@claude-flow/cli 3.5.2 → 3.5.4

package/dist/src/appliance/rvfa-runner.js

@@ -0,0 +1,237 @@
+/**
+ * RVFA Runner -- Boot and run self-contained Ruflo appliances.
+ *
+ * Supports three run modes (cli, mcp, verify) and two isolation
+ * strategies (native Node.js, container via Docker).
+ *
+ * @module @claude-flow/cli/appliance/rvfa-runner
+ */
+import { writeFile, mkdir, rm } from 'node:fs/promises';
+import { join } from 'node:path';
+import { spawn } from 'node:child_process';
+import { tmpdir } from 'node:os';
+import { RvfaReader } from './rvfa-format.js';
+// ── Internal helpers ────────────────────────────────────────
+/** Spawn a child process and capture stdout/stderr. */
+function spawnAsync(cmd, args, opts) {
+    return new Promise((resolve) => {
+        const start = performance.now();
+        const out = [];
+        const err = [];
+        const child = spawn(cmd, args, {
+            cwd: opts.cwd, env: { ...process.env, ...opts.env }, stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        child.stdout.on('data', (c) => { out.push(c); if (opts.verbose)
+            process.stdout.write(c); });
+        child.stderr.on('data', (c) => { err.push(c); if (opts.verbose)
+            process.stderr.write(c); });
+        child.on('close', (code) => resolve({
+            exitCode: code ?? 1, stdout: Buffer.concat(out).toString(), stderr: Buffer.concat(err).toString(),
+            duration: performance.now() - start,
+        }));
+        child.on('error', (e) => resolve({
+            exitCode: 1, stdout: '', stderr: e.message, duration: performance.now() - start,
+        }));
+    });
+}
+const fail = (stderr) => ({ exitCode: 1, stdout: '', stderr, duration: 0 });
+const cleanup = (dir) => rm(dir, { recursive: true, force: true }).catch(() => { });
+/** Check whether the reader has a section with the given id. */
+function hasSection(reader, id) {
+    return reader.getSections().some((s) => s.id === id);
+}
+/** Safely extract a section, returning null if absent. */
+function tryExtract(reader, id) {
+    try {
+        return reader.extractSection(id);
+    }
+    catch {
+        return null;
+    }
+}
+// ── Runner ──────────────────────────────────────────────────
+export class RvfaRunner {
+    reader;
+    header;
+    constructor(reader) {
+        this.reader = reader;
+        this.header = reader.getHeader();
+    }
+    /** Read and parse an RVFA file from disk. Throws on invalid input. */
+    static async fromFile(rvfaPath) {
+        const reader = await RvfaReader.fromFile(rvfaPath);
+        return new RvfaRunner(reader);
+    }
+    /** Create a runner from an already-loaded buffer. */
+    static fromBuffer(buf) {
+        return new RvfaRunner(RvfaReader.fromBuffer(buf));
+    }
+    /**
+     * Boot the appliance: verify integrity, then dispatch to the
+     * requested isolation strategy and run mode.
+     */
+    async boot(options) {
+        const { valid, errors } = this.reader.verify();
+        if (!valid) {
+            return fail(`Integrity check failed:\n${errors.join('\n')}`);
+        }
+        if (options.mode === 'verify')
+            return this.runVerify(options);
+        if (options.isolation === 'container')
+            return this.runContainer(options);
+        return this.runNative(options);
+    }
+    /**
+     * Run natively via Node.js: extract RUFLO section to a temp dir,
+     * configure env vars, optionally decrypt API-key vault, and spawn.
