@happier-dev/relay-server 0.1.2-preview.68.1

package/assets/happier-release.pub

@@ -0,0 +1,2 @@
+untrusted comment: minisign public key 91AE28177BF6E43C
+RWQ85PZ7FyiukYbL3qv/bKnwgbT68wLVzotapeMFIb8n+c7pBQ7U8W2t

package/bin/happier-server.mjs

@@ -0,0 +1,172 @@
+#!/usr/bin/env node
+import { createHash } from 'node:crypto';
+import { mkdir, readFile, rm, stat, writeFile } from 'node:fs/promises';
+import { homedir, platform, arch, tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { spawn } from 'node:child_process';
+
+import { resolveServerReleaseAssets } from '../src/releaseAssets.mjs';
+import { lookupSha256 } from '../src/checksums.mjs';
+import { verifyMinisign } from '../src/minisign.mjs';
+
+const OWNER = 'happier-dev';
+const REPO = 'happier';
+
+function fail(msg) {
+  process.stderr.write(`[happier-server] ${msg}\n`);
+  process.exit(1);
+}
+
+function parseArgs(argv) {
+  const kv = new Map();
+  const positionals = [];
+  for (let i = 0; i < argv.length; i += 1) {
+    const a = argv[i];
+    if (a === '--') {
+      positionals.push(...argv.slice(i + 1));
+      break;
+    }
+    if (!a.startsWith('--')) {
+      positionals.push(a);
+      continue;
+    }
+    const v = argv[i + 1];
+    if (v && !v.startsWith('--')) {
+      kv.set(a, v);
+      i += 1;
+    } else {
+      kv.set(a, 'true');
+    }
+  }
+  return { kv, positionals };
+}
+
+function resolveTarget() {
+  const os = platform();
+  const cpu = arch();
+  // Server binaries are currently built for Linux only in CI.
+  if (os !== 'linux') {
+    fail(`Unsupported platform '${os}'. Server runner currently supports linux only.`);
+  }
+  if (cpu !== 'x64' && cpu !== 'arm64') {
+    fail(`Unsupported architecture '${cpu}'. Expected x64 or arm64.`);
+  }
+  return { os, arch: cpu };
+}
+
+function cacheRoot() {
+  const xdg = String(process.env.XDG_CACHE_HOME ?? '').trim();
+  if (xdg) return xdg;
+  return join(homedir(), '.cache');
+}
+
+async function fetchJson(url) {
+  const res = await fetch(url, {
+    headers: {
+      'user-agent': 'happier-server-runner',
+      accept: 'application/vnd.github+json',
+    },
+  });
+  if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
+  return res.json();
+}
+
+async function fetchText(url) {
+  const res = await fetch(url, { headers: { 'user-agent': 'happier-server-runner' } });
+  if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
+  return res.text();
+}
+
+async function downloadFile(url, destPath) {
+  const res = await fetch(url, { headers: { 'user-agent': 'happier-server-runner' } });
+  if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
+  const ab = await res.arrayBuffer();
+  await writeFile(destPath, Buffer.from(ab));
+}
+
+async function sha256File(path) {
+  const bytes = await readFile(path);
+  return createHash('sha256').update(bytes).digest('hex');
+}
+
+async function pathExists(p) {
+  try {
+    await stat(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function main() {
+  const { kv, positionals } = parseArgs(process.argv.slice(2));
+  const channel = String(kv.get('--channel') ?? '').trim() || 'stable';
+  if (channel !== 'stable' && channel !== 'preview') {
+    fail(`Invalid --channel '${channel}'. Expected stable|preview.`);
+  }
+  const tag = String(kv.get('--tag') ?? '').trim() || (channel === 'preview' ? 'server-preview' : 'server-stable');
+
+  const target = resolveTarget();
+
+  const releaseUrl = `https://api.github.com/repos/${OWNER}/${REPO}/releases/tags/${encodeURIComponent(tag)}`;
+  const release = await fetchJson(releaseUrl);
+  const assets = resolveServerReleaseAssets({ release, os: target.os, arch: target.arch });
+
+  const pubkeyPath = new URL('../assets/happier-release.pub', import.meta.url);
+  const pubkeyFile = await readFile(pubkeyPath, 'utf-8');
+
+  const tmp = join(tmpdir(), `happier-server-${process.pid}-${Date.now()}`);
+  await mkdir(tmp, { recursive: true });
+  try {
+    const checksumsPath = join(tmp, assets.checksums.name);
+    const checksumsSigPath = join(tmp, assets.checksumsSig.name);
+    await downloadFile(assets.checksums.url, checksumsPath);
+    await downloadFile(assets.checksumsSig.url, checksumsSigPath);
+
+    const checksumsText = await readFile(checksumsPath, 'utf-8');
+    const sigFile = await readFile(checksumsSigPath, 'utf-8');
+    const ok = verifyMinisign({ message: Buffer.from(checksumsText, 'utf-8'), pubkeyFile, sigFile });
+    if (!ok) fail('Signature verification failed for checksums file.');
+
+    const expected = lookupSha256({ checksumsText, filename: assets.tarball.name });
+
+    const cacheDir = join(cacheRoot(), 'happier', 'server', tag, assets.version, `${target.os}-${target.arch}`);
+    await mkdir(cacheDir, { recursive: true });
+    const artifactStem = `happier-server-v${assets.version}-${target.os}-${target.arch}`;
+    const serverDir = join(cacheDir, artifactStem);
+    const serverBin = join(serverDir, 'happier-server');
+
+    if (!(await pathExists(serverBin))) {
+      const tarballPath = join(tmp, assets.tarball.name);
+      await downloadFile(assets.tarball.url, tarballPath);
+      const actual = await sha256File(tarballPath);
+      if (actual !== expected) {
+        fail(`SHA256 mismatch for ${assets.tarball.name}: expected ${expected}, got ${actual}`);
+      }
+
+      // Extract archive into cache (archive root contains the artifactStem folder).
+      const extract = spawn('tar', ['-xzf', tarballPath, '-C', cacheDir], { stdio: 'inherit' });
+      await new Promise((resolve, reject) => {
+        extract.on('error', reject);
+        extract.on('exit', (code) => (code === 0 ? resolve() : reject(new Error(`tar exited with ${code}`))));
+      });
+    }
+
+    if (!(await pathExists(serverBin))) {
+      fail(`Extracted server binary not found at ${serverBin}`);
+    }
+
+    const child = spawn(serverBin, positionals, { stdio: 'inherit' });
+    child.on('exit', (code, signal) => {
+      if (signal) process.kill(process.pid, signal);
+      process.exit(code ?? 1);
+    });
+  } finally {
+    await rm(tmp, { recursive: true, force: true });
+  }
+}
+
+main().catch((err) => {
+  fail(err instanceof Error ? err.message : String(err));
+});
+

