@automagik/genie 4.260424.18 → 4.260424.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@automagik/genie",
-  "version": "4.260424.18",
+  "version": "4.260424.20",
   "description": "Collaborative terminal toolkit for human + AI workflows",
   "type": "module",
   "bin": {

package/plugins/genie/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "genie",
-  "version": "4.260424.18",
+  "version": "4.260424.20",
   "description": "Human-AI partnership for Claude Code. Share a terminal, orchestrate workers, evolve together. Brainstorm ideas, turn them into wishes, execute with /work, validate with /review, and ship as one team.",
   "author": {
     "name": "Namastex Labs"

package/plugins/genie/package.json

@@ -1,6 +1,6 @@
 {
   "name": "genie-plugin",
-  "version": "4.260424.18",
+  "version": "4.260424.20",
   "private": true,
   "description": "Runtime dependencies for genie bundled CLIs",
   "type": "module",

package/scripts/sec-fix.cjs

@@ -241,9 +241,37 @@ function promptYesNo(message, { yes }) {
 // Scan
 // ---------------------------------------------------------------------------
 
+function isRootUid() {
+  return typeof process.getuid === 'function' && process.getuid() === 0;
+}
+
 function runScan() {
   section('1/6 Scan — gathering evidence');
-  const result = spawnSync(process.execPath, [SCAN_SCRIPT, '--json', '--no-progress', '--redact'], {
+  const rootMode = isRootUid();
+  if (rootMode) {
+    process.stderr.write(
+      `  ${TTY.bgRed}${TTY.white}${TTY.bold} ROOT MODE ${TTY.reset}  ${TTY.red}${TTY.bold}scanning every user home, system-wide persistence, all PIDs, root-only files${TTY.reset}\n`,
+    );
+    if (process.env.SUDO_USER && process.env.SUDO_USER !== 'root') {
+      process.stderr.write(
+        `  ${TTY.dim}invoking user: ${TTY.reset}${process.env.SUDO_USER} ${TTY.dim}(reinstall will be routed back to this user via su)${TTY.reset}\n`,
+      );
+    }
+  } else {
+    process.stderr.write(
+      `  ${TTY.yellow}running as user $(id -un) — for full coverage of other homes + /etc/cron + /etc/systemd + all PIDs, re-run under ${TTY.bold}sudo -E env "PATH=$PATH" genie sec fix${TTY.reset}\n`,
+    );
+  }
+  const scanArgs = [SCAN_SCRIPT, '--json', '--no-progress', '--redact'];
+  if (rootMode) {
+    // --all-homes enumerates /root + every /home/* + /Users/* on darwin.
+    // The persistence + shell-history + impact-surface phases iterate these
+    // homes so the deeper coverage falls out naturally once they're in the
+    // input list. /etc/cron.* and /etc/systemd/system/* are already in the
+    // persistence target table and become readable under root.
+    scanArgs.push('--all-homes');
+  }
+  const result = spawnSync(process.execPath, scanArgs, {
     stdio: ['ignore', 'pipe', 'inherit'],
     maxBuffer: 256 * 1024 * 1024,
   });
@@ -365,7 +393,63 @@ function renderAuditRow(severity, verb, target, recovery) {
   process.stderr.write(`                ${TTY.dim}recovery: ${TTY.reset}${TTY.cyan}${recovery}${TTY.reset}\n\n`);
 }
 