+     */
+    async runNative(options) {
+        const workDir = join(tmpdir(), `rvfa-${this.header.name}-${Date.now()}`);
+        try {
+            await mkdir(workDir, { recursive: true });
+            const ruflo = tryExtract(this.reader, 'ruflo');
+            if (!ruflo)
+                return fail('RVFA appliance does not contain a "ruflo" section');
+            const entryFile = join(workDir, 'ruflo-bundle.js');
+            await writeFile(entryFile, ruflo);
+            const env = {
+                ...this.header.boot.env,
+                RVFA_APPLIANCE_NAME: this.header.name,
+                RVFA_APPLIANCE_VERSION: this.header.appVersion,
+                RVFA_RUN_MODE: options.mode,
+                RVFA_PROFILE: this.header.profile,
+            };
+            if (options.passphrase && this.header.models.provider !== 'ruvllm') {
+                const vault = tryExtract(this.reader, 'models');
+                if (vault) {
+                    const keys = await this.decryptVault(vault, options.passphrase);
+                    if (keys)
+                        Object.assign(env, keys);
+                }
+            }
+            const args = [...this.header.boot.args];
+            if (options.mode === 'mcp')
+                args.push('--mcp', '--transport', 'stdio');
+            return spawnAsync(this.header.boot.entrypoint || 'node', [entryFile, ...args], {
+                cwd: workDir, env, verbose: options.verbose,
+            });
+        }
+        finally {
+            await cleanup(workDir);
+        }
+    }
+    /**
+     * Run in a Docker container: generate a Dockerfile from the
+     * extracted sections, build the image, and run it.
+     */
+    async runContainer(options) {
+        const dockerCheck = await spawnAsync('docker', ['info'], { verbose: false });
+        if (dockerCheck.exitCode !== 0) {
+            return fail('Docker is not available. Install Docker or use isolation: "native".');
+        }
+        const workDir = join(tmpdir(), `rvfa-container-${Date.now()}`);
+        try {
+            await mkdir(workDir, { recursive: true });
+            const ruflo = tryExtract(this.reader, 'ruflo');
+            if (!ruflo)
+                return fail('RVFA appliance does not contain a "ruflo" section');
+            await writeFile(join(workDir, 'ruflo-bundle.js'), ruflo);
+            const data = tryExtract(this.reader, 'data');
+            if (data)
+                await writeFile(join(workDir, 'data.bin'), data);
+            const envFlags = [];
+            for (const [k, v] of Object.entries(this.header.boot.env))
+                envFlags.push('-e', `${k}=${v}`);
+            envFlags.push('-e', `RVFA_RUN_MODE=${options.mode}`, '-e', `RVFA_PROFILE=${this.header.profile}`);
+            const baseImage = this.header.platform === 'alpine' ? 'node:20-alpine' : 'node:20-slim';
+            const cmdArgs = this.header.boot.args.map((a) => `, "${a}"`).join('');
+            const dockerfile = [
+                `FROM ${baseImage}`, 'WORKDIR /app', 'COPY ruflo-bundle.js .',
+                data ? 'COPY data.bin .' : '', `CMD ["node", "ruflo-bundle.js"${cmdArgs}]`,
+            ].filter(Boolean).join('\n');
+            await writeFile(join(workDir, 'Dockerfile'), dockerfile);
+            const imageName = `rvfa-${this.header.name}:${this.header.appVersion}`.toLowerCase();
+            const build = await spawnAsync('docker', ['build', '-t', imageName, '.'], {
+                cwd: workDir, verbose: options.verbose,
+            });
+            if (build.exitCode !== 0) {
+                return { ...build, stderr: `Docker build failed:\n${build.stderr}` };
+            }
+            return spawnAsync('docker', ['run', '--rm', ...envFlags, imageName], { verbose: options.verbose });
+        }
+        finally {
+            await cleanup(workDir);
+        }
+    }
+    /**
+     * Run the verification suite. Extracts the VERIFY section and
+     * executes it; falls back to a basic integrity report.
