (capability URL \u2014 anyone with the URL can view)" : access === "owner" ? "owner only (Hypha login)" : `${access.join(", ")} (Hypha login)`;
+    console.log(`Access: ${accessLabel}`);
     console.log(`URL: ${result.url}`);
+    if (access === "link") {
+      console.log(`(URL embeds a long capability token; keep it secret to keep the mount private.)`);
+    }
   } catch (err) {
     console.error(`Error: ${err.message || err}`);
     process.exit(1);
@@ -86,7 +93,7 @@ async function serveAdd(args, machineId) {
   }
 }
 async function serveApply(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-B0kLKYmc.mjs');
+  const { connectAndGetMachine } = await import('./commands-CgirOjun.mjs');
   const fs = await import('fs');
   const yaml = await import('yaml');
   const file = positionalArgs(args)[0];
@@ -107,7 +114,10 @@ async function serveApply(args, machineId) {
     console.error("    warmup_timeout_ms: 30000");
     console.error("    idle_timeout_sec: 600   # 0 = always running");
     console.error("    wake_on_request: true   # spawn lazily on first request");
-    console.error("  access: public            # public | owner (default) | [emails]");
+    console.error("  access: link              # link (default) | public | owner | [emails]");
+    console.error("  # link  \u2014 capability URL, anyone with the URL can view");
+    console.error("  # public \u2014 fully open, short URL");
+    console.error("  # owner / [emails] \u2014 Hypha login required");
     process.exit(1);
   }
   if (!fs.existsSync(file)) {
@@ -150,7 +160,8 @@ async function serveApply(args, machineId) {
     directory: parsed.directory ? path.resolve(parsed.directory) : void 0,
     process: proc,
     sessionId: parsed.sessionId ?? parsed.session_id,
-    access: parsed.access ?? "owner",
+    access: parsed.access ?? "link",
+    // default flipped from 'owner' to 'link' (capability URL)
     ownerEmail: parsed.ownerEmail ?? parsed.owner_email
   };
   const { machine, server } = await connectAndGetMachine(machineId);
@@ -171,7 +182,7 @@ async function serveApply(args, machineId) {
   }
 }
 async function serveRemove(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-B0kLKYmc.mjs');
+  const { connectAndGetMachine } = await import('./commands-CgirOjun.mjs');
   const pos = positionalArgs(args);
   const name = pos[0];
   if (!name) {
@@ -191,7 +202,7 @@ async function serveRemove(args, machineId) {
   }
 }
 async function serveList(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-B0kLKYmc.mjs');
+  const { connectAndGetMachine } = await import('./commands-CgirOjun.mjs');
   const all = hasFlag(args, "--all", "-a");
   const json = hasFlag(args, "--json");
   const sessionId = getFlag(args, "--session");
@@ -224,7 +235,7 @@ async function serveList(args, machineId) {
   }
 }
 async function serveInfo(machineId) {
-  const { connectAndGetMachine } = await import('./commands-B0kLKYmc.mjs');
+  const { connectAndGetMachine } = await import('./commands-CgirOjun.mjs');
   const { machine, server } = await connectAndGetMachine(machineId);
   try {
     const info = await machine.serveInfo();
@@ -258,10 +269,14 @@ Usage:
   svamp serve list [--all] [--json]    List mounts (default: current session only)
   svamp serve info                     Show server status and URL
 
-Access control (default: owner only):
-  --public                  Allow anyone to access (no auth)
-  --access email1,email2    Allow specific users (comma-separated emails)
-  (no flag)                 Owner only \u2014 requires Hypha login
+Access tiers (default: link):
+  (no flag)                 Capability URL \u2014 anyone with the URL can view.
+                            URL embeds a long random token (~192-bit entropy)
+                            as the first path segment. No login required.
+                            Best for embedding in agent artifact iframes.
+  --public                  Fully public \u2014 no auth, short URL.
+  --owner                   Hypha login required, owner-only.
+  --access email1,email2    Hypha login required, specific allowed emails.
 