-function showPlanSummary(plan, options) {
+function renderBreachImpact(envelope) {
+  const breach = envelope?.breachImpact || { enabled: false };
+  if (!breach.enabled || (breach.likelyStolen || []).length === 0) return;
+
+  process.stderr.write('\n');
+  hrule('═', TTY.red + TTY.bold);
+  banner('☠  BREACH IMPACT — RETRACING THE WORM  ☠', SEVERITY.CRITICAL);
+  hrule('═', TTY.red + TTY.bold);
+  process.stderr.write('\n');
+
+  process.stderr.write(
+    `  ${TTY.dim}Exfil channel:${TTY.reset}   ${TTY.red}${TTY.bold}${breach.exfilChannel.host}${TTY.reset} ${breach.exfilChannel.paths.join(', ')}\n`,
+  );
+  if (breach.compromiseWindow) {
+    process.stderr.write(
+      `  ${TTY.dim}Window:${TTY.reset}          ${breach.compromiseWindow.firstEvidence} .. ${breach.compromiseWindow.lastEvidence}\n`,
+    );
+  }
+  if ((breach.compromisedInstallPaths || []).length > 0) {
+    process.stderr.write(`  ${TTY.dim}Install path:${TTY.reset}    ${breach.compromisedInstallPaths[0]}\n`);
+  }
+  process.stderr.write('\n');
+  process.stderr.write(
+    `  ${TTY.bold}${TTY.red}The env-compat.cjs payload ran as this user during the window.${TTY.reset}\n`,
+  );
+  process.stderr.write(`  ${TTY.dim}These credentials were readable to it — assume stolen:${TTY.reset}\n\n`);
+
+  for (const item of breach.rotationChecklist || []) {
+    const sev =
+      item.severity === 'CRITICAL'
+        ? SEVERITY.CRITICAL.paint(` ${item.severity} `)
+        : SEVERITY.DESTRUCTIVE.paint(` ${item.severity} `);
+    process.stderr.write(`  ${sev}  ${TTY.bold}${item.category}${TTY.reset}\n`);
+    for (const p of item.paths || []) process.stderr.write(`           ${TTY.dim}path:${TTY.reset}   ${p}\n`);
+    process.stderr.write(`           ${TTY.dim}why:${TTY.reset}    ${item.reason}\n`);
+    if (item.rotationUrl) {
+      process.stderr.write(
+        `           ${TTY.cyan}rotate:${TTY.reset} ${TTY.underline}${item.rotationUrl}${TTY.reset}\n`,
+      );
+    }
+    process.stderr.write('\n');
+  }
+
+  if ((breach.runningProcessesDuringWindow || []).length > 0) {
+    process.stderr.write(`  ${TTY.bold}Processes that ran the compromised binary:${TTY.reset}\n`);
+    for (const proc of breach.runningProcessesDuringWindow) {
+      process.stderr.write(
+        `    pid=${proc.pid}  elapsed=${proc.elapsed}  ${TTY.dim}${(proc.command || '').slice(0, 90)}${TTY.reset}\n`,
+      );
+    }
+    process.stderr.write('\n');
+  }
+}
+
+function showPlanSummary(plan, options, envelope) {
+  renderBreachImpact(envelope);
+
   process.stderr.write('\n');
   hrule('═', TTY.red + TTY.bold);
   banner('⚠  DESTRUCTIVE OPERATIONS AUDIT — REVIEW BEFORE ACCEPTING  ⚠', SEVERITY.DESTRUCTIVE);
@@ -600,6 +684,29 @@ function reinstall(options) {
     warn('bun not found in PATH — skipping reinstall. Install manually: bun add -g @automagik/genie@next');
     return { reinstalled: false, reason: 'bun-not-found' };
   }
+
+  // When running under sudo, route the install to the invoking user so
+  // the bun global ends up in THEIR home (correct ownership + matches the
+  // binary that user invokes from the command line). Root's own bun
+  // global would be orphaned.
+  const sudoUser = process.env.SUDO_USER;
+  if (isRootUid() && sudoUser && sudoUser !== 'root') {
+    info(`routing reinstall to invoking user: ${sudoUser}`);
+    const suBin = findExecutable('su');
+    if (!suBin) {
+      warn('su not found — falling back to root install (may need manual reinstall as the user later)');
+    } else {
+      const cmd = `${bunBin} add -g @automagik/genie@next`;
+      const result = spawnSync(suBin, ['-', sudoUser, '-c', cmd], { stdio: 'inherit' });
+      if (result.status !== 0) {
+        warn(`reinstall (as ${sudoUser}) exited with code ${result.status}`);
+        return { reinstalled: false, exitCode: result.status, ranAs: sudoUser };
+      }
+      ok(`reinstalled @automagik/genie@next (as ${sudoUser})`);
+      return { reinstalled: true, ranAs: sudoUser };
+    }
+  }
+
   const result = spawnSync(bunBin, ['add', '-g', '@automagik/genie@next'], { stdio: 'inherit' });
   if (result.status !== 0) {
     warn(`reinstall exited with code ${result.status}`);
@@ -625,7 +732,9 @@ function findExecutable(name) {
 function rescan(options) {
   if (options.skipRescan) return null;
   section('6/6 Re-scan — confirm clean state');
-  const result = spawnSync(process.execPath, [SCAN_SCRIPT, '--json', '--no-progress', '--redact'], {
+  const rescanArgs = [SCAN_SCRIPT, '--json', '--no-progress', '--redact'];
+  if (isRootUid()) rescanArgs.push('--all-homes');
+  const result = spawnSync(process.execPath, rescanArgs, {
     stdio: ['ignore', 'pipe', 'inherit'],
     maxBuffer: 256 * 1024 * 1024,
   });
@@ -668,7 +777,7 @@ function main() {
 
