@fusionkit/plane 0.1.0

package/dist/validation.js

@@ -0,0 +1,178 @@
+import { z } from "zod";
+import { ACTOR_KINDS, AGENT_KINDS, CHECKPOINT_TIERS, DISCLOSURE_MODES, HEX_HASH_PATTERN, parseHostAllowlistEntry, parsePoolName, parseSecretName, parseWorkspaceManifestPath, PROTOCOL_VERSIONS, SESSION_ISOLATIONS } from "@fusionkit/protocol";
+import { PRINCIPAL_ROLES } from "./store.js";
+/**
+ * Boundary validation for request bodies. Signed objects (chained events,
+ * receipts) are validated cryptographically by the plane, not re-described
+ * here; these schemas guard the unsigned inputs (run requests, actors,
+ * tokens) that nothing else checks. Parsing returns structured errors that
+ * the server turns into 400s.
+ */
+// The max lengths below are generous DoS guards (a 1M-char prompt, 100k
+// untracked files), not policy limits — policy is enforced separately by the
+// plane's policy engine. They exist to reject obviously abusive payloads at
+// the boundary before any work is done.
+const actorSchema = z.object({
+    kind: z.enum(ACTOR_KINDS),
+    id: z.string().min(1).max(256)
+});
+const manifestFileSchema = z.object({
+    path: z.string().min(1).max(4096).transform(parseWorkspaceManifestPath),
+    hash: z.string().regex(HEX_HASH_PATTERN),
+    bytes: z.number().int().nonnegative()
+});
+const workspaceSchema = z.object({
+    version: z.literal(PROTOCOL_VERSIONS.manifest),
+    baseRef: z.string().min(1).max(256),
+    bundleHash: z.string().regex(HEX_HASH_PATTERN),
+    dirtyDiffHash: z.string().regex(HEX_HASH_PATTERN).optional(),
+    untrackedFiles: z.array(manifestFileSchema).max(100000),
+    deniedPatterns: z.array(z.string().max(512)).max(10000),
+    deniedPaths: z
+        .array(z.string().max(4096).transform(parseWorkspaceManifestPath))
+        .max(100000)
+});
+const networkSchema = z.object({
+    defaultDeny: z.boolean(),
+    allowHosts: z.array(z.string().min(1).max(253).transform(parseHostAllowlistEntry)).max(1000)
+});
+const budgetSchema = z.object({
+    maxSpendUsd: z.number().nonnegative().optional(),
+    maxDurationMin: z.number().positive().optional()
+});
+const continuationSchema = z.object({
+    envelopeHash: z.string().regex(HEX_HASH_PATTERN),
+    checkpointId: z.string().min(1).max(256),
+    tier: z.enum(CHECKPOINT_TIERS)
+});
+const executionEnvSchema = z
+    .object({
+    inherit: z.array(z.string().min(1).max(128)).max(256).optional(),
+    secrets: z
+        .array(z.object({
+        env: z.string().min(1).max(256).transform(parseSecretName),
+        secretName: z.string().min(1).max(256).transform(parseSecretName)
+    }))
+        .max(256)
+        .optional(),
+    vars: z.record(z.string().min(1).max(256), z.string().max(100000)).optional(),
+    egressProxy: z.boolean().optional()
+})
+    .strict();
+const executionLogSchema = z
+    .object({
+    stdout: z.literal("capture"),
+    stderr: z.enum(["merge", "capture"]),
+    maxBytes: z.number().int().positive().optional()
+})
+    .strict();
+const executionSchema = z.discriminatedUnion("kind", [
+    z
+        .object({
+        kind: z.literal("shell"),
+        script: z.string().min(1).max(1_000_000),
+        shell: z.enum(["sh", "bash"]).optional(),
+        cwd: z.string().min(1).max(4096).transform(parseWorkspaceManifestPath).optional(),
+        timeoutMs: z.number().int().positive().optional(),
+        env: executionEnvSchema.optional(),
+        log: executionLogSchema.optional()
+    })
+        .strict(),
+    z
+        .object({
+        kind: z.literal("argv"),
+        command: z.string().min(1).max(4096),
+        args: z.array(z.string().max(100000)).max(10000),
+        cwd: z.string().min(1).max(4096).transform(parseWorkspaceManifestPath).optional(),
+        timeoutMs: z.number().int().positive().optional(),
+        env: executionEnvSchema.optional(),
+        log: executionLogSchema.optional()
+    })
+        .strict(),
+    z
+        .object({
+        kind: z.literal("agent"),
+        agent: z
+            .object({
+            kind: z.enum(AGENT_KINDS),
+            version: z.string().max(128).optional()
+        })
+            .strict(),
+        prompt: z.string().min(1).max(1_000_000),
+        timeoutMs: z.number().int().positive().optional(),
+        env: executionEnvSchema.optional(),
+        log: executionLogSchema.optional()
+    })
+        .strict()
+]);
+export const runRequestSchema = z.object({
+    requestedBy: actorSchema,
+    // agentKind is validated structurally; whether the kind is *permitted* is
+    // the policy engine's decision at contract time, not the schema's.
