@enactprotocol/shared 1.0.13 → 1.2.0

package/dist/security/verification-enforcer.js

@@ -5,10 +5,33 @@ import logger from "../exec/logger";
  * Enforce mandatory signature verification for tool execution
  * This is the central function that should be called before ANY tool execution
  */
+/**
+ * Get security policy based on execution context
+ */
+export function getSecurityPolicy(options) {
+    // Local files have different security policies
+    if (options.isLocalFile) {
+        return {
+            allowSkipVerification: true,
+            allowUnsigned: true,
+            requireInteractiveConfirmation: false,
+            defaultVerificationPolicy: "permissive",
+        };
+    }
+    // Production/registry tools have strict policies
+    return {
+        allowSkipVerification: false,
+        allowUnsigned: false,
+        requireInteractiveConfirmation: !!options.interactive,
+        defaultVerificationPolicy: options.verifyPolicy || "permissive",
+    };
+}
 export async function enforceSignatureVerification(tool, options = {}) {
     const toolName = tool.name || "unknown";
+    // Apply centralized security policy based on context
+    const securityPolicy = getSecurityPolicy(options);
     // Check if verification is explicitly skipped
-    if (options.skipVerification) {
+    if (options.skipVerification && securityPolicy.allowSkipVerification) {
         logger.warn(`🚨 SECURITY WARNING: Signature verification skipped for tool: ${toolName}`);
         logger.warn(`   This bypasses security measures and is NOT recommended for production use!`);
         return {
@@ -29,8 +52,8 @@ export async function enforceSignatureVerification(tool, options = {}) {
         !!tool.signature;
     if (!hasSignatures) {
         logger.warn(`⚠️  Tool has no signatures: ${toolName}`);
-        // Only allow unsigned tools if explicitly permitted (for development/testing)
-        if (options.allowUnsigned) {
+        // Only allow unsigned tools if policy permits (for development/testing)
+        if (options.allowUnsigned || securityPolicy.allowUnsigned) {
             logger.warn(`   Allowing unsigned tool execution due to allowUnsigned flag (DEV/TEST ONLY)`);
             return {
                 allowed: true,

package/dist/services/McpCoreService.d.ts

@@ -27,8 +27,6 @@ export declare class McpCoreService {
      */
     executeToolByName(name: string, inputs?: Record<string, any>, options?: {
         timeout?: string;
-        verifyPolicy?: "permissive" | "enterprise" | "paranoid";
-        skipVerification?: boolean;
         force?: boolean;
         dryRun?: boolean;
     }): Promise<ExecutionResult>;
@@ -37,19 +35,9 @@ export declare class McpCoreService {
      */
     executeRawTool(toolYaml: string, inputs?: Record<string, any>, options?: {
         timeout?: string;
-        skipVerification?: boolean;
         force?: boolean;
         dryRun?: boolean;
     }): Promise<ExecutionResult>;
-    /**
-     * Verify a tool's signature
-     */
-    verifyTool(name: string, policy?: string): Promise<{
-        verified: boolean;
-        signatures: any[];
-        policy: string;
-        errors?: string[];
-    }>;
     /**
      * Check if a tool exists
      */

package/dist/services/McpCoreService.js

@@ -38,8 +38,6 @@ export class McpCoreService {
     async executeToolByName(name, inputs = {}, options) {
         const executeOptions = {
             timeout: options?.timeout,
-            verifyPolicy: options?.verifyPolicy,
-            skipVerification: options?.skipVerification,
             force: options?.force,
             dryRun: options?.dryRun,
         };
@@ -51,18 +49,11 @@ export class McpCoreService {
     async executeRawTool(toolYaml, inputs = {}, options) {
         const executeOptions = {
             timeout: options?.timeout,
-            skipVerification: options?.skipVerification,
             force: options?.force,
             dryRun: options?.dryRun,
         };
         return await this.core.executeRawTool(toolYaml, inputs, executeOptions);
     }
-    /**
-     * Verify a tool's signature
-     */
-    async verifyTool(name, policy) {
-        return await this.core.verifyTool(name, policy);
-    }
     /**
      * Check if a tool exists
      */

package/dist/types.d.ts

@@ -2,6 +2,7 @@ export interface EnactTool {
     name: string;
     description: string;
     command: string;
+    from?: string;
     timeout?: string;
     tags?: string[];
     license?: string;
@@ -47,14 +48,14 @@ export interface EnactTool {
         value: string;
         role?: string;
     };
-    signatures?: Record<string, {
+    signatures?: {
+        signer: string;
         algorithm: string;
         type: string;
-        signer: string;
-        created: string;
         value: string;
+        created: string;
         role?: string;
-    }>;
+    }[];
     [key: string]: any;
 }
 export interface JSONSchemaDefinition {

