npm - thinkpool-pair - Versions diffs - 0.7.2 → 0.7.4 - Mend

thinkpool-pair 0.7.2 → 0.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/account.mjs ADDED Viewed

@@ -0,0 +1,148 @@
+/* account.mjs — account-mode bridge (Phase 1).
+   One `npx thinkpool-pair` per ACCOUNT instead of per room:
+     login   — link this device to your ThinkPool account (realtime handoff).
+     bind    — map a room code → a working directory on THIS machine.
+     account — discover your code sessions and serve each one (a headless child
+               bridge per room, run in its bound directory). Reuses the proven
+               single-room bridge verbatim; the supervisor only adds discovery.
+   Spec: docs/specs/2026-06-16-account-bridge.md */
+import { spawn } from 'node:child_process'
+import { fileURLToPath } from 'node:url'
+import { randomUUID } from 'node:crypto'
+import path from 'node:path'
+import fs from 'node:fs'
+import { createClient } from '@supabase/supabase-js'
+import os from 'node:os'
+import { saveAuth, loadAuth, clearAuth, loadDirs, bindDir } from './auth-store.mjs'
+const VERSION = (() => { try { return JSON.parse(fs.readFileSync(new URL('./package.json', import.meta.url), 'utf8')).version } catch { return null } })()
+const BRIDGE = fileURLToPath(new URL('./bridge.mjs', import.meta.url))
+// ── login: OAuth-style DEVICE-CODE flow (hardened) ──────────────────────────
+// The bridge asks Postgres (start_device_code) for a secret device_code + a short
+// human user_code, prints the user_code + URL, then POLLS claim_device_code with
+// the secret until the signed-in web has approved (approve_device_code stores the
+// browser's session). The session is delivered only over authenticated TLS RPCs
+// + a single-use secret — never broadcast on a public channel.
+export async function runLogin(SUPABASE_URL, SUPABASE_ANON, WEB_BASE) {
+  const sb = createClient(SUPABASE_URL, SUPABASE_ANON, { auth: { persistSession: false } })
+  const { data, error } = await sb.rpc('start_device_code')
+  const row = Array.isArray(data) ? data[0] : data
+  if (error || !row?.device_code) { process.stderr.write(`\n  ✗ couldn't start login: ${error?.message || 'no response'}\n`); process.exit(1) }
+  const { device_code, user_code } = row
+  const url = `${WEB_BASE}/code/link?c=${encodeURIComponent(user_code)}`
+  process.stderr.write(`\n  ◆ Link this device to your ThinkPool account.\n    Open (signed in) and approve:\n\n    ${url}\n\n    code:  ${user_code}\n\n  Waiting…\n`)
+  const started = Date.now()
+  const poll = async () => {
+    if (Date.now() - started > 5 * 60 * 1000) { process.stderr.write('\n  ◇ link timed out — run `npx thinkpool-pair login` again.\n'); process.exit(1) }
+    try {
+      const { data: r } = await sb.rpc('claim_device_code', { p_device_code: device_code })
+      if (r?.status === 'approved' && r.session?.refresh_token) {
+        saveAuth(r.session)
+        process.stderr.write(`\n  ◆ linked as ${r.session.email || 'your account'}. You can close the browser tab.\n    Now run:  npx thinkpool-pair\n`)
+        process.exit(0)
+      }
+      if (r?.status === 'expired' || r?.status === 'not_found') { process.stderr.write('\n  ◇ link expired — run `npx thinkpool-pair login` again.\n'); process.exit(1) }
+    } catch { /* transient — keep polling */ }
+    setTimeout(poll, 3000)
+  }
+  poll()
+  await new Promise(() => {})
+}
+// Exchange the stored refresh token for a live session + authed client.
