wave-agent-sdk 0.16.9 → 0.16.12

package/src/services/authService.ts

@@ -12,6 +12,7 @@ import {
   chmodSync,
   rmSync,
   mkdirSync,
+  statSync,
 } from "fs";
 import * as path from "path";
 import * as os from "os";
@@ -20,7 +21,8 @@ import { createServer, Server } from "http";
 import { URL } from "url";
 import { execFile } from "child_process";
 import { promisify } from "util";
-import type { AuthConfig, AuthUser } from "../types/auth.js";
+import type { AuthConfig, AuthUser, TokenResponse } from "../types/auth.js";
+import { logger } from "../utils/globalLogger.js";
 
 /** Persistent anonymous ID for telemetry fallback when SSO is not authenticated. */
 let _anonymousId: string | undefined;
@@ -32,6 +34,9 @@ export class AuthService {
   private _serverUrl: string | undefined;
   private onAuthChangeCallbacks: Array<(event: "login" | "logout") => void> =
     [];
+  private _refreshPromise: Promise<boolean> | null = null;
+  private _authFileMtime: number = 0;
+  private static readonly REFRESH_BUFFER_MS = 5 * 60 * 1000;
 
   static getInstance(): AuthService {
     if (!AuthService.instance) {
@@ -83,6 +88,12 @@ export class AuthService {
     }
     try {
       const content = readFileSync(authPath, "utf-8");
+      // Best-effort mtime tracking for multi-process detection
+      try {
+        this._authFileMtime = statSync(authPath).mtimeMs;
+      } catch {
+        // ignore stat errors
+      }
       return JSON.parse(content) as AuthConfig;
     } catch {
       return {};
@@ -97,11 +108,19 @@ export class AuthService {
     }
     writeFileSync(authPath, JSON.stringify(config, null, 2), "utf-8");
     chmodSync(authPath, 0o600);
+    // Update mtime after write
+    try {
+      this._authFileMtime = statSync(authPath).mtimeMs;
+    } catch {
+      // ignore stat errors
+    }
   }
 
   clearAuth(): void {
     const config = this.loadAuth();
     delete config.SSO_TOKEN;
+    delete config.SSO_REFRESH_TOKEN;
+    delete config.SSO_TOKEN_EXPIRES_AT;
     if (Object.keys(config).length === 0) {
       const authPath = this.getAuthPath();
       if (existsSync(authPath)) {
@@ -145,11 +164,22 @@ export class AuthService {
     });
 
     // Exchange authorization code for JWT (includes user info)
-    const { token, user } = await this.exchangeCode(serverUrl, code);
+    const { token, refreshToken, expiresIn, user } = await this.exchangeCode(
+      serverUrl,
+      code,
+    );
 
     // Save the token and user info (preserve existing keys)
     const existing = this.loadAuth();
-    this.saveAuth({ ...existing, SSO_TOKEN: token, user });
+    this.saveAuth({
+      ...existing,
+      SSO_TOKEN: token,
+      SSO_REFRESH_TOKEN: refreshToken,
+      SSO_TOKEN_EXPIRES_AT: expiresIn
+        ? Date.now() + expiresIn * 1000
+        : undefined,
+      user,
+    });
 
     this.notifyAuthChange("login");
 
@@ -158,32 +188,31 @@ export class AuthService {
 
   /**
    * Exchange a short-lived authorization code for a JWT token.
-   * Returns both the token and user info.
+   * Returns token, optional refresh token, optional expiresIn, and user info.
    */
   private async exchangeCode(
     serverUrl: string,
     code: string,
-  ): Promise<{ token: string; user: AuthUser }> {
-    const exchangeUrl = `${serverUrl}/api/auth/exchange`;
+  ): Promise<TokenResponse> {
+    const exchangeUrl = `${serverUrl}/api/auth/token`;
+    logger.info(`[Auth] Exchanging authorization code at ${exchangeUrl}`);
     const response = await fetch(exchangeUrl, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ code }),
+      body: JSON.stringify({ grant_type: "authorization_code", code }),
     });
 
     if (!response.ok) {
       const text = await response.text();
+      logger.info(
+        `[Auth] Authorization code exchange failed (${response.status}): ${text}`,
+      );
       throw new Error(`Token exchange failed (${response.status}): ${text}`);
     }
 
