fix(cli): restore leader identity from server

saltbo · saltbo · commit ec7df3aee30d · 2026-04-14T15:09:45.000-04:00
diff --git a/packages/cli/src/agent/identity.ts b/packages/cli/src/agent/identity.ts
@@ -1,5 +1,8 @@
+import { createHash } from "node:crypto";
 import { mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
+import { getCredentials } from "../config.js";
+import { generateDeviceId } from "../device.js";
 import { IDENTITIES_DIR } from "../paths.js";
 
 export interface StoredIdentity {
@@ -8,28 +11,47 @@ export interface StoredIdentity {
   fingerprint: string;
 }
 
-function identityPath(runtime: string): string {
+function legacyIdentityPath(runtime: string): string {
   return join(IDENTITIES_DIR, `${runtime}.json`);
 }
 
+function scopedIdentityPath(runtime: string): string {
+  const { apiUrl } = getCredentials();
+  const deviceId = generateDeviceId();
+  const scope = createHash("sha256").update(`${apiUrl}\n${deviceId}\n${runtime}`).digest("hex").slice(0, 16);
+  return join(IDENTITIES_DIR, `${runtime}-${scope}.json`);
+}
+
 export function loadIdentity(runtime: string): StoredIdentity | null {
   try {
-    return JSON.parse(readFileSync(identityPath(runtime), "utf-8"));
-  } catch {
-    return null;
-  }
+    return JSON.parse(readFileSync(scopedIdentityPath(runtime), "utf-8"));
+  } catch {}
+
+  // Migrate the old runtime-only identity on first access into the new
+  // api-url + machine + runtime scoped location.
+  try {
+    const identity = JSON.parse(readFileSync(legacyIdentityPath(runtime), "utf-8")) as StoredIdentity;
+    saveIdentity(runtime, identity);
+    return identity;
+  } catch {}
+
+  return null;
 }
 
 export function saveIdentity(runtime: string, identity: StoredIdentity): void {
   mkdirSync(IDENTITIES_DIR, { recursive: true });
-  writeFileSync(identityPath(runtime), `${JSON.stringify(identity, null, 2)}\n`);
+  writeFileSync(scopedIdentityPath(runtime), `${JSON.stringify(identity, null, 2)}\n`);
 }
 
 export function removeIdentity(runtime: string): boolean {
-  try {
-    rmSync(identityPath(runtime));
-    return true;
-  } catch {
-    return false;
+  let removed = false;
+  for (const path of [scopedIdentityPath(runtime), legacyIdentityPath(runtime)]) {
+    try {
+      rmSync(path);
+      removed = true;
+    } catch {
+      // ignore
+    }
   }
+  return removed;
 }
diff --git a/packages/cli/src/agent/leader.ts b/packages/cli/src/agent/leader.ts
@@ -20,21 +20,52 @@ function isDaemonAlive(): boolean {
   }
 }
 
-async function ensureIdentity(runtime: AgentRuntime, client: MachineClient): Promise<StoredIdentity> {
-  const existing = loadIdentity(runtime);
-  if (existing) return existing;
+function missingIdentityMessage(runtime: AgentRuntime): string {
+  return [
+    `No identity found for runtime "${runtime}".`,
+    "",
+    "Create one explicitly with:",
+    "  ak identity create --username <username> [--name <name>]",
+    "",
+    "Choose the identity values yourself:",
+    "  --username  required, user-like handle chosen by the agent",
+    "  --name      optional full name shown in the UI",
+    "",
+    `This identity is reused for the same api-url + machine + runtime (${runtime}).`,
+    "",
+    "Examples:",
+    "  ak identity create --username alex",
+    '  ak identity create --username alex --name "Alex Chen"',
+  ].join("\n");
+}
 
