@0dai-dev/cli 4.3.5 → 4.3.6

package/lib/utils/export-bundler.js

@@ -0,0 +1,285 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2026 0dai.dev
+//
+// F14 G4 Phase 2 — tarball builder for `0dai export --all`.
+//
+// Honors the layout pinned in docs/governance/data-export-contract.md
+// (F14 G4 Phase 1 / PR #3569). Phase 2 ships personas +
+// path-protect.yaml as real data, usage-ledger.jsonl when present,
+// and 6 placeholders for the rest.
+//
+// Uses `tar` shell command (always present on Linux/macOS) rather
+// than the `tar` npm module to avoid a new runtime dep.
+
+"use strict";
+
+const crypto = require("crypto");
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const { spawnSync } = require("child_process");
+
+const PHASE = "F14 G4 Phase 2";
+const SCHEMA_VERSION = "1";
+
+const PLACEHOLDER_SURFACES = [
+  // (surface name, tarball relative path)
+  ["knowledge-graph", "knowledge-graph/entries.jsonl"],
+  ["audit-log", "audit-log/events.jsonl"],
+  ["team-config", "team/config.yaml"],
+  ["repo-links", "repo-links.json"],
+  ["webhooks", "webhooks.yaml"],
+  ["feature-flags", "feature-flags.yaml"],
+];
+
+function sha256OfFile(filePath) {
+  const hash = crypto.createHash("sha256");
+  const fd = fs.openSync(filePath, "r");
+  const buf = Buffer.allocUnsafe(1024 * 1024);
+  try {
+    let n = 0;
+    do {
+      n = fs.readSync(fd, buf, 0, buf.length, null);
+      if (n > 0) hash.update(buf.subarray(0, n));
+    } while (n > 0);
+  } finally {
+    fs.closeSync(fd);
+  }
+  return hash.digest("hex");
+}
+
+function sha256OfBytes(bytes) {
+  return crypto.createHash("sha256").update(bytes).digest("hex");
+}
+
+function listPersonas(sourceRoot) {
+  const personasDir = path.join(sourceRoot, "ai", "personas");
+  if (!fs.existsSync(personasDir)) return [];
+  return fs.readdirSync(personasDir)
+    .filter((name) => name.endsWith(".yaml") || name.endsWith(".yml"))
+    .map((name) => ({
+      name,
+      sourcePath: path.join(personasDir, name),
+    }));
+}
+
+function pathProtectPath(sourceRoot) {
+  const p = path.join(sourceRoot, "ai", "policy", "path-protect.yaml");
+  return fs.existsSync(p) ? p : null;
+}
+
+function usageLedgerPath(sourceRoot) {
+  const p = path.join(sourceRoot, "ai", "telemetry", "usage-ledger.jsonl");
+  return fs.existsSync(p) ? p : null;
+}
+
+function readme(tenantId) {
+  return `# 0dai export bundle
+
+Generated by \`0dai export --all\` (F14 G4 Phase 2).
+
+Verify per docs/governance/data-export-contract.md.
+
+Tenant: ${tenantId}
+Schema version: ${SCHEMA_VERSION}
+`;
+}
+
+function placeholderPayload(surface) {
+  return JSON.stringify({
+    _status: "not-implemented",
+    _surface: surface,
+    _since: PHASE,
+    _note: "Phase 3 will populate this surface; today it ships as a placeholder so re-import tooling can validate the layout.",
+  }, null, 2) + "\n";
+}
+
+async function buildExportTarball({ sourceRoot, outputPath }) {
+  if (!sourceRoot || !fs.existsSync(sourceRoot)) {
+    throw new Error(`source root not found: ${sourceRoot}`);
+  }
+  const outDir = path.dirname(path.resolve(outputPath));
+  if (!fs.existsSync(outDir)) {
+    throw new Error(`output dir does not exist: ${outDir}`);
+  }
+
+  const stagingRoot = fs.mkdtempSync(path.join(os.tmpdir(), "0dai-export-"));
+  try {
+    // README.md
+    const tenantId = path.basename(sourceRoot);
+    const readmeBytes = Buffer.from(readme(tenantId), "utf8");
+    fs.writeFileSync(path.join(stagingRoot, "README.md"), readmeBytes);
+
+    // tenant.json (stub — Phase 3 populates from API)
+    const tenantBytes = Buffer.from(JSON.stringify({
+      _status: "stub",
+      _since: PHASE,
+      tenant_id: tenantId,
+      exported_at: new Date().toISOString(),
+    }, null, 2) + "\n", "utf8");
+    fs.writeFileSync(path.join(stagingRoot, "tenant.json"), tenantBytes);
+
+    // personas/<name>.yaml (real data)
+    const personasOutDir = path.join(stagingRoot, "personas");
+    fs.mkdirSync(personasOutDir, { recursive: true });
+    const personas = listPersonas(sourceRoot);
+    const personaManifest = [];
+    for (const p of personas) {
+      const dest = path.join(personasOutDir, p.name);
+      fs.copyFileSync(p.sourcePath, dest);
+      personaManifest.push({
+        path: `personas/${p.name}`,
+        bytes: fs.statSync(dest).size,
+        sha256: sha256OfFile(dest),
+      });
+    }
+
+    // path-protect.yaml (real data, if present)
+    const pp = pathProtectPath(sourceRoot);
+    let pathProtectManifest = null;
+    if (pp) {
+      const dest = path.join(stagingRoot, "path-protect.yaml");
+      fs.copyFileSync(pp, dest);
+      pathProtectManifest = {
+        path: "path-protect.yaml",
+        bytes: fs.statSync(dest).size,
+        sha256: sha256OfFile(dest),
+      };
+    }
+
+    // usage/history.jsonl (real data from ai/telemetry/usage-ledger.jsonl, if present)
+    // Schema is the LedgerEntry dataclass in scripts/usage_ledger.py (~line 92):
+    // ts, task_id, agent, model, model_tier, tokens_input/output/total, cost_usd, plan, ...
+    const ul = usageLedgerPath(sourceRoot);
