@empir3/empir3-bridge 0.3.21

package/scripts/check-companion-surface.mjs

@@ -0,0 +1,118 @@
+#!/usr/bin/env node
+import { readFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const root = resolve(dirname(fileURLToPath(import.meta.url)), '..');
+const serverSource = readFileSync(resolve(root, 'src/server.ts'), 'utf8');
+const bridgeUrl = process.env.BRIDGE_SMOKE_URL || '';
+
+const staticNeedles = [
+  'desktop:app',
+  'desktop:clipboard',
+  'desktop:execute',
+  'desktop:notify',
+  'desktop:file',
+  'desktop:file:pull',
+  'desktop:project:file',
+  'desktop:sync:push',
+  'desktop:capabilities',
+  'desktop:sysinfo',
+  'desktop:window',
+  'desktop:gui',
+  'desktop:agent-browser',
+  'desktop:browse',
+  'click_ref',
+  'type_ref',
+  'click_selector',
+  'type_selector',
+  'read_chat',
+  'recordings',
+  'desktop_cursor_position',
+];
+
+const failures = [];
+for (const needle of staticNeedles) {
+  if (!serverSource.includes(needle)) failures.push(`missing static surface: ${needle}`);
+}
+
+async function postCommand(cmd) {
+  const res = await fetch(`${bridgeUrl}/api/command`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(cmd),
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok || !body.ok) {
+    return { ok: false, status: res.status, body };
+  }
+  return { ok: true, result: body.result };
+}
+
+if (bridgeUrl) {
+  const requireCommand = async (label, cmd) => {
+    const r = await postCommand(cmd);
+    const text = JSON.stringify(r);
+    if (!r.ok) failures.push(`${label}: HTTP command failed ${text}`);
+    else if (/Unknown command|Unsupported desktop message|Unsupported .* action/i.test(text)) failures.push(`${label}: unsupported ${text}`);
+    return r.ok ? r.result : null;
+  };
+
+  const liveCommands = [
+    { label: 'capabilities quick', cmd: { type: 'desktop:capabilities:quick' } },
+    { label: 'capabilities check_cli', cmd: { type: 'desktop:capabilities:check_cli', name: 'node' } },
+    { label: 'sysinfo overview', cmd: { type: 'desktop:sysinfo:overview' } },
+    { label: 'sysinfo battery', cmd: { type: 'desktop:sysinfo:battery' } },
+    { label: 'sysinfo installed', cmd: { type: 'desktop:sysinfo:installed' } },
+    { label: 'window list', cmd: { type: 'desktop:window:list' } },
+    { label: 'window active', cmd: { type: 'desktop:window:active' } },
+    { label: 'gui monitors', cmd: { type: 'desktop:gui:monitors' } },
+    { label: 'gui position', cmd: { type: 'desktop:gui:position' } },
+    { label: 'gui screensize', cmd: { type: 'desktop:gui:screensize' } },
+    { label: 'app is_running', cmd: { type: 'desktop:app:is_running', name: 'explorer' } },
+    { label: 'browser status alias', cmd: { type: 'desktop:browse:status' } },
+    { label: 'browser recordings alias', cmd: { type: 'desktop:agent-browser:recordings' } },
+    { label: 'mcp cursor position', cmd: { type: 'desktop_cursor_position' } },
+  ];
+
+  for (const { label, cmd } of liveCommands) {
+    await requireCommand(label, cmd);
+  }
+
+  if (process.env.BRIDGE_SMOKE_BROWSER === '1') {
+    const html = '<!doctype html><html><body><label>Name <input id="name" aria-label="Name"></label><button id="go">Go</button><output id="out"></output><script>document.getElementById("go").onclick=()=>{document.getElementById("out").textContent="clicked:"+document.getElementById("name").value}</script></body></html>';
+    await requireCommand('browser navigate alias', { type: 'desktop:browse:navigate', url: `data:text/html;charset=utf-8,${encodeURIComponent(html)}` });
+    await new Promise(r => setTimeout(r, 700));
+    await requireCommand('browser type_selector alias', { type: 'desktop:browse:type_selector', selector: '#name', text: 'Vincent selector' });
