wwtools

dohertj2/wwtools

Fork 0

Commit Graph

Author	SHA1	Message	Date
Joseph Doherty	68eb9adae7	mxaccesscli: catch ArgumentException from AuthenticateUser as auth-failed Under eOSUserBased galaxy security mode the LMXProxyServer raises ArgumentException("Value does not fall within the expected range") for bad credentials instead of silently returning 0 like permissive (eNone) galaxies do. Both shapes mean "auth failed"; MxSession.Authenticate now normalizes them into a 0 return so WriteCommand reports a clean "authentication-failed" envelope and exits 1 — instead of crashing with a stack trace. Verified live against the ZB galaxy in eOSUserBased mode: bad password -> ok=false, error="authentication-failed", exit 1 good password -> ok=true, auth_user_id=1, exit 0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 23:43:55 -04:00
Joseph Doherty	0d25ec445f	mxaccesscli: add --username / --domain / --password to write Wraps LMXProxyServer.AuthenticateUser at the session level (MxSession.Authenticate) and surfaces three new options on the write command: -u, --username <name> galaxy / OS user --domain <name> composed as <domain>\<username>; omit for galaxy-authenticated logins or UPN forms -p, --password <pwd> redacted to "***" in the JSON query echo The CLI calls AuthenticateUser before AddItem so an auth failure (userId == 0) bails out cleanly without leaving a half-set-up item. On success the resolved userId flows into Write(hServer, hItem, value, userId) and is reflected in: - human output: "[OK ] write <tag> = <val> (as <verify-user>, userId=N)" - LLM-JSON results[]: { "authenticated": true, "auth_user_id": N } Verified live against TestChildObject.TestInt with credentials DESKTOP-6JL3KKO\dohertj / Sonamu89: read -> 99 write 7 with --username/--domain/--password -> ok, auth_user_id=1 read -> 7 write 99 with same auth -> ok read -> 99 (restored) Important behavior surfaced and documented in docs/usage.md "Authentication" section: on a galaxy configured in permissive (Free Access) mode, AuthenticateUser returns a non-zero userId regardless of credentials — verified by intentionally passing a wrong password and an unknown user, both of which still resolved to userId=1 and the write went through. The CLI's auth path is wired correctly; the galaxy just isn't strict. To exercise real authentication, target a galaxy with galaxyAuthenticationMode and attribute-level security above Free Access. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 22:00:06 -04:00
Joseph Doherty	ab202a1fa1	mxaccesscli: read/write/subscribe System Platform tags via MxAccess New tool wrapping ArchestrA.MxAccess.LMXProxyServerClass (the same COM proxy aaObjectViewer / WindowViewer use) as a CliFx CLI for LLM-driven debugging. Commands: - mxa info — loaded MxAccess assembly identity, supported value types, MxStatusCategory enum. - mxa read — fetch one or more tag values; subscribes briefly, captures first OnDataChange per tag, tears down. - mxa write — write a value with optional --type coercion; advises first to resolve the attribute type, then waits for OnWriteComplete with a per-call timeout. - mxa subscribe — stream OnDataChange events for --seconds; JSON Lines under --llm-json for piped agent consumption. - mxa diag — minimal smoke test on a private STA thread; bypasses the CliFx pipeline for diagnosing apartment / pump issues. Implementation notes documented in docs/api-notes.md (reverse-engineered because AVEVA does not publish a single canonical MxAccess reference): - Net48 / x86 / [STAThread] are non-negotiable. The CLI runs the entire CliFx pipeline on a dedicated STA thread. - COM events are dispatched as Win32 messages; AutoResetEvent.WaitOne alone does not pump them on this configuration. MxSession.WaitForUpdate loops Application.DoEvents() + drain + Sleep(20ms) instead. - Write requires the target attribute's type to be resolved first. WriteCommand advises and waits for the initial OnDataChange before calling LMXProxyServerClass.Write to avoid ArgumentException "Value does not fall within the expected range". - Errors carry the full MXSTATUS_PROXY[] from MxAccess (Success, Category, DetectedBy, Detail) so an agent can tell exactly which layer rejected a request. Verified against the live ZB galaxy with a writeable tag identified via grdb (TestChildObject.TestInt, mx_attribute_category=10): read: 99 (q=192, MxCategoryOk) write 7: round-tripped — read returned 7 — written back to 99 write str: TestChildObject.TestString round-tripped a timestamp subscribe: captured initial value plus subsequent change from a separate process The vendored ArchestrA.MxAccess.dll is gitignored — it is copied from C:\Program Files (x86)\ArchestrA\Framework\Bin\ on any System Platform install per the README. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 20:02:51 -04:00

Author

SHA1

Message

Date

Joseph Doherty

68eb9adae7

mxaccesscli: catch ArgumentException from AuthenticateUser as auth-failed

Under eOSUserBased galaxy security mode the LMXProxyServer raises
ArgumentException("Value does not fall within the expected range")
for bad credentials instead of silently returning 0 like permissive
(eNone) galaxies do. Both shapes mean "auth failed"; MxSession.Authenticate
now normalizes them into a 0 return so WriteCommand reports a clean
"authentication-failed" envelope and exits 1 — instead of crashing
with a stack trace.