+    let usageLedgerManifest = null;
+    if (ul) {
+      const usageOutDir = path.join(stagingRoot, "usage");
+      fs.mkdirSync(usageOutDir, { recursive: true });
+      const dest = path.join(usageOutDir, "history.jsonl");
+      fs.copyFileSync(ul, dest);
+      usageLedgerManifest = {
+        path: "usage/history.jsonl",
+        bytes: fs.statSync(dest).size,
+        sha256: sha256OfFile(dest),
+      };
+    }
+
+    // 6 placeholder surfaces
+    const placeholderManifest = [];
+    for (const [surface, relPath] of PLACEHOLDER_SURFACES) {
+      const dest = path.join(stagingRoot, relPath);
+      fs.mkdirSync(path.dirname(dest), { recursive: true });
+      const payload = placeholderPayload(surface);
+      fs.writeFileSync(dest, payload, "utf8");
+      placeholderManifest.push({
+        path: relPath,
+        bytes: Buffer.byteLength(payload, "utf8"),
+        sha256: sha256OfBytes(Buffer.from(payload, "utf8")),
+        status: "not-implemented",
+      });
+    }
+
+    // MANIFEST.json (must come last so other files' checksums are settled)
+    const manifest = {
+      schema_version: SCHEMA_VERSION,
+      generated_at: new Date().toISOString(),
+      since: PHASE,
+      tenant_id: tenantId,
+      files: [
+        { path: "README.md", bytes: readmeBytes.length, sha256: sha256OfBytes(readmeBytes) },
+        { path: "tenant.json", bytes: tenantBytes.length, sha256: sha256OfBytes(tenantBytes) },
+        ...personaManifest,
+        ...(pathProtectManifest ? [pathProtectManifest] : []),
+        ...(usageLedgerManifest ? [usageLedgerManifest] : []),
+        ...placeholderManifest,
+      ],
+    };
+    fs.writeFileSync(
+      path.join(stagingRoot, "MANIFEST.json"),
+      JSON.stringify(manifest, null, 2) + "\n",
+      "utf8",
+    );
+
+    // Create gzipped tarball.
+    const r = spawnSync("tar", ["-czf", path.resolve(outputPath), "-C", stagingRoot, "."]);
+    if (r.status !== 0) {
+      const stderr = r.stderr ? r.stderr.toString("utf8") : "(no stderr)";
+      throw new Error(`tar exited ${r.status}: ${stderr}`);
+    }
+
+    // F14 G4 Phase 3 — try cosign keyless signing. Falls back to
+    // empty .sig + .crt stubs (preserving the layout contract)
+    // when cosign is absent or the operator opts out.
+    const sigPath = `${outputPath}.sig`;
+    const crtPath = `${outputPath}.crt`;
+    const signResult = trySignTarball({
+      tarballPath: path.resolve(outputPath),
+      sigPath,
+      crtPath,
+    });
+
+    return {
+      tarballPath: path.resolve(outputPath),
+      sigPath,
+      crtPath,
+      sha256: sha256OfFile(outputPath),
+      signed: signResult.signed,
+      signSkipReason: signResult.skipReason,
+      counts: {
+        personas: personaManifest.length,
+        pathProtect: pathProtectManifest ? 1 : 0,
+        usageLedger: usageLedgerManifest ? 1 : 0,
+        placeholders: placeholderManifest.length,
+      },
+    };
+  } finally {
+    // Best-effort cleanup; ignore errors.
+    try { fs.rmSync(stagingRoot, { recursive: true, force: true }); } catch { /* ignore */ }
+  }
+}
+
+function trySignTarball({ tarballPath, sigPath, crtPath }) {
+  // F14 G4 Phase 3. Trust anchor matches the F16 G2 release-signing
+  // pipeline (release-artifact-signing.yml from PR #3521).
+  //
+  // Skipped when:
+  //   - ODAI_EXPORT_SKIP_SIGN=1 is set (explicit opt-out)
+  //   - cosign binary is not on PATH (local dev without sigstore)
+  //   - cosign exits non-zero (Fulcio OIDC unavailable, etc.)
+  // In every skip case we write empty .sig + .crt stubs so the
+  // tarball layout contract from F14 G4 Phase 1 (#3569) holds.
+  if (process.env.ODAI_EXPORT_SKIP_SIGN === "1") {
+    fs.writeFileSync(sigPath, "");
+    fs.writeFileSync(crtPath, "");
+    return { signed: false, skipReason: "ODAI_EXPORT_SKIP_SIGN=1" };
+  }
+  // Probe for cosign on PATH without bombing the export when absent.
+  const probe = spawnSync("cosign", ["version"], { stdio: ["ignore", "pipe", "pipe"] });
+  if (probe.error || probe.status !== 0) {
+    fs.writeFileSync(sigPath, "");
+    fs.writeFileSync(crtPath, "");
+    return { signed: false, skipReason: "cosign not on PATH" };
+  }
+  const env = { ...process.env, COSIGN_EXPERIMENTAL: process.env.COSIGN_EXPERIMENTAL || "1" };
+  const r = spawnSync(
+    "cosign",
+    [
+      "sign-blob",
+      "--yes",
+      "--output-signature", sigPath,
+      "--output-certificate", crtPath,
+      tarballPath,
+    ],
+    { env, stdio: ["ignore", "pipe", "pipe"] },
+  );
+  if (r.status !== 0) {
+    // Leave (or write) empty stubs so the layout still holds.
+    try { fs.writeFileSync(sigPath, ""); } catch { /* ignore */ }
+    try { fs.writeFileSync(crtPath, ""); } catch { /* ignore */ }
+    const stderr = r.stderr ? r.stderr.toString("utf8").trim().slice(0, 200) : `exit ${r.status}`;
+    return { signed: false, skipReason: `cosign sign-blob failed: ${stderr}` };
+  }
+  return { signed: true, skipReason: null };
+}
+
+module.exports = { buildExportTarball, listPersonas, pathProtectPath, usageLedgerPath, trySignTarball, PLACEHOLDER_SURFACES, PHASE, SCHEMA_VERSION };

