Dont terminate on archive

Send terminate error messages
Add pending
2026-05-25 18:23:11 +00:00 · 2026-01-16 17:06:16 -08:00 · 2026-01-16 14:57:54 -08:00 · 2026-01-16 14:37:06 -08:00 · 2026-01-16 14:19:36 -08:00
14 changed files with 130 additions and 16 deletions
--- a/2
+++ b/2
@@ -77,6 +77,8 @@ COPY ./cli/wrapper.sh /usr/local/bin/pangctl
 RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs

 COPY server/db/names.json ./dist/names.json
+COPY server/db/ios_models.json ./dist/ios_models.json
+COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public

 # OCI Image Labels
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -19,6 +19,7 @@ import logger from "@server/logger";
 import { sendTerminateClient } from "@server/routers/client/terminate";
 import { and, eq, notInArray, type InferInsertModel } from "drizzle-orm";
 import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
+import { OlmErrorCodes } from "@server/routers/olm/error";

 export async function calculateUserClientsForOrgs(
    userId: string,
@@ -305,6 +306,8 @@ async function cleanupOrphanedClients(
            if (deletedClient.olmId) {
                await sendTerminateClient(
                    deletedClient.clientId,
+                    OlmErrorCodes.TERMINATED_DELETED,
+                    "Deleted",
                    deletedClient.olmId
                );
            }
--- a/server/private/routers/re-key/reGenerateClientSecret.ts
+++ b/server/private/routers/re-key/reGenerateClientSecret.ts
@@ -24,6 +24,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { hashPassword } from "@server/auth/password";
 import { disconnectClient, sendToClient } from "#private/routers/ws";
+import { OlmErrorCodes, sendOlmError } from "@server/routers/olm/error";

 const reGenerateSecretParamsSchema = z.strictObject({
    clientId: z.string().transform(Number).pipe(z.int().positive())
@@ -119,7 +120,10 @@ export async function reGenerateClientSecret(
        if (disconnect) {
            const payload = {
                type: `olm/terminate`,
-                data: {}
+                data: {
+                    code: OlmErrorCodes.TERMINATED_REKEYED,
+                    message: "Client secret has been regenerated"
+                }
            };
            // Don't await this to prevent blocking the response
            sendToClient(existingOlms[0].olmId, payload).catch((error) => {
--- a/server/routers/client/archiveClient.ts
+++ b/server/routers/client/archiveClient.ts
@@ -11,6 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 import { sendTerminateClient } from "./terminate";
+import { OlmErrorCodes } from "../olm/error";

 const archiveClientSchema = z.strictObject({
    clientId: z.string().transform(Number).pipe(z.int().positive())
@@ -79,11 +80,6 @@ export async function archiveClient(

            // Rebuild associations to clean up related data
            await rebuildClientAssociationsFromClient(client, trx);
-
-            // Send terminate signal if there's an associated OLM
-            if (client.olmId) {
-                await sendTerminateClient(client.clientId, client.olmId);
-            }
        });

        return response(res, {
--- a/server/routers/client/blockClient.ts
+++ b/server/routers/client/blockClient.ts
@@ -10,6 +10,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { sendTerminateClient } from "./terminate";
+import { OlmErrorCodes } from "../olm/error";

 const blockClientSchema = z.strictObject({
    clientId: z.string().transform(Number).pipe(z.int().positive())
@@ -78,7 +79,7 @@ export async function blockClient(

            // Send terminate signal if there's an associated OLM and it's connected
            if (client.olmId && client.online) {
-                await sendTerminateClient(client.clientId, client.olmId);
+                await sendTerminateClient(client.clientId, OlmErrorCodes.TERMINATED_BLOCKED, "Blocked", client.olmId);
            }
        });

--- a/server/routers/client/deleteClient.ts
+++ b/server/routers/client/deleteClient.ts
@@ -11,6 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 import { sendTerminateClient } from "./terminate";
+import { OlmErrorCodes } from "../olm/error";

 const deleteClientSchema = z.strictObject({
    clientId: z.string().transform(Number).pipe(z.int().positive())
@@ -91,7 +92,7 @@ export async function deleteClient(
            await rebuildClientAssociationsFromClient(deletedClient, trx);

            if (olm) {
-                await sendTerminateClient(deletedClient.clientId, olm.olmId); //  the olmId needs to be provided because it cant look it up after deletion
+                await sendTerminateClient(deletedClient.clientId, OlmErrorCodes.TERMINATED_DELETED, "Deleted", olm.olmId); //  the olmId needs to be provided because it cant look it up after deletion
            }
        });