+    await requireCommand('browser click_selector alias', { type: 'desktop:browse:click_selector', selector: '#go' });
+    const selectorResult = await requireCommand('browser selector evaluate', { type: 'desktop:browse:evaluate', script: 'document.getElementById("out").textContent' });
+    if (!String(selectorResult?.result || '').includes('Vincent selector')) failures.push(`browser selector round trip failed: ${JSON.stringify(selectorResult)}`);
+
+    const screenshot = await requireCommand('browser screenshot alias', { type: 'desktop:browse:screenshot', quality: 60 });
+    if (!screenshot?.base64 || screenshot?.mimeType !== 'image/jpeg' || Number(screenshot?.bytes || 0) < 1000) {
+      failures.push(`browser screenshot shape invalid: ${JSON.stringify({ mimeType: screenshot?.mimeType, bytes: screenshot?.bytes })}`);
+    }
+
+    await requireCommand('browser ref navigate alias', { type: 'desktop:browse:navigate', url: `data:text/html;charset=utf-8,${encodeURIComponent(html)}` });
+    await new Promise(r => setTimeout(r, 700));
+    const snap = await requireCommand('browser snapshot alias', { type: 'desktop:browse:snapshot', filter: 'all', format: 'json' });
+    const elements = Array.isArray(snap?.snapshot) ? snap.snapshot : (snap?.snapshot?.elements || snap?.snapshot?.tree || snap?.snapshot?.nodes || []);
+    const input = elements.find(e => e.role === 'input') || elements.find(e => /Name/i.test(`${e.name || ''} ${e.role || ''}`));
+    const button = elements.find(e => e.role === 'button' && /Go/i.test(`${e.name || ''}`)) || elements.find(e => /Go/i.test(`${e.name || ''}`));
+    if (!input?.ref || !button?.ref) failures.push(`browser refs missing: ${JSON.stringify(elements.slice(0, 5))}`);
+    else {
+      await requireCommand('browser type_ref alias', { type: 'desktop:browse:type_ref', ref: input.ref, text: 'Vincent ref' });
+      await requireCommand('browser click_ref alias', { type: 'desktop:browse:click_ref', ref: button.ref });
+      const refResult = await requireCommand('browser ref evaluate', { type: 'desktop:browse:evaluate', script: 'document.getElementById("out").textContent' });
+      if (!String(refResult?.result || '').includes('Vincent ref')) failures.push(`browser ref round trip failed: ${JSON.stringify(refResult)}`);
+    }
+  }
+}
+
+if (failures.length) {
+  console.error('Companion surface check failed:');
+  for (const failure of failures) console.error(`- ${failure}`);
+  process.exit(1);
+}
+
+console.log(`Companion surface check passed${bridgeUrl ? ` against ${bridgeUrl}` : ' (static)'}.`);

package/scripts/extract-welcome.mjs

@@ -0,0 +1,64 @@
+// Reverse of splice-welcome.mjs: regenerate scripts/welcome-body.txt FROM the
+// current getWelcomeHtml() body in src/server.ts. Use this to re-sync the
+// template after the function was edited directly in server.ts, so a later
+// `node scripts/splice-welcome.mjs` is a no-op instead of clobbering live code.
+//
+// Boundary contract MUST mirror splice-welcome.mjs exactly:
+//   spliced server.ts contains  "function getWelcomeHtml(apiBase = '') {\n" + body + "\n}"
+//   => body = src.slice(bodyStart, stopAt - 2)   (strip the leading "\n" after "{"
+//      and the trailing "\n}" the splicer adds).
+
+import { readFileSync, writeFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const ROOT = join(here, '..');
+const SRV  = join(ROOT, 'src', 'server.ts');
+const BODY = join(here, 'welcome-body.txt');
+
+const src = readFileSync(SRV, 'utf8');
+
+const startMarker = "function getWelcomeHtml(apiBase = '') {";
+const startIdx = src.indexOf(startMarker);
+if (startIdx === -1) throw new Error('start marker not found in src/server.ts');
+
+// Identical brace/string/comment walk to splice-welcome.mjs.