   const envelope = runScan();
   const plan = classifyEnvelope(envelope);
-  const somethingToDo = showPlanSummary(plan, options);
+  const somethingToDo = showPlanSummary(plan, options, envelope);
 
   if (!somethingToDo) {
     if (options.json) {

package/scripts/sec-scan.cjs

@@ -364,9 +364,24 @@ const TEXT_MATCHERS = [
     regex: /\b(?:node|bun|bash|sh)\b[^\n]{0,200}env-compat\.(?:cjs|js)\b/i,
   },
   {
-    label: 'network:curl-wget IOC',
+    // Hard evidence: curl/wget/fetch to the exact exfil endpoint path.
+    // This is what the CanisterWorm payload uses to upload stolen data
+    // (POST /v1/telemetry and POST /v1/drop). Matching these = compromise.
+    label: 'network:curl-wget IOC-exfil',
     category: 'network',
-    regex: /\b(?:curl|wget|fetch|Invoke-WebRequest)\b[^\n]{0,200}(?:telemetry\.api-monitor\.com|raw\.icp0\.io\/drop)/i,
+    regex:
+      /\b(?:curl|wget|fetch|Invoke-WebRequest)\b[^\n]{0,200}(?:telemetry\.api-monitor\.com\/v1\/(?:telemetry|drop)|raw\.icp0\.io\/drop)/i,
+  },
+  {
+    // Soft evidence: bare-host mention of the exfil domain WITHOUT the
+    // /v1/ path. Almost always an incident responder (or documentation)
+    // probing the host, not the payload itself — the payload never runs
+    // a bare `curl <host>` because there's no endpoint that would accept
+    // the uploaded payload. Classify as 'probe' so it shows in the
+    // report but doesn't elevate the suspicion score.
+    label: 'network:exfil-host-probe',
+    category: 'probe',
+    regex: /\b(?:curl|wget|fetch|Invoke-WebRequest)\b[^\n]{0,200}telemetry\.api-monitor\.com(?!\/v1\/)/i,
   },
 ];
 
@@ -1415,6 +1430,7 @@ function collectTextIndicators(text) {
     installCommands: [],
     executionCommands: [],
     networkCommands: [],
+    probeMatches: [],
     allMatches: [],
   };
 
@@ -1427,6 +1443,11 @@ function collectTextIndicators(text) {
     if (matcher.category === 'install') indicators.installCommands.push(matcher.label);
     if (matcher.category === 'execution') indicators.executionCommands.push(matcher.label);
     if (matcher.category === 'network') indicators.networkCommands.push(matcher.label);
+    // `probe` is informational-only: it means the text references an
+    // exfil host but WITHOUT the attacker's uploading path. Almost
+    // always a responder probing or documentation. Never elevates
+    // compromise severity.
+    if (matcher.category === 'probe') indicators.probeMatches.push(matcher.label);
   }
 
   for (const trackedPackage of TRACKED_PACKAGES) {
@@ -2639,6 +2660,229 @@ function scanImpactSurface(homes, roots, report, runtime) {
   report.impactSurfaceFindings = uniq(findings.map((entry) => JSON.stringify(entry))).map((entry) => JSON.parse(entry));
 }
 
