zooid 0.1.0 → 0.1.1

package/dist/index.js

@@ -482,10 +482,6 @@ async function runChannelList(client) {
   const c = client ?? createClient();
   return c.listChannels();
 }
-async function runChannelAddPublisher(channelId, name, client) {
-  const c = client ?? createClient();
-  return c.addPublisher(channelId, name);
-}
 async function runChannelUpdate(channelId, options, client) {
   const c = client ?? createClient();
   return c.updateChannel(channelId, options);
@@ -637,6 +633,9 @@ function printError(message) {
 function printInfo(label, value) {
   console.log(`  ${label}: ${value}`);
 }
+function printStep(message) {
+  console.log(`  ${message}`);
+}
 function formatRelative(isoString) {
   const diff = Date.now() - new Date(isoString).getTime();
   const minutes = Math.floor(diff / 6e4);
@@ -947,6 +946,17 @@ async function runServerSet(fields, client) {
   return c.updateServerMeta(fields);
 }
 
+// src/commands/token.ts
+async function runTokenMint(scope, options) {
+  const client = createClient();
+  const body = { scope };
+  if (options.channels?.length) body.channels = options.channels;
+  if (options.sub) body.sub = options.sub;
+  if (options.name) body.name = options.name;
+  if (options.expiresIn) body.expires_in = options.expiresIn;
+  return client.mintToken(body);
+}
+
 // src/commands/dev.ts
 import { execSync, spawn } from "child_process";
 import crypto2 from "crypto";
@@ -986,6 +996,34 @@ async function createAdminToken(secret) {
   const signature = base64url(Buffer.from(sig));
   return `${data}.${signature}`;
 }
+async function createEdDSAAdminToken(privateKeyJwk, kid) {
+  const header = base64url(
+    Buffer.from(JSON.stringify({ alg: "EdDSA", typ: "JWT", kid }))
+  );
+  const payload = base64url(
+    Buffer.from(
+      JSON.stringify({
+        scope: "admin",
+        iat: Math.floor(Date.now() / 1e3)
+      })
+    )
+  );
+  const message = `${header}.${payload}`;
+  const privateKey = await crypto.subtle.importKey(
+    "jwk",
+    privateKeyJwk,
+    { name: "Ed25519" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.subtle.sign(
+    "Ed25519",
+    privateKey,
+    new TextEncoder().encode(message)
+  );
+  const signature = base64url(Buffer.from(sig));
+  return `${message}.${signature}`;
+}
 
 // src/commands/dev.ts
 function findServerDir() {
@@ -1337,7 +1375,7 @@ async function runDeploy() {
     console.log("");
     printInfo("Deploy type", "First deploy \u2014 setting up database and secrets");
     console.log("");
-    console.log(`Creating D1 database (${dbName})...`);
+    printStep(`Creating D1 database (${dbName})...`);
     const d1Output = wrangler(`d1 create ${dbName}`, stagingDir, creds);
     const dbIdMatch = d1Output.match(/database_id\s*=\s*"([^"]+)"/);
     if (!dbIdMatch) {
@@ -1370,7 +1408,7 @@ async function runDeploy() {
     printSuccess("Configured wrangler.toml");
     const schemaPath = path5.join(stagingDir, "src/db/schema.sql");
     if (fs6.existsSync(schemaPath)) {
-      console.log("Running database schema migration...");
+      printStep("Running database schema migration...");
       wrangler(
         `d1 execute ${dbName} --remote --file=${schemaPath}`,
         stagingDir,
@@ -1378,8 +1416,7 @@ async function runDeploy() {
       );
       printSuccess("Database schema initialized");
     }
-    console.log("Generating secrets...");
-    const jwtSecret = crypto3.randomBytes(32).toString("base64");
+    printStep("Generating secrets...");
     const keyPair = await crypto3.subtle.generateKey("Ed25519", true, [
       "sign",
       "verify"
@@ -1392,12 +1429,16 @@ async function runDeploy() {
       "raw",
       keyPair.publicKey
     );
+    const privateKeyJwk = await crypto3.subtle.exportKey(
+      "jwk",
+      keyPair.privateKey
+    );
+    const publicKeyJwk = await crypto3.subtle.exportKey(
+      "jwk",
+      keyPair.publicKey
+    );
     const privateKeyB64 = Buffer.from(privateKeyRaw).toString("base64");
     const publicKeyB64 = Buffer.from(publicKeyRaw).toString("base64");
-    wrangler("secret put ZOOID_JWT_SECRET", stagingDir, creds, {
