@cnrai/pave 0.3.32 → 0.3.34

package/build-npm.js

@@ -0,0 +1,537 @@
+#!/usr/bin/env node
+/**
+ * Build script for npm-publishable PAVE package
+ *
+ * Creates an obfuscated, Node 16-compatible npm package at dist/npm/
+ * that can be published as @cnrai/pave.
+ *
+ * Pipeline: esbuild bundle � javascript-obfuscator � npm package
+ *
+ * Usage:
+ *   node build-npm.js                # Build only
+ *   node build-npm.js --publish      # Build and publish (requires npm login)
+ *   node build-npm.js --dry-run      # Build and show what would be published
+ *
+ * Output:
+ *   dist/npm/
+ *     package.json      - npm package metadata
+ *     pave.js           - Obfuscated main bundle with shebang
+ *     sandbox/          - Obfuscated sandbox runner files
+ *       pave-run.js
+ *       SandboxRunner.js
+ *       permission.js
+ *       utils/yaml.js
+ *     README.md         - Usage instructions
+ *     LICENSE           - MIT License
+ */
+
+const { execSync, execFileSync } = require('child_process');
+const esbuild = require('esbuild');
+const fs = require('fs');
+const path = require('path');
+
+// Directories
+const ROOT_DIR = __dirname;
+const OPENCODE_LITE_DIR = path.join(ROOT_DIR, '..', 'opencode-lite');
+const DIST_DIR = path.join(ROOT_DIR, 'dist', 'npm');
+const SANDBOX_DEST_DIR = path.join(DIST_DIR, 'sandbox');
+
+// Get version from package.json
+const packageJson = JSON.parse(fs.readFileSync(path.join(ROOT_DIR, 'package.json'), 'utf8'));
+const VERSION = packageJson.version || '0.0.0';
+
+// Check for flags (mutually exclusive)
+const hasPublishFlag = process.argv.includes('--publish');
+const hasDryRunFlag = process.argv.includes('--dry-run');
+
+if (hasPublishFlag && hasDryRunFlag) {
+  console.error('Error: --publish and --dry-run cannot be used together. Please specify only one.');
+  process.exit(1);
+}
+
+const shouldPublish = hasPublishFlag;
+const isDryRun = hasDryRunFlag;
+
+/**
+ * Obfuscate a JavaScript file using javascript-obfuscator.
+ * Uses execFileSync with argument array to safely handle paths with spaces.
+ * @param {string} inputPath - Path to the source file
+ * @param {string} outputPath - Path for the obfuscated output
+ * @returns {string} Path to the obfuscated file
+ */
+function obfuscateFile(inputPath, outputPath) {
+  // Resolve npx path for execFileSync
+  const npxPath = process.platform === 'win32' ? 'npx.cmd' : 'npx';
+
+  // Same obfuscation settings as build-binary.js for consistency
+  // Use --no-install to prevent npx from fetching packages from the registry
+  const args = [
+    '--no-install',
+    'javascript-obfuscator',
+    inputPath,
+    '--output', outputPath,
+    '--compact', 'true',
+    '--control-flow-flattening', 'false',
+    '--dead-code-injection', 'false',
+    '--identifier-names-generator', 'mangled',
+    '--rename-globals', 'false',
+    '--self-defending', 'false',
+    '--string-array', 'true',
+    '--string-array-encoding', 'base64',
+    '--string-array-threshold', '1.0',
+    '--seed', '42',
+    '--transform-object-keys', 'false',
+    '--unicode-escape-sequence', 'false',
+    '--target', 'node',
+    '--options-preset', 'low-obfuscation',
+    '--reserved-names', 'authenticated,valid,token,copilot,github,OpenCode,blessed,require,module,exports,process,console,Buffer,__dirname,__filename,program,tput,screen,cursor,options,element,children,parent,box,text,list,input,key,mouse,emit,on,off,render,destroy,focus,append,remove,hide,show,toggle,scroll,setContent,getContent,pushLine,setLine,insertLine,deleteLine,width,height,left,right,top,bottom,rows,cols',
+    '--reserved-strings', 'authenticated,valid,token,GitHub Copilot,Saved token is valid,OpenCode',
+    '--split-strings', 'false',
+  ];
+
+  try {
+    execFileSync(npxPath, args, { stdio: 'pipe', cwd: ROOT_DIR });
+  } catch (err) {
+    let message = 'javascript-obfuscator failed for ' + inputPath + ':\n' + String(err && err.message ? err.message : err);
+    if (err && err.stdout) {