+let i = startIdx;
+let depth = 0;
+let inSingle = false, inDouble = false, inBacktick = false, inLine = false, inBlock = false;
+let prevCh = '';
+let stopAt = -1;
+for (; i < src.length; i++) {
+  const c = src[i];
+  if (inLine) { if (c === '\n') inLine = false; prevCh = c; continue; }
+  if (inBlock) { if (prevCh === '*' && c === '/') inBlock = false; prevCh = c; continue; }
+  if (!inSingle && !inDouble && !inBacktick) {
+    if (c === '/' && src[i+1] === '/') { inLine = true; i++; prevCh = ''; continue; }
+    if (c === '/' && src[i+1] === '*') { inBlock = true; i++; prevCh = ''; continue; }
+  }
+  if (!inDouble && !inBacktick && c === "'" && prevCh !== '\\') { inSingle = !inSingle; prevCh = c; continue; }
+  if (!inSingle && !inBacktick && c === '"' && prevCh !== '\\') { inDouble = !inDouble; prevCh = c; continue; }
+  if (!inSingle && !inDouble && c === '`' && prevCh !== '\\') { inBacktick = !inBacktick; prevCh = c; continue; }
+  if (inSingle || inDouble || inBacktick) { prevCh = c; continue; }
+  if (c === '{') depth++;
+  else if (c === '}') { depth--; if (depth === 0) { stopAt = i + 1; break; } }
+  prevCh = c;
+}
+if (stopAt === -1) throw new Error('matching closing brace not found');
+
+// Skip the newline sequence right after the "{" (CRLF or LF).
+let bodyStart = startIdx + startMarker.length;
+if (src[bodyStart] === '\r') bodyStart++;
+if (src[bodyStart] === '\n') bodyStart++;
+else throw new Error(`expected newline right after function signature, got ${JSON.stringify(src.slice(startIdx + startMarker.length, startIdx + startMarker.length + 2))}`);
+
+// The closing "}" is at stopAt-1; trim the newline sequence (\r?\n) before it.
+let bodyEnd = stopAt - 1; // index of '}'
+if (src[bodyEnd - 1] === '\n') bodyEnd--;
+if (src[bodyEnd - 1] === '\r') bodyEnd--;
+
+const body = src.slice(bodyStart, bodyEnd);
+writeFileSync(BODY, body);
+const lines = (body.match(/\n/g) || []).length + 1;
+console.log(`Extracted getWelcomeHtml body -> welcome-body.txt (${lines} lines, ${body.length} bytes)`);

package/scripts/gh-route-handler-check.mjs

@@ -0,0 +1,57 @@
+// Focused live check for the lent-GitHub-CLI execution + enforcement layer that
+// the new empir3-channel route (handleEmpir3Message: github:probe / github:exec)
+// delegates to. Exercises the REAL handlers against REAL gh on this machine.
+// Read-only gh commands only. Run: npx tsx scripts/gh-route-handler-check.mjs
+import * as ghNs from '../src/handlers/github-cli.ts';
+const gh = ghNs.default ?? ghNs;
+const { probeGithubCli, githubExec, defaultGhScopes } = gh;
+
+const ON = defaultGhScopes();                       // read/pr/issue/repo/release on; workflow/admin/api_write off
+let pass = 0, fail = 0;
+const ok = (c, msg, extra) => { (c ? pass++ : fail++); console.log(`${c ? 'PASS' : 'FAIL'}  ${msg}${extra ? `  → ${extra}` : ''}`); };
+
+console.log('— probe —');
+const p = await probeGithubCli(true, ON);
+ok(p.available === true, 'probe: gh available', `path=${p.path}`);
+ok(p.authenticated === true, 'probe: authenticated', `account=${p.account}`);
+ok(typeof p.account === 'string' && p.account.length > 0, 'probe: active account parsed', p.account);
