@dmsdc-ai/aigentry-telepty 0.5.8 → 0.6.0

package/src/audit/inject-log.js

@@ -0,0 +1,234 @@
+'use strict';
+
+// #43 P1 — inject audit spine.
+//
+// Component A in the spec (docs/specs/2026-06-09-inject-audit-provenance.md §3, §5, §8).
+// Three concerns, pure Node only (§17 무의존 — `crypto`/`fs`/`events`, no external deps):
+//   1. buildAuditLine(record)        — pure builder for the JSONL schema v1 (one line/delivery).
+//   2. createAuditWriter({...})       — bounded async append, size+age rotation, 0700 dir / 0600
+//                                       file, overflow→drop-oldest+event, NEVER fsync-block delivery.
+//   3. readInjectLog(path, filters)   — read/filter/paginate helper backing the P3 GET /api/injects.
+//
+// This is an AUDIT log, not a transactional ledger: no per-line fsync, bounded loss of the last
+// in-flight batch on hard crash is accepted (spec §8). Rotation/prune is best-effort and never
+// blocks the delivery hot path (append() is fire-and-forget; the writer drains on a timer).
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const { EventEmitter } = require('events');
+
+const SCHEMA_VERSION = 1;
+const DEFAULT_PREVIEW_BYTES = 200;
+const DEFAULT_QUEUE_MAX = 10000;
+const DEFAULT_FLUSH_MS = 250;
+const DEFAULT_MAX_BYTES = 50 * 1024 * 1024; // 50 MB
+const DEFAULT_MAX_FILES = 5;
+const DEFAULT_MAX_AGE_DAYS = 30;
+
+// Build one compact JSON line for a single delivery (schema v1, spec §5). Pure: the only
+// inputs are `record` fields; sha256/byte-length/spoof_suspected are derived here so the
+// builder is the single testable source of truth. Redaction default = hash-only: payload
+// content is NEVER written unless `record.preview === true`, and then only truncated.
+function buildAuditLine(record = {}) {
+  const payload = typeof record.payload === 'string' ? record.payload : '';
+  const claimed = record.claimed_from != null ? record.claimed_from : null;
+  const verified = record.verified_sender_sid != null ? record.verified_sender_sid : null;
+  const previewOn = record.preview === true;
+  const previewBytes = Number.isFinite(record.previewBytes) ? record.previewBytes : DEFAULT_PREVIEW_BYTES;
+
+  const line = {
+    v: SCHEMA_VERSION,
+    ts: record.ts || new Date().toISOString(),
+    inject_id: record.inject_id != null ? record.inject_id : null,
+    kind: record.kind || 'inject',
+    source: record.source || record.kind || 'inject',
+    claimed_from: claimed,
+    verified_sender_sid: verified,
+    spoof_suspected: !!(claimed && verified && claimed !== verified),
+    to: record.to != null ? record.to : null,
+    to_alias: record.to_alias != null ? record.to_alias : null,
+    origin: record.origin || 'trusted-local',
+    origin_host: record.origin_host != null ? record.origin_host : null,
+    ref_path: record.ref_path != null ? record.ref_path : null,
+    payload_sha256: crypto.createHash('sha256').update(payload).digest('hex'),
+    payload_bytes: Buffer.byteLength(payload),
+    payload_preview: previewOn ? truncatePreview(payload, previewBytes) : null,
+    delivery_result: record.delivery_result || 'success'
+  };
+  return JSON.stringify(line);
+}
+
+// Truncate a preview to at most `previewBytes` characters — never the full payload. Slicing
+// by character (not raw bytes) avoids splitting a multibyte sequence into invalid UTF-8.
+function truncatePreview(payload, previewBytes) {
+  if (payload.length <= previewBytes) return payload;
+  return payload.slice(0, previewBytes);
+}
+
+// Bounded async writer. append() pushes onto an in-memory FIFO and returns immediately; a
+// timer drains the batch with a single appendFile (spec §8). Overflow drops the OLDEST and
+// emits `audit_overflow` (silent truncation forbidden). Rotation/prune runs inside the drain,
+// off the delivery hot path. Returns an EventEmitter-like object ({ append, flush, close, on }).
+function createAuditWriter(options = {}) {
+  const filePath = options.path;
+  if (!filePath) throw new Error('createAuditWriter requires a path');
+  const queueMax = Number.isFinite(options.queueMax) ? options.queueMax : DEFAULT_QUEUE_MAX;
+  const flushMs = Number.isFinite(options.flushMs) ? options.flushMs : DEFAULT_FLUSH_MS;
+  const preview = options.preview === true;
+  const previewBytes = Number.isFinite(options.previewBytes) ? options.previewBytes : DEFAULT_PREVIEW_BYTES;
+  const maxBytes = Number.isFinite(options.maxBytes) ? options.maxBytes : DEFAULT_MAX_BYTES;
+  const maxFiles = Number.isFinite(options.maxFiles) ? options.maxFiles : DEFAULT_MAX_FILES;
+  const maxAgeDays = Number.isFinite(options.maxAgeDays) ? options.maxAgeDays : DEFAULT_MAX_AGE_DAYS;
+
+  const emitter = new EventEmitter();
+  let queue = [];
+  let timer = null;
+  let writing = false;
+  let closed = false;
+  let droppedTotal = 0;
+
+  ensureDir();
+
+  function ensureDir() {
+    const dir = path.dirname(filePath);
+    try {
+      fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+      fs.chmodSync(dir, 0o700); // tighten even if the dir pre-existed with a looser mode
+    } catch { /* best-effort; surfaced as audit_error at first write if truly broken */ }