+export async function authedClient(SUPABASE_URL, SUPABASE_ANON) {
+  const a = loadAuth()
+  if (!a?.refresh_token) return null
+  const sb = createClient(SUPABASE_URL, SUPABASE_ANON, { auth: { persistSession: false, autoRefreshToken: false } })
+  try {
+    const { data, error } = await sb.auth.refreshSession({ refresh_token: a.refresh_token })
+    if (error || !data?.session) return null
+    saveAuth(data.session)   // rotate the refresh token
+    return { sb, session: data.session }
+  } catch { return null }
+}
+export function runBind(room, dir) {
+  const r = (room || '').toUpperCase().trim()
+  if (!r) { console.error('usage: npx thinkpool-pair bind <ROOM> <directory>'); process.exit(1) }
+  const abs = path.resolve(dir || '.')
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) { console.error(`✗ not a directory: ${abs}`); process.exit(1) }
+  bindDir(r, abs)
+  console.error(`✓ bound ${r} → ${abs}\n  Run \`npx thinkpool-pair\` (or restart it) to serve this session.`)
+  process.exit(0)
+}
+// ── account supervisor: a headless child bridge per bound room, in its dir ──
+export async function runAccount(SUPABASE_URL, SUPABASE_ANON) {
+  const auth = await authedClient(SUPABASE_URL, SUPABASE_ANON)
+  if (!auth) {
+    clearAuth()
+    console.error('\n  Not linked (or the link expired). Run:\n\n    npx thinkpool-pair login\n')
+    process.exit(1)
+  }
+  const { sb, session } = auth
+  const email = session.user?.email || 'your account'
+  // Owner-gate (Contract C-CODE-2): hosting a code session — spawning the agent and
+  // burning compute on this machine — requires Pro or Enterprise. This is the layer
+  // with teeth on cost; the start_code_session RPC gates the web create flow, this
+  // stops a crafted-row bypass from ever serving. Invited partners don't run a bridge.
+  let plan = 'free'
+  try {
+    const { data } = await sb.from('profiles').select('plan').eq('id', session.user.id).single()
+    plan = data?.plan || 'free'
+  } catch { /* transient read — fall through to the gate, fail closed */ }
+  if (plan !== 'pro' && plan !== 'enterprise') {
+    process.stderr.write(`\n  ◇ ThinkPool Code requires a Pro or Enterprise plan to host a session.\n    Your account (${email}) is on the ${plan} plan.\n    Upgrade:  https://thinkpool.io/pro\n\n    (Anyone you invite can still join and steer a Pro host's session for free.)\n`)
+    process.exit(1)
+  }
+  process.stderr.write(`\n  ◆ thinkpool-pair — account mode · ${email}\n    Serving your code sessions. Add a session's directory with \`bind\`.\n`)
+  const children = new Map()   // room -> child process
+  const warned = new Set()
+  // Account presence — so the web dashboard can show "● Bridge active" for this
+  // account without per-room probing. We TRACK this machine (name + served room
+  // codes + version) on a per-account channel; the dashboard subscribes read-only.