+ok(p.device_opted_in === true && !!p.scopes, 'probe: opt-in + scope matrix surfaced', JSON.stringify(p.scopes));
+
+console.log('\n— exec: read-scope commands (real gh) —');
+const ver = await githubExec({ args: ['--version'], scopes: ON });
+ok(ver.success === true && /gh version/i.test(ver.stdout || ''), 'exec gh --version', (ver.stdout || '').split('\n')[0]);
+ok(ver.scope === 'read' && ver.exitCode === 0, 'exec --version classified read, exit 0');
+
+const auth = await githubExec({ args: ['auth', 'status'], scopes: ON });
+ok(auth.success === true && auth.scope === 'read', 'exec gh auth status (read)', `exit ${auth.exitCode}`);
+
+const repos = await githubExec({ args: ['repo', 'list', '--limit', '3'], scopes: ON });
+ok(repos.success === true && repos.scope === 'read', 'exec gh repo list --limit 3 (real API call)', `exit ${repos.exitCode}`);
+console.log('   repo list head:', (repos.stdout || repos.stderr || '').split('\n').slice(0, 3).join(' | ').slice(0, 160));
+
+console.log('\n— enforcement: scope gate + hard-blocks —');
+const secret = await githubExec({ args: ['secret', 'list'], scopes: ON }); // admin scope, default OFF
+ok(secret.success === false && secret.stage === 'scope_disabled' && secret.scope === 'admin',
+   'exec gh secret list refused (scope_disabled: admin)', `stage=${secret.stage} scope=${secret.scope}`);
+
+const wf = await githubExec({ args: ['workflow', 'run', 'ci.yml'], scopes: ON }); // workflow scope, default OFF
+ok(wf.success === false && wf.stage === 'scope_disabled' && wf.scope === 'workflow',
+   'exec gh workflow run refused (scope_disabled: workflow)', `scope=${wf.scope}`);
+
+const tok = await githubExec({ args: ['auth', 'token'], scopes: ON });
+ok(tok.success === false && tok.stage === 'blocked', 'exec gh auth token HARD-BLOCKED', tok.error?.slice(0, 60));
+
+const ext = await githubExec({ args: ['extension', 'install', 'x/y'], scopes: ON });
+ok(ext.success === false && ext.stage === 'blocked', 'exec gh extension install HARD-BLOCKED');
+
+const bogus = await githubExec({ args: ['frobnicate'], scopes: ON });
+ok(bogus.success === false && bogus.stage === 'blocked', 'exec unknown top-level cmd default-DENY');
+
+console.log('\n— scope-enabled passes when toggled on —');
+const adminOn = { ...ON, admin: true };
+const secret2 = await githubExec({ args: ['secret', 'list', '--repo', `${p.account}/nonexistent-repo-xyz`], scopes: adminOn });
+// With admin enabled the scope gate passes; gh itself may cli_error on a bogus repo — that's the right layer.
+ok(secret2.stage !== 'scope_disabled', 'admin scope enabled → passes scope gate (reaches gh)', `stage=${secret2.stage ?? 'ok'}`);
+
+console.log(`\n${fail === 0 ? '✅' : '❌'} ${pass} passed, ${fail} failed`);
+process.exit(fail === 0 ? 0 : 1);

package/scripts/gh-wire-test.mjs

@@ -0,0 +1,107 @@
+// Wire-level smoke for the empir3-channel GitHub route.
+//
+// Spins an isolated bridge server (tsx src/server.ts) on an alt port pointed at
+// a LOCAL mock empir3 WS server (this file). The mock drives github:probe +
+// github:exec exactly as empir3-server would, and verifies the bridge's
+// handleEmpir3Message route replies (github:probe:result / github:exec:result)
+// with real gh. Does NOT touch the installed daemon, prod, or Chrome.