+async function restoreIdentity(runtime: AgentRuntime, client: MachineClient): Promise<StoredIdentity | null> {
   const agents = (await client.listAgents()) as Agent[];
-  const match = agents.find((a) => a.runtime === runtime && a.kind === "leader");
-  if (match) {
-    const identity: StoredIdentity = { agent_id: match.id, name: match.name, fingerprint: match.fingerprint };
-    saveIdentity(runtime, identity);
-    return identity;
+  const leaders = agents.filter((agent) => agent.kind === "leader" && agent.runtime === runtime);
+  if (leaders.length !== 1) return null;
+  const leader = leaders[0];
+  const identity: StoredIdentity = { agent_id: leader.id, name: leader.name, fingerprint: leader.fingerprint };
+  saveIdentity(runtime, identity);
+  return identity;
+}
+
+export async function createIdentity(input: { runtime: AgentRuntime; username: string; name?: string }): Promise<StoredIdentity> {
+  const existing = loadIdentity(input.runtime);
+  if (existing) {
+    throw new Error(`Identity for runtime "${input.runtime}" already exists.`);
   }
 
-  const agent = (await client.createAgent({ name: runtime, runtime, kind: "leader" })) as Agent;
+  const client = new MachineClient();
+  const payload: { username: string; name?: string; runtime: AgentRuntime; kind: "leader" } = {
+    username: input.username,
+    runtime: input.runtime,
+    kind: "leader",
+  };
+  if (input.name) payload.name = input.name;
+
+  const agent = (await client.createAgent(payload)) as Agent;
   const identity: StoredIdentity = { agent_id: agent.id, name: agent.name, fingerprint: agent.fingerprint };
-  saveIdentity(runtime, identity);
+  saveIdentity(input.runtime, identity);
   return identity;
 }
 
@@ -72,13 +103,20 @@ export async function createClient(): Promise<ApiClient> {
     return cachedLeaderClient;
   }
 
+  let identity = loadIdentity(runtime);
+  const machineClient = new MachineClient();
+  if (!identity) {
+    identity = await restoreIdentity(runtime, machineClient);
+  }
+  if (!identity) {
+    throw new Error(missingIdentityMessage(runtime));
+  }
+
   if (!isDaemonAlive()) {
     throw new Error("Daemon is not running. Start it with: ak start");
   }
 
-  // First call — auto-init leader session
-  const machineClient = new MachineClient();
-  const identity = await ensureIdentity(runtime, machineClient);
+  // First call — create a leader session for an existing identity
   const { publicKey, privateKey } = (await crypto.subtle.generateKey({ name: "Ed25519" } as any, true, ["sign", "verify"])) as CryptoKeyPair;
   const pubJwk = await crypto.subtle.exportKey("jwk", publicKey);
   const privJwk = await crypto.subtle.exportKey("jwk", privateKey);
diff --git a/packages/cli/src/client/base.ts b/packages/cli/src/client/base.ts
@@ -148,8 +148,8 @@ export abstract class ApiClient {
     return this.request<any[]>("GET", `/api/agents/${agentId}/sessions`);
   }
   createAgent(input: {
-    name: string;
-    username?: string;
+    name?: string;
+    username: string;
     bio?: string;
     soul?: string;
     role?: string;
diff --git a/packages/cli/src/commands/start.ts b/packages/cli/src/commands/start.ts
@@ -3,7 +3,7 @@ import { existsSync, mkdirSync, openSync, readdirSync, readFileSync, renameSync,
 import { join } from "node:path";
 import type { Command } from "commander";
 import { getCredentials, saveCredentials, setCurrent } from "../config.js";
-import { DAEMON_STATE_FILE, IDENTITIES_DIR, LOGS_DIR, PID_FILE, SESSIONS_DIR, STATE_DIR } from "../paths.js";
+import { DAEMON_STATE_FILE, LOGS_DIR, PID_FILE, SESSIONS_DIR, STATE_DIR } from "../paths.js";
 import { getAvailableProviders } from "../providers/registry.js";
 import { listSessions } from "../session/store.js";
 import { getVersion } from "../version.js";
@@ -131,14 +131,11 @@ export function registerStartCommand(program: Command) {
         process.exit(1);
       }
 