+      message += '\nstdout:\n' + err.stdout.toString();
+    }
+    if (err && err.stderr) {
+      message += '\nstderr:\n' + err.stderr.toString();
+    }
+    throw new Error(message);
+  }
+  return outputPath;
+}
+
+async function build() {
+  console.log('='.repeat(60));
+  console.log('Building PAVE npm package v' + VERSION);
+  console.log('='.repeat(60));
+
+  // Clean and recreate dist/npm directory
+  if (fs.existsSync(DIST_DIR)) {
+    fs.rmSync(DIST_DIR, { recursive: true, force: true });
+  }
+  fs.mkdirSync(DIST_DIR, { recursive: true });
+  fs.mkdirSync(SANDBOX_DEST_DIR, { recursive: true });
+  fs.mkdirSync(path.join(SANDBOX_DEST_DIR, 'utils'), { recursive: true });
+
+  // Ensure javascript-obfuscator is available (must be pre-installed as devDependency)
+  console.log('\n[0/5] Checking javascript-obfuscator...');
+  const npxCheck = process.platform === 'win32' ? 'npx.cmd' : 'npx';
+  try {
+    execFileSync(npxCheck, ['--no-install', 'javascript-obfuscator', '--version'], { stdio: 'pipe', cwd: ROOT_DIR });
+    console.log('   javascript-obfuscator is available');
+  } catch (e) {
+    console.error('   Error: javascript-obfuscator is not installed.');
+    console.error('   Run: npm install --save-dev javascript-obfuscator');
+    process.exit(1);
+  }
+
+  // Step 1: Bundle with esbuild
+  console.log('\n[1/5] Bundling with esbuild (target: node16)...');
+
+  const bundlePath = path.join(DIST_DIR, 'pave-bundle.js');
+
+  await esbuild.build({
+    entryPoints: [path.join(ROOT_DIR, 'index.js')],
+    bundle: true,
+    platform: 'node',
+    target: 'node16',
+    outfile: bundlePath,
+    define: {
+      PAVE_VERSION: JSON.stringify(VERSION),
+    },
+    nodePaths: [path.join(ROOT_DIR, 'node_modules')],
+    external: [
+      'blessed',
+      'abort-controller',
+      'term.js',
+      'pty.js',
+    ],
+    minify: true,
+    keepNames: true,
+    sourcemap: false,
+    format: 'cjs',
+  });
+
+  const bundleStats = fs.statSync(bundlePath);
+  console.log('   Bundle size: ' + (bundleStats.size / 1024).toFixed(1) + ' KB');
+
+  // Step 2: Obfuscate main bundle
+  console.log('\n[2/5] Obfuscating main bundle...');
+
+  const obfuscatedPath = path.join(DIST_DIR, 'pave.js');
+  obfuscateFile(bundlePath, obfuscatedPath);
+
+  // Add shebang, iSH auto-detection, and make executable
+  let content = fs.readFileSync(obfuscatedPath, 'utf-8');
+  content = content.replace(/^(#!.*\n)+/, '');
+
+  // iSH auto-detection prefix: re-execs with optimized flags if on iSH
+  // Runs before any heavy imports. Checks process.execArgv to avoid infinite loop.
+  const ishPrefix = [
+    '(function(){',
+    'if(process.execArgv.indexOf("--jitless")!==-1)return;',
+    'try{require("fs").readFileSync("/proc/ish/version","utf-8")}catch(e){return}',
+    'var f=["--jitless","--max-old-space-size=128","--optimize-for-size",',
+    '"--no-lazy","--expose-gc","--gc-interval=25","--max-semi-space-size=8",',
+    '"--memory-reducer","--no-compilation-cache","--no-turbo-inlining",',
+    '"--no-use-osr","--no-opt","--stack-size=512"];',
+    'var r=require("child_process").spawnSync(process.execPath,',
+    'f.concat([__filename]).concat(process.argv.slice(2)),',
+    '{stdio:"inherit"});',
+    'process.exit(r.status||0);',
+    '})();',
+  ].join('');
+
+  content = '#!/usr/bin/env node\n' + ishPrefix + '\n' + content;
+  fs.writeFileSync(obfuscatedPath, content);
+  fs.chmodSync(obfuscatedPath, 0o755);
+
+  // Remove intermediate bundle
+  fs.unlinkSync(bundlePath);
+
+  const obfStats = fs.statSync(obfuscatedPath);
+  console.log('   Obfuscated size: ' + (obfStats.size / 1024).toFixed(1) + ' KB');
+
+  // Verify obfuscation of main bundle
+  const obfContent = fs.readFileSync(obfuscatedPath, 'utf-8');
+  const sensitiveStrings = ['newGlobal', 'os.system', 'SandboxRunner', 'drainJobQueue'];
+  const found = sensitiveStrings.filter((s) => { return obfContent.includes(s); });
+  if (found.length > 0) {