 Options:
   -m, --machine <id>    Target a specific machine
@@ -270,12 +285,13 @@ Options:
   --json                Output as JSON
 
 Examples:
-  svamp serve my-report ./output               # Owner-only (default)
-  svamp serve dashboard ./dist --public        # Anyone can access
-  svamp serve data ./csv --access a@x.com,b@y.com  # Specific users
-  svamp serve apply my-app.yaml                # Declarative apply
-  svamp serve list --all                       # Show all mounts
-  svamp serve remove my-report                 # Stop serving
+  svamp serve my-report ./output                   # Default: capability URL
+  svamp serve dashboard ./dist --public            # Anyone, short URL
+  svamp serve data ./csv --owner                   # Hypha login required
+  svamp serve data ./csv --access a@x.com,b@y.com  # Specific Hypha users
+  svamp serve apply my-app.yaml                    # Declarative apply
+  svamp serve list --all                           # Show all mounts
+  svamp serve remove my-report                     # Stop serving
 
 Declarative apply (svamp serve apply <yaml>):
   name: my-app

package/dist/{serveManager-C9pzi-2O.mjs → serveManager-pDviHaH8.mjs}

@@ -1,14 +1,15 @@
 import { spawn } from 'child_process';
+import * as crypto from 'crypto';
 import * as fs from 'fs';
 import * as http from 'http';
 import * as net from 'net';
 import * as path from 'path';
-import { S as ServeAuth, h as hasCookieToken } from './run-Dhliie9Z.mjs';
+import { S as ServeAuth, h as hasCookieToken } from './run-EPzdDXeY.mjs';
 import 'os';
 import 'fs/promises';
 import 'url';
-import 'crypto';
 import 'node:fs';
+import 'util';
 import 'node:crypto';
 import 'node:path';
 import 'node:child_process';
@@ -21,6 +22,9 @@ import 'zod';
 import 'node:fs/promises';
 import 'node:util';
 
+function generateLinkToken() {
+  return crypto.randomBytes(16).toString("hex");
+}
 function findFreePort() {
   return new Promise((resolve, reject) => {
     const srv = net.createServer();
@@ -88,7 +92,7 @@ class ServeManager {
    * Throws if a mount with the same name already exists, preserving the
    * pre-existing semantics that callers may depend on.
    */
-  async addMount(name, directory, sessionId, access = "owner", ownerEmail) {
+  async addMount(name, directory, sessionId, access = "link", ownerEmail) {
     if (this.mounts.has(name)) {
       throw new Error(`Mount '${name}' already exists. Remove it first or choose a different name.`);
     }
@@ -123,13 +127,18 @@ class ServeManager {
     if (this.mounts.has(spec.name)) {
       await this.removeMount(spec.name);
     }
+    const access = spec.access ?? "link";
     const mount = {
       name: spec.name,
       directory: resolvedDir,
       process: spec.process,
       sessionId: spec.sessionId,