-    const data = (await response.json()) as {
-      token: string;
-      user: { id: string; email?: string };
-    };
-    return {
-      token: data.token,
-      user: { id: data.user.id, email: data.user.email },
-    };
+    const data = (await response.json()) as TokenResponse;
+    logger.info("[Auth] Authorization code exchanged successfully");
+    return data;
   }
 
   private startLocalAuthServer(
@@ -306,7 +335,149 @@ export class AuthService {
   }
 
   isSSOAuthenticated(): boolean {
-    return this.getSSOToken() !== undefined;
+    const config = this.loadAuth();
+    if (!config.SSO_TOKEN) return false;
+    if (
+      config.SSO_TOKEN_EXPIRES_AT &&
+      Date.now() >= config.SSO_TOKEN_EXPIRES_AT
+    )
+      return false;
+    return true;
+  }
+
+  /**
+   * Check if the current token is expired or within the refresh buffer.
+   * Returns false if no expiry info (backward compat — treated as never-expiring).
+   */
+  isTokenExpired(): boolean {
+    const config = this.loadAuth();
+    if (!config.SSO_TOKEN_EXPIRES_AT) return false;
+    const expiresAt = config.SSO_TOKEN_EXPIRES_AT;
+    const bufferMs = AuthService.REFRESH_BUFFER_MS;
+    const now = Date.now();
+    const remaining = expiresAt - now;
+    const expired = now >= expiresAt - bufferMs;
+    if (expired) {
+      logger.info(
+        `[Auth] Token expired or within refresh buffer: remaining=${Math.round(remaining / 1000)}s, buffer=${bufferMs / 1000}s`,
+      );
+    }
+    return expired;
+  }
+
+  /**
+   * Check if the token needs refresh and refresh it if possible.
+   * Deduplicates concurrent refresh calls (401 dedup).
+   */
+  async checkAndRefreshTokenIfNeeded(): Promise<boolean> {
+    if (!this.isTokenExpired()) return true;
+    // Dedup: if a refresh is already in-flight, reuse the same promise
+    if (this._refreshPromise) {
+      logger.info(
+        "[Auth] Token refresh already in-flight, reusing existing promise",
+      );
+      return this._refreshPromise;
+    }
+    logger.info("[Auth] Starting token refresh");
+    this._refreshPromise = this.refreshToken();
+    try {
+      return await this._refreshPromise;
+    } finally {
+      this._refreshPromise = null;
+    }
+  }
+
+  /**
+   * Refresh the access token using the stored refresh token.
+   * Returns true on success, false on failure.
+   */
+  private async refreshToken(): Promise<boolean> {
+    const config = this.loadAuth();
+    if (!config.SSO_REFRESH_TOKEN) {
+      logger.info("[Auth] No refresh token available, cannot refresh");
+      return false;
+    }
+
+    const serverUrl = this.getServerUrl();
+    try {
+      logger.info(`[Auth] Refreshing token via ${serverUrl}/api/auth/token`);
+      const response = await fetch(`${serverUrl}/api/auth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          grant_type: "refresh_token",
+          refresh_token: config.SSO_REFRESH_TOKEN,
+        }),
+      });
+
+      if (response.status === 400 || response.status === 401) {
+        // Refresh token revoked — clear auth
+        logger.info(
+          `[Auth] Refresh token rejected (${response.status}), clearing auth`,
+        );
+        this.clearAuth();
+        return false;
+      }
+
+      if (!response.ok) {
+        logger.info(
+          `[Auth] Token refresh failed with status ${response.status}`,
+        );
+        return false;
+      }
+
+      const data = (await response.json()) as TokenResponse;
+      const newExpiresAt = data.expiresIn
+        ? Date.now() + data.expiresIn * 1000
+        : undefined;
+      this.saveAuth({
+        ...config,
+        SSO_TOKEN: data.token,
+        SSO_REFRESH_TOKEN: data.refreshToken ?? config.SSO_REFRESH_TOKEN,
+        SSO_TOKEN_EXPIRES_AT: newExpiresAt,
+        user: data.user
+          ? { id: data.user.id, email: data.user.email }
+          : config.user,
+      });
+      logger.info(
+        `[Auth] Token refreshed successfully, new token expires at ${newExpiresAt ? new Date(newExpiresAt).toISOString() : "never"}`,
+      );
+      this.notifyAuthChange("login");
+      return true;
+    } catch (err) {
+      // Network error — don't clear auth (might be transient)
+      logger.info(`[Auth] Token refresh failed with network error: ${err}`);
+      return false;
+    }
+  }
+
+  /**
+   * Check if another process has refreshed the token on disk.
+   * Returns true if a fresh token was found and loaded.
+   */
+  /** @internal Check if another process has refreshed the token on disk */
+  tryReadRefreshedTokenFromDisk(): boolean {
+    try {
+      const authPath = this.getAuthPath();
+      if (!existsSync(authPath)) return false;
+      const stat = statSync(authPath);
+      if (stat.mtimeMs <= this._authFileMtime) return false;
+      // File was modified by another process — check if token is fresh
+      const config = this.loadAuth();
+      if (
+        config.SSO_TOKEN_EXPIRES_AT &&
+        Date.now() < config.SSO_TOKEN_EXPIRES_AT
+      ) {
+        logger.info(
+          `[Auth] Detected token refreshed by another process (auth.json mtime changed)`,
+        );
+        this._authFileMtime = stat.mtimeMs;
+        return true;
+      }
+      return false;
+    } catch {
+      return false;
+    }
   }
 