-      input: jwtSecret
-    });
-    printSuccess("Set ZOOID_JWT_SECRET");
     wrangler("secret put ZOOID_SIGNING_KEY", stagingDir, creds, {
       input: privateKeyB64
     });
@@ -1406,8 +1447,17 @@ async function runDeploy() {
       input: publicKeyB64
     });
     printSuccess("Set ZOOID_PUBLIC_KEY (Ed25519 public)");
-    adminToken = await createAdminToken(jwtSecret);
-    printSuccess("Admin token generated");
+    const kid = "local-1";
+    const xValue = publicKeyJwk.x;
+    const insertSql = `INSERT INTO trusted_keys (kid, x, issuer) VALUES ('${kid}', '${xValue}', 'local');`;
+    wrangler(
+      `d1 execute ${dbName} --remote --command="${insertSql}"`,
+      stagingDir,
+      creds
+    );
+    printSuccess(`Registered EdDSA public key (kid: ${kid})`);
+    adminToken = await createEdDSAAdminToken(privateKeyJwk, kid);
+    printSuccess("EdDSA admin token generated");
   } else {
     console.log("");
     printInfo("Deploy type", "Redeploying existing server");
@@ -1439,8 +1489,87 @@ async function runDeploy() {
     } catch {
     }
     fs6.writeFileSync(wranglerTomlPath, tomlContent);
-    const existingConfig = loadConfig();
-    adminToken = existingConfig.admin_token;
+    const schemaPath = path5.join(stagingDir, "src/db/schema.sql");
+    if (fs6.existsSync(schemaPath)) {
+      printStep("Running schema migration...");
+      wrangler(
+        `d1 execute ${dbName} --remote --file=${schemaPath}`,
+        stagingDir,
+        creds
+      );
+      printSuccess("Schema up to date");
+    }
+    const migrations = ["ALTER TABLE events ADD COLUMN publisher_name TEXT"];
+    for (const sql of migrations) {
+      try {
+        wrangler(
+          `d1 execute ${dbName} --remote --command="${sql}"`,
+          stagingDir,
+          creds
+        );
+      } catch {
+      }
+    }
+    try {
+      const keysOutput = wrangler(
+        `d1 execute ${dbName} --remote --json --command="SELECT kid FROM trusted_keys WHERE issuer = 'local' LIMIT 1"`,
+        stagingDir,
+        creds
+      );
+      const keysResult = JSON.parse(keysOutput);
+      const hasLocalKey = keysResult?.[0]?.results?.length > 0;
+      if (!hasLocalKey) {
+        printStep("Upgrading to EdDSA auth...");
+        const keyPair = await crypto3.subtle.generateKey("Ed25519", true, [
+          "sign",
+          "verify"
+        ]);
+        const privateKeyRaw = await crypto3.subtle.exportKey(
+          "pkcs8",
+          keyPair.privateKey
+        );
+        const publicKeyRaw = await crypto3.subtle.exportKey(
+          "raw",
+          keyPair.publicKey
+        );
+        const privateKeyJwk = await crypto3.subtle.exportKey(
+          "jwk",
+          keyPair.privateKey
+        );
+        const publicKeyJwk = await crypto3.subtle.exportKey(
+          "jwk",
+          keyPair.publicKey
+        );
+        const privateKeyB64 = Buffer.from(privateKeyRaw).toString("base64");
+        const publicKeyB64 = Buffer.from(publicKeyRaw).toString("base64");
+        wrangler("secret put ZOOID_SIGNING_KEY", stagingDir, creds, {
+          input: privateKeyB64
+        });
+        wrangler("secret put ZOOID_PUBLIC_KEY", stagingDir, creds, {
+          input: publicKeyB64
+        });
+        const kid = "local-1";
+        const xValue = publicKeyJwk.x;
+        const insertSql = `INSERT INTO trusted_keys (kid, x, issuer) VALUES ('${kid}', '${xValue}', 'local');`;
+        wrangler(
+          `d1 execute ${dbName} --remote --command="${insertSql}"`,
+          stagingDir,
+          creds
+        );
+        printSuccess("EdDSA keypair generated and registered");
+        adminToken = await createEdDSAAdminToken(privateKeyJwk, kid);
+        printSuccess("Upgraded to EdDSA admin token");
+      }
+    } catch {
+      printInfo(
+        "Note",
+        "Could not check EdDSA key status, keeping existing token"
+      );
+    }
+    if (!adminToken) {
+      const existingConfig = loadConfig();
+      adminToken = existingConfig.admin_token;
+    }
     if (!adminToken) {
       printError(
