teleportation-cli 1.1.3 → 1.1.5

package/.claude/hooks/config-loader.mjs

@@ -1,6 +1,7 @@
 #!/usr/bin/env bun
 // Shared config loader for all hooks
 // Reads from encrypted credentials (~/.teleportation/credentials), then ~/.teleportation-config.json, then env vars
+// PRD-0019: Supports JWT authentication with automatic token refresh
 
 import { readFile } from 'node:fs/promises';
 import { homedir } from 'node:os';
@@ -12,6 +13,33 @@ import { fileURLToPath } from 'node:url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
+// Path resolution helper for auth modules
+const AUTH_MODULE_PATHS = [
+  // If hook is still in project directory
+  () => join(process.cwd(), 'lib', 'auth'),
+  // If installed globally, try common locations
+  () => join(homedir(), '.teleportation', 'lib', 'auth'),
+  // Try relative to hook location (if hooks are symlinked)
+  () => join(__dirname, '..', '..', 'lib', 'auth')
+];
+
+/**
+ * Try to import a module from multiple possible paths
+ */
+async function tryImportModule(moduleName) {
+  for (const getPath of AUTH_MODULE_PATHS) {
+    const modulePath = join(getPath(), moduleName);
+    try {
+      const module = await import(modulePath);
+      return module;
+    } catch (e) {
+      // Try next path
+      continue;
+    }
+  }
+  return null;
+}
+
 export async function loadConfig() {
   // Test override: allow forcing config to be loaded from environment variables only
   // This is useful for unit tests that mock the relay API.
@@ -20,46 +48,70 @@ export async function loadConfig() {
       relayApiUrl: env.RELAY_API_URL || '',
       relayApiKey: env.RELAY_API_KEY || '',
       userToken: env.DETACH_USER_TOKEN || '',
-      slackWebhookUrl: env.SLACK_WEBHOOK_URL || ''
+      slackWebhookUrl: env.SLACK_WEBHOOK_URL || '',
+      authMethod: 'env'
     };
   }
 
-  // Priority 1: Try to load from encrypted credentials file
+  // Priority 1: Try JWT authentication (PRD-0019)
+  // This provides automatic token refresh for short-lived access tokens
   try {
-    // Try multiple possible paths for the credential manager
-    const possiblePaths = [
-      // If hook is still in project directory
-      join(process.cwd(), 'lib', 'auth', 'credentials.js'),
-      // If installed globally, try common locations
-      join(homedir(), '.teleportation', 'lib', 'auth', 'credentials.js'),
-      // Development path (if running from workspace)
-      join(homedir(), 'dev_env', 'teleporter', 'teleportation', 'lib', 'auth', 'credentials.js'),
-      // Try relative to hook location (if hooks are symlinked)
-      join(__dirname, '..', '..', 'lib', 'auth', 'credentials.js')
-    ];
-    
-    let CredentialManager = null;
-    for (const credentialsPath of possiblePaths) {
-      try {
-        const module = await import(credentialsPath);
-        CredentialManager = module.CredentialManager;
-        if (CredentialManager) break;
-      } catch (e) {
-        // Try next path
-        continue;
+    const tokenRefreshModule = await tryImportModule('token-refresh.js');
+    if (tokenRefreshModule && tokenRefreshModule.getValidAccessToken) {
+      const { getValidAccessToken, getAuthMethod } = tokenRefreshModule;
+
+      // Check if JWT credentials are available
+      const authInfo = await getAuthMethod();
+      if (authInfo.method === 'jwt') {
+        // Get a valid access token (refreshes automatically if needed)
+        const accessToken = await getValidAccessToken();
+
+        // Load credentials for other config values
+        const credentialsModule = await tryImportModule('credentials.js');
+        let relayApiUrl = '';
+        let slackWebhookUrl = '';
+
+        if (credentialsModule && credentialsModule.CredentialManager) {
+          const manager = new credentialsModule.CredentialManager();
+          const credentials = await manager.load();
+          if (credentials) {
+            relayApiUrl = credentials.relayApiUrl || credentials.relay_api_url || '';
+            slackWebhookUrl = credentials.slackWebhookUrl || credentials.slack_webhook_url || '';
+          }
+        }
+
+        return {
+          relayApiUrl,
+          relayApiKey: accessToken, // JWT access token used as Bearer token
+          userToken: '',
+          slackWebhookUrl,
+          authMethod: 'jwt'
+        };
       }
     }
-    
-    if (CredentialManager) {
-      const manager = new CredentialManager();
+  } catch (e) {
+    // JWT auth failed (token refresh error, etc.) - fall back to legacy auth
+    // Common errors: session expired, network issues, etc.
+    if (env.DEBUG) {
+      console.error(`[ConfigLoader] JWT auth failed: ${e.message}`);
+    }
+  }
+
+  // Priority 2: Try to load from encrypted credentials file (legacy API key)
+  try {
+    const credentialsModule = await tryImportModule('credentials.js');
+
+    if (credentialsModule && credentialsModule.CredentialManager) {
+      const manager = new credentialsModule.CredentialManager();
       const credentials = await manager.load();
-      
+
       if (credentials) {
         return {
           relayApiUrl: credentials.relayApiUrl || credentials.relay_api_url || '',
           relayApiKey: credentials.relayApiKey || credentials.apiKey || credentials.relay_api_key || '',
           userToken: credentials.userToken || credentials.user_token || '',
-          slackWebhookUrl: credentials.slackWebhookUrl || credentials.slack_webhook_url || ''
+          slackWebhookUrl: credentials.slackWebhookUrl || credentials.slack_webhook_url || '',
+          authMethod: 'api-key'
         };
       }
     }
@@ -67,9 +119,9 @@ export async function loadConfig() {
     // Credential manager not available or credentials don't exist, continue to fallback
   }
   