   getAuthUser(): AuthUser | undefined {
@@ -317,6 +488,62 @@ export class AuthService {
 
 export const authService = AuthService.getInstance();
 
+/**
+ * Create a fetch wrapper that handles SSO token refresh transparently.
+ *
+ * 1. Proactive refresh: calls checkAndRefreshTokenIfNeeded() before each request
+ * 2. Updates Authorization header with fresh token
+ * 3. Reactive 401/403 recovery: tries disk refresh then force refresh, retries once
+ */
+export function createAuthAwareFetch(innerFetch: typeof fetch): typeof fetch {
+  return async (input: RequestInfo | URL, init?: RequestInit) => {
+    // Proactive refresh
+    await authService.checkAndRefreshTokenIfNeeded();
+
+    // Update Authorization header with fresh token
+    const freshToken = authService.getSSOToken();
+    const headers = new Headers(init?.headers);
+    if (freshToken) {
+      headers.set("Authorization", `Bearer ${freshToken}`);
+    }
+    const modifiedInit = { ...init, headers };
+
+    const response = await innerFetch(input, modifiedInit);
+
+    // Reactive 401/403 recovery (single retry)
+    if (response.status === 401 || response.status === 403) {
+      logger.info(
+        `[Auth] Received ${response.status}, attempting token recovery`,
+      );
+      // Try disk refresh first (another process may have refreshed)
+      if (authService.tryReadRefreshedTokenFromDisk()) {
+        const retryToken = authService.getSSOToken();
+        const retryHeaders = new Headers(init?.headers);
+        if (retryToken) {
+          retryHeaders.set("Authorization", `Bearer ${retryToken}`);
+        }
+        logger.info("[Auth] Retrying request with disk-refreshed token");
+        return innerFetch(input, { ...init, headers: retryHeaders });
+      }
+
+      // Try force refresh
+      if (await authService.checkAndRefreshTokenIfNeeded()) {
+        const retryToken = authService.getSSOToken();
+        if (retryToken) {
+          const retryHeaders = new Headers(init?.headers);
+          retryHeaders.set("Authorization", `Bearer ${retryToken}`);
+          logger.info("[Auth] Retrying request with force-refreshed token");
+          return innerFetch(input, { ...init, headers: retryHeaders });
+        }
+      }
+
+      logger.info("[Auth] Token recovery failed, returning original response");
+    }
+
+    return response;
+  };
+}
+
 /**
  * Get or create a persistent anonymous ID for telemetry.
  *

package/src/services/configurationService.ts

@@ -44,6 +44,11 @@ import {
 } from "../utils/constants.js";
 import { ClientOptions } from "openai";
 import { parseCustomHeaders } from "../utils/stringUtils.js";
+import {
+  getRemoteSettingsSync,
+  mergeRemoteSettings,
+} from "./remoteSettingsService.js";
+import { createAuthAwareFetch } from "./authService.js";
 