Verified live against the ZB galaxy in eOSUserBased mode:
  bad password  -> ok=false, error="authentication-failed", exit 1
  good password -> ok=true,  auth_user_id=1, exit 0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 23:43:55 -04:00

Joseph Doherty

0d25ec445f

mxaccesscli: add --username / --domain / --password to write

Wraps LMXProxyServer.AuthenticateUser at the session level
(MxSession.Authenticate) and surfaces three new options on the
write command:

  -u, --username <name>   galaxy / OS user
      --domain   <name>   composed as <domain>\<username>; omit for
                          galaxy-authenticated logins or UPN forms
  -p, --password <pwd>    redacted to "***" in the JSON query echo

The CLI calls AuthenticateUser before AddItem so an auth failure
(userId == 0) bails out cleanly without leaving a half-set-up item.
On success the resolved userId flows into Write(hServer, hItem,
value, userId) and is reflected in:

  - human output: "[OK ] write <tag> = <val> (as <verify-user>, userId=N)"
  - LLM-JSON results[]: { "authenticated": true, "auth_user_id": N }

Verified live against TestChildObject.TestInt with credentials
DESKTOP-6JL3KKO\dohertj / Sonamu89:

  read   -> 99
  write 7 with --username/--domain/--password -> ok, auth_user_id=1
  read   -> 7
  write 99 with same auth -> ok
  read   -> 99 (restored)

Important behavior surfaced and documented in docs/usage.md
"Authentication" section: on a galaxy configured in permissive
(Free Access) mode, AuthenticateUser returns a non-zero userId
regardless of credentials — verified by intentionally passing a
wrong password and an unknown user, both of which still resolved
to userId=1 and the write went through. The CLI's auth path is
wired correctly; the galaxy just isn't strict. To exercise real
authentication, target a galaxy with galaxyAuthenticationMode and
attribute-level security above Free Access.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 22:00:06 -04:00

Joseph Doherty

ab202a1fa1

mxaccesscli: read/write/subscribe System Platform tags via MxAccess

New tool wrapping ArchestrA.MxAccess.LMXProxyServerClass (the same COM
proxy aaObjectViewer / WindowViewer use) as a CliFx CLI for LLM-driven
debugging.

Commands:
- mxa info      — loaded MxAccess assembly identity, supported value
                   types, MxStatusCategory enum.
- mxa read      — fetch one or more tag values; subscribes briefly,
                   captures first OnDataChange per tag, tears down.
- mxa write     — write a value with optional --type coercion; advises
                   first to resolve the attribute type, then waits for
                   OnWriteComplete with a per-call timeout.
- mxa subscribe — stream OnDataChange events for --seconds; JSON Lines
                   under --llm-json for piped agent consumption.
- mxa diag      — minimal smoke test on a private STA thread; bypasses
                   the CliFx pipeline for diagnosing apartment / pump
                   issues.

Implementation notes documented in docs/api-notes.md (reverse-engineered
because AVEVA does not publish a single canonical MxAccess reference):

- Net48 / x86 / [STAThread] are non-negotiable. The CLI runs the entire
  CliFx pipeline on a dedicated STA thread.
- COM events are dispatched as Win32 messages; AutoResetEvent.WaitOne
  alone does not pump them on this configuration. MxSession.WaitForUpdate
  loops Application.DoEvents() + drain + Sleep(20ms) instead.
- Write requires the target attribute's type to be resolved first.
  WriteCommand advises and waits for the initial OnDataChange before
  calling LMXProxyServerClass.Write to avoid ArgumentException
  "Value does not fall within the expected range".
- Errors carry the full MXSTATUS_PROXY[] from MxAccess (Success,
  Category, DetectedBy, Detail) so an agent can tell exactly which
  layer rejected a request.

Verified against the live ZB galaxy with a writeable tag identified
via grdb (TestChildObject.TestInt, mx_attribute_category=10):
  read:      99 (q=192, MxCategoryOk)
  write 7:   round-tripped — read returned 7 — written back to 99
  write str: TestChildObject.TestString round-tripped a timestamp
  subscribe: captured initial value plus subsequent change from a
             separate process

The vendored ArchestrA.MxAccess.dll is gitignored — it is copied from
C:\Program Files (x86)\ArchestrA\Framework\Bin\ on any System Platform
install per the README.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 20:02:51 -04:00

3 Commits