+//
+// Run from the bridge repo:  node scripts/gh-wire-test.mjs
+import { WebSocketServer } from 'ws';
+import { spawn, execSync } from 'node:child_process';
+
+const WS_PORT = 4599;
+const PW_PORT = 3199;
+let pass = 0, fail = 0, child = null, done = false;
+const ok = (c, m, x) => { (c ? pass++ : fail++); console.log(`${c ? 'PASS' : 'FAIL'}  ${m}${x ? `  → ${x}` : ''}`); };
+
+const wss = new WebSocketServer({ host: '127.0.0.1', port: WS_PORT });
+console.log(`[mock-empir3] listening on ws://127.0.0.1:${WS_PORT}`);
+
+function cleanup(code) {
+  if (done) return; done = true;
+  try { if (child?.pid) execSync(`taskkill /pid ${child.pid} /T /F`, { stdio: 'ignore' }); } catch {}
+  try { wss.close(); } catch {}
+  console.log(`\n${fail === 0 ? '✅' : '❌'} wire route: ${pass} passed, ${fail} failed`);
+  setTimeout(() => process.exit(code ?? (fail === 0 ? 0 : 1)), 300);
+}
+const hardTimer = setTimeout(() => { console.log('[mock-empir3] overall timeout'); fail++; cleanup(1); }, 60_000);
+
+wss.on('connection', (ws, req) => {
+  console.log(`[mock-empir3] bridge connected: ${req.url}`);
+  const waiters = new Map();                       // id -> resolve
+  const reply = (type, id) => new Promise((res) => { waiters.set(`${type}:${id}`, res); });
+
+  ws.on('message', (data) => {
+    let msg; try { msg = JSON.parse(data.toString()); } catch { return; }
+    const p = msg.payload || {};
+    // Resolve any waiter keyed by replytype:id
+    if (msg.type && p.id != null) {
+      const w = waiters.get(`${msg.type}:${p.id}`);
+      if (w) { waiters.delete(`${msg.type}:${p.id}`); w(p); }
+    }
+  });
+
+  const send = (type, payload) => ws.send(JSON.stringify({ type, payload }));
+
+  (async () => {
+    await new Promise(r => setTimeout(r, 1500));   // let the bridge finish its init announces
+
+    // 1) probe
+    const probeP = reply('github:probe:result', 'p1');
+    send('github:probe', { id: 'p1' });
+    const probe = await Promise.race([probeP, new Promise(r => setTimeout(() => r(null), 8000))]);
+    if (!probe) { ok(false, 'github:probe round-trip (no reply)'); }
+    else {
+      ok(probe.available === true, 'github:probe:result available', `path=${probe.path}`);
+      ok(probe.authenticated === true && !!probe.account, 'github:probe:result authed', `account=${probe.account}`);
+      ok(probe.device_opted_in === true, 'github:probe:result device_opted_in (lend ON)', String(probe.device_opted_in));
+      ok(!!probe.scopes && probe.scopes.read === true, 'github:probe:result scope matrix', JSON.stringify(probe.scopes));
+    }
+
+    // 2) exec: gh --version (read)
+    const verP = reply('github:exec:result', 'e1');
+    send('github:exec', { id: 'e1', args: ['--version'], timeout_sec: 60 });
+    const ver = await Promise.race([verP, new Promise(r => setTimeout(() => r(null), 15000))]);
+    ok(ver && ver.success === true && /gh version/i.test(ver.stdout || ''), 'github:exec gh --version round-trip', ver ? (ver.stdout || '').split('\n')[0] : 'no reply');
+    ok(ver && ver.scope === 'read' && ver.exitCode === 0, 'github:exec --version → read, exit 0');
+
+    // 3) exec: real API call (read)
+    const repoP = reply('github:exec:result', 'e2');
+    send('github:exec', { id: 'e2', args: ['repo', 'list', '--limit', '3'], timeout_sec: 60 });
+    const repo = await Promise.race([repoP, new Promise(r => setTimeout(() => r(null), 20000))]);
+    ok(repo && repo.success === true && repo.scope === 'read', 'github:exec gh repo list (real API) round-trip', repo ? `exit ${repo.exitCode}` : 'no reply');
+    if (repo?.stdout) console.log('   repo list head:', repo.stdout.split('\n').slice(0, 2).join(' | ').slice(0, 140));
+
+    // 4) exec: scope_disabled (admin off) — comes back as a normal result, success:false
+    const secP = reply('github:exec:result', 'e3');
+    send('github:exec', { id: 'e3', args: ['secret', 'list'], timeout_sec: 60 });
+    const sec = await Promise.race([secP, new Promise(r => setTimeout(() => r(null), 10000))]);
+    ok(sec && sec.success === false && sec.stage === 'scope_disabled' && sec.scope === 'admin',
+       'github:exec secret list → scope_disabled:admin', sec ? `stage=${sec.stage}` : 'no reply');
+
+    // 5) exec: hard-blocked
+    const tokP = reply('github:exec:result', 'e4');