+    console.error('   Error: Some sensitive strings still visible in pave.js after obfuscation: ' + found.join(', '));
+    process.exit(1);
+  } else {
+    console.log('   Sensitive strings successfully obfuscated');
+  }
+
+  // Step 3: Copy and obfuscate sandbox files
+  console.log('\n[3/5] Copying and obfuscating sandbox files...');
+
+  const sandboxFiles = [
+    { src: 'bin/pave-run.js', dest: 'pave-run.js' },
+    { src: 'src/sandbox/SandboxRunner.js', dest: 'SandboxRunner.js' },
+    { src: 'src/tools/permission.js', dest: 'permission.js' },
+    { src: 'src/utils/yaml.js', dest: 'utils/yaml.js' },
+  ];
+
+  for (let i = 0; i < sandboxFiles.length; i++) {
+    const file = sandboxFiles[i];
+    const srcPath = path.join(OPENCODE_LITE_DIR, file.src);
+    const destPath = path.join(SANDBOX_DEST_DIR, file.dest);
+
+    if (!fs.existsSync(srcPath)) {
+      console.error('   Error: Required sandbox file is missing: ' + srcPath);
+      process.exit(1);
+    }
+
+    let fileContent = fs.readFileSync(srcPath, 'utf-8');
+
+    // Fix require paths for the bundled structure (same as build.js)
+    if (file.dest === 'pave-run.js') {
+      fileContent = fileContent.replace(
+        /var sandboxPath = path\.join\(__dirname.*SandboxRunner\.js'\);/,
+        "var sandboxPath = path.join(__dirname, 'SandboxRunner.js');",
+      );
+      fileContent = fileContent.replace(
+        /var permissionPath = path\.join\(__dirname.*permission\.js'\);/,
+        "var permissionPath = path.join(__dirname, 'permission.js');",
+      );
+    }
+
+    if (file.dest === 'SandboxRunner.js') {
+      fileContent = fileContent.replace(
+        /} = require\(['"]\.\.\/tools\/permission['"]\);/,
+        "} = require('./permission');",
+      );
+      fileContent = fileContent.replace(
+        /require\(['"]\.\.\/tools\/permission['"]\)/g,
+        "require('./permission')",
+      );
+    }
+
+    if (file.dest === 'permission.js') {
+      fileContent = fileContent.replace(
+        /require\(['"]\.\.\/utils\/yaml['"]\)/g,
+        "require('./utils/yaml')",
+      );
+      // Strip developer-specific absolute paths from LEGACY_ENV_FILE_PATHS
+      // to avoid leaking local machine info into the npm package
+      fileContent = fileContent.replace(
+        /,\s*['"]\/Users\/[^'"]*['"]/g,
+        '',
+      );
+    }
+
+    // Write patched file to a temp location, then obfuscate to dest
+    const tempPath = destPath.replace(/\.js$/, '.input.js');
+    fs.writeFileSync(tempPath, fileContent);
+
+    try {
+      obfuscateFile(tempPath, destPath);
+      fs.unlinkSync(tempPath);
+      console.log('   Obfuscated: sandbox/' + file.dest);
+    } catch (err) {
+      // yaml.js is a generic YAML parsing utility with no PAVE-specific logic,
+      // so it's safe to ship unobfuscated if obfuscation fails
+      if (file.dest === 'utils/yaml.js') {
+        console.warn('   Warning: Obfuscation skipped for sandbox/utils/yaml.js; using patched source.');
+        fs.renameSync(tempPath, destPath);
+      } else {
+        console.error('   Error: Failed to obfuscate sandbox/' + file.dest + ': ' + err.message);
+        try { fs.unlinkSync(tempPath); } catch (e) { /* cleanup best-effort */ }
+        process.exit(1);
+      }
+    }
+  }
+
+  // Verify sandbox outputs for sensitive strings (except yaml.js which may be unobfuscated)
+  const sandboxSensitive = ['newGlobal', 'os.system', 'drainJobQueue', 'SandboxRunner'];
+  const whitelistedSandbox = ['utils/yaml.js'];
+  // pave-run.js legitimately references SandboxRunner as a require path/variable name
+  const perFileWhitelist = { 'pave-run.js': ['SandboxRunner'] };
+  for (let k = 0; k < sandboxFiles.length; k++) {
+    const sf = sandboxFiles[k];
+    if (whitelistedSandbox.indexOf(sf.dest) > -1) continue;
+    const sfPath = path.join(SANDBOX_DEST_DIR, sf.dest);
+    if (!fs.existsSync(sfPath)) continue;
+    const sfContent = fs.readFileSync(sfPath, 'utf-8');
+    const fileWhitelist = perFileWhitelist[sf.dest] || [];