--- a/server/routers/client/terminate.ts
+++ b/server/routers/client/terminate.ts
@@ -1,9 +1,12 @@
 import { sendToClient } from "#dynamic/routers/ws";
 import { db, olms } from "@server/db";
 import { eq } from "drizzle-orm";
+import { OlmErrorCodes } from "../olm/error";

 export async function sendTerminateClient(
    clientId: number,
+    code: (typeof OlmErrorCodes)[keyof typeof OlmErrorCodes],
+    message: string,
    olmId?: string | null
 ) {
    if (!olmId) {
@@ -20,6 +23,9 @@ export async function sendTerminateClient(

    await sendToClient(olmId, {
        type: `olm/terminate`,
-        data: {}
+        data: {
+            code,
+            message
+        }
    });
 }
--- a/server/routers/olm/archiveUserOlm.ts
+++ b/server/routers/olm/archiveUserOlm.ts
@@ -10,6 +10,7 @@ import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 import { sendTerminateClient } from "../client/terminate";
+import { OlmErrorCodes } from "./error";

 const paramsSchema = z
    .object({
@@ -52,7 +53,7 @@ export async function archiveUserOlm(
                    .where(eq(clients.clientId, client.clientId));

                await rebuildClientAssociationsFromClient(client, trx);
-                await sendTerminateClient(client.clientId, olmId);
+                await sendTerminateClient(client.clientId, OlmErrorCodes.TERMINATED_ARCHIVED, "Archived", olmId);
            }

            // Archive the OLM (set archived to true)
--- a/server/routers/olm/deleteUserOlm.ts
+++ b/server/routers/olm/deleteUserOlm.ts
@@ -11,6 +11,7 @@ import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 import { sendTerminateClient } from "../client/terminate";
+import { OlmErrorCodes } from "./error";

 const paramsSchema = z
    .object({
@@ -76,6 +77,8 @@ export async function deleteUserOlm(
                if (olm) {
                    await sendTerminateClient(
                        deletedClient.clientId,
+                        OlmErrorCodes.TERMINATED_DELETED,
+                        "Deleted",
                        olm.olmId
                    ); //  the olmId needs to be provided because it cant look it up after deletion
                }
--- a/server/routers/olm/error.ts
+++ b/server/routers/olm/error.ts
@@ -0,0 +1,35 @@
+import { sendToClient } from "#dynamic/routers/ws";
+// Error codes for registration failures
+export const OlmErrorCodes = {
+    OLM_NOT_FOUND: "OLM_NOT_FOUND",
+    CLIENT_ID_NOT_FOUND: "CLIENT_ID_NOT_FOUND",
+    CLIENT_NOT_FOUND: "CLIENT_NOT_FOUND",
+    CLIENT_BLOCKED: "CLIENT_BLOCKED",
+    CLIENT_PENDING: "CLIENT_PENDING",
+    ORG_NOT_FOUND: "ORG_NOT_FOUND",
+    USER_ID_NOT_FOUND: "USER_ID_NOT_FOUND",
+    INVALID_USER_SESSION: "INVALID_USER_SESSION",
+    USER_ID_MISMATCH: "USER_ID_MISMATCH",
+    ACCESS_POLICY_DENIED: "ACCESS_POLICY_DENIED",
+    TERMINATED_REKEYED: "TERMINATED_REKEYED",
+    TERMINATED_ORG_DELETED: "TERMINATED_ORG_DELETED",
+    TERMINATED_INACTIVITY: "TERMINATED_INACTIVITY",
+    TERMINATED_DELETED: "TERMINATED_DELETED",
+    TERMINATED_ARCHIVED: "TERMINATED_ARCHIVED",
+    TERMINATED_BLOCKED: "TERMINATED_BLOCKED"
+} as const;
+
+// Helper function to send registration error
+export async function sendOlmError(
+    code: string,
+    errorMessage: string,
+    olmId: string
+) {
+    sendToClient(olmId, {
+        type: "olm/error",
+        data: {
+            code,
+            message: errorMessage
+        }
+    });
+}
--- a/server/routers/olm/getUserOlm.ts
+++ b/server/routers/olm/getUserOlm.ts
@@ -8,8 +8,8 @@ import response from "@server/lib/response";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
-import { OpenAPITags, registry } from "@server/openApi";
 import { getUserDeviceName } from "@server/db/names";
+// import { OpenAPITags, registry } from "@server/openApi";

 const paramsSchema = z
    .object({
@@ -101,7 +101,7 @@ export async function getUserOlm(
        const model = result.fingerprints?.deviceModel || null;
        const newName = getUserDeviceName(model, olm.name);

-        const responseData = blocked !== undefined 
+        const responseData = blocked !== undefined
            ? { ...olm, name: newName, blocked }
            : { ...olm, name: newName };

--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -10,6 +10,7 @@ import { sendTerminateClient } from "../client/terminate";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { sendOlmSyncMessage } from "./sync";
+import { OlmErrorCodes } from "./error";