+    send('github:exec', { id: 'e4', args: ['auth', 'token'], timeout_sec: 60 });
+    const tok = await Promise.race([tokP, new Promise(r => setTimeout(() => r(null), 10000))]);
+    ok(tok && tok.success === false && tok.stage === 'blocked', 'github:exec auth token → blocked', tok ? tok.error?.slice(0, 50) : 'no reply');
+
+    clearTimeout(hardTimer);
+    cleanup();
+  })().catch((e) => { console.error('[mock-empir3] driver error:', e); fail++; cleanup(1); });
+});
+
+// ── spawn the isolated bridge server pointed at the mock ──
+const env = {
+  ...process.env,
+  PW_PORT: String(PW_PORT),                          // avoid the daemon's :3006
+  EMPIR3_BRIDGE_PORT: '9967',                         // avoid the daemon's :9867
+  EMPIR3_WS_URL: `ws://127.0.0.1:${WS_PORT}`,         // override → connect to mock, NOT prod
+  EMPIR3_AUTH_TOKEN: 'gh-wire-test-token',
+  EMPIR3_SERVER: `http://127.0.0.1:${PW_PORT}`,       // keep version-manifest fetch off prod
+};
+console.log('[mock-empir3] spawning isolated bridge: npx tsx src/server.ts (PW_PORT=' + PW_PORT + ')');
+child = spawn('npx', ['tsx', 'src/server.ts'], { env, cwd: process.cwd(), shell: true });
+child.stdout.on('data', d => process.stdout.write(`[bridge] ${d}`));
+child.stderr.on('data', d => process.stderr.write(`[bridge:err] ${d}`));
+child.on('exit', (c) => { if (!done) { console.log(`[bridge] exited early code=${c}`); fail++; cleanup(1); } });

package/scripts/publish-downloads.mjs

@@ -0,0 +1,180 @@
+#!/usr/bin/env node
+import { existsSync, readFileSync, statSync } from 'fs';
+import { createHash } from 'crypto';
+import { basename, join, resolve } from 'path';
+import { spawnSync } from 'child_process';
+import { fileURLToPath } from 'url';
+
+/**
+ * Publish the bridge download artifacts in a STAGED order so a fresh Go stub can
+ * never observe a manifest that points at not-yet-live artifacts, and the public
+ * Empir3Setup.exe never reads a manifest before it is live:
+ *
+ *   1. node + payload tarballs (+ their .sig)  ── the manifest points at these
+ *   2. bridge-version.json                      ── now points at #1, all live
+ *   3. Empir3Setup.exe                          ── only after its manifest is live
+ *
+ * The manifest signature is EMBEDDED (single file, atomic swap) so there is no
+ * manifest/.sig race — but artifact-before-manifest-before-exe still matters.
+ * After each hop we verify on the SERVER (sha256sum, authoritative — no
+ * Cloudflare cache in the way) before proceeding.
+ */
+const root = resolve(fileURLToPath(new URL('..', import.meta.url)));
+const dist = join(root, 'build', 'dist');
+const server = process.env.EMPIR3_DOWNLOAD_HOST;
+const remoteDir = process.env.EMPIR3_DOWNLOAD_DIR;
+const publicBase = process.env.EMPIR3_PAYLOAD_PUBLIC_URL_BASE || 'https://app.empir3.com/downloads';
+const dryRun = process.argv.includes('--dry-run');
+// The deploy target is intentionally NOT hardcoded (this is a public repo). Set
+// both env vars before a real publish; --dry-run can run without them.
+if (!dryRun && (!server || !remoteDir)) {
+  fail('set EMPIR3_DOWNLOAD_HOST (e.g. user@host) and EMPIR3_DOWNLOAD_DIR (e.g. /var/www/app/downloads) — the publish target is not stored in the repo');
+}
+
+function fail(message) {
+  console.error(`[publish-downloads] ${message}`);
+  process.exit(1);
+}
+
+function run(cmd, args, { capture = false } = {}) {
+  const pretty = [cmd, ...args].join(' ');
+  console.log(`[publish-downloads] ${pretty}`);
+  if (dryRun) return '';
+  const result = spawnSync(cmd, args, { stdio: capture ? ['ignore', 'pipe', 'inherit'] : 'inherit', shell: false, encoding: 'utf8' });
+  if (result.status !== 0) fail(`command failed: ${pretty}`);
+  return capture ? (result.stdout || '') : '';
+}
+
+function sha256OfFile(p) {
+  return createHash('sha256').update(readFileSync(p)).digest('hex');
+}
+
+function requireArtifact(name) {
+  const p = join(dist, name);
+  if (!existsSync(p) || !statSync(p).isFile()) fail(`required artifact missing: ${name} (run npm run build:windows)`);
+  return p;
+}
+
+// Upload each file ATOMICALLY: scp to a temp name, verify the temp's sha256 on
+// the server (authoritative — bypasses Cloudflare), then `mv` into place. The
+// rename is atomic on the same filesystem, so a fresh client can never observe
+// a partially-written file at the final name.