+    const sfFound = sandboxSensitive.filter((s) => {
+      return fileWhitelist.indexOf(s) === -1 && sfContent.includes(s);
+    });
+    if (sfFound.length > 0) {
+      console.error('   Error: Sensitive strings in sandbox/' + sf.dest + ': ' + sfFound.join(', '));
+      process.exit(1);
+    }
+  }
+  console.log('   Sandbox files verified: no sensitive strings detected');
+
+  // Check for developer-specific paths that should not be in published package
+  const devPathPatterns = [/\/Users\/[^/\\]+\//g, /\/home\/[^/\\]+\//g, /C:\\\\Users\\\\[^\\]+\\\\/g];
+  for (let m = 0; m < sandboxFiles.length; m++) {
+    const dpFile = sandboxFiles[m];
+    const dpPath = path.join(SANDBOX_DEST_DIR, dpFile.dest);
+    if (!fs.existsSync(dpPath)) continue;
+    const dpContent = fs.readFileSync(dpPath, 'utf-8');
+    for (let n = 0; n < devPathPatterns.length; n++) {
+      const devMatch = dpContent.match(devPathPatterns[n]);
+      if (devMatch) {
+        console.error('   Error: Developer-specific path found in sandbox/' + dpFile.dest + ': ' + devMatch[0]);
+        process.exit(1);
+      }
+    }
+  }
+  console.log('   Sandbox files verified: no developer-specific paths detected');
+
+  // Step 4: Generate package.json, README, LICENSE
+  console.log('\n[4/5] Generating package metadata...');
+
+  const npmPackage = {
+    name: '@cnrai/pave',
+    version: VERSION,
+    description: 'PAVE - Personal AI Virtual Environment. AI agent framework for the terminal.',
+    main: 'pave.js',
+    bin: {
+      pave: './pave.js',
+    },
+    scripts: {
+      start: 'node pave.js',
+    },
+    engines: {
+      node: '>=16.0.0',
+    },
+    os: ['darwin', 'linux', 'win32'],
+    dependencies: {
+      blessed: '^0.1.81',
+      'js-yaml': '^4.1.0',
+    },
+    files: [
+      'pave.js',
+      'sandbox/',
+      'README.md',
+      'LICENSE',
+    ],
+    keywords: [
+      'ai', 'terminal', 'tui', 'agent', 'cli',
+      'ish', 'ios', 'node16', 'memory-efficient',
+    ],
+    repository: {
+      type: 'git',
+      url: 'git+https://github.com/cnrai/openpave.git',
+    },
+    homepage: 'https://github.com/cnrai/openpave',
+    bugs: {
+      url: 'https://github.com/cnrai/openpave/issues',
+    },
+    author: 'CNRAI',
+    license: 'MIT',
+  };
+
+  fs.writeFileSync(
+    path.join(DIST_DIR, 'package.json'),
+    JSON.stringify(npmPackage, null, 2) + '\n',
+  );
+  console.log('   Created package.json');
+
+  // README
+  const readme = [
+    '# @cnrai/pave',
+    '',
+    'PAVE - Personal AI Virtual Environment. AI agent framework for the terminal.',
+    '',
+    '## Installation',
+    '',
+    '```bash',
+    'npm install -g @cnrai/pave',
+    '```',
+    '',
+    '## Usage',
+    '',
+    '```bash',
+    'pave                    # Launch TUI',
+    'pave --help             # Show help',
+    'pave --version          # Show version',
+    'pave chat "question"    # Quick chat',
+    '```',
+    '',
+    '### iSH (iOS)',
+    '',
+    '```bash',
+    'npm install -g @cnrai/pave',
+    'pave                    # Auto-detects iSH and applies optimized Node flags',
+    '```',
+    '',
+    '## Requirements',
+    '',
+    '- Node.js >= 16.0.0',
+    '- A GitHub Copilot subscription (for the AI backend)',
+    '',
+    '## Links',
+    '',
+    '- Source: https://github.com/cnrai/openpave',
+    '- Issues: https://github.com/cnrai/openpave/issues',
+    '- Homebrew (native binary): `brew tap cnrai/tap && brew install pave`',
+    '',
+    '## License',
+    '',
+    'MIT - Copyright (c) 2025 CNRAI',
+    '',
+  ].join('\n');
+
+  fs.writeFileSync(path.join(DIST_DIR, 'README.md'), readme);
+  console.log('   Created README.md');
+
+  // LICENSE
+  const license = [
+    'MIT License',
+    '',
+    'Copyright (c) 2025 CNRAI',
+    '',
+    'Permission is hereby granted, free of charge, to any person obtaining a copy',
+    'of this software and associated documentation files (the "Software"), to deal',
