teleportation-cli 1.1.4 → 1.1.5

package/.claude/hooks/config-loader.mjs

@@ -1,6 +1,7 @@
 #!/usr/bin/env bun
 // Shared config loader for all hooks
 // Reads from encrypted credentials (~/.teleportation/credentials), then ~/.teleportation-config.json, then env vars
+// PRD-0019: Supports JWT authentication with automatic token refresh
 
 import { readFile } from 'node:fs/promises';
 import { homedir } from 'node:os';
@@ -12,6 +13,33 @@ import { fileURLToPath } from 'node:url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
+// Path resolution helper for auth modules
+const AUTH_MODULE_PATHS = [
+  // If hook is still in project directory
+  () => join(process.cwd(), 'lib', 'auth'),
+  // If installed globally, try common locations
+  () => join(homedir(), '.teleportation', 'lib', 'auth'),
+  // Try relative to hook location (if hooks are symlinked)
+  () => join(__dirname, '..', '..', 'lib', 'auth')
+];
+
+/**
+ * Try to import a module from multiple possible paths
+ */
+async function tryImportModule(moduleName) {
+  for (const getPath of AUTH_MODULE_PATHS) {
+    const modulePath = join(getPath(), moduleName);
+    try {
+      const module = await import(modulePath);
+      return module;
+    } catch (e) {
+      // Try next path
+      continue;
+    }
+  }
+  return null;
+}
+
 export async function loadConfig() {
   // Test override: allow forcing config to be loaded from environment variables only
   // This is useful for unit tests that mock the relay API.
@@ -20,46 +48,70 @@ export async function loadConfig() {
       relayApiUrl: env.RELAY_API_URL || '',
       relayApiKey: env.RELAY_API_KEY || '',
       userToken: env.DETACH_USER_TOKEN || '',
-      slackWebhookUrl: env.SLACK_WEBHOOK_URL || ''
+      slackWebhookUrl: env.SLACK_WEBHOOK_URL || '',
+      authMethod: 'env'
     };
   }
 
-  // Priority 1: Try to load from encrypted credentials file
+  // Priority 1: Try JWT authentication (PRD-0019)
+  // This provides automatic token refresh for short-lived access tokens
   try {
-    // Try multiple possible paths for the credential manager
-    const possiblePaths = [
-      // If hook is still in project directory
-      join(process.cwd(), 'lib', 'auth', 'credentials.js'),
-      // If installed globally, try common locations
-      join(homedir(), '.teleportation', 'lib', 'auth', 'credentials.js'),
-      // Development path (if running from workspace)
-      join(homedir(), 'dev_env', 'teleporter', 'teleportation', 'lib', 'auth', 'credentials.js'),
-      // Try relative to hook location (if hooks are symlinked)
-      join(__dirname, '..', '..', 'lib', 'auth', 'credentials.js')
-    ];
-    
-    let CredentialManager = null;
-    for (const credentialsPath of possiblePaths) {
-      try {
-        const module = await import(credentialsPath);
-        CredentialManager = module.CredentialManager;
-        if (CredentialManager) break;
-      } catch (e) {
-        // Try next path
-        continue;
+    const tokenRefreshModule = await tryImportModule('token-refresh.js');
+    if (tokenRefreshModule && tokenRefreshModule.getValidAccessToken) {
+      const { getValidAccessToken, getAuthMethod } = tokenRefreshModule;
+
+      // Check if JWT credentials are available
+      const authInfo = await getAuthMethod();
+      if (authInfo.method === 'jwt') {
+        // Get a valid access token (refreshes automatically if needed)
+        const accessToken = await getValidAccessToken();
+
+        // Load credentials for other config values
+        const credentialsModule = await tryImportModule('credentials.js');
+        let relayApiUrl = '';
+        let slackWebhookUrl = '';
+
+        if (credentialsModule && credentialsModule.CredentialManager) {
+          const manager = new credentialsModule.CredentialManager();
+          const credentials = await manager.load();
+          if (credentials) {
+            relayApiUrl = credentials.relayApiUrl || credentials.relay_api_url || '';
+            slackWebhookUrl = credentials.slackWebhookUrl || credentials.slack_webhook_url || '';
+          }
+        }
+
+        return {
+          relayApiUrl,
+          relayApiKey: accessToken, // JWT access token used as Bearer token
+          userToken: '',
+          slackWebhookUrl,
+          authMethod: 'jwt'
+        };
       }
     }
-    
-    if (CredentialManager) {
-      const manager = new CredentialManager();
+  } catch (e) {
+    // JWT auth failed (token refresh error, etc.) - fall back to legacy auth
+    // Common errors: session expired, network issues, etc.
+    if (env.DEBUG) {
+      console.error(`[ConfigLoader] JWT auth failed: ${e.message}`);
+    }
+  }
+
+  // Priority 2: Try to load from encrypted credentials file (legacy API key)
+  try {
+    const credentialsModule = await tryImportModule('credentials.js');
+
+    if (credentialsModule && credentialsModule.CredentialManager) {
+      const manager = new credentialsModule.CredentialManager();
       const credentials = await manager.load();
-      
+
       if (credentials) {
         return {
           relayApiUrl: credentials.relayApiUrl || credentials.relay_api_url || '',
           relayApiKey: credentials.relayApiKey || credentials.apiKey || credentials.relay_api_key || '',
           userToken: credentials.userToken || credentials.user_token || '',
-          slackWebhookUrl: credentials.slackWebhookUrl || credentials.slack_webhook_url || ''
+          slackWebhookUrl: credentials.slackWebhookUrl || credentials.slack_webhook_url || '',
+          authMethod: 'api-key'
         };
       }
     }
@@ -67,9 +119,9 @@ export async function loadConfig() {
     // Credential manager not available or credentials don't exist, continue to fallback
   }
   