+function uploadAndVerify(label, files) {
+  console.log(`\n[publish-downloads] === ${label} ===`);
+  for (const f of files) {
+    const name = basename(f.path);
+    const tmp = `${remoteDir}/${name}.uploading`;
+    const final = `${remoteDir}/${name}`;
+    run('scp', [f.path, `${server}:${tmp}`]);
+    if (dryRun) continue;
+    const out = run('ssh', [server, `sha256sum '${tmp}'`], { capture: true });
+    const remoteSha = (out.trim().split(/\s+/)[0] || '').toLowerCase();
+    if (remoteSha !== f.sha) {
+      run('ssh', [server, `rm -f '${tmp}'`]);
+      fail(`server sha mismatch for ${name}: local ${f.sha} != remote ${remoteSha}`);
+    }
+    run('ssh', [server, `mv -f '${tmp}' '${final}'`]); // atomic swap into place
+    console.log(`[publish-downloads]   ✓ ${name} on server (sha ok, atomic mv)`);
+  }
+}
+
+// Verify a fresh client can actually fetch the artifact at the EXACT URL it will
+// use, with the right bytes. The artifact URLs carry a cache-bust query, so this
+// bypasses any Cloudflare cache and reflects origin.
+function publicShaCheck(url, wantSha) {
+  if (dryRun) return;
+  const out = run('ssh', [server, `curl -fsSL '${url}' | sha256sum`], { capture: true });
+  const got = (out.trim().split(/\s+/)[0] || '').toLowerCase();
+  if (got !== wantSha) fail(`public fetch sha mismatch for ${url}: got ${got}, want ${wantSha}`);
+  console.log(`[publish-downloads]   ✓ public ${url.split('/').pop()} (sha ok)`);
+}
+
+// Like publicShaCheck but retries — for a FIXED-name URL (bridge-version.json)
+// that Cloudflare may cache briefly. Blocks until the public URL returns the
+// expected bytes, or aborts with a purge hint.
+function publicShaCheckRetry(url, wantSha, { tries = 10, delayMs = 3000 } = {}) {
+  if (dryRun) return;
+  for (let i = 1; i <= tries; i++) {
+    const out = run('ssh', [server, `curl -fsSL '${url}' | sha256sum`], { capture: true });
+    const got = (out.trim().split(/\s+/)[0] || '').toLowerCase();
+    if (got === wantSha) { console.log(`[publish-downloads]   ✓ public ${url.split('/').pop()} reflects new bytes (try ${i})`); return; }
+    console.log(`[publish-downloads]   … public ${url.split('/').pop()} still stale (try ${i}/${tries}); got ${got.slice(0, 12)}…`);
+    if (i < tries) Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, delayMs); // block delayMs
+  }
+  fail(`public ${url} never returned the new sha (${wantSha}). Purge the Cloudflare cache for that URL, then re-run — the exe was NOT published, so nothing is half-live.`);
+}
+
+function publicGet200(name) {
+  if (dryRun) return;
+  run('ssh', [server, `curl -fsS -o /dev/null -w '%{http_code}' '${publicBase}/${name}' | grep -q 200 || (echo 'not 200' && exit 1)`]);
+}
+
+if (!existsSync(dist)) fail(`missing dist directory: ${dist}. Run npm run build:windows first.`);
+
+const manifestPath = join(dist, 'bridge-version.json');
+if (!existsSync(manifestPath)) fail('required artifact missing: bridge-version.json');
+const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+if (!manifest.version) fail('bridge-version.json is missing version');
+if (!manifest.nodeVersion) fail('bridge-version.json is missing nodeVersion (rebuild with the Go-bootstrapper build.js)');
+if (!manifest.manifestSignature) fail('bridge-version.json is missing manifestSignature (rebuild)');
+
+const payloadTar = `bridge-payload-v${manifest.version}.tar.gz`;
+const payloadSig = `bridge-payload-v${manifest.version}.sig`;
+const nodeTar = `node-win-x64-v${manifest.nodeVersion}.tar.gz`;
+const nodeSig = `node-win-x64-v${manifest.nodeVersion}.sig`;
+
+const f = (name, sha) => ({ path: requireArtifact(name), sha });
+
+// sha of tarballs comes from the (signed) manifest; sigs/exe/manifest are
+// verified by local-computed sha against the server copy.