       ownerEmail: spec.ownerEmail,
-      access: spec.access ?? "owner",
+      access,
+      // Generate a capability token if access is 'link' and we don't
+      // already have one from persisted state (token is stable across
+      // restarts).
+      linkToken: access === "link" ? spec.linkToken || generateLinkToken() : void 0,
       addedAt: Date.now()
     };
     this.mounts.set(spec.name, mount);
@@ -432,11 +441,18 @@ class ServeManager {
     }, 3e4);
   }
   // ── Internal ─────────────────────────────────────────────────────────
-  /** Get the public URL for a mount (mount-specific subdomain). */
+  /**
+   * Get the public URL for a mount (mount-specific subdomain).
+   * For `access: 'link'` mounts, the subdomain itself carries the capability —
+   * the tunnel registers a long random suffix (~128 bits of entropy), so the
+   * URL is identical in shape to other tiers, just longer. Content serves
+   * from the root, so HTML with absolute paths (`/style.css`, `/app.js`)
+   * works unchanged.
+   */
   getMountUrl(name) {
     const tunnel = this.mountTunnels.get(name);
-    const url = tunnel?.getUrls().get(this.port);
-    if (url) return `${url}/`;
+    const tunnelUrl = tunnel?.getUrls().get(this.port);
+    if (tunnelUrl) return `${tunnelUrl}/`;
     if (this.port) return `http://127.0.0.1:${this.port}/${name}/`;
     return null;
   }
@@ -523,7 +539,7 @@ class ServeManager {
           res.end(html);
           return;
         }
-        if (mount && mount.access !== "public") {
+        if (mount && mount.access !== "public" && mount.access !== "link") {
           const userEmail = this.auth ? await this.auth.authenticate(req).catch(() => null) : null;
           const allowed = this.auth ? this.auth.isAuthorized(userEmail, mount.access, mount.ownerEmail) : false;
           if (!allowed) {
@@ -668,12 +684,15 @@ class ServeManager {
     if (!this.port) throw new Error("Auth proxy not running \u2014 call ensureRunning() first");
     const subdomainSafe = mountName.toLowerCase().replace(/[^a-z0-9-]/g, "-");
     const tunnelName = `static-${subdomainSafe}`;
+    const mount = this.mounts.get(mountName);
+    const subdomainOverride = mount?.access === "link" && mount.linkToken ? /* @__PURE__ */ new Map([[this.port, `static-${subdomainSafe}-${mount.linkToken}`]]) : void 0;
     try {
       const { FrpcTunnel } = await import('./frpc-j60b46eU.mjs');
       let tunnel;
       tunnel = new FrpcTunnel({
         name: tunnelName,
         ports: [this.port],
+        subdomains: subdomainOverride,
         // End-to-end probe: the daemon's health loop watches probe.ok
         // to detect ghosted tunnel registrations (frpc says "connected"
         // but no traffic actually flows). The sentinel route is served