+  }
+
+  // Fire-and-forget: NEVER returns a promise to the caller — the delivery path must not await.
+  function append(record) {
+    if (closed) return;
+    if (queue.length >= queueMax) {
+      queue.shift(); // drop oldest
+      droppedTotal += 1;
+      emitter.emit('audit_overflow', { dropped: droppedTotal, queueMax });
+    }
+    queue.push({
+      ...record,
+      preview: record.preview != null ? record.preview : preview,
+      previewBytes: record.previewBytes != null ? record.previewBytes : previewBytes
+    });
+    scheduleFlush();
+  }
+
+  function scheduleFlush() {
+    if (timer || writing || queue.length === 0) return;
+    timer = setTimeout(() => { timer = null; flush().catch(() => {}); }, flushMs);
+    if (timer && typeof timer.unref === 'function') timer.unref();
+  }
+
+  async function flush() {
+    if (writing || queue.length === 0) return;
+    writing = true;
+    const batch = queue;
+    queue = [];
+    try {
+      await rotateIfNeeded();
+      const data = batch.map((r) => buildAuditLine(r)).join('\n') + '\n';
+      await fs.promises.appendFile(filePath, data, { mode: 0o600 });
+      // appendFile's mode only applies on create — chmod each flush so a pre-existing file
+      // (or umask-loosened create) is forced to 0600 (the file may carry preview content).
+      try { await fs.promises.chmod(filePath, 0o600); } catch { /* best-effort */ }
+    } catch (err) {
+      emitter.emit('audit_error', err);
+    } finally {
+      writing = false;
+      if (queue.length > 0) scheduleFlush();
+    }
+  }
+
+  async function rotateIfNeeded() {
+    let size = 0;
+    try { size = (await fs.promises.stat(filePath)).size; } catch { size = 0; }
+    if (size >= maxBytes) {
+      // Shift .{maxFiles-1}→.{maxFiles} … .1→.2, dropping the oldest beyond maxFiles, then
+      // active→.1. rename overwrites, so the file falling off the top is discarded.
+      for (let i = maxFiles - 1; i >= 1; i--) {
+        try { await fs.promises.rename(`${filePath}.${i}`, `${filePath}.${i + 1}`); } catch { /* gap */ }
+      }
+      try { await fs.promises.rename(filePath, `${filePath}.1`); } catch { /* nothing to rotate */ }
+    }
+    await pruneByAge();
+  }
+
+  async function pruneByAge() {
+    if (!(maxAgeDays > 0)) return;
+    const cutoff = Date.now() - maxAgeDays * 86400000;
+    for (let i = 1; i <= maxFiles; i++) {
+      const rotated = `${filePath}.${i}`;
+      try {
+        const st = await fs.promises.stat(rotated);
+        if (st.mtimeMs < cutoff) await fs.promises.unlink(rotated);
+      } catch { /* absent or busy — best-effort */ }
+    }
+  }
+
+  async function close() {
+    closed = true;
+    if (timer) { clearTimeout(timer); timer = null; }
+    await flush();
+  }
+
+  return {
+    append,
+    flush,
+    close,
+    on: emitter.on.bind(emitter),
+    off: emitter.off.bind(emitter)
+  };
+}
+
+function toMs(value) {
+  if (value == null) return null;
+  if (typeof value === 'number') return value < 1e12 ? value * 1000 : value;
+  const s = String(value).trim();
+  if (/^\d+$/.test(s)) {
+    const n = Number(s);
+    return n < 1e12 ? n * 1000 : n;
+  }
+  const parsed = Date.parse(s);
+  return Number.isNaN(parsed) ? null : parsed;
+}
+
+// Filter an array of parsed records (spec §7). `from` matches claimed_from OR
+// verified_sender_sid; `to` matches the resolved sid OR the pre-resolution alias.
+function matchInjects(records, filters = {}) {
+  let out = records;
+  const since = toMs(filters.since);
+  const until = toMs(filters.until);
+  if (since != null) out = out.filter((r) => { const t = toMs(r.ts); return t != null && t >= since; });
+  if (until != null) out = out.filter((r) => { const t = toMs(r.ts); return t != null && t <= until; });
+  if (filters.to) out = out.filter((r) => r.to === filters.to || r.to_alias === filters.to);
+  if (filters.from) out = out.filter((r) => r.claimed_from === filters.from || r.verified_sender_sid === filters.from);
+  if (filters.spoof) out = out.filter((r) => r.spoof_suspected === true);
+  return out;
+}
+
+// Read the jsonl, filter, return newest-first, paginate by cursor (line offset into the
+// filtered newest-first list). Bounded by `limit` (default 200). Absent file → empty result.
+function readInjectLog(filePath, options = {}) {
+  const limit = Math.min(Math.max(Number(options.limit) || 200, 1), 1000);
+  const cursor = Number(options.cursor) > 0 ? Number(options.cursor) : 0;
+  let raw = '';
+  try { raw = fs.readFileSync(filePath, 'utf8'); } catch { return { injects: [], next_cursor: null }; }
+
+  const records = raw.split('\n').filter(Boolean).map((l) => {
+    try { return JSON.parse(l); } catch { return null; }
+  }).filter(Boolean);
+
+  const filtered = matchInjects(records, options);
+  filtered.reverse(); // newest first
+  const page = filtered.slice(cursor, cursor + limit);
+  const next = cursor + limit < filtered.length ? cursor + limit : null;
+  return { injects: page, next_cursor: next };
+}
+
+module.exports = {
+  buildAuditLine,
+  createAuditWriter,
+  readInjectLog,
+  matchInjects
+};