-  // Priority 2: Try to load from legacy config file
+  // Priority 3: Try to load from legacy config file
   const configPath = join(homedir(), '.teleportation-config.json');
-  
+
   try {
     const content = await readFile(configPath, 'utf8');
     const config = JSON.parse(content);
@@ -77,17 +129,19 @@ export async function loadConfig() {
       relayApiUrl: config.relay_api_url || '',
       relayApiKey: config.relay_api_key || '',
       userToken: config.user_token || '',
-      slackWebhookUrl: config.slack_webhook_url || ''
+      slackWebhookUrl: config.slack_webhook_url || '',
+      authMethod: 'legacy-config'
     };
   } catch (e) {
     // Config file doesn't exist, continue to fallback
   }
-  
-  // Priority 3: Fall back to environment variables
+
+  // Priority 4: Fall back to environment variables
   return {
     relayApiUrl: env.RELAY_API_URL || '',
     relayApiKey: env.RELAY_API_KEY || '',
     userToken: env.DETACH_USER_TOKEN || '',
-    slackWebhookUrl: env.SLACK_WEBHOOK_URL || ''
+    slackWebhookUrl: env.SLACK_WEBHOOK_URL || '',
+    authMethod: 'env'
   };
 }

package/.claude/hooks/permission_request.mjs

@@ -84,7 +84,16 @@ const isValidSessionId = (id) => {
 
 const fetchJson = async (url, opts) => {
   const res = await fetch(url, opts);
-  if (!res.ok) throw new Error(`HTTP ${res.status}`);
+  if (!res.ok) {
+    let errorBody = '';
+    try {
+      const errorData = await res.json();
+      errorBody = JSON.stringify(errorData);
+    } catch (e) {
+      errorBody = await res.text();
+    }
+    throw new Error(`HTTP ${res.status}: ${errorBody}`);
+  }
   return res.json();
 };
 
@@ -225,12 +234,14 @@ const fetchJson = async (url, opts) => {
       }
 
       if (lastUserMessage) {
+        const CONTEXT_LIMIT = 2000;
+        const truncated = lastUserMessage.length > CONTEXT_LIMIT;
         conversation_context = {
-          user_last_message: lastUserMessage.slice(0, 500), // Truncate to 500 chars
+          user_last_message: truncated ? lastUserMessage.slice(0, CONTEXT_LIMIT) + '...' : lastUserMessage,
           claude_reasoning: null, // Phase 2: extract Claude's reasoning
           timestamp: Date.now()
         };
-        log(`Extracted conversation context: user_message="${lastUserMessage.slice(0, 50)}..."`);
+        log(`Extracted conversation context (truncated: ${truncated}): user_message="${conversation_context.user_last_message.slice(0, 50)}..."`);
       }
     } catch (e) {
       log(`Warning: Failed to extract conversation context: ${e.message}`);
@@ -238,36 +249,77 @@ const fetchJson = async (url, opts) => {
   }
 
   // Fallback: Generate tool_use_id if not provided (defensive programming)
-  const effective_tool_use_id = tool_use_id || `tool_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+  const effective_tool_use_id = tool_use_id || `tool_${crypto.randomUUID()}`;
   if (!tool_use_id) {
     log(`Warning: tool_use_id not provided, generated fallback: ${effective_tool_use_id}`);
   }
 