-  // Priority 2: Try to load from legacy config file
+  // Priority 3: Try to load from legacy config file
   const configPath = join(homedir(), '.teleportation-config.json');
-  
+
   try {
     const content = await readFile(configPath, 'utf8');
     const config = JSON.parse(content);
@@ -77,17 +129,19 @@ export async function loadConfig() {
       relayApiUrl: config.relay_api_url || '',
       relayApiKey: config.relay_api_key || '',
       userToken: config.user_token || '',
-      slackWebhookUrl: config.slack_webhook_url || ''
+      slackWebhookUrl: config.slack_webhook_url || '',
+      authMethod: 'legacy-config'
     };
   } catch (e) {
     // Config file doesn't exist, continue to fallback
   }
-  
-  // Priority 3: Fall back to environment variables
+
+  // Priority 4: Fall back to environment variables
   return {
     relayApiUrl: env.RELAY_API_URL || '',
     relayApiKey: env.RELAY_API_KEY || '',
     userToken: env.DETACH_USER_TOKEN || '',
-    slackWebhookUrl: env.SLACK_WEBHOOK_URL || ''
+    slackWebhookUrl: env.SLACK_WEBHOOK_URL || '',
+    authMethod: 'env'
   };
 }

package/.claude/hooks/permission_request.mjs

@@ -234,12 +234,14 @@ const fetchJson = async (url, opts) => {
       }
 
       if (lastUserMessage) {
+        const CONTEXT_LIMIT = 2000;
+        const truncated = lastUserMessage.length > CONTEXT_LIMIT;
         conversation_context = {
-          user_last_message: lastUserMessage.slice(0, 500), // Truncate to 500 chars
+          user_last_message: truncated ? lastUserMessage.slice(0, CONTEXT_LIMIT) + '...' : lastUserMessage,
           claude_reasoning: null, // Phase 2: extract Claude's reasoning
           timestamp: Date.now()
         };
-        log(`Extracted conversation context: user_message="${lastUserMessage.slice(0, 50)}..."`);
+        log(`Extracted conversation context (truncated: ${truncated}): user_message="${conversation_context.user_last_message.slice(0, 50)}..."`);
       }
     } catch (e) {
       log(`Warning: Failed to extract conversation context: ${e.message}`);
@@ -247,11 +249,31 @@ const fetchJson = async (url, opts) => {
   }
 
   // Fallback: Generate tool_use_id if not provided (defensive programming)
-  const effective_tool_use_id = tool_use_id || `tool_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+  const effective_tool_use_id = tool_use_id || `tool_${crypto.randomUUID()}`;
   if (!tool_use_id) {
     log(`Warning: tool_use_id not provided, generated fallback: ${effective_tool_use_id}`);
   }
 