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@happier-dev/relay-server",
+  "version": "0.1.2-preview.68.1",
+  "description": "Happier server runner (downloads and verifies the correct server binary for your platform).",
+  "repository": "https://github.com/happier-dev/happier.git",
+  "author": "Leeroy Brun <leeroy.brun@gmail.com>",
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "relay-server": "bin/happier-server.mjs",
+    "happier-server": "bin/happier-server.mjs"
+  },
+  "files": [
+    "assets",
+    "bin",
+    "src"
+  ],
+  "engines": {
+    "node": ">=22"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "scripts": {
+    "test": "node --test"
+  }
+}

package/src/checksums.mjs

@@ -0,0 +1,17 @@
+export function lookupSha256({ checksumsText, filename }) {
+  const target = String(filename ?? '').trim();
+  if (!target) throw new Error('[checksums] filename is required');
+
+  const text = String(checksumsText ?? '');
+  const lines = text.split('\n');
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const m = /^([0-9a-fA-F]{8,})\s+(.+)$/.exec(trimmed);
+    if (!m) continue;
+    const hash = m[1].toLowerCase();
+    const file = m[2].trim();
+    if (file === target) return hash;
+  }
+  throw new Error(`[checksums] sha256 not found for ${target}`);
+}

package/src/checksums.test.mjs

@@ -0,0 +1,18 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+
+import { lookupSha256 } from './checksums.mjs';
+
+test('lookupSha256 returns sha256 for matching filename', () => {
+  const text = [
+    'aaaabbbb  file-one.tar.gz',
+    '1234abcd  happier-server-v0.1.0-linux-x64.tar.gz',
+    '',
+  ].join('\n');
+  assert.equal(lookupSha256({ checksumsText: text, filename: 'happier-server-v0.1.0-linux-x64.tar.gz' }), '1234abcd');
+});
+
+test('lookupSha256 throws when filename not present', () => {
+  assert.throws(() => lookupSha256({ checksumsText: 'aaaa  other', filename: 'missing' }));
+});
+