 /**
  * Default ConfigurationService implementation
@@ -101,19 +106,25 @@ export class ConfigurationService {
         };
       }
 
+      // Merge remote settings (highest priority: Remote > Local > Project > User)
+      const remoteSettings = getRemoteSettingsSync();
+      const finalConfig = remoteSettings
+        ? mergeRemoteSettings(mergedConfig, remoteSettings)
+        : mergedConfig;
+
       // Success case
-      this.currentConfiguration = mergedConfig;
+      this.currentConfiguration = finalConfig;
 
       // Set environment variables from merged config and inject system variables
       const env = {
-        ...(mergedConfig.env || {}),
+        ...(finalConfig.env || {}),
         WAVE_PROJECT_DIR: workdir,
       };
       this.setEnvironmentVars(env);
-      mergedConfig.env = env;
+      finalConfig.env = env;
 
       return {
-        configuration: mergedConfig,
+        configuration: finalConfig,
         success: true,
         sourcePath: "merged configuration",
         warnings: validation.warnings,
@@ -413,6 +424,10 @@ export class ConfigurationService {
     const ssoToken = this.readSSOToken();
     const serverUrl = this.options.serverUrl || process.env.WAVE_SERVER_URL;
     if (ssoToken && serverUrl) {
+      const baseFetch = fetch ?? this.options.fetch ?? globalThis.fetch;
+      const authAwareFetch = createAuthAwareFetch(
+        baseFetch as typeof globalThis.fetch,
+      ) as ClientOptions["fetch"];
       return {
         apiKey: ssoToken,
         baseURL: `${serverUrl}/api/v1`,
@@ -421,7 +436,7 @@ export class ConfigurationService {
             ? defaultHeaders
             : undefined,
         fetchOptions: fetchOptions ?? this.options.fetchOptions,
-        fetch: fetch ?? this.options.fetch,
+        fetch: authAwareFetch,
       };
     }
 
@@ -498,7 +513,10 @@ export class ConfigurationService {
   ): ModelConfig {
     // Resolve agent model: override > options > process.env (includes settings.json env)
     const resolvedAgentModel =
-      model || this.options.model || process.env.WAVE_MODEL;
+      model ||
+      this.options.model ||
+      process.env.WAVE_MODEL ||
+      this.currentConfiguration?.model;
 
     // Resolve fast model: override > options > process.env (includes settings.json env)
     const resolvedFastModel =
@@ -686,6 +704,28 @@ export class ConfigurationService {
    */
   setModel(model: string): void {
     this.options.model = model;
+    this.persistModelToSettings(model);
+  }
+
+  private async persistModelToSettings(model: string): Promise<void> {
+    const configPath = getUserConfigPaths()[0]; // ~/.wave/settings.json
+    const configDir = path.dirname(configPath);
+    if (!existsSync(configDir)) {
+      await fs.mkdir(configDir, { recursive: true });
+    }
+
+    let config: WaveConfiguration = {};
+    if (existsSync(configPath)) {
+      try {
+        const content = await fs.readFile(configPath, "utf-8");
+        config = JSON.parse(content);
+      } catch {
+        // Start fresh if corrupted
+      }
+    }
+
+    config.model = model;
+    await fs.writeFile(configPath, JSON.stringify(config, null, 2), "utf-8");
   }
 
   /**
@@ -700,6 +740,11 @@ export class ConfigurationService {
       models.add(currentModel);
     }
 