+  // Fetch session to get owner_id (PRD-0018: Multi-tenancy)
+  let owner_id = null;
+  try {
+    log(`Fetching session ${session_id} to get owner_id for approval`);
+    const sessionResponse = await fetch(`${RELAY_API_URL}/api/sessions/${session_id}`, {
+      headers: { 'Authorization': `Bearer ${RELAY_API_KEY}` }
+    });
+    
+    if (sessionResponse.ok) {
+      const session = await sessionResponse.json();
+      owner_id = session.owner_id;
+      log(`Retrieved owner_id: ${owner_id} from session`);
+    } else {
+      log(`Warning: Failed to fetch session (HTTP ${sessionResponse.status}). Creating orphan approval.`);
+    }
+  } catch (e) {
+    log(`Warning: Failed to fetch session owner_id: ${e.message}`);
+    // Continue without owner_id - will create orphan approval
+  }
+
   // Create approval request with metadata and context (PRD-0013)
   let approvalId;
   try {
@@ -261,6 +283,7 @@ const fetchJson = async (url, opts) => {
       tool_input,
       meta,
       tool_use_id: effective_tool_use_id,
+      owner_id,  // PRD-0018: Associate approval with user
     };
     // Only include conversation_context if not null
     // API validation expects it to be an object, not null
@@ -272,7 +295,7 @@ const fetchJson = async (url, opts) => {
     // if (transcript_excerpt !== null) payload.transcript_excerpt = transcript_excerpt;
 
     log(`Creating approval with payload: ${JSON.stringify(payload).substring(0, 500)}`);
-    const created = await fetchJson(`${RELAY_API_URL}/api/approvals`, {
+    const approvalRes = await fetch(`${RELAY_API_URL}/api/approvals`, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
@@ -280,12 +303,23 @@ const fetchJson = async (url, opts) => {
       },
       body: JSON.stringify(payload)
     });
+
+    const created = await approvalRes.json();
+    if (!approvalRes.ok) {
+      throw new Error(created.error || `HTTP ${approvalRes.status}`);
+    }
+
+    if (created.warning === 'orphan_approval') {
+      process.stderr.write('⚠️  Warning: Approval created without owner context. It may not be visible in all devices.\n');
+    }
+
     approvalId = created.id;
-    log(`Approval created: ${approvalId} (tool_use_id: ${effective_tool_use_id})`);
+    log(`Created approval: ${approvalId}`);
   } catch (e) {
-    log(`ERROR creating approval: ${e.message}`);
-    log(`Error stack: ${e.stack}`);
-    return exit(0); // Let Claude Code handle it
+    log(`ERROR: Failed to create approval: ${e.message}`);
+    process.stderr.write(`[teleportation] Error: Could not request remote approval: ${e.message}\n`);
+    // Fall back to local prompt if approval creation fails
+    return process.stdout.write(JSON.stringify({ decision: 'ask', reason: `Remote approval request failed: ${e.message}` }));
   }
 
   // If user is PRESENT: return immediately and let Claude Code show its native prompt
@@ -313,27 +347,36 @@ const fetchJson = async (url, opts) => {
       if (status.status === 'allowed') {
         log('Remote approval: ALLOWED');
         // Acknowledge on the fast-path to prevent duplicate daemon execution.
-        try {
-          const ackRes = await fetch(`${RELAY_API_URL}/api/approvals/${approvalId}/ack`, {
-            method: 'POST',
-            headers: { 'Authorization': `Bearer ${RELAY_API_KEY}` }
-          });
-          if (!ackRes.ok) {
-            throw new Error(`ACK returned ${ackRes.status}`);
+        // PRD-0016: Implement 3-attempt exponential backoff for ACK
+        let ackSuccess = false;
+        let ackAttempts = 0;
+        const MAX_ACK_ATTEMPTS = 3;
+
+        while (!ackSuccess && ackAttempts < MAX_ACK_ATTEMPTS) {
+          ackAttempts++;
+          try {
+            const ackRes = await fetch(`${RELAY_API_URL}/api/approvals/${approvalId}/ack`, {
+              method: 'POST',
+              headers: { 'Authorization': `Bearer ${RELAY_API_KEY}` }
+            });
+            if (ackRes.ok) {
+              ackSuccess = true;
+            } else {
+              throw new Error(`ACK returned ${ackRes.status}`);
+            }
+          } catch (e) {
+            const delay = Math.pow(2, ackAttempts) * 100;
+            log(`Warning: ACK attempt ${ackAttempts} failed: ${e.message}. Retrying in ${delay}ms...`);
+            if (ackAttempts < MAX_ACK_ATTEMPTS) {
+              await sleep(delay);
+            }
           }
-        } catch (e) {
-          log(`ERROR: Failed to ack approval ${approvalId}: ${e.message} - aborting to prevent duplicate execution`);
-          const out = {
-            hookSpecificOutput: {
-              hookEventName: 'PermissionRequest',
-              permissionDecision: 'deny',
-              permissionDecisionReason: '⚠️ Teleportation: Approval received but acknowledgment failed. Request handed to daemon to prevent duplicate execution.'
-            },
-            suppressOutput: true
-          };
-          stdout.write(JSON.stringify(out));
-          return exit(0);
         }
+
+        if (!ackSuccess) {
+          log(`ERROR: All ${MAX_ACK_ATTEMPTS} ACK attempts failed for ${approvalId}. Allowing locally anyway to prevent total stall, though duplicate execution risk exists.`);
+        }
+
         const out = {
           hookSpecificOutput: {
             hookEventName: 'PermissionRequest',