package/src/protocol/http-auth.js

@@ -21,6 +21,38 @@ function createVerifyJwt(JWT_SECRET) {
   return verifyJwt;
 }
 
+function createBrokerAcl(aclTable = {}) {
+  return {
+    canInject(fromNode, toNode) {
+      if (!fromNode || !toNode) return false;
+      const allowedTargets = aclTable[fromNode];
+      if (Array.isArray(allowedTargets)) return allowedTargets.includes(toNode);
+      if (allowedTargets instanceof Set) return allowedTargets.has(toNode);
+      return false;
+    }
+  };
+}
+
+function signNodeJwt(secret, claims) {
+  if (!secret) throw new Error('JWT secret is required');
+  if (!claims || typeof claims !== 'object') throw new Error('JWT claims are required');
+
+  const headerB64 = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
+  const payloadB64 = Buffer.from(JSON.stringify(claims)).toString('base64url');
+  const sigB64 = crypto.createHmac('sha256', secret)
+    .update(`${headerB64}.${payloadB64}`)
+    .digest('base64url');
+  return `${headerB64}.${payloadB64}.${sigB64}`;
+}
+
+function isRevokedNode(revokedNodes, decodedJwtOrSub) {
+  const sub = typeof decodedJwtOrSub === 'string' ? decodedJwtOrSub : decodedJwtOrSub && decodedJwtOrSub.sub;
+  if (!sub || !revokedNodes) return false;
+  if (Array.isArray(revokedNodes)) return revokedNodes.includes(sub);
+  if (revokedNodes instanceof Set) return revokedNodes.has(sub);
+  return false;
+}
+
 function createIsAllowedPeer(PEER_ALLOWLIST) {
   function isAllowedPeer(ip) {
     if (!ip) return false;
@@ -66,6 +98,9 @@ function createAuthMiddleware(options) {
 
 module.exports = {
   createAuthMiddleware,
+  createBrokerAcl,
   createIsAllowedPeer,
-  createVerifyJwt
+  createVerifyJwt,
+  isRevokedNode,
+  signNodeJwt
 };