+  // Fetch session to get owner_id (PRD-0018: Multi-tenancy)
+  let owner_id = null;
+  try {
+    log(`Fetching session ${session_id} to get owner_id for approval`);
+    const sessionResponse = await fetch(`${RELAY_API_URL}/api/sessions/${session_id}`, {
+      headers: { 'Authorization': `Bearer ${RELAY_API_KEY}` }
+    });
+    
+    if (sessionResponse.ok) {
+      const session = await sessionResponse.json();
+      owner_id = session.owner_id;
+      log(`Retrieved owner_id: ${owner_id} from session`);
+    } else {
+      log(`Warning: Failed to fetch session (HTTP ${sessionResponse.status}). Creating orphan approval.`);
+    }
+  } catch (e) {
+    log(`Warning: Failed to fetch session owner_id: ${e.message}`);
+    // Continue without owner_id - will create orphan approval
+  }
+
   // Create approval request with metadata and context (PRD-0013)
   let approvalId;
   try {
-    const created = await fetchJson(`${RELAY_API_URL}/api/approvals`, {
+    const payload = {
+      session_id,
+      tool_name,
+      tool_input,
+      meta,
+      tool_use_id: effective_tool_use_id,
+      owner_id,  // PRD-0018: Associate approval with user
+    };
+    // Only include conversation_context if not null
+    // API validation expects it to be an object, not null
+    if (conversation_context !== null) {
+      payload.conversation_context = conversation_context;
+    }
+    // Phase 2 fields - not implemented yet, so don't include them
+    // if (task_description !== null) payload.task_description = task_description;
+    // if (transcript_excerpt !== null) payload.transcript_excerpt = transcript_excerpt;
+
+    log(`Creating approval with payload: ${JSON.stringify(payload).substring(0, 500)}`);
+    const approvalRes = await fetch(`${RELAY_API_URL}/api/approvals`, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
         'Authorization': `Bearer ${RELAY_API_KEY}`
       },
-      body: JSON.stringify({
-        session_id,
-        tool_name,
-        tool_input,
-        meta,
-        tool_use_id: effective_tool_use_id,
-        conversation_context,
-        task_description: null, // Phase 2: infer multi-step tasks
-        transcript_excerpt: null // Phase 2: include recent messages
-      })
+      body: JSON.stringify(payload)
     });
+
+    const created = await approvalRes.json();
+    if (!approvalRes.ok) {
+      throw new Error(created.error || `HTTP ${approvalRes.status}`);
+    }
+
+    if (created.warning === 'orphan_approval') {
+      process.stderr.write('⚠️  Warning: Approval created without owner context. It may not be visible in all devices.\n');
+    }
+
     approvalId = created.id;
-    log(`Approval created: ${approvalId} (tool_use_id: ${effective_tool_use_id})`);
+    log(`Created approval: ${approvalId}`);
   } catch (e) {
-    log(`ERROR creating approval: ${e.message}`);
-    return exit(0); // Let Claude Code handle it
+    log(`ERROR: Failed to create approval: ${e.message}`);
+    process.stderr.write(`[teleportation] Error: Could not request remote approval: ${e.message}\n`);
+    // Fall back to local prompt if approval creation fails
+    return process.stdout.write(JSON.stringify({ decision: 'ask', reason: `Remote approval request failed: ${e.message}` }));
   }
 
   // If user is PRESENT: return immediately and let Claude Code show its native prompt
@@ -295,27 +347,36 @@ const fetchJson = async (url, opts) => {
       if (status.status === 'allowed') {
         log('Remote approval: ALLOWED');
         // Acknowledge on the fast-path to prevent duplicate daemon execution.
-        try {
-          const ackRes = await fetch(`${RELAY_API_URL}/api/approvals/${approvalId}/ack`, {
-            method: 'POST',
-            headers: { 'Authorization': `Bearer ${RELAY_API_KEY}` }
-          });
-          if (!ackRes.ok) {
-            throw new Error(`ACK returned ${ackRes.status}`);
+        // PRD-0016: Implement 3-attempt exponential backoff for ACK
+        let ackSuccess = false;
+        let ackAttempts = 0;
+        const MAX_ACK_ATTEMPTS = 3;
+
+        while (!ackSuccess && ackAttempts < MAX_ACK_ATTEMPTS) {
+          ackAttempts++;
+          try {
+            const ackRes = await fetch(`${RELAY_API_URL}/api/approvals/${approvalId}/ack`, {
+              method: 'POST',
+              headers: { 'Authorization': `Bearer ${RELAY_API_KEY}` }
+            });
+            if (ackRes.ok) {
+              ackSuccess = true;
+            } else {
+              throw new Error(`ACK returned ${ackRes.status}`);
+            }
+          } catch (e) {
+            const delay = Math.pow(2, ackAttempts) * 100;
+            log(`Warning: ACK attempt ${ackAttempts} failed: ${e.message}. Retrying in ${delay}ms...`);
+            if (ackAttempts < MAX_ACK_ATTEMPTS) {
+              await sleep(delay);
+            }
           }
-        } catch (e) {
-          log(`ERROR: Failed to ack approval ${approvalId}: ${e.message} - aborting to prevent duplicate execution`);
-          const out = {
-            hookSpecificOutput: {
-              hookEventName: 'PermissionRequest',
-              permissionDecision: 'deny',
-              permissionDecisionReason: '⚠️ Teleportation: Approval received but acknowledgment failed. Request handed to daemon to prevent duplicate execution.'
-            },
-            suppressOutput: true
-          };
-          stdout.write(JSON.stringify(out));
-          return exit(0);
         }
+
+        if (!ackSuccess) {
+          log(`ERROR: All ${MAX_ACK_ATTEMPTS} ACK attempts failed for ${approvalId}. Allowing locally anyway to prevent total stall, though duplicate execution risk exists.`);
+        }
+
         const out = {
           hookSpecificOutput: {
             hookEventName: 'PermissionRequest',