package/.claude/hooks/pre_tool_use.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env bun
 
 import { stdin, stdout, exit, env } from 'node:process';
-import { appendFileSync } from 'node:fs';
+import fs, { appendFileSync } from 'node:fs';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
 import { homedir, tmpdir } from 'os';
@@ -68,20 +68,33 @@ const fetchJson = async (url, opts) => {
     }
   };
 
-  log('=== Hook invoked ===');
-  
-  const raw = await readStdin();
-  let input;
-  try { input = JSON.parse(raw || '{}'); }
-  catch (e) {
-    log(`ERROR: Invalid JSON: ${e.message}`);
-    return exit(0);
+  const rawInput = await readStdin();
+  let input = {};
+  try {
+    input = JSON.parse(rawInput || '{}');
+  } catch (e) {
+    log(`Warning: Failed to parse input JSON: ${e.message}`);
   }
 
   let { session_id, tool_name, tool_input } = input || {};
   tool_input = tool_input && typeof tool_input === 'object' ? tool_input : {};
   let claude_session_id = session_id; // Keep original ID
 
+  // 1. Recursion Guard (Critical Stability Fix)
+  // Prevent infinite hook-triggered tool loops
+  // Whitelist safe tools at higher depths to avoid breaking workflows
+  const SAFE_TOOLS = ['read', 'glob', 'grep', 'websearch', 'bashoutput', 'ls', 'pwd', 'git status'];
+  const RECURSION_DEPTH = parseInt(env.TELEPORTATION_HOOK_DEPTH || '0', 10) || 0;
+  
+  if (RECURSION_DEPTH > 5 && !SAFE_TOOLS.includes(tool_name?.toLowerCase())) {
+    log(`[RECURSION] Depth limit reached (${RECURSION_DEPTH}) for tool "${tool_name}", auto-allowing to prevent infinite loop.`);
+    process.stdout.write(JSON.stringify({ decision: 'allow', reason: 'Recursion guard depth limit' }));
+    return exit(0);
+  }
+
+  // Update environment for child processes
+  process.env.TELEPORTATION_HOOK_DEPTH = (RECURSION_DEPTH + 1).toString();
+
   log(`Session ID: ${session_id}, Tool: ${tool_name}, Input: ${JSON.stringify(tool_input).substring(0, 100)}`);
 
   // Check for /away and /back commands (user typing in Claude Code)
@@ -299,15 +312,19 @@ const fetchJson = async (url, opts) => {
   const meta = await getSessionMetadata(cwd);
   log(`Session metadata: project=${meta.project_name}, hostname=${meta.hostname}, branch=${meta.current_branch}, model=${meta.current_model || 'default'}`);
 
-  // Check if model has changed since last tool use
-  // This detects when user runs /model to switch models mid-session
-  const LAST_MODEL_FILE = join(tmpdir(), `teleportation-last-model-${session_id}.txt`);
+  // Detect model change (PRD-0014)
+  // Store model in ~/.teleportation/sessions/ to persist across reboots
+  const sessionDir = join(homedir(), '.teleportation', 'sessions');
+  if (!fs.existsSync(sessionDir)) {
+    fs.mkdirSync(sessionDir, { recursive: true, mode: 0o700 });
+  }
+  const modelFile = join(sessionDir, `model_${session_id}.txt`);
   let modelChanged = false;
   try {
     const { readFile, writeFile } = await import('fs/promises');
     let lastModel = null;
     try {
-      lastModel = (await readFile(LAST_MODEL_FILE, 'utf8')).trim();
+      lastModel = (await readFile(modelFile, 'utf8')).trim();
     } catch (e) {
       // File doesn't exist yet - first tool use
     }
@@ -344,7 +361,7 @@ const fetchJson = async (url, opts) => {
 