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svamp-cli",
-  "version": "0.2.60",
+  "version": "0.2.65",
   "description": "Svamp CLI — AI workspace daemon on Hypha Cloud",
   "author": "Amun AI AB",
   "license": "SEE LICENSE IN LICENSE",
@@ -20,7 +20,7 @@
   "scripts": {
     "build": "rm -rf dist bin/skills && mkdir -p bin/skills && cp -r ../../skills/artifact bin/skills/artifact && tsc --noEmit && pkgroll",
     "typecheck": "tsc --noEmit",
-    "test": "npx tsx test/test-authorize.mjs && npx tsx test/test-normalize-allowed-user.mjs && npx tsx test/test-share-url.mjs && npx tsx test/test-update-sharing-normalization.mjs && npx tsx test/test-staged-homes-sweep.mjs && npx tsx test/test-session-helpers.mjs && npx tsx test/test-cli-routing.mjs && npx tsx test/test-security-context.mjs && npx tsx test/test-isolation-decision.mjs && npx tsx test/test-ralph-loop.mjs && npx tsx test/test-message-helpers.mjs && npx tsx test/test-agent-config.mjs && npx tsx test/test-wrap-command.mjs && npx tsx test/test-credential-staging.mjs && npx tsx test/test-claude-auth.mjs && npx tsx test/test-output-formatters.mjs && npx tsx test/test-agent-types.mjs && npx tsx test/test-transport.mjs && npx tsx test/test-session-update-handlers.mjs && npx tsx test/test-session-scanner.mjs && npx tsx test/test-hypha-client.mjs && npx tsx test/test-hook-settings.mjs && npx tsx test/test-session-service-logic.mjs && npx tsx test/test-daemon-persistence.mjs && npx tsx test/test-detect-isolation.mjs && npx tsx test/test-machine-service-logic.mjs && npx tsx test/test-interactive-helpers.mjs && npx tsx test/test-codex-backend.mjs && npx tsx test/test-acp-backend.mjs && npx tsx test/test-acp-bridge.mjs && npx tsx test/test-hook-server.mjs && npx tsx test/test-session-commands.mjs && npx tsx test/test-interactive-console.mjs && npx tsx test/test-session-messages.mjs && npx tsx test/test-skills.mjs && npx tsx test/test-agent-grouping.mjs && npx tsx test/test-ralph-loop-integration.mjs && npx tsx test/test-ralph-loop-modes.mjs && npx tsx test/test-machine-list-directory.mjs && npx tsx test/test-service-commands.mjs && npx tsx test/test-supervisor.mjs && npx tsx test/test-supervisor-lock.mjs && npx tsx test/test-clear-detection.mjs && npx tsx test/test-session-consolidation.mjs && npx tsx test/test-inbox.mjs && npx tsx test/test-session-rpc-dispatch.mjs && npx tsx test/test-sandbox-cli.mjs && npx tsx test/test-serve-manager.mjs && npx tsx test/test-serve-stability.mjs && npx tsx test/test-frpc-e2e.mjs --unit-only",
+    "test": "npx tsx test/test-context-window.mjs && npx tsx test/test-authorize.mjs && npx tsx test/test-normalize-allowed-user.mjs && npx tsx test/test-share-url.mjs && npx tsx test/test-update-sharing-normalization.mjs && npx tsx test/test-staged-homes-sweep.mjs && npx tsx test/test-session-helpers.mjs && npx tsx test/test-cli-routing.mjs && npx tsx test/test-security-context.mjs && npx tsx test/test-isolation-decision.mjs && npx tsx test/test-ralph-loop.mjs && npx tsx test/test-message-helpers.mjs && npx tsx test/test-agent-config.mjs && npx tsx test/test-wrap-command.mjs && npx tsx test/test-credential-staging.mjs && npx tsx test/test-claude-auth.mjs && npx tsx test/test-output-formatters.mjs && npx tsx test/test-agent-types.mjs && npx tsx test/test-transport.mjs && npx tsx test/test-session-update-handlers.mjs && npx tsx test/test-session-scanner.mjs && npx tsx test/test-hypha-client.mjs && npx tsx test/test-hook-settings.mjs && npx tsx test/test-session-service-logic.mjs && npx tsx test/test-daemon-persistence.mjs && npx tsx test/test-detect-isolation.mjs && npx tsx test/test-machine-service-logic.mjs && npx tsx test/test-interactive-helpers.mjs && npx tsx test/test-codex-backend.mjs && npx tsx test/test-acp-backend.mjs && npx tsx test/test-acp-bridge.mjs && npx tsx test/test-hook-server.mjs && npx tsx test/test-session-commands.mjs && npx tsx test/test-interactive-console.mjs && npx tsx test/test-session-messages.mjs && npx tsx test/test-skills.mjs && npx tsx test/test-agent-grouping.mjs && npx tsx test/test-ralph-loop-integration.mjs && npx tsx test/test-ralph-loop-modes.mjs && npx tsx test/test-machine-list-directory.mjs && npx tsx test/test-service-commands.mjs && npx tsx test/test-supervisor.mjs && npx tsx test/test-supervisor-lock.mjs && npx tsx test/test-clear-detection.mjs && npx tsx test/test-session-consolidation.mjs && npx tsx test/test-inbox.mjs && npx tsx test/test-session-rpc-dispatch.mjs && npx tsx test/test-sandbox-cli.mjs && npx tsx test/test-serve-manager.mjs && npx tsx test/test-serve-stability.mjs && npx tsx test/test-frpc-e2e.mjs --unit-only",
     "test:hypha": "node --no-warnings test/test-hypha-service.mjs",
     "dev": "tsx src/cli.ts",
     "dev:daemon": "tsx src/cli.ts daemon start-sync",