+  const machine = os.hostname().replace(/\.local$/, '')
+  const acct = sb.channel(`tpacct:${session.user.id}`, { config: { presence: { key: machine } } })
+  const pushPresence = () => { try { acct.track({ name: machine, version: VERSION, rooms: [...children.keys()], ts: Date.now() }) } catch { /* noop */ } }
+  await new Promise((res) => acct.subscribe((st) => { if (st === 'SUBSCRIBED') { pushPresence(); res() } }))
+  const tick = async () => {
+    let rooms = []
+    try {
+      const { data } = await sb.from('code_sessions').select('code,name,last_active_at').order('last_active_at', { ascending: false })
+      rooms = data || []
+    } catch { /* transient — keep existing children, retry next tick */ }
+    const dirs = loadDirs()
+    for (const r of rooms) {
+      const room = r.code
+      if (!room || children.has(room)) continue
+      const dir = dirs[room]
+      if (!dir) {
+        if (!warned.has(room)) { warned.add(room); process.stderr.write(`\n  ◇ session ${r.name ? `"${r.name}" ` : ''}(${room}) needs a directory:\n      npx thinkpool-pair bind ${room} <path>\n`) }
+        continue
+      }
+      if (!fs.existsSync(dir)) {
+        if (!warned.has(room)) { warned.add(room); process.stderr.write(`\n  ◇ ${room}: bound directory is gone (${dir}) — re-bind it.\n`) }
+        continue
+      }
+      warned.delete(room)
+      process.stderr.write(`\n  ◆ serving ${room}${r.name ? ` "${r.name}"` : ''}  →  ${dir}\n`)
+      const child = spawn(process.execPath, [BRIDGE, room, '--headless'], { cwd: dir, stdio: 'inherit' })
+      children.set(room, child)
+      child.on('exit', () => { children.delete(room) })   // re-served on the next tick
+    }
+    pushPresence()
+  }
+  await tick()
+  const iv = setInterval(tick, 15000)
+  const stop = (sig) => { clearInterval(iv); try { acct.untrack(); sb.removeChannel(acct) } catch { /* noop */ } for (const c of children.values()) { try { c.kill(sig) } catch { /* noop */ } } setTimeout(() => process.exit(0), 400) }
+  for (const sig of ['SIGINT', 'SIGTERM']) process.on(sig, () => stop(sig))
+  await new Promise(() => {})
+}

package/auth-store.mjs ADDED Viewed

@@ -0,0 +1,43 @@
+/* auth-store.mjs — account-mode credentials + per-session directory map for the
+   ThinkPool bridge. Files live under ~/.thinkpool-pair/ (chmod 600 for the token).
+   - auth.json: the linked account's Supabase refresh token (rotated on each use).
+   - dirs.json: per-MACHINE map of room code → absolute working directory, so one
+     account bridge can run each session's terminals in its own repo.
+   Phase 1 of the account-bridge spec (docs/specs/2026-06-16-account-bridge.md). */
+import os from 'node:os'
+import fs from 'node:fs'
+import path from 'node:path'
+const DIR  = path.join(os.homedir(), '.thinkpool-pair')
+const AUTH = path.join(DIR, 'auth.json')
+const DIRS = path.join(DIR, 'dirs.json')
+function ensureDir() { try { fs.mkdirSync(DIR, { recursive: true }) } catch { /* noop */ } }
+export function saveAuth(session) {
+  if (!session?.refresh_token) return
+  ensureDir()
+  try {
+    fs.writeFileSync(AUTH, JSON.stringify({
+      refresh_token: session.refresh_token,
+      access_token: session.access_token || null,
+      email: session.user?.email || session.email || null,
+      savedAt: Date.now(),
+    }), { mode: 0o600 })
+  } catch { /* noop */ }
+}
+export function loadAuth() { try { return JSON.parse(fs.readFileSync(AUTH, 'utf8')) } catch { return null } }
+export function clearAuth() { try { fs.unlinkSync(AUTH) } catch { /* noop */ } }
+export function loadDirs() { try { return JSON.parse(fs.readFileSync(DIRS, 'utf8')) } catch { return {} } }
+export function bindDir(room, dir) {
+  const d = loadDirs(); d[room] = dir
+  ensureDir()
+  try { fs.writeFileSync(DIRS, JSON.stringify(d, null, 2)) } catch { /* noop */ }
+  return d
+}
+export function unbindDir(room) {
+  const d = loadDirs(); delete d[room]
+  try { fs.writeFileSync(DIRS, JSON.stringify(d, null, 2)) } catch { /* noop */ }
+  return d
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "thinkpool-pair",
-  "version": "0.7.2",
+  "version": "0.7.4",
   "description": "Share a local coding-agent CLI (Claude Code, Codex, Gemini, Aider, …) into a ThinkPool Code room, live.",
   "type": "module",
   "bin": {
@@ -11,6 +11,8 @@
     "claude-session.mjs",
     "session-store.mjs",
     "service.mjs",
+    "account.mjs",
+    "auth-store.mjs",
     "README.md"
   ],
   "scripts": {