+    // Persisted model from settings (includes remote-merged)
+    if (this.currentConfiguration?.model) {
+      models.add(this.currentConfiguration.model);
+    }
+
     // Add models from merged configuration
     if (this.currentConfiguration?.models) {
       Object.keys(this.currentConfiguration.models).forEach((model) => {
@@ -1129,6 +1174,7 @@ export function loadWaveConfigFromFile(
       permissions: config.permissions || undefined,
       enabledPlugins: config.enabledPlugins || undefined,
       language: config.language || undefined,
+      model: config.model || undefined,
       autoMemoryEnabled:
         config.autoMemoryEnabled !== undefined
           ? config.autoMemoryEnabled
@@ -1258,6 +1304,11 @@ export function loadMergedWaveConfig(
       mergedConfig.language = config.language;
     }
 
+    // Merge model (last one wins)
+    if (config.model !== undefined) {
+      mergedConfig.model = config.model;
+    }
+
     // Merge autoMemoryEnabled (last one wins)
     if (config.autoMemoryEnabled !== undefined) {
       mergedConfig.autoMemoryEnabled = config.autoMemoryEnabled;
@@ -1306,6 +1357,7 @@ export function loadMergedWaveConfig(
         ? mergedConfig.enabledPlugins
         : undefined,
     language: mergedConfig.language,
+    model: mergedConfig.model,
     autoMemoryEnabled: mergedConfig.autoMemoryEnabled,
     marketplaces:
       mergedConfig.marketplaces &&

package/src/services/hook.ts

@@ -277,6 +277,21 @@ export async function executeCommands(
   return results;
 }
 
+/**
+ * Execute a CwdChanged hook
+ */
+export async function executeCwdChangedHooks(
+  oldCwd: string,
+  newCwd: string,
+  context: ExtendedHookExecutionContext,
+): Promise<HookExecutionResult[]> {
+  // CwdChanged hooks are executed through HookManager.executeCwdChangedHooks()
+  void context;
+  void oldCwd;
+  void newCwd;
+  return [];
+}
+
 /**
  * Validate command safety (basic checks)
  */

package/src/services/initializationService.ts

@@ -22,6 +22,7 @@ import type { MemoryRuleManager } from "../managers/MemoryRuleManager.js";
 import type { LiveConfigManager } from "../managers/liveConfigManager.js";
 import type { TaskManager } from "./taskManager.js";
 import type { PermissionManager } from "../managers/permissionManager.js";
+import { remoteSettingsService } from "./remoteSettingsService.js";
 
 export interface InitializationContext {
   skillManager: SkillManager;
@@ -288,6 +289,18 @@ export class InitializationService {
       // Don't throw error to prevent app startup failure - continue without live reload
     }
 
+    // Initialize remote settings (fetch server-managed config)
+    try {
+      const phaseStart = performance.now();
+      await remoteSettingsService.initialize();
+      logger?.debug(
+        `Initialization Phase [Remote Settings] took ${(performance.now() - phaseStart).toFixed(2)}ms`,
+      );
+    } catch (error) {
+      logger?.error("Failed to initialize remote settings:", error);
+      // Don't throw error to prevent app startup failure - continue without remote settings
+    }
+
     // Memory is lazy-cached on first getCombinedMemoryContent call
     // No explicit loading needed during initialization
 

package/src/services/interactionService.ts

@@ -7,7 +7,6 @@ import type { ConfigurationService } from "./configurationService.js";
 import type { AIManager } from "../managers/aiManager.js";
 import type { SubagentManager } from "../managers/subagentManager.js";
 import type { TaskManager } from "./taskManager.js";
-import type { NotificationQueue } from "../managers/notificationQueue.js";
 
 export interface InteractionContext {
   messageManager: MessageManager;
@@ -62,23 +61,6 @@ export class InteractionService {
         // Don't add to history, let normal message processing logic below handle it
       }
 
-      // Inject pending notifications from background tasks
-      const notificationQueue = context.aiManager["container"].has(
-        "NotificationQueue",
-      )
-        ? context.aiManager["container"].get<NotificationQueue>(
-            "NotificationQueue",
-          )
-        : undefined;
-      if (notificationQueue && notificationQueue.hasPending()) {
-        const notifications = notificationQueue.dequeueAll();
-        for (const notification of notifications) {
-          messageManager.addUserMessage({
-            content: notification,
-          });
-        }
-      }
-
       // Handle normal AI message
       // Add user message first, will automatically sync to UI
       messageManager.addUserMessage({