package/src/minisign.mjs

@@ -0,0 +1,94 @@
+import { createHash, createPublicKey, verify } from 'node:crypto';
+
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+
+function decodeBase64Line(line, expectedBytes) {
+  const bytes = Buffer.from(String(line ?? '').trim(), 'base64');
+  if (expectedBytes != null && bytes.length !== expectedBytes) {
+    throw new Error(`[minisign] expected ${expectedBytes} bytes, got ${bytes.length}`);
+  }
+  return bytes;
+}
+
+function parseMinisignPublicKeyFile(pubkeyFile) {
+  const lines = String(pubkeyFile ?? '')
+    .split('\n')
+    .map((l) => l.trim())
+    .filter(Boolean);
+  if (lines.length < 2) throw new Error('[minisign] invalid public key file');
+  const payload = lines.at(-1);
+  const bytes = decodeBase64Line(payload, 42);
+  const signatureAlgorithm = bytes.subarray(0, 2);
+  const keyId = bytes.subarray(2, 10);
+  const rawPublicKey = bytes.subarray(10, 42);
+  return { signatureAlgorithm, keyId, rawPublicKey };
+}
+
+function parseMinisignSignatureFile(sigFile) {
+  const lines = String(sigFile ?? '').split('\n');
+  if (lines.length < 4) throw new Error('[minisign] invalid signature file');
+
+  const untrustedPayload = String(lines[1] ?? '').trim();
+  const trustedComment = String(lines[2] ?? '');
+  const globalPayload = String(lines[3] ?? '').trim();
+
+  const untrustedBytes = decodeBase64Line(untrustedPayload, 74);
+  const signatureAlgorithm = untrustedBytes.subarray(0, 2);
+  const keyId = untrustedBytes.subarray(2, 10);
+  const signature = untrustedBytes.subarray(10, 74);
+
+  const globalSignature = decodeBase64Line(globalPayload, 64);
+
+  if (!trustedComment.startsWith('trusted comment: ')) {
+    throw new Error('[minisign] unexpected trusted comment format');
+  }
+  const trustedSuffix = Buffer.from(trustedComment.slice('trusted comment: '.length), 'utf-8');
+
+  return { signatureAlgorithm, keyId, signature, trustedSuffix, globalSignature };
+}
+
+function createEd25519PublicKey(rawPublicKey) {
+  if (!Buffer.isBuffer(rawPublicKey) || rawPublicKey.length !== 32) {
+    throw new Error('[minisign] invalid Ed25519 public key length');
+  }
+  const spki = Buffer.concat([ED25519_SPKI_PREFIX, rawPublicKey]);
+  return createPublicKey({ key: spki, format: 'der', type: 'spki' });
+}
+
+function bytesEqual(a, b) {
+  if (!a || !b) return false;
+  if (a.length !== b.length) return false;
+  // constant-time compare not required here (public data), but keep it simple.
+  return Buffer.compare(a, b) === 0;
+}
+
+export function verifyMinisign({ message, pubkeyFile, sigFile }) {
+  const bin = Buffer.isBuffer(message) ? message : Buffer.from(message ?? '');
+  const pubkey = parseMinisignPublicKeyFile(pubkeyFile);
+  const sig = parseMinisignSignatureFile(sigFile);
+
+  if (!bytesEqual(pubkey.signatureAlgorithm, Buffer.from('Ed'))) {
+    throw new Error('[minisign] incompatible public key signature algorithm');
+  }
+  if (!bytesEqual(pubkey.keyId, sig.keyId)) {
+    throw new Error('[minisign] incompatible key identifiers');
+  }
+
+  let prehashed = false;
+  if (bytesEqual(sig.signatureAlgorithm, Buffer.from('Ed'))) {
+    prehashed = false;
+  } else if (bytesEqual(sig.signatureAlgorithm, Buffer.from('ED'))) {
+    prehashed = true;
+  } else {
+    throw new Error('[minisign] unsupported signature algorithm');
+  }
+
+  const publicKey = createEd25519PublicKey(pubkey.rawPublicKey);
+  const payload = prehashed ? createHash('blake2b512').update(bin).digest() : bin;
+
+  const okSig = verify(null, payload, publicKey, sig.signature);
+  if (!okSig) return false;
+
+  const okGlobal = verify(null, Buffer.concat([sig.signature, sig.trustedSuffix]), publicKey, sig.globalSignature);
+  return okGlobal;
+}