package/src/submit-gate.js

@@ -198,6 +198,7 @@ async function confirmSubmitAccepted(session, bodyText, opts = {}) {
 
   let lastVisibility = null;
   let everVisible = false;
+  let everObservedOutput = false;
 
   while (true) {
     const state = getState ? getState() : null;
@@ -214,6 +215,7 @@ async function confirmSubmitAccepted(session, bodyText, opts = {}) {
 
     const visibility = observeBodyVisibility(session, bodyText, opts);
     lastVisibility = visibility;
+    if (visibility.observable && visibility.empty === false) everObservedOutput = true;
     if (visibility.reason === 'empty_body') {
       return {
         accepted: true,
@@ -235,22 +237,67 @@ async function confirmSubmitAccepted(session, bodyText, opts = {}) {
     }
     if (visibility.visible) {
       everVisible = true;
-    } else {
+    } else if (everVisible) {
+      // Body was visible then disappeared — the CR consumed the input line.
+      return {
+        accepted: true,
+        retryable: false,
+        waited_ms: now() - start,
+        reason: 'body_consumed',
+        visibility,
+      };
+    } else if (!getState) {
+      // No state probe → preserve the optimistic body-absent accept so callers
+      // without a sessionStateManager keep the prior screen-free behavior.
       return {
         accepted: true,
         retryable: false,
         waited_ms: now() - start,
-        reason: everVisible ? 'body_consumed' : 'body_absent',
+        reason: 'body_absent',
         visibility,
       };
     }
+    // else: body never observably present AND a state probe IS available — do NOT
+    // optimistically accept on absence. A dropped CR on codex alt-screen renders
+    // the body OFF the outputRing tail, so absence is not positive submit evidence
+    // (#568 FM3). Keep polling within the window for the primary signal — a state
+    // transition idle→working/thinking. If none arrives, fall through to no_land.
 
     if (now() - start >= timeoutMs) {
+      if (visibility.visible) {
+        // Body stayed in the input box the whole window — the CR was not consumed.
+        return {
+          accepted: false,
+          retryable: true,
+          waited_ms: now() - start,
+          reason: 'body_still_visible',
+          visibility,
+          state: state || undefined,
+        };
+      }
+      if (everObservedOutput) {
+        // The terminal produced output (it is alive) but the body was never consumed
+        // AND no state transition occurred — the CR did not land (#568 FM3, e.g. a
+        // dropped CR on codex alt-screen). Truthful retryable failure, never a false
+        // success on an unsent CR.
+        return {
+          accepted: false,
+          retryable: true,
+          waited_ms: now() - start,
+          reason: 'no_land',
+          visibility,
+          state: state || undefined,
+        };
+      }
+      // No observable terminal output at all for the whole window — we have zero
+      // screen evidence either way. Preserve the long-standing optimistic accept
+      // (back-compat: a wrapped session that never echoes), but mark it ambiguous.
       return {
-        accepted: false,
-        retryable: true,
+        accepted: true,
+        retryable: false,
         waited_ms: now() - start,
-        reason: 'body_still_visible',
+        reason: 'no_observable',
+        ambiguous: true,
         visibility,
         state: state || undefined,
       };
@@ -260,6 +307,78 @@ async function confirmSubmitAccepted(session, bodyText, opts = {}) {
   }
 }
 