+     */
+    async runVerify(options) {
+        const start = performance.now();
+        const verifyPayload = tryExtract(this.reader, 'verify');
+        if (!verifyPayload) {
+            const { valid, errors } = this.reader.verify();
+            const lines = [
+                `Appliance: ${this.header.name} v${this.header.appVersion}`,
+                `Profile:   ${this.header.profile}`,
+                `Sections:  ${this.header.sections.length}`,
+                `Integrity: ${valid ? 'PASS' : 'FAIL'}`,
+                ...errors.map((e) => `  FAIL: ${e}`),
+                errors.length === 0 ? '  All checks PASS' : '',
+            ];
+            return {
+                exitCode: valid ? 0 : 1,
+                stdout: lines.filter(Boolean).join('\n'), stderr: '',
+                duration: performance.now() - start,
+            };
+        }
+        const workDir = join(tmpdir(), `rvfa-verify-${Date.now()}`);
+        try {
+            await mkdir(workDir, { recursive: true });
+            await writeFile(join(workDir, 'verify.js'), verifyPayload);
+            return spawnAsync('node', [join(workDir, 'verify.js')], {
+                cwd: workDir, verbose: options.verbose,
+                env: { RVFA_APPLIANCE_NAME: this.header.name, RVFA_APPLIANCE_VERSION: this.header.appVersion },
+            });
+        }
+        finally {
+            await cleanup(workDir);
+        }
+    }
+    /** Return appliance metadata without booting. */
+    getInfo() {
+        const sections = this.reader.getSections();
+        const totalSize = sections.reduce((sum, s) => sum + s.size, 0);
+        return {
+            header: { ...this.header },
+            sections: sections.map((s) => ({ id: s.id, size: s.size, originalSize: s.originalSize })),
+            totalSize,
+        };
+    }
+    // ── Private ───────────────────────────────────────────────
+    /**
+     * Decrypt an API-key vault (AES-256-GCM).
+     * Layout: [16-byte IV][ciphertext][16-byte auth-tag]
+     * Key derived via PBKDF2 with salt = "rvfa-vault-{name}".
+     */
+    async decryptVault(payload, passphrase) {
+        try {
+            const { createDecipheriv, pbkdf2Sync } = await import('node:crypto');
+            if (payload.length < 33)
+                return null;
+            const iv = payload.subarray(0, 16);
+            const tag = payload.subarray(payload.length - 16);
+            const ciphertext = payload.subarray(16, payload.length - 16);
+            const key = pbkdf2Sync(passphrase, Buffer.from(`rvfa-vault-${this.header.name}`), 100_000, 32, 'sha256');
+            const decipher = createDecipheriv('aes-256-gcm', key, iv);
+            decipher.setAuthTag(tag);
+            const dec = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+            return JSON.parse(dec.toString('utf-8'));
+        }
+        catch {
+            return null;
+        }
+    }
+}
+//# sourceMappingURL=rvfa-runner.js.map

package/dist/src/appliance/rvfa-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rvfa-runner.js","sourceRoot":"","sources":["../../../src/appliance/rvfa-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAqB9C,+DAA+D;AAE/D,uDAAuD;AACvD,SAAS,UAAU,CACjB,GAAW,EAAE,IAAc,EAC3B,IAAkE;IAElE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,GAAG,GAAa,EAAE,CAAC;QACzB,MAAM,GAAG,GAAa,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;YAC7B,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SACrF,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpG,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpG,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC;YAClC,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;YACjG,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC,CAAC,CAAC;QACJ,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC;YAC/B,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SAChF,CAAC,CAAC,CAAC;IACN,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,IAAI,GAAG,CAAC,MAAc,EAAa,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;AAC/F,MAAM,OAAO,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AAE3F,gEAAgE;AAChE,SAAS,UAAU,CAAC,MAAkB,EAAE,EAAU;IAChD,OAAO,MAAM,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,0DAA0D;AAC1D,SAAS,UAAU,CAAC,MAAkB,EAAE,EAAU;IAChD,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,+DAA+D;AAE/D,MAAM,OAAO,UAAU;IACb,MAAM,CAAa;IACnB,MAAM,CAAa;IAE3B,YAAoB,MAAkB;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;IACnC,CAAC;IAED,sEAAsE;IACtE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAgB;QACpC,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,qDAAqD;IACrD,MAAM,CAAC,UAAU,CAAC,GAAW;QAC3B,OAAO,IAAI,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACpD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CAAC,OAAmB;QAC5B,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,4BAA4B,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC9D,IAAI,OAAO,CAAC,SAAS,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACzE,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS,CAAC,OAAmB;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,QAAQ,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACzE,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAE1C,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC,mDAAmD,CAAC,CAAC;YAE7E,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;YACnD,MAAM,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YAElC,MAAM,GAAG,GAA2B;gBAClC,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;gBACvB,mBAAmB,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;gBACrC,sBAAsB,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;gBAC9C,aAAa,EAAE,OAAO,CAAC,IAAI;gBAC3B,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;aAClC,CAAC;YAEF,IAAI,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACnE,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAChD,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;oBAChE,IAAI,IAAI;wBAAE,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBACrC,CAAC;YACH,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxC,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK;gBAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC;YAEvE,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,IAAI,MAAM,EAAE,CAAC,SAAS,EAAE,GAAG,IAAI,CAAC,EAAE;gBAC7E,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO;aAC5C,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,OAAmB;QACpC,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7E,IAAI,WAAW,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,qEAAqE,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC/D,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAE1C,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC,mDAAmD,CAAC,CAAC;YAC7E,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,KAAK,CAAC,CAAC;YAEzD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC7C,IAAI,IAAI;gBAAE,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAa,EAAE,CAAC;YAC9B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;gBAAE,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC5F,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,iBAAiB,OAAO,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,gBAAgB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;YAElG,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,cAAc,CAAC;YACxF,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACtE,MAAM,UAAU,GAAG;gBACjB,QAAQ,SAAS,EAAE,EAAE,cAAc,EAAE,wBAAwB;gBAC7D,IAAI,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,EAAE,iCAAiC,OAAO,GAAG;aAC3E,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7B,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,EAAE,UAAU,CAAC,CAAC;YAEzD,MAAM,SAAS,GAAG,QAAQ,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,WAAW,EAAE,CAAC;YACrF,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE;gBACxE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO;aACvC,CAAC,CAAC;YACH,IAAI,KAAK,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE,yBAAyB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACvE,CAAC;YAED,OAAO,UAAU,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,SAAS,CAAC,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;QACrG,CAAC;gBAAS,CAAC;YACT,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS,CAAC,OAAmB;QACjC,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAExD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG;gBACZ,cAAc,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE;gBAC3D,cAAc,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE;gBACnC,cAAc,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE;gBAC3C,cAAc,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE;gBACvC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;gBACpC,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAAE;aAC/C,CAAC;YACF,OAAO;gBACL,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE;gBACpD,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;aACpC,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1C,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,aAAa,CAAC,CAAC;YAC3D,OAAO,UAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,EAAE;gBACtD,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO;gBACtC,GAAG,EAAE,EAAE,mBAAmB,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,sBAAsB,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE;aAC/F,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,OAAO;QAKL,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAC/D,OAAO;YACL,MAAM,EAAE,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE;YAC1B,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;YACzF,SAAS;SACV,CAAC;IACJ,CAAC;IAED,6DAA6D;IAE7D;;;;OAIG;IACK,KAAK,CAAC,YAAY,CAAC,OAAe,EAAE,UAAkB;QAC5D,IAAI,CAAC;YACH,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YACrE,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE;gBAAE,OAAO,IAAI,CAAC;YAErC,MAAM,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACnC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;YAClD,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;YAEzG,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YACzB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAC3E,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF"}

package/dist/src/appliance/rvfa-signing.d.ts

@@ -0,0 +1,123 @@
+/**
+ * RVFA Ed25519 Code Signing -- Digital signatures for RVFA appliance files.
+ *
+ * Provides tamper detection and publisher identity verification using
+ * Ed25519 (RFC 8032) via Node.js native crypto. Zero external dependencies.
+ *
+ * @module @claude-flow/cli/appliance/rvfa-signing
+ */
+export interface RvfaKeyPair {
+    publicKey: Buffer;
+    privateKey: Buffer;
+    fingerprint: string;
+}
+export interface SignatureMetadata {
+    algorithm: 'ed25519';
+    publicKeyFingerprint: string;
+    signature: string;
+    signedAt: string;
+    signedBy?: string;
+    scope: 'full' | 'sections';
+}
+export interface VerifyResult {
+    valid: boolean;
+    signerFingerprint?: string;
+    signedAt?: string;
+    signedBy?: string;
+    errors: string[];
+}
+/**
+ * Generate a new Ed25519 key pair for RVFA signing.
+ */
+export declare function generateKeyPair(): Promise<RvfaKeyPair>;
+/**
+ * Save a key pair to disk as PEM files.
+ *
+ * @param keyPair  The key pair to persist.
+ * @param dir      Directory to write files into.
+ * @param name     Base name for the key files (default: 'rvfa-signing').
+ * @returns Paths to the written public and private key files.
+ */
+export declare function saveKeyPair(keyPair: RvfaKeyPair, dir: string, name?: string): Promise<{
+    publicKeyPath: string;
+    privateKeyPath: string;
+}>;
+/**
+ * Load a key pair from PEM files on disk.