+    'in the Software without restriction, including without limitation the rights',
+    'to use, copy, modify, merge, publish, distribute, sublicense, and/or sell',
+    'copies of the Software, and to permit persons to whom the Software is',
+    'furnished to do so, subject to the following conditions:',
+    '',
+    'The above copyright notice and this permission notice shall be included in all',
+    'copies or substantial portions of the Software.',
+    '',
+    'THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR',
+    'IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,',
+    'FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE',
+    'AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER',
+    'LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,',
+    'OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE',
+    'SOFTWARE.',
+    '',
+  ].join('\n');
+
+  fs.writeFileSync(path.join(DIST_DIR, 'LICENSE'), license);
+  console.log('   Created LICENSE');
+
+  // Step 5: Summary and optional publish
+  console.log('\n[5/5] Package summary...');
+
+  // Calculate total size
+  let totalSize = 0;
+  function addSize(filePath) {
+    if (fs.existsSync(filePath)) {
+      totalSize += fs.statSync(filePath).size;
+    }
+  }
+  addSize(path.join(DIST_DIR, 'pave.js'));
+  addSize(path.join(DIST_DIR, 'package.json'));
+  addSize(path.join(DIST_DIR, 'README.md'));
+  addSize(path.join(DIST_DIR, 'LICENSE'));
+
+  // Add sandbox files
+  const sandboxDir = path.join(DIST_DIR, 'sandbox');
+  if (fs.existsSync(sandboxDir)) {
+    const walkDir = function (dir) {
+      const files = fs.readdirSync(dir);
+      for (let j = 0; j < files.length; j++) {
+        const fp = path.join(dir, files[j]);
+        const stat = fs.statSync(fp);
+        if (stat.isDirectory()) {
+          walkDir(fp);
+        } else {
+          totalSize += stat.size;
+        }
+      }
+    };
+    walkDir(sandboxDir);
+  }
+
+  console.log('\n' + '='.repeat(60));
+  console.log('npm package built successfully!');
+  console.log('='.repeat(60));
+  console.log('\n   Package:   @cnrai/pave@' + VERSION);
+  console.log('   Location:  ' + DIST_DIR);
+  console.log('   Size:      ' + (totalSize / 1024).toFixed(1) + ' KB (before npm install)');
+  console.log('\n   Contents:');
+  console.log('     pave.js            - Obfuscated main bundle');
+  console.log('     sandbox/           - Obfuscated sandbox files');
+  console.log('     package.json       - npm metadata');
+  console.log('     README.md          - Usage instructions');
+  console.log('     LICENSE            - MIT License');
+
+  if (shouldPublish) {
+    console.log('\n   Publishing to npm...');
+    try {
+      execSync('npm publish --access public', { cwd: DIST_DIR, stdio: 'inherit' });
+      console.log('\n   Published @cnrai/pave@' + VERSION + ' to npm!');
+    } catch (err) {
+      console.error('\n   Publish failed: ' + err.message);
+      console.error('   Make sure you are logged in: npm login');
+      console.error('   And @cnrai org exists: npm org create cnrai');
+      process.exit(1);
+    }
+  } else if (isDryRun) {
+    console.log('\n   Dry run (showing what would be published):');
+    try {
+      execSync('npm pack --dry-run', { cwd: DIST_DIR, stdio: 'inherit' });
+    } catch (err) {
+      // Only ignore the error if the npm command itself is not available.
+      if (err && (err.code === 'ENOENT' || err.status === 127)) {
+        console.log('   (npm pack not available, skipping dry run)');
+      } else {
+        console.error('   npm pack --dry-run failed:', err && err.message ? err.message : err);
+        process.exit(1);
+      }
+    }
+  } else {
+    console.log('\n   To publish:');
+    console.log('     cd ' + DIST_DIR);
+    console.log('     npm publish --access public');
+    console.log('\n   Or run: node build-npm.js --publish');
+  }
+}
+
+build().catch((err) => {
+  console.error('Build failed:', err);
+  process.exit(1);
+});