-      // Clear identity/session cache if API URL changed. This is the ONLY
-      // place that is allowed to bulk-delete sessions — identities from the
-      // old backend are meaningless under a new apiUrl. Never add other
-      // callers: in_review session files are reject-resume entry points and
-      // must survive every other kind of restart.
+      // Clear session cache if API URL changed. Sessions are backend-specific
+      // and must not survive environment switches. Identities are now scoped
+      // by api-url + machine + runtime, so they remain valid side by side.
       const prevState = readDaemonState();
       if (prevState && prevState.apiUrl !== apiUrl) {
-        rmSync(IDENTITIES_DIR, { recursive: true, force: true });
         rmSync(SESSIONS_DIR, { recursive: true, force: true });
       }
       if (existsSync(PID_FILE)) unlinkSync(PID_FILE);
diff --git a/packages/cli/src/index.ts b/packages/cli/src/index.ts
@@ -1,6 +1,7 @@
+import { AGENT_RUNTIMES, type AgentRuntime } from "@agent-kanban/shared";
 import { Command } from "commander";
 import { loadIdentity } from "./agent/identity.js";
-import { createClient } from "./agent/leader.js";
+import { createClient, createIdentity } from "./agent/leader.js";
 import { detectRuntime } from "./agent/runtime.js";
 import { registerApplyCommand } from "./commands/apply.js";
 import { registerCreateCommand } from "./commands/create.js";
@@ -202,17 +203,56 @@ registerWaitCommand(program);
 
 // ─── Identity ───
 
+const identityCmd = program.command("identity").description("Manage leader identity for the current runtime");
+
+identityCmd
+  .command("create")
+  .description("Create and save a leader identity for the current runtime")
+  .requiredOption("--username <username>", "User-like handle chosen by the agent")
+  .option("--name <name>", "Optional full name shown in the UI")
+  .option("--runtime <runtime>", `Agent runtime: ${AGENT_RUNTIMES.join(", ")}`)
+  .action(async (opts) => {
+    const runtime = (opts.runtime || detectRuntime()) as string | null;
+    if (!runtime) {
+      console.error("No agent runtime found. Install claude, codex, or gemini CLI, or pass --runtime explicitly.");
+      process.exit(1);
+    }
+    if (!AGENT_RUNTIMES.includes(runtime as AgentRuntime)) {
+      console.error(`Unknown runtime "${runtime}" — must be one of: ${AGENT_RUNTIMES.join(", ")}`);
+      process.exit(1);
+    }
+
+    const identity = await createIdentity({
+      runtime: runtime as AgentRuntime,
+      username: opts.username,
+      name: opts.name,
+    });
+    console.log(`Created identity for ${runtime}`);
+    console.log(`Agent ID:    ${identity.agent_id}`);
+    console.log(`Name:        ${identity.name}`);
+    console.log(`Fingerprint: ${identity.fingerprint}`);
+  });
+
 program
   .command("whoami")
   .description("Show agent identity for the current runtime")
-  .action(async () => {
-    // Trigger auto-init so whoami works as first command
-    await createClient();
+  .action(() => {
     const runtime = detectRuntime();
     const runtimeKey = runtime ?? "default";
     const identity = loadIdentity(runtimeKey);
     if (!identity) {
-      console.error("Failed to resolve identity.");
+      console.error(
+        [
+          `No identity found for runtime "${runtimeKey}".`,
+          "",
+          "Create one explicitly with:",
+          "  ak identity create --username <username> [--name <name>]",
+          "",
+          "Choose the identity values yourself:",
+          "  --username  required, user-like handle chosen by the agent",
+          "  --name      optional full name shown in the UI",
+        ].join("\n"),
+      );
       process.exit(1);
     }
     console.log(`Runtime:     ${runtimeKey}`);
diff --git a/packages/cli/tests/client.test.ts b/packages/cli/tests/client.test.ts
diff --git a/packages/cli/tests/identity.test.ts b/packages/cli/tests/identity.test.ts