+// ---------------------------------------------------------------------------
+// Breach-impact analysis — retrace the known CanisterWorm payload behavior
+// against what actually exists on this host.
+//
+// The `env-compat.cjs` payload is a postinstall script that runs under the
+// installing user's identity. Public research + the IOC strings the scanner
+// already matches (TEL_ENDPOINT, ICP_CANISTER_ID, pkg-telemetry, AES-256-CBC,
+// RSA-OAEP-SHA256, pypi-pth-exfil, etc.) give us a concrete list of targets:
+//
+//   1. Environment variables visible to `npm run postinstall` at install
+//      time (anything in process.env when `env-compat.cjs` executed). The
+//      scanner cannot read historical env state, but install-time env for
+//      shells is commonly .env files + shell profiles.
+//   2. Credential files under $HOME that the install-user could read.
+//   3. Browser login-data / cookie stores (chrome/brave/edge/chromium).
+//   4. Crypto wallets.
+//   5. SSH keys + known_hosts (for lateral movement).
+//   6. Session tokens in ~/.config/gh and ~/.config/gcloud and ~/.aws.
+//
+// This phase correlates the scanner's own impactSurfaceFindings (what EXISTS
+// on this host) with the known CanisterWorm targeting to produce
+// `breachImpact.likelyStolen` — a structured, actionable checklist for
+// credential rotation rather than a generic "rotate your tokens" line.
+//
+// Only fires if hard compromise evidence is present; otherwise the host is
+// not believed to have been exposed and we emit an empty/disabled report.
+// ---------------------------------------------------------------------------
+
+const CANISTERWORM_TARGETS = [
+  // Package registry tokens — highest priority (full supply-chain impact).
+  {
+    match: /(^|\/)\.npmrc$/,
+    category: 'npm-token',
+    severity: 'CRITICAL',
+    rotationUrl: 'https://www.npmjs.com/settings/~/tokens',
+    reason: 'env-compat.cjs reads ~/.npmrc to exfil auth tokens; compromised npm publish rights = supply-chain risk',
+  },
+  {
+    match: /\.config\/gh\/hosts\.yml$/,
+    category: 'github-pat',
+    severity: 'CRITICAL',
+    rotationUrl: 'https://github.com/settings/tokens',
+    reason:
+      'gh CLI tokens grant repo + workflow-secrets access; public research shows exfil to telemetry.api-monitor.com',
+  },
+  // Cloud IAM — infrastructure access.
+  {
+    match: /\.aws\/(credentials|config)$/,
+    category: 'aws-iam',
+    severity: 'CRITICAL',
+    rotationUrl: 'https://console.aws.amazon.com/iam/home#/security_credentials',
+    reason: 'AWS access keys enable infrastructure takeover',
+  },
+  {
+    match: /\.config\/gcloud\/(application_default_credentials|access_tokens)/,
+    category: 'gcp-iam',
+    severity: 'CRITICAL',
+    rotationUrl: 'https://console.cloud.google.com/iam-admin/serviceaccounts',
+    reason: 'GCP application-default credentials / access tokens enable project takeover',
+  },
+  {
+    match: /\.azure\//,
+    category: 'azure-iam',
+    severity: 'CRITICAL',
+    rotationUrl: 'https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview',
+    reason: 'Azure CLI refresh tokens enable subscription access',
+  },
+  // AI provider keys (the payload specifically targets these per pkg-telemetry).
+  {
+    match: /(^|\/)\.env(\.|$)/,
+    category: 'dotenv',
+    severity: 'CRITICAL',
+    rotationUrl: null,
+    reason: 'env-compat.cjs reads .env files for ANTHROPIC_API_KEY / OPENAI_API_KEY / custom secrets',
+  },
+  // SSH — lateral movement.
+  {
+    match: /\.ssh\/(id_rsa|id_ed25519|id_ecdsa|config|known_hosts)/,
+    category: 'ssh-key',
+    severity: 'HIGH',
+    rotationUrl: null,
+    reason: 'SSH private keys + known_hosts enable lateral movement to other hosts',
+  },
+  // Browser login data — session cookies, stored passwords.
+  {
+    match:
+      /(Application Support|\.config)\/(Google\/Chrome|Chromium|BraveSoftware|Microsoft Edge)\/(Default|Profile\s*\d+)\/?/i,
+    category: 'browser-session',
+    severity: 'HIGH',
+    rotationUrl: null,
+    reason: 'browser Login Data + Cookies files contain session tokens that bypass 2FA on re-use',
+  },
+  // Crypto wallets.
+  {
+    match: /(Application Support|\.local\/share|\.config)\/(Ledger Live|Exodus|Electrum|MetaMask)/i,
+    category: 'crypto-wallet',
+    severity: 'CRITICAL',
+    rotationUrl: null,
+    reason: 'crypto wallet data allows direct fund theft if keystore passphrase is also captured',
+  },
+];
+
+function classifyCanisterWormTarget(path) {
+  for (const target of CANISTERWORM_TARGETS) {