         "No admin token found in ~/.zooid/config.json for this server"
@@ -1452,7 +1581,7 @@ async function runDeploy() {
       process.exit(1);
     }
   }
-  console.log("Deploying worker...");
+  printStep("Deploying worker...");
   const deployOutput = wranglerVerbose("deploy", stagingDir, creds);
   const { workerUrl, customDomain } = parseDeployUrls(deployOutput);
   printSuccess("Worker deployed");
@@ -1730,16 +1859,6 @@ channelCmd.command("list").description("List all channels").action(async () => {
     handleError("channel list", err);
   }
 });
-channelCmd.command("add-publisher <channel>").description("Add a publisher to a channel").requiredOption("--name <name>", "Publisher name").action(async (channel, opts) => {
-  try {
-    const result = await runChannelAddPublisher(channel, opts.name);
-    printSuccess(`Added publisher: ${result.name}`);
-    printInfo("Publisher ID", result.id);
-    printInfo("Publish token", result.publish_token);
-  } catch (err) {
-    handleError("channel add-publisher", err);
-  }
-});
 channelCmd.command("delete <id>").description("Delete a channel and all its data").option("-y, --yes", "Skip confirmation prompt").action(async (id, opts) => {
   try {
     if (!opts.yes) {
@@ -1750,7 +1869,7 @@ channelCmd.command("delete <id>").description("Delete a channel and all its data
       });
       const answer = await new Promise((resolve) => {
         rl.question(
-          `Delete channel "${id}" and all its events, webhooks, and publishers? [y/N] `,
+          `Delete channel "${id}" and all its events and webhooks? [y/N] `,
           resolve
         );
       });
@@ -1907,6 +2026,27 @@ serverCmd.command("set").description("Update server metadata").option("--name <n
     handleError("server set", err);
   }
 });
+program.command("token <scope>").description("Mint a new token (admin, publish, or subscribe)").argument("[channels...]", "Channels to scope the token to").option("--sub <sub>", "Subject identifier (e.g. publisher ID)").option("--name <name>", "Display name (used for publisher identity)").option("--expires-in <duration>", "Token expiry (e.g. 5m, 1h, 7d, 30d)").action(async (scope, channels, opts) => {
+  try {
+    if (!["admin", "publish", "subscribe"].includes(scope)) {
+      throw new Error(
+        `Invalid scope "${scope}". Must be one of: admin, publish, subscribe`
+      );
+    }
+    const result = await runTokenMint(
+      scope,
+      {
+        channels: channels.length > 0 ? channels : void 0,
+        sub: opts.sub,
+        name: opts.name,
+        expiresIn: opts.expiresIn
+      }
+    );
+    console.log(result.token);
+  } catch (err) {
+    handleError("token", err);
+  }
+});
 program.command("status").description("Check server status").action(async () => {
   try {
     const { discovery, identity } = await runStatus();
@@ -1922,7 +2062,7 @@ program.command("status").description("Check server status").action(async () =>
     handleError("status", err);
   }
 });
-program.command("history").description("Show tail/subscribe history across all servers").option("-n, --limit <n>", "Max entries to show", "20").option("--json", "Output as JSON").action((opts) => {
+program.command("history").description("Show tail/subscribe history").option("-n, --limit <n>", "Max entries to show", "20").option("--json", "Output as JSON").action((opts) => {
   try {
     const entries = runHistory();
     const limit = parseInt(opts.limit, 10);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zooid",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Open-source pub/sub server for AI agents. Publish signals, subscribe via webhook, WebSocket, polling, or RSS.",
   "type": "module",
   "license": "MIT",
@@ -24,9 +24,9 @@
   "dependencies": {
     "@inquirer/checkbox": "^5.0.7",
     "commander": "^14.0.3",
-    "@zooid/sdk": "^0.1.0",
-    "@zooid/types": "^0.1.0",
-    "@zooid/server": "^0.1.0"
+    "@zooid/sdk": "^0.1.1",
+    "@zooid/types": "^0.1.1",
+    "@zooid/server": "^0.1.1"
   },
   "devDependencies": {
     "@cloudflare/vitest-pool-workers": "^0.8.34",