package/lib/utils/identity.js

@@ -148,6 +148,19 @@ function detectStackHint(projectFiles, manifestContents) {
   return "unknown";
 }
 
+/**
+ * Return a {filename: sha256hex} map for the given manifest contents.
+ * The raw content never leaves the machine — only the hash is exported.
+ */
+function hashManifestFiles(manifestContents) {
+  const crypto = require("crypto");
+  const hashes = {};
+  for (const [name, content] of Object.entries(manifestContents)) {
+    hashes[name] = crypto.createHash("sha256").update(content, "utf8").digest("hex");
+  }
+  return hashes;
+}
+
 function collectMetadata(target) {
   const projectFiles = [];
   const manifestContents = {};
@@ -201,5 +214,5 @@ module.exports = {
   deviceFingerprint, registerProject, projectIdFor, projectIdSeed,
   scrubRemoteUrl, readProjectManifest, readDiscovery,
   getGitRemoteOrigin, inferProjectName, detectStackHint,
-  collectMetadata, buildProjectIdentity,
+  collectMetadata, buildProjectIdentity, hashManifestFiles,
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@0dai-dev/cli",
-  "version": "4.3.5",
-  "description": "One config layer for seven AI coding agents — Claude Code, Codex, OpenCode, Gemini, Aider, Qoder",
+  "version": "4.3.6",
+  "description": "One config layer for seven AI coding agents \u2014 Claude Code, Codex, OpenCode, Gemini, Aider, Qoder",
   "bin": {
     "0dai": "./bin/0dai.js"
   },