package/dist/package-B7BB3yVn.mjs

@@ -1,63 +0,0 @@
-var name = "svamp-cli";
-var version = "0.2.60";
-var description = "Svamp CLI — AI workspace daemon on Hypha Cloud";
-var author = "Amun AI AB";
-var license = "SEE LICENSE IN LICENSE";
-var type = "module";
-var bin = {
-	svamp: "./bin/svamp.mjs"
-};
-var files = [
-	"dist",
-	"bin"
-];
-var main = "./dist/index.mjs";
-var exports$1 = {
-	".": "./dist/index.mjs",
-	"./cli": "./dist/cli.mjs"
-};
-var scripts = {
-	build: "rm -rf dist bin/skills && mkdir -p bin/skills && cp -r ../../skills/artifact bin/skills/artifact && tsc --noEmit && pkgroll",
-	typecheck: "tsc --noEmit",
-	test: "npx tsx test/test-authorize.mjs && npx tsx test/test-normalize-allowed-user.mjs && npx tsx test/test-share-url.mjs && npx tsx test/test-update-sharing-normalization.mjs && npx tsx test/test-staged-homes-sweep.mjs && npx tsx test/test-session-helpers.mjs && npx tsx test/test-cli-routing.mjs && npx tsx test/test-security-context.mjs && npx tsx test/test-isolation-decision.mjs && npx tsx test/test-ralph-loop.mjs && npx tsx test/test-message-helpers.mjs && npx tsx test/test-agent-config.mjs && npx tsx test/test-wrap-command.mjs && npx tsx test/test-credential-staging.mjs && npx tsx test/test-claude-auth.mjs && npx tsx test/test-output-formatters.mjs && npx tsx test/test-agent-types.mjs && npx tsx test/test-transport.mjs && npx tsx test/test-session-update-handlers.mjs && npx tsx test/test-session-scanner.mjs && npx tsx test/test-hypha-client.mjs && npx tsx test/test-hook-settings.mjs && npx tsx test/test-session-service-logic.mjs && npx tsx test/test-daemon-persistence.mjs && npx tsx test/test-detect-isolation.mjs && npx tsx test/test-machine-service-logic.mjs && npx tsx test/test-interactive-helpers.mjs && npx tsx test/test-codex-backend.mjs && npx tsx test/test-acp-backend.mjs && npx tsx test/test-acp-bridge.mjs && npx tsx test/test-hook-server.mjs && npx tsx test/test-session-commands.mjs && npx tsx test/test-interactive-console.mjs && npx tsx test/test-session-messages.mjs && npx tsx test/test-skills.mjs && npx tsx test/test-agent-grouping.mjs && npx tsx test/test-ralph-loop-integration.mjs && npx tsx test/test-ralph-loop-modes.mjs && npx tsx test/test-machine-list-directory.mjs && npx tsx test/test-service-commands.mjs && npx tsx test/test-supervisor.mjs && npx tsx test/test-supervisor-lock.mjs && npx tsx test/test-clear-detection.mjs && npx tsx test/test-session-consolidation.mjs && npx tsx test/test-inbox.mjs && npx tsx test/test-session-rpc-dispatch.mjs && npx tsx test/test-sandbox-cli.mjs && npx tsx test/test-serve-manager.mjs && npx tsx test/test-serve-stability.mjs && npx tsx test/test-frpc-e2e.mjs --unit-only",
-	"test:hypha": "node --no-warnings test/test-hypha-service.mjs",
-	dev: "tsx src/cli.ts",
-	"dev:daemon": "tsx src/cli.ts daemon start-sync",
-	"test:e2e": "node --no-warnings test/e2e-session-tests.mjs",
-	"test:frpc": "npx tsx test/test-frpc-e2e.mjs"
-};
-var dependencies = {
-	"@agentclientprotocol/sdk": "^0.14.1",
-	"@modelcontextprotocol/sdk": "^1.25.3",
-	"hypha-rpc": "0.21.40",
-	"node-pty": "1.2.0-beta.11",
-	ws: "^8.18.0",
-	yaml: "^2.8.2",
-	zod: "^3.24.4"
-};
-var devDependencies = {
-	"@types/node": ">=20",
-	"@types/ws": "^8.5.14",
-	pkgroll: "^2.14.2",
-	tsx: "^4.20.6",
-	typescript: "5.9.3"
-};
-var packageManager = "yarn@1.22.22";
-var _package = {
-	name: name,
-	version: version,
-	description: description,
-	author: author,
-	license: license,
-	type: type,
-	bin: bin,
-	files: files,
-	main: main,
-	exports: exports$1,
-	scripts: scripts,
-	dependencies: dependencies,
-	devDependencies: devDependencies,
-	packageManager: packageManager
-};
-
-export { author, bin, _package as default, dependencies, description, devDependencies, exports$1 as exports, files, license, main, name, packageManager, scripts, type, version };