+    agentKind: z.string().min(1).max(64),
+    agentVersion: z.string().max(128).optional(),
+    prompt: z.string().min(1).max(1_000_000),
+    pool: z.string().min(1).max(128).transform(parsePoolName),
+    secretNames: z.array(z.string().min(1).max(256).transform(parseSecretName)).max(256),
+    workspace: workspaceSchema,
+    network: networkSchema,
+    budget: budgetSchema,
+    disclosure: z.enum(DISCLOSURE_MODES),
+    execution: executionSchema.optional(),
+    isolation: z.enum(SESSION_ISOLATIONS).optional(),
+    continuation: continuationSchema.optional()
+});
+export const createRunBodySchema = z.object({
+    dryRun: z.boolean().optional(),
+    request: runRequestSchema
+});
+export const enrollBodySchema = z.object({
+    enrollToken: z.string().min(1).max(4096),
+    publicKeyPem: z.string().min(1).max(8192),
+    pool: z.string().min(1).max(128).transform(parsePoolName)
+});
+export const claimBodySchema = z.object({
+    runnerToken: z.string().min(1).max(4096),
+    pool: z.string().min(1).max(128).transform(parsePoolName)
+});
+export const approveBodySchema = z.object({
+    actor: actorSchema.optional(),
+    /** Optional IdP-issued JWT; when present, the approval is bound to its subject. */
+    idpToken: z.string().min(1).max(8192).optional()
+});
+export const cancelBodySchema = z.object({
+    actor: actorSchema.optional()
+});
+// Events and receipts are signed, hash-chained objects. Their integrity is
+// verified cryptographically inside the plane (chain verification + runner
+// signature), which is a stronger gate than any structural schema. The
+// schema here only bounds the envelope shape/size; the crypto check is
+// authoritative, so re-describing the full object as zod would be redundant.
+export const eventsBodySchema = z.object({
+    claimToken: z.string().min(1).max(8192),
+    events: z.array(z.unknown()).max(100000)
+});
+export const completeBodySchema = z.object({
+    claimToken: z.string().min(1).max(8192),
+    receipt: z.unknown()
+});
+export const issuePrincipalBodySchema = z.object({
+    name: z.string().min(1).max(128),
+    role: z.enum(PRINCIPAL_ROLES)
+});
+export class ValidationError extends Error {
+    issues;
+    constructor(issues) {
+        super(`invalid request: ${issues.join("; ")}`);
+        this.name = "ValidationError";
+        this.issues = issues;
+    }
+}
+export function parseBody(schema, raw) {
+    const result = schema.safeParse(raw);
+    if (!result.success) {
+        const issues = result.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`);
+        throw new ValidationError(issues);
+    }
+    return result.data;
+}

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "@fusionkit/plane",
+  "private": false,
+  "version": "0.1.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/velum-labs/handoffkit.git",
+    "directory": "packages/plane"
+  },
+  "description": "Warrant control plane: contracts, policy, approvals, receipt countersignature, secret broker, audit export, and the control panel UI.",
+  "license": "UNLICENSED",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "ui"
+  ],
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public",
+    "provenance": true
+  },
+  "dependencies": {
+    "jose": "6.2.3",
+    "pino": "10.3.1",
+    "zod": "4.4.3",
+    "@fusionkit/protocol": "0.1.0"
+  }
+}

package/ui/app.css

@@ -0,0 +1,276 @@
+:root {
+  --bg: #0b0e14;
+  --bg-raised: #11151f;
+  --bg-hover: #161b28;
+  --border: #232a3a;
+  --text: #d7dce6;
+  --text-dim: #8b94a7;
+  --accent: #7aa2f7;
+  --accent-dim: #2a3756;
+  --good: #34d399;
+  --bad: #f87171;
+  --warn: #fbbf24;
+  --info: #60a5fa;
+  --mono: "SF Mono", ui-monospace, "Cascadia Code", Menlo, Consolas, monospace;
+  --sans: -apple-system, BlinkMacSystemFont, "Segoe UI", Inter, Roboto, sans-serif;