+ *
+ * @param dir   Directory containing the key files.
+ * @param name  Base name for the key files (default: 'rvfa-signing').
+ */
+export declare function loadKeyPair(dir: string, name?: string): Promise<RvfaKeyPair>;
+/**
+ * Load a public key from a single PEM file.
+ */
+export declare function loadPublicKey(path: string): Promise<Buffer>;
+/**
+ * Signs RVFA appliance files and data with Ed25519.
+ */
+export declare class RvfaSigner {
+    private readonly keyObj;
+    private readonly fingerprint;
+    constructor(privateKey: Buffer | string);
+    /**
+     * Sign an RVFA appliance file in-place.
+     *
+     * Algorithm:
+     *  1. Read and parse the RVFA binary
+     *  2. Strip any existing signature from the header
+     *  3. Compute SHA256 of [canonical_header + section_data + footer]
+     *  4. Sign the digest with Ed25519
+     *  5. Embed signature metadata into the header
+     *  6. Write the updated binary back to the file
+     *
+     * @param rvfaPath   Path to the .rvf appliance file.
+     * @param signedBy   Optional publisher name.
+     * @returns The signature metadata that was embedded.
+     */
+    signAppliance(rvfaPath: string, signedBy?: string): Promise<SignatureMetadata>;
+    /**
+     * Sign a section footer hash (detached signature).
+     *
+     * @param footerHash  The 32-byte SHA256 footer hash from an RVFA file.
+     * @returns Hex-encoded Ed25519 signature.
+     */
+    signSections(footerHash: Buffer): Promise<string>;
+    /**
+     * Sign an RVFP patch file (detached signature).
+     *
+     * @param patchData  The raw patch binary data.
+     * @returns Hex-encoded Ed25519 signature.
+     */
+    signPatch(patchData: Buffer): Promise<string>;
+}
+/**
+ * Verifies Ed25519 signatures on RVFA appliance files and data.
+ */
+export declare class RvfaVerifier {
+    private readonly keyObj;
+    private readonly fingerprint;
+    constructor(publicKey: Buffer | string);
+    /**
+     * Verify the Ed25519 signature embedded in an RVFA appliance file.
+     *
+     * @param rvfaPath  Path to the .rvf appliance file.
+     * @returns Verification result with details and any errors.
+     */
+    verifyAppliance(rvfaPath: string): Promise<VerifyResult>;
+    /**
+     * Verify a detached Ed25519 signature over arbitrary data.
+     *
+     * @param data       The data that was signed.
+     * @param signature  Hex-encoded Ed25519 signature.
+     */
+    verifyDetached(data: Buffer, signature: string): Promise<boolean>;
+    /**
+     * Verify an RVFP patch file signature.
+     *
+     * @param patchData  The raw patch binary data.
+     * @param signature  Hex-encoded Ed25519 signature.
+     */
+    verifyPatch(patchData: Buffer, signature: string): Promise<boolean>;
+}
+//# sourceMappingURL=rvfa-signing.d.ts.map

package/dist/src/appliance/rvfa-signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rvfa-signing.d.ts","sourceRoot":"","sources":["../../../src/appliance/rvfa-signing.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAkBH,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,SAAS,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,UAAU,CAAC;CAC5B;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,OAAO,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAYD;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,WAAW,CAAC,CAW5D;AAED;;;;;;;GAOG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,EACX,IAAI,SAAiB,GACpB,OAAO,CAAC;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAE,CAAC,CAa5D;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,IAAI,SAAiB,GACpB,OAAO,CAAC,WAAW,CAAC,CAmBtB;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEjE;AA4HD;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAY;IACnC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;gBAEzB,UAAU,EAAE,MAAM,GAAG,MAAM;IASvC;;;;;;;;;;;;;;OAcG;IACG,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IA2BpF;;;;;OAKG;IACG,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAUvD;;;;;OAKG;IACG,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAKpD;AAID;;GAEG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAY;IACnC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;gBAEzB,SAAS,EAAE,MAAM,GAAG,MAAM;IAMtC;;;;;OAKG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAqE9D;;;;;OAKG;IACG,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMvE;;;;;OAKG;IACG,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAK1E"}