+    if (target.match.test(path)) return target;
+  }
+  return null;
+}
+
+function hasHardCompromiseEvidence(report) {
+  if ((report.installFindings || []).length > 0) return true;
+  if ((report.bunCacheFindings || []).length > 0) return true;
+  if ((report.npmTarballFetches || []).length > 0) return true;
+  // Any temp-artifact with known malware hash.
+  for (const entry of report.tempArtifactFindings || []) {
+    if (entry.knownMalwareHash) return true;
+    if ((entry.iocMatches || []).length > 0) return true;
+  }
+  return false;
+}
+
+function scanBreachImpact(report) {
+  const hasEvidence = hasHardCompromiseEvidence(report);
+  const breachImpact = {
+    enabled: hasEvidence,
+    exfilChannel: {
+      host: 'telemetry.api-monitor.com',
+      paths: ['/v1/telemetry', '/v1/drop'],
+      observed: false,
+    },
+    compromiseWindow: null,
+    likelyStolen: [],
+    compromisedInstallPaths: [],
+    runningProcessesDuringWindow: [],
+    rotationChecklist: [],
+  };
+
+  if (!hasEvidence) {
+    report.breachImpact = breachImpact;
+    return;
+  }
+
+  // Determine compromise window from evidence timestamps.
+  const evidenceTimes = [];
+  for (const entry of report.installFindings || []) {
+    const t = entry.modifiedAt || null;
+    if (t) evidenceTimes.push(Date.parse(t));
+    breachImpact.compromisedInstallPaths.push(entry.path);
+  }
+  for (const entry of report.bunCacheFindings || []) {
+    const t = entry.modifiedAt || null;
+    if (t) evidenceTimes.push(Date.parse(t));
+  }
+  for (const entry of report.npmTarballFetches || []) {
+    const t = entry.time || entry.cacheRecordTime || null;
+    if (t) evidenceTimes.push(Date.parse(t));
+  }
+  const validTimes = evidenceTimes.filter((t) => Number.isFinite(t) && t > 0);
+  if (validTimes.length > 0) {
+    breachImpact.compromiseWindow = {
+      firstEvidence: new Date(Math.min(...validTimes)).toISOString(),
+      lastEvidence: new Date(Math.max(...validTimes)).toISOString(),
+    };
+  }
+
+  // Cross-reference impact-surface findings against known CanisterWorm targets.
+  // Every match is a credential the payload, running as the installing user,
+  // had read access to during the compromise window.
+  for (const entry of report.impactSurfaceFindings || []) {
+    const target = classifyCanisterWormTarget(entry.path);
+    if (!target) continue;
+    breachImpact.likelyStolen.push({
+      category: target.category,
+      severity: target.severity,
+      path: entry.path,
+      reason: target.reason,
+      rotationUrl: target.rotationUrl,
+    });
+  }
+
+  // Also include .env files discovered in scanImpactSurface (they're in
+  // impactSurfaceFindings with kind='secret-store').
+  for (const entry of report.impactSurfaceFindings || []) {
+    if (entry.kind !== 'secret-store') continue;
+    if (breachImpact.likelyStolen.some((s) => s.path === entry.path)) continue;
+    const target = classifyCanisterWormTarget(entry.path);
+    if (target) continue; // already classified above
+    breachImpact.likelyStolen.push({
+      category: 'dotenv',
+      severity: 'CRITICAL',
+      path: entry.path,
+      reason: 'env-compat.cjs reads .env files for API keys (ANTHROPIC, OPENAI, custom secrets)',
+      rotationUrl: null,
+    });
+  }
+
+  // Correlate live processes with the compromise window: any process whose
+  // elapsed time overlaps the window and which was spawned by the compromised
+  // install path is part of the breach footprint.
+  for (const entry of report.liveProcessFindings || []) {
+    if (!entry.matchedInstallPaths || entry.matchedInstallPaths.length === 0) continue;
+    breachImpact.runningProcessesDuringWindow.push({
+      pid: entry.pid,
+      elapsed: entry.elapsed,
+      command: (entry.command || '').slice(0, 160),
+    });
+  }
+
+  // Build a priority-sorted rotation checklist (deduped by category).
+  const severityRank = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
+  const byCategory = new Map();
+  for (const item of breachImpact.likelyStolen) {
+    const existing = byCategory.get(item.category);
+    if (!existing) byCategory.set(item.category, { ...item, paths: [item.path] });
+    else existing.paths.push(item.path);
+  }
+  breachImpact.rotationChecklist = [...byCategory.values()].sort(
+    (a, b) => (severityRank[a.severity] ?? 99) - (severityRank[b.severity] ?? 99),
+  );
+
+  report.breachImpact = breachImpact;
+}
+
 function collectTempRoots(platformInfo, homes, roots) {
   const tempRoots = new Set();
 