+/**
+ * Render-gate the submit CR (#568). Resolve `ready` only when the input is
+ * settled enough to safely receive a bare 0x0D:
+ *   - the injected body is echoed in the outputRing tail (the input is present), AND
+ *   - the render has gone quiet — the tail is unchanged for ≥ quietWindowMs.
+ *
+ * This closes the FM1 busy-render race: the pre-#568 submit fired the CR with no
+ * readiness gate, so under load the CR landed mid-render and the TUI dropped it.
+ * The daemon applies the same gate before each retry CR (FM2).
+ *
+ * Bounded + best-effort: if the render never goes quiet within timeoutMs (e.g. a
+ * continuous spinner), resolve { ready:false, reason:'timeout' } so the caller
+ * STILL writes the CR — never worse than the pre-gate behavior. When the body
+ * never echoes into the tail (alt-screen / non-echoing TUI), settle on the quiet
+ * window alone once echoGraceMs has elapsed (reason:'settled_no_echo').
+ *
+ * Pure: outputRing-only, DI now/sleep — no I/O, no daemon coupling.
+ *
+ * @param {{ outputRing?: string[] }} session
+ * @param {string} bodyText
+ * @param {{ timeoutMs?: number, quietWindowMs?: number, echoGraceMs?: number, pollIntervalMs?: number, tailBytes?: number, stripAnsi?: Function, now?: Function, sleep?: Function }} [opts]
+ * @returns {Promise<{ ready: boolean, reason: string, echoed: boolean, settled: boolean, waited_ms: number }>}
+ */
+async function awaitInputSettled(session, bodyText, opts = {}) {
+  const timeoutMs = Number.isFinite(opts.timeoutMs) ? opts.timeoutMs : 1500;
+  const quietWindowMs = Number.isFinite(opts.quietWindowMs) ? opts.quietWindowMs : 100;
+  const echoGraceMs = Number.isFinite(opts.echoGraceMs) ? opts.echoGraceMs : 400;
+  const pollIntervalMs = Number.isFinite(opts.pollIntervalMs) ? opts.pollIntervalMs : 30;
+  const tailBytes = Number.isFinite(opts.tailBytes) ? opts.tailBytes : 8192;
+  const stripAnsi = typeof opts.stripAnsi === 'function' ? opts.stripAnsi : (s) => s;
+  const now = typeof opts.now === 'function' ? opts.now : () => Date.now();
+  const sleep = typeof opts.sleep === 'function' ? opts.sleep : (ms) => new Promise((r) => setTimeout(r, ms));
+
+  const needle = normalize(bodyText);
+  if (!needle) {
+    return { ready: true, reason: 'empty_body', echoed: false, settled: true, waited_ms: 0 };
+  }
+  if (!session || !Array.isArray(session.outputRing)) {
+    // No ring to observe — cannot gate; stay optimistic and never block the CR.
+    return { ready: true, reason: 'no_ring', echoed: false, settled: false, waited_ms: 0 };
+  }
+
+  const start = now();
+  let lastTail = null;
+  let lastChangeAt = start;
+  let everEchoed = false;
+
+  while (true) {
+    const tail = normalize(stripAnsi(readTail(session, tailBytes)));
+    if (tail.indexOf(needle) !== -1) everEchoed = true;
+
+    if (lastTail === null || tail !== lastTail) {
+      // Render still active — reset the quiet-window timer.
+      lastTail = tail;
+      lastChangeAt = now();
+    } else if (now() - lastChangeAt >= quietWindowMs) {
+      // Tail unchanged for the full quiet window → render settled.
+      if (everEchoed) {
+        return { ready: true, reason: 'settled', echoed: true, settled: true, waited_ms: now() - start };
+      }
+      if (now() - start >= echoGraceMs) {
+        return { ready: true, reason: 'settled_no_echo', echoed: false, settled: true, waited_ms: now() - start };
+      }
+    }
+
+    if (now() - start >= timeoutMs) {
+      return { ready: false, reason: 'timeout', echoed: everEchoed, settled: false, waited_ms: now() - start };
+    }
+    await sleep(pollIntervalMs);
+  }
+}
+
 function isAcceptedSubmitState(state, submittedAtMs) {
   if (!state || !ACCEPTED_AFTER_SUBMIT_STATES.has(state.state)) return false;
   if (!Number.isFinite(submittedAtMs)) {
@@ -292,6 +411,7 @@ function observeBodyVisibility(session, bodyText, opts = {}) {
       observable: true,
       visible: haystack.indexOf(needle) !== -1,
       source: 'screen',
+      empty: haystack.length === 0,
     };
   }
 
@@ -305,6 +425,10 @@ function observeBodyVisibility(session, bodyText, opts = {}) {
     observable: true,
     visible: haystack.indexOf(needle) !== -1,
     source: 'output_ring',
+    // #568: distinguish "terminal alive but body off-screen" (empty=false → a
+    // dropped CR is no_land) from "no screen evidence at all" (empty=true → stay
+    // optimistic). Used by confirmSubmitAccepted's bounded timeout fallback.
+    empty: haystack.length === 0,
   };
 }
 
@@ -425,6 +549,7 @@ function defaultReadScreen(workspaceId, lines) {
 
 module.exports = {
   awaitReplReady,
+  awaitInputSettled,
   verifyBodyConsumed,
   confirmSubmitAccepted,
   observeBodyVisibility,