 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
@@ -64,6 +65,8 @@ export const startOlmOfflineChecker = (): void => {
                try {
                    await sendTerminateClient(
                        offlineClient.clientId,
+                        OlmErrorCodes.TERMINATED_INACTIVITY,
+                        "Client terminated due to inactivity",
                        offlineClient.olmId
                    ); // terminate first
                    // wait a moment to ensure the message is sent
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -27,6 +27,7 @@ import config from "@server/lib/config";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { buildSiteConfigurationForOlmClient } from "./buildConfiguration";
+import { OlmErrorCodes, sendOlmError } from "./error";

 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    logger.info("Handling register olm message!");
@@ -53,6 +54,11 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {

    if (!olm.clientId) {
        logger.warn("Olm client ID not found");
+        sendOlmError(
+            OlmErrorCodes.CLIENT_ID_NOT_FOUND,
+            "Olm client ID not found",
+            olm.olmId
+        );
        return;
    }

@@ -64,11 +70,35 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {

    if (!client) {
        logger.warn("Client ID not found");
+        sendOlmError(
+            OlmErrorCodes.CLIENT_NOT_FOUND,
+            "Client not found in organization",
+            olm.olmId
+        );
        return;
    }

    if (client.blocked) {
-        logger.debug(`Client ${client.clientId} is blocked. Ignoring register.`);
+        logger.debug(
+            `Client ${client.clientId} is blocked. Ignoring register.`
+        );
+        sendOlmError(
+            OlmErrorCodes.CLIENT_BLOCKED,
+            "Client is blocked",
+            olm.olmId
+        );
+        return;
+    }
+
+    if (client.approvalState == "pending") {
+        logger.debug(
+            `Client ${client.clientId} approval is pending. Ignoring register.`
+        );
+        sendOlmError(
+            OlmErrorCodes.CLIENT_PENDING,
+            "Client approval is pending",
+            olm.olmId
+        );
        return;
    }

@@ -80,12 +110,22 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {

    if (!org) {
        logger.warn("Org not found");
+        sendOlmError(
+            OlmErrorCodes.ORG_NOT_FOUND,
+            "Organization not found",
+            olm.olmId
+        );
        return;
    }

    if (orgId) {
        if (!olm.userId) {
            logger.warn("Olm has no user ID");
+            sendOlmError(
+                OlmErrorCodes.USER_ID_NOT_FOUND,
+                "User ID not found for this client",
+                olm.olmId
+            );
            return;
        }

@@ -93,10 +133,20 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            await validateSessionToken(userToken);
        if (!userSession || !user) {
            logger.warn("Invalid user session for olm register");
-            return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
+            sendOlmError(
+                OlmErrorCodes.INVALID_USER_SESSION,
+                "Invalid or expired user session token",
+                olm.olmId
+            );
+            return;
        }
        if (user.userId !== olm.userId) {
            logger.warn("User ID mismatch for olm register");
+            sendOlmError(
+                OlmErrorCodes.USER_ID_MISMATCH,
+                "User ID does not match the authenticated session",
+                olm.olmId
+            );
            return;
        }

@@ -114,6 +164,11 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            logger.warn(
                `Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`
            );
+            sendOlmError(
+                OlmErrorCodes.ACCESS_POLICY_DENIED,
+                `Access policy denied: ${policyCheck.error}`,
+                olm.olmId
+            );
            return;
        }
    }
@@ -151,7 +206,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            .update(clients)
            .set({
                pubKey: publicKey,
-                archived: false,
+                archived: false
            })
            .where(eq(clients.clientId, client.clientId));

--- a/server/routers/org/deleteOrg.ts
+++ b/server/routers/org/deleteOrg.ts
@@ -21,6 +21,7 @@ import { fromError } from "zod-validation-error";
 import { sendToClient } from "#dynamic/routers/ws";
 import { deletePeer } from "../gerbil/peers";
 import { OpenAPITags, registry } from "@server/openApi";
+import { OlmErrorCodes } from "../olm/error";

 const deleteOrgSchema = z.strictObject({
    orgId: z.string()
@@ -208,7 +209,10 @@ export async function deleteOrg(
        for (const olmId of olmsToTerminate) {
            sendToClient(olmId, {
                type: "olm/terminate",
-                data: {}
+                data: {
+                    code: OlmErrorCodes.TERMINATED_REKEYED,
+                    message: "Organization has been deleted"
+                }
            }).catch((error) => {
                logger.error(
                    "Failed to send termination message to olm:",
Author	SHA1	Message	Date
Owen	888f5f8bb6	Dont terminate on archive	2026-01-16 17:06:16 -08:00
Owen	9114dd5992	Send terminate error messages	2026-01-16 14:57:54 -08:00
Owen	a126494c12	Add pending	2026-01-16 14:37:06 -08:00
Owen	e2cbe11a5f	Send error codes down to olm	2026-01-16 14:19:36 -08:00