     // Update last known model
     if (meta.current_model) {
-      await writeFile(LAST_MODEL_FILE, meta.current_model, { mode: 0o600 });
+      await writeFile(modelFile, meta.current_model, { mode: 0o600 });
     }
   } catch (e) {
     log(`Model change detection error: ${e.message}`);
@@ -355,11 +372,17 @@ const fetchJson = async (url, opts) => {
     try {
       log(`Registering session with relay: ${session_id}`);
       const { ensureSessionRegistered } = await import('./session-register.mjs');
-      await ensureSessionRegistered(session_id, cwd, config);
-      log(`Session registered with relay successfully`);
+      const regResult = await ensureSessionRegistered(session_id, cwd, config);
+      
+      if (typeof regResult === 'object' && regResult.error === 'orphan_api_key') {
+        console.error(`\n⚠️  Teleportation: ${regResult.message || 'API key not linked to user.'}`);
+        console.error('   Visit https://app.teleportation.dev/api-keys to claim your key.\n');
+      } else {
+        log(`Session registered with relay successfully`);
+      }
 
       // If model changed, update session metadata immediately
-      if (modelChanged) {
+      if (modelChanged && (regResult === true || (typeof regResult === 'object' && regResult.success))) {
         const { updateSessionMetadata } = await import('./session-register.mjs');
         await updateSessionMetadata(session_id, cwd, config);
         log(`Session metadata updated with new model`);

package/.claude/hooks/session-register.mjs

@@ -34,7 +34,7 @@ async function loadVersionInfo() {
  * @param {string} session_id - Session ID
  * @param {string} cwd - Current working directory
  * @param {object} config - Config object with relayApiUrl and relayApiKey
- * @returns {Promise<boolean>} - True if registered successfully
+ * @returns {Promise<boolean|object>} - True if registered successfully, or error object if orphan
  */
 export async function ensureSessionRegistered(session_id, cwd, config) {
   const RELAY_API_URL = config.relayApiUrl || '';
@@ -242,6 +242,11 @@ export async function ensureSessionRegistered(session_id, cwd, config) {
       }
 
       return true;
+    } else if (response.status === 403) {
+      const data = await response.json().catch(() => ({}));
+      if (data.error === 'orphan_api_key') {
+        return { success: false, error: 'orphan_api_key', message: data.message };
+      }
     }
   } catch (e) {
     // Registration failed - this is okay, we'll try again next time
@@ -330,4 +335,3 @@ export async function updateSessionMetadata(session_id, cwd, config) {
 
   return false;
 }
-

package/README.md

@@ -199,6 +199,13 @@ Configuration is stored in `~/.teleportation/`:
     └── teleportation     # CLI symlink
 ```
 
+## Documentation
+
+- `RUNBOOK.md` - What must be running (local/prod) + smoke checks
+- `docs/E2E_TEST_PLAN.md` - End-to-end test plan and minimum regression matrix
+- `DEPLOYMENT_GUIDE.md` - Fly.io / Cloudflare deployment steps
+- `CHANGELOG.md` - Versioned change history
+
 Environment variables:
 - `TELEPORTATION_RELAY_URL` - Custom relay server URL
 - `TELEPORTATION_API_KEY` - API key for authentication

package/lib/auth/api-key.js

@@ -70,6 +70,18 @@ export async function testApiKey(apiKey, relayApiUrl, retryOptions = {}) {
       return { valid: true, data };
     } else if (response.status === 401) {
       return { valid: false, error: 'Invalid API key - authentication failed. Please check your API key and try again.' };
+    } else if (response.status === 403) {
+      // PRD-0018: Handle orphan API keys
+      const data = await response.json().catch(() => ({}));
+      if (data.error === 'orphan_api_key') {
+        return { 
+          valid: false, 
+          error: 'Orphan API key - not linked to an account.', 
+          isOrphan: true,
+          message: data.message 
+        };
+      }
+      return { valid: false, error: `Forbidden: ${data.message || 'You do not have permission to access this resource.'}` };
     } else if (response.status >= 500) {
       return { valid: false, error: `Relay API server error (${response.status}). The server may be temporarily unavailable. Please try again later.` };
     } else {