package/dist/utils/config.js

@@ -14,7 +14,7 @@ export async function ensureConfig() {
         await mkdir(CONFIG_DIR, { recursive: true });
     }
     if (!existsSync(CONFIG_FILE)) {
-        await writeConfig({ history: [] });
+        await writeFile(CONFIG_FILE, JSON.stringify({ history: [] }, null, 2));
     }
 }
 /**

package/dist/utils/version.js

@@ -1,11 +1,32 @@
 // src/utils/version.ts
 import pc from "picocolors";
+import { readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
 /**
  * Displays the CLI version with nice formatting
  */
 export function showVersion() {
-    // Bun automatically sets npm_package_version when running scripts via package.json
-    const version = process.env.npm_package_version || "0.0.1-dev";
+    let version = "0.0.1-dev";
+    try {
+        // Try to get version from environment first (for npm scripts)
+        if (process.env.npm_package_version) {
+            version = process.env.npm_package_version;
+        }
+        else {
+            // When running as installed binary, read from package.json
+            // Go up from shared/dist/utils/version.js to find package.json
+            const currentFile = typeof __filename !== 'undefined' ? __filename : fileURLToPath(import.meta.url);
+            const sharedDir = dirname(dirname(dirname(currentFile)));
+            const packageJsonPath = join(sharedDir, 'package.json');
+            const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf8'));
+            version = packageJson.version;
+        }
+    }
+    catch (error) {
+        // Fall back to default version if anything fails
+        version = "1.0.14";
+    }
     const versionText = `v${version}`;
     console.error(`
 ${pc.bold("Enact CLI")} ${pc.cyan(versionText)}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enactprotocol/shared",
-  "version": "1.0.13",
+  "version": "1.2.0",
   "description": "Shared utilities and core functionality for Enact Protocol",
   "type": "module",
   "main": "./dist/index.js",
@@ -22,10 +22,6 @@
       "import": "./dist/utils/index.js",
       "types": "./dist/utils/index.d.ts"
     },
-    "./security": {
-      "import": "./dist/security/index.js",
-      "types": "./dist/security/index.d.ts"
-    },
     "./services": {
       "import": "./dist/services/index.js",
       "types": "./dist/services/index.d.ts"
@@ -65,6 +61,7 @@
   "license": "MIT",
   "dependencies": {
     "@dagger.io/dagger": "^0.9.11",
+    "@enactprotocol/security": "^0.2.5",
     "dotenv": "^16.5.0",
     "pino": "^9.7.0",
     "pino-pretty": "^13.0.0",
@@ -76,4 +73,4 @@
     "@types/node": "^20.12.12",
     "typescript": "^5.4.5"
   }
-}
+}

package/src/api/enact-api.ts

@@ -62,7 +62,7 @@ export class EnactApiClient {
 		const responseData = await response.json();
 
 		// Debug logging to help identify response structure issues
-		if (process.env.NODE_ENV === "development" || process.env.DEBUG) {
+		if ((process.env.NODE_ENV === "development" || process.env.DEBUG) && !process.env.ENACT_SILENT) {
 			console.error(`API Response for ${endpoint}:`, responseData);
 		}
 
@@ -141,7 +141,7 @@ export class EnactApiClient {
 
 		try {
 			// Log the request for debugging
-			if (process.env.NODE_ENV === "development" || process.env.DEBUG) {
+			if ((process.env.NODE_ENV === "development" || process.env.DEBUG) && !process.env.ENACT_SILENT) {
 				console.error(
 					`Search request to ${endpoint}:`,
 					JSON.stringify(query, null, 2),

package/src/api/types.ts

@@ -2,6 +2,7 @@ export interface EnactToolDefinition {
 	name: string;
 	description: string;
 	command: string;
+	from?: string;
 	version?: string;
 	timeout?: string;
 	tags?: string[];
@@ -37,7 +38,14 @@ export interface EnactToolDefinition {
 		value: string;
 		role?: string;
 	};
-	signatures?: Record<string, any>;
+	signatures?: {
+		signer: string;
+		algorithm: string;
+		type: string;
+		value: string;
+		created: string;
+		role?: string;
+	}[];
 	raw_content?: string;
 	namespace?: string;
 	enact?: string;
@@ -87,7 +95,6 @@ export interface EnactExecOptions {
 	timeout?: string;
 	dry?: boolean;
 	verbose?: boolean;
-	skipVerification?: boolean; // New option to skip signature verification
-	verifyPolicy?: string; // Verification policy to use
-	force?: boolean; // Force execution even if verification fails
+	force?: boolean; // Force execution even if verification fails (legacy)
+	dangerouslySkipVerification?: boolean; // Skip all signature verification (DANGEROUS)
 }

package/src/core/DaggerExecutionProvider.ts

@@ -409,6 +409,8 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 						inputs,
 						environment,
 						tool.timeout,
+						undefined,
+						tool,
 					);
 
 					logger.debug(
@@ -527,6 +529,7 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 			showSpinner?: boolean;
 			streamOutput?: boolean;
 		},
+		tool?: EnactTool,
 	): Promise<CommandResult> {
 		const verbose = options?.verbose ?? false;
 		const showSpinner = options?.showSpinner ?? false;
@@ -554,17 +557,20 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 			);
 