+}
+
+* { box-sizing: border-box; }
+
+[hidden] { display: none !important; }
+
+body {
+  margin: 0;
+  background: var(--bg);
+  color: var(--text);
+  font-family: var(--sans);
+  font-size: 14px;
+  line-height: 1.5;
+  min-height: 100vh;
+  display: flex;
+  flex-direction: column;
+}
+
+main { flex: 1; width: 100%; max-width: 1100px; margin: 0 auto; padding: 24px 20px 48px; }
+
+code, .mono { font-family: var(--mono); font-size: 12.5px; }
+
+/* ---------- chrome ---------- */
+
+.topbar {
+  display: flex;
+  align-items: center;
+  gap: 28px;
+  padding: 14px 20px;
+  border-bottom: 1px solid var(--border);
+  background: var(--bg-raised);
+  position: sticky;
+  top: 0;
+  z-index: 10;
+}
+
+.brand { display: flex; align-items: baseline; gap: 8px; }
+.brand-mark { color: var(--accent); font-size: 18px; }
+.brand-name { font-weight: 700; letter-spacing: 0.04em; font-size: 16px; }
+.brand-sub { color: var(--text-dim); font-size: 12px; text-transform: uppercase; letter-spacing: 0.12em; }
+
+.nav { display: flex; gap: 4px; }
+.nav a {
+  color: var(--text-dim);
+  text-decoration: none;
+  padding: 6px 12px;
+  border-radius: 6px;
+  font-weight: 500;
+}
+.nav a:hover { color: var(--text); background: var(--bg-hover); }
+.nav a.active { color: var(--accent); background: var(--accent-dim); }
+
+.top-actions { margin-left: auto; display: flex; gap: 8px; }
+
+.footer {
+  display: flex;
+  justify-content: space-between;
+  gap: 16px;
+  padding: 14px 20px;
+  border-top: 1px solid var(--border);
+  color: var(--text-dim);
+  font-size: 12px;
+}
+
+/* ---------- buttons ---------- */
+
+.btn {
+  font: inherit;
+  border: 1px solid var(--border);
+  background: var(--bg-raised);
+  color: var(--text);
+  border-radius: 6px;
+  padding: 6px 14px;
+  cursor: pointer;
+}
+.btn:hover { background: var(--bg-hover); }
+.btn-primary { background: var(--accent); border-color: var(--accent); color: #0b0e14; font-weight: 600; }
+.btn-primary:hover { filter: brightness(1.1); background: var(--accent); }
+.btn-ghost { background: transparent; color: var(--text-dim); }
+.btn-ghost:hover { color: var(--text); }
+.btn-danger { color: var(--bad); border-color: var(--bad); background: transparent; }
+.btn-danger:hover { background: rgba(248, 113, 113, 0.1); }
+.btn-good { color: var(--good); border-color: var(--good); background: transparent; }
+.btn-good:hover { background: rgba(52, 211, 153, 0.1); }
+.btn:disabled { opacity: 0.5; cursor: not-allowed; }
+
+/* ---------- login ---------- */
+
+.login { display: flex; justify-content: center; padding-top: 8vh; }
+.login-card {
+  width: 460px;
+  background: var(--bg-raised);
+  border: 1px solid var(--border);
+  border-radius: 12px;
+  padding: 32px;
+}
+.login-card h1 { margin: 0 0 8px; font-size: 20px; }
+.login-card p { color: var(--text-dim); margin: 0 0 20px; }
+.login-card form { display: flex; gap: 8px; }
+.login-card input {
+  flex: 1;
+  font-family: var(--mono);
+  font-size: 13px;
+  background: var(--bg);
+  border: 1px solid var(--border);
+  border-radius: 6px;
+  color: var(--text);
+  padding: 8px 10px;
+}
+.login-card input:focus { outline: none; border-color: var(--accent); }
+.login-error { color: var(--bad); margin-top: 12px; }
+
+/* ---------- shared view bits ---------- */
+
+.view-head {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  margin: 4px 0 18px;
+}
+.view-head h1 { font-size: 18px; margin: 0; }
+.view-head .count { color: var(--text-dim); }
+.view-head .spacer { flex: 1; }
+.muted { color: var(--text-dim); }
+.empty {
+  border: 1px dashed var(--border);
+  border-radius: 10px;
+  padding: 36px;
+  text-align: center;
+  color: var(--text-dim);
+}
+.empty code { color: var(--text); }
+
+table { width: 100%; border-collapse: collapse; }
+th {
+  text-align: left;