+const payloadTarFile = f(payloadTar, manifest.sha256.toLowerCase());
+const nodeTarFile = f(nodeTar, manifest.nodeSha256.toLowerCase());
+const payloadSigFile = f(payloadSig, sha256OfFile(requireArtifact(payloadSig)));
+const nodeSigFile = f(nodeSig, sha256OfFile(requireArtifact(nodeSig)));
+const manifestFile = f('bridge-version.json', sha256OfFile(manifestPath));
+const exeFile = f('Empir3Setup.exe', sha256OfFile(requireArtifact('Empir3Setup.exe')));
+
+// Local sanity: the tarballs on disk must match the manifest's declared shas.
+if (sha256OfFile(payloadTarFile.path) !== payloadTarFile.sha) fail('local payload tarball sha != manifest.sha256 — rebuild');
+if (sha256OfFile(nodeTarFile.path) !== nodeTarFile.sha) fail('local node tarball sha != manifest.nodeSha256 — rebuild');
+
+console.log(`[publish-downloads] publishing bridge v${manifest.version} (node v${manifest.nodeVersion}) to ${server}:${remoteDir}`);
+run('ssh', [server, `mkdir -p '${remoteDir}'`]);
+
+// 1. Artifacts FIRST (the manifest will point at these).
+uploadAndVerify('Stage 1: node + payload artifacts (+ sigs)',
+  [nodeTarFile, nodeSigFile, payloadTarFile, payloadSigFile]);
+
+// 1b. Confirm a fresh stub can fetch the EXACT signed URLs (payload/node tarballs
+// AND their .sig — the stub fetches all four). These carry a unique ?v=&t= query,
+// so Cloudflare can't serve a stale copy.
+console.log('\n[publish-downloads] === Verify stub-visible artifact URLs ===');
+publicShaCheck(manifest.nodeUrl, manifest.nodeSha256.toLowerCase());
+publicShaCheck(manifest.payloadUrl, manifest.sha256.toLowerCase());
+publicShaCheck(manifest.nodeSignatureUrl, sha256OfFile(nodeSigFile.path));
+publicShaCheck(manifest.signatureUrl, sha256OfFile(payloadSigFile.path));
+
+// 2. Manifest NEXT (now everything it references is live).
+uploadAndVerify('Stage 2: signed manifest', [manifestFile]);
+
+// 2b. CRITICAL ORDERING GATE: the public, fixed-name manifest URL must already
+// return the NEW bytes BEFORE we publish the exe. The exe is the trigger — if it
+// went live while bridge-version.json was still the stale (possibly pre-Go,
+// nodeUrl-less) manifest, a fresh stub would read the wrong manifest. This
+// fixed-name URL CAN be Cloudflare-cached, so retry briefly; if it never matches,
+// abort and tell the operator to purge the CF cache for bridge-version.json.
+console.log('\n[publish-downloads] === Gate: public manifest must reflect new bytes before exe ===');
+publicShaCheckRetry(`${publicBase}/bridge-version.json`, manifestFile.sha, { tries: 10, delayMs: 3000 });
+
+// 3. Empir3Setup.exe LAST (only after the manifest it reads is confirmed live).
+uploadAndVerify('Stage 3: Empir3Setup.exe', [exeFile]);
+
+// Final reachability of the exe (a stale-cached old exe still works since it
+// re-reconciles, so a 200 is sufficient here).
+publicGet200('Empir3Setup.exe');
+
+console.log('\n[publish-downloads] done');
+console.log(`  Installer: ${publicBase}/Empir3Setup.exe`);
+console.log(`  Manifest:  ${publicBase}/bridge-version.json`);
+console.log(`  Node:      ${publicBase}/${nodeTar}`);
+console.log(`  Payload:   ${publicBase}/${payloadTar}`);