 			if (verbose) {
+				// Determine which container image to use - prefer tool's 'from' field over default baseImage
+				const containerImage = tool?.from || this.options.baseImage!;
+				
 				try {
 					const pc = require("picocolors");
 					console.error(
 						pc.cyan("\n🐳 Executing Enact command in Dagger container:"),
 					);
 					console.error(pc.white(substitutedCommand));
-					console.error(pc.gray(`Base image: ${this.options.baseImage}`));
+					console.error(pc.gray(`Container image: ${containerImage}${tool?.from ? ' (from tool.from)' : ' (default baseImage)'}`));
 				} catch (e) {
 					console.error("\n🐳 Executing Enact command in Dagger container:");
 					console.error(substitutedCommand);
-					console.error(`Base image: ${this.options.baseImage}`);
+					console.error(`Container image: ${containerImage}${tool?.from ? ' (from tool.from)' : ' (default baseImage)'}`);
 				}
 			}
 
@@ -577,7 +583,7 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 
 			// Execute command with enhanced error handling and timeout management
 			const result = await Promise.race([
-				this.executeWithConnect(substitutedCommand, environment, inputs),
+				this.executeWithConnect(substitutedCommand, environment, inputs, tool),
 				this.createTimeoutPromise(effectiveTimeout),
 			]);
 
@@ -627,6 +633,7 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 		command: string,
 		environment: ExecutionEnvironment,
 		inputs: Record<string, any>,
+		tool?: EnactTool,
 	): Promise<CommandResult> {
 		return new Promise<CommandResult>((resolve, reject) => {
 			// Setup abort handling
@@ -645,6 +652,7 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 						client,
 						environment,
 						inputs,
+						tool,
 					);
 					logger.debug("📦 Container setup complete");
 					const commandResult = await this.executeInContainer(
@@ -698,13 +706,17 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 		client: Client,
 		environment: ExecutionEnvironment,
 		inputs: Record<string, any>,
+		tool?: EnactTool,
 	): Promise<Container> {
+		// Determine which container image to use - prefer tool's 'from' field over default baseImage
+		const containerImage = tool?.from || this.options.baseImage!;
+		
 		logger.debug(
-			`🚀 Setting up container with base image: ${this.options.baseImage}`,
+			`🚀 Setting up container with image: ${containerImage}${tool?.from ? ' (from tool.from)' : ' (default baseImage)'}`,
 		);
 
 		// Start with base container
-		let container = client.container().from(this.options.baseImage!);
+		let container = client.container().from(containerImage);
 		logger.debug("📦 Base container created");
 
 		// Set working directory
@@ -721,7 +733,7 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 
 		// Install common tools needed for Enact commands
 		if (this.options.enableNetwork) {
-			container = await this.installCommonTools(container);
+			container = await this.installCommonTools(container, containerImage);
 			logger.debug("🔧 Common tools installed");
 		} else {
 			logger.debug("🔧 Skipping common tools installation (network disabled)");
@@ -745,14 +757,14 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 	 * Install common tools that Enact commands might need
 	 * Enhanced with better error handling and timeout
 	 */
-	private async installCommonTools(container: Container): Promise<Container> {
+	private async installCommonTools(container: Container, containerImage: string): Promise<Container> {
 		logger.debug(
-			`🔧 Installing common tools for base image: ${this.options.baseImage}`,
+			`🔧 Installing common tools for container image: ${containerImage}`,
 		);
 
 		try {
 			// For node images, most tools are already available, so we can skip installation
-			if (this.options.baseImage?.includes("node:")) {
+			if (containerImage.includes("node:")) {
 				logger.debug(
 					"📦 Node.js image detected, skipping tool installation (most tools already available)",
 				);
@@ -760,10 +772,10 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 			}
 
 			// Determine package manager based on base image
-			const isAlpine = this.options.baseImage?.includes("alpine");
+			const isAlpine = containerImage.includes("alpine");
 			const isDebian =
-				this.options.baseImage?.includes("debian") ||
-				this.options.baseImage?.includes("ubuntu");
+				containerImage.includes("debian") ||
+				containerImage.includes("ubuntu");
 
 			if (isAlpine) {
 				logger.debug("📦 Detected Alpine Linux, installing basic tools");
@@ -783,7 +795,7 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 				]);
 			} else {
 				logger.warn(
-					`Unknown base image ${this.options.baseImage}, skipping tool installation`,
+					`Unknown container image ${containerImage}, skipping tool installation`,
 				);
 			}
 
@@ -1161,6 +1173,7 @@ export class DaggerExecutionProvider extends ExecutionProvider {
 				showSpinner: true,
 				streamOutput: false,
 			},
+			undefined, // no tool parameter for backwards compatibility
 		);
 
 		if (result.exitCode !== 0) {