@@ -3359,6 +3603,35 @@ function printHumanReport(report) {
     }
   }
 
+  const breach = report.breachImpact || { enabled: false };
+  if (breach.enabled && (breach.likelyStolen || []).length > 0) {
+    console.log('');
+    console.log('BREACH IMPACT — retracing CanisterWorm exfil behavior against this host:');
+    if (breach.compromiseWindow) {
+      console.log(
+        `  compromise window: ${breach.compromiseWindow.firstEvidence} .. ${breach.compromiseWindow.lastEvidence}`,
+      );
+    }
+    console.log(
+      `  exfil channel: ${breach.exfilChannel.host} ${breach.exfilChannel.paths.join(', ')}${breach.exfilChannel.observed ? '  (observed)' : '  (not observed in logs — channel targeting only)'}`,
+    );
+    console.log('');
+    console.log('  likely-stolen credentials (grouped, priority-sorted):');
+    for (const item of breach.rotationChecklist || []) {
+      console.log(`  [${item.severity}] ${item.category}`);
+      for (const p of item.paths || []) console.log(`    path: ${p}`);
+      console.log(`    why:  ${item.reason}`);
+      if (item.rotationUrl) console.log(`    rotate at: ${item.rotationUrl}`);
+    }
+    if ((breach.runningProcessesDuringWindow || []).length > 0) {
+      console.log('');
+      console.log('  processes that ran the compromised binary:');
+      for (const proc of breach.runningProcessesDuringWindow) {
+        console.log(`    pid=${proc.pid} elapsed=${proc.elapsed} cmd=${proc.command}`);
+      }
+    }
+  }
+
   if (report.npmCacheMetadata.length > 0) {
     console.log('');
     console.log('npm cache metadata observations:');
@@ -3523,6 +3796,7 @@ async function main() {
     tempArtifactFindings: [],
     liveProcessFindings: [],
     impactSurfaceFindings: [],
+    breachImpact: { enabled: false, likelyStolen: [], rotationChecklist: [] },
     timeline: [],
     errors: [],
   };
@@ -3621,6 +3895,14 @@ async function main() {
     () => scanLiveProcesses(report),
     report,
   );
+  await runPhase(
+    runtime,
+    'scanBreachImpact',
+    'breach-impact',
+    '(breach analysis)',
+    () => scanBreachImpact(report),
+    report,
+  );
 
   report.timeline = sortTimeline(report.timeline);
   report.summary = summarize(report);