+  color: var(--text-dim);
+  font-size: 11px;
+  text-transform: uppercase;
+  letter-spacing: 0.08em;
+  font-weight: 600;
+  padding: 8px 12px;
+  border-bottom: 1px solid var(--border);
+}
+td { padding: 10px 12px; border-bottom: 1px solid var(--border); vertical-align: top; }
+tr.row-link { cursor: pointer; }
+tr.row-link:hover td { background: var(--bg-hover); }
+
+.chip {
+  display: inline-block;
+  font-family: var(--mono);
+  font-size: 11px;
+  padding: 2px 8px;
+  border-radius: 999px;
+  border: 1px solid var(--border);
+  color: var(--text-dim);
+  white-space: nowrap;
+}
+.chip.completed { color: var(--good); border-color: var(--good); }
+.chip.failed, .chip.cancelled { color: var(--bad); border-color: var(--bad); }
+.chip.running, .chip.claimed, .chip.provisioning { color: var(--info); border-color: var(--info); }
+.chip.awaiting_approval { color: var(--warn); border-color: var(--warn); }
+.chip.created { color: var(--text); border-color: var(--text-dim); }
+.chip.continuation { color: var(--accent); border-color: var(--accent); }
+
+.hash { font-family: var(--mono); font-size: 12px; color: var(--text-dim); }
+
+/* ---------- run detail ---------- */
+
+.detail-grid { display: grid; grid-template-columns: 1.2fr 1fr; gap: 16px; }
+@media (max-width: 900px) { .detail-grid { grid-template-columns: 1fr; } }
+
+.card {
+  background: var(--bg-raised);
+  border: 1px solid var(--border);
+  border-radius: 10px;
+  padding: 18px;
+  margin-bottom: 16px;
+}
+.card h2 {
+  margin: 0 0 12px;
+  font-size: 12px;
+  color: var(--text-dim);
+  text-transform: uppercase;
+  letter-spacing: 0.1em;
+}
+.card dl { margin: 0; display: grid; grid-template-columns: 150px 1fr; row-gap: 8px; }
+.card dt { color: var(--text-dim); }
+.card dd { margin: 0; overflow-wrap: anywhere; }
+
+.actions { display: flex; gap: 8px; flex-wrap: wrap; }
+
+.five-q .q { margin-bottom: 14px; }
+.five-q .q:last-child { margin-bottom: 0; }
+.five-q .q h3 { margin: 0 0 4px; font-size: 13px; color: var(--accent); }
+.five-q .q div { color: var(--text); overflow-wrap: anywhere; }
+.five-q .q .sub { color: var(--text-dim); font-size: 13px; }
+
+.timeline { list-style: none; margin: 0; padding: 0; }
+.timeline li {
+  display: flex;
+  gap: 10px;
+  padding: 7px 0;
+  border-bottom: 1px solid var(--border);
+  align-items: baseline;
+}
+.timeline li:last-child { border-bottom: none; }
+.timeline .seq { font-family: var(--mono); font-size: 11px; color: var(--text-dim); width: 28px; flex-shrink: 0; }
+.timeline .etype {
+  font-family: var(--mono);
+  font-size: 12px;
+  width: 190px;
+  flex-shrink: 0;
+}
+.timeline .edetail { color: var(--text-dim); font-size: 12.5px; overflow-wrap: anywhere; }
+.timeline .ok { color: var(--good); }
+.timeline .err { color: var(--bad); }
+.timeline .warn { color: var(--warn); }
+.timeline .info { color: var(--info); }
+.timeline .plain { color: var(--text); }
+
+.banner {
+  border: 1px solid var(--warn);
+  background: rgba(251, 191, 36, 0.08);
+  color: var(--warn);
+  border-radius: 8px;
+  padding: 10px 14px;
+  margin-bottom: 16px;
+  display: flex;
+  align-items: center;
+  gap: 12px;
+}
+.banner .spacer { flex: 1; }
+
+.verify-ok { color: var(--good); }
+.verify-info { color: var(--text-dim); font-size: 12.5px; }
+
+pre.policy {
+  background: var(--bg-raised);
+  border: 1px solid var(--border);
+  border-radius: 10px;
+  padding: 18px;
+  overflow-x: auto;
+  font-family: var(--mono);
+  font-size: 12.5px;
+  line-height: 1.6;
+}
+
+.toast {
+  position: fixed;
+  bottom: 24px;
+  right: 24px;
+  background: var(--bg-raised);
+  border: 1px solid var(--border);
+  border-left: 3px solid var(--accent);
+  border-radius: 8px;
+  padding: 10px 16px;
+  box-shadow: 0 8px 30px rgba(0, 0, 0, 0.5);
+  z-index: 100;
+}
+.toast.error { border-left-color: var(--bad); }