package/src/minisign.verify.test.mjs

@@ -0,0 +1,75 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { generateKeyPairSync, sign } from 'node:crypto';
+
+import { verifyMinisign } from './minisign.mjs';
+
+function b64(buf) {
+  return Buffer.from(buf).toString('base64');
+}
+
+function base64UrlToBuffer(value) {
+  const s = String(value ?? '')
+    .replace(/-/g, '+')
+    .replace(/_/g, '/')
+    .padEnd(Math.ceil(String(value ?? '').length / 4) * 4, '=');
+  return Buffer.from(s, 'base64');
+}
+
+test('verifyMinisign validates Ed25519 minisign signatures (Ed)', () => {
+  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
+  const jwk = publicKey.export({ format: 'jwk' });
+  const rawPublicKey = base64UrlToBuffer(jwk.x);
+  assert.equal(rawPublicKey.length, 32);
+
+  const keyId = Buffer.from('0123456789abcdef', 'hex'); // 8 bytes
+  const publicKeyBytes = Buffer.concat([Buffer.from('Ed'), keyId, rawPublicKey]);
+
+  const pubkeyFile = `untrusted comment: minisign public key\n${b64(publicKeyBytes)}\n`;
+
+  const message = Buffer.from('hello from happier', 'utf-8');
+  const signature = sign(null, message, privateKey);
+  assert.equal(signature.length, 64);
+
+  const sigLineBytes = Buffer.concat([Buffer.from('Ed'), keyId, signature]);
+  const trustedComment = 'trusted comment: test';
+  const trustedSuffix = Buffer.from(trustedComment.slice('trusted comment: '.length), 'utf-8');
+  const globalSignature = sign(null, Buffer.concat([signature, trustedSuffix]), privateKey);
+  assert.equal(globalSignature.length, 64);
+
+  const sigFile = [
+    'untrusted comment: signature from happier test',
+    b64(sigLineBytes),
+    trustedComment,
+    b64(globalSignature),
+    '',
+  ].join('\n');
+
+  assert.equal(verifyMinisign({ message, pubkeyFile, sigFile }), true);
+});
+
+test('verifyMinisign rejects invalid signatures', () => {
+  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
+  const jwk = publicKey.export({ format: 'jwk' });
+  const rawPublicKey = base64UrlToBuffer(jwk.x);
+  const keyId = Buffer.from('0123456789abcdef', 'hex');
+  const publicKeyBytes = Buffer.concat([Buffer.from('Ed'), keyId, rawPublicKey]);
+  const pubkeyFile = `untrusted comment: minisign public key\n${b64(publicKeyBytes)}\n`;
+
+  const message = Buffer.from('hello', 'utf-8');
+  const signature = sign(null, message, privateKey);
+  const sigLineBytes = Buffer.concat([Buffer.from('Ed'), keyId, signature]);
+  const trustedComment = 'trusted comment: test';
+  const trustedSuffix = Buffer.from(trustedComment.slice('trusted comment: '.length), 'utf-8');
+  const globalSignature = sign(null, Buffer.concat([signature, trustedSuffix]), privateKey);
+  const sigFile = [
+    'untrusted comment: sig',
+    b64(sigLineBytes),
+    trustedComment,
+    b64(globalSignature),
+    '',
+  ].join('\n');
+
+  assert.equal(verifyMinisign({ message: Buffer.from('tampered', 'utf-8'), pubkeyFile, sigFile }), false);
+});
+

package/src/releaseAssets.mjs

@@ -0,0 +1,33 @@
+export function resolveServerReleaseAssets({ release, os, arch }) {
+  const assets = Array.isArray(release?.assets) ? release.assets : [];
+  const byName = new Map();
+  for (const asset of assets) {
+    const name = String(asset?.name ?? '');
+    const url = String(asset?.browser_download_url ?? '');
+    if (!name || !url) continue;
+    byName.set(name, { name, url });
+  }
+
+  const checksumsName = [...byName.keys()].find((name) => /^checksums-happier-server-v\d+\.\d+\.\d+\.txt$/.test(name));
+  if (!checksumsName) {
+    throw new Error('[server] missing checksums-happier-server-v<version>.txt asset');
+  }
+  const versionMatch = /^checksums-happier-server-v(\d+\.\d+\.\d+)\.txt$/.exec(checksumsName);
+  const version = versionMatch?.[1] ?? null;
+  if (!version) {
+    throw new Error('[server] unable to derive server version from checksums filename');
+  }
+
+  const checksumsSigName = `${checksumsName}.minisig`;
+  const tarballName = `happier-server-v${version}-${os}-${arch}.tar.gz`;
+
+  const checksums = byName.get(checksumsName) ?? null;
+  const checksumsSig = byName.get(checksumsSigName) ?? null;
+  const tarball = byName.get(tarballName) ?? null;
+
+  if (!checksums) throw new Error(`[server] missing release asset: ${checksumsName}`);
+  if (!checksumsSig) throw new Error(`[server] missing release asset: ${checksumsSigName}`);
+  if (!tarball) throw new Error(`[server] missing release asset: ${tarballName}`);
+
+  return { version, tarball, checksums, checksumsSig };
+}

package/src/releaseAssets.test.mjs

@@ -0,0 +1,28 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+
+import { resolveServerReleaseAssets } from './releaseAssets.mjs';
+
+test('resolveServerReleaseAssets picks tarball + checksums + minisig for linux-x64', () => {
+  const release = {
+    tag_name: 'server-preview',
+    assets: [
+      { name: 'checksums-happier-server-v0.1.0.txt', browser_download_url: 'https://example/checksums.txt' },
+      { name: 'checksums-happier-server-v0.1.0.txt.minisig', browser_download_url: 'https://example/checksums.txt.minisig' },
+      { name: 'happier-server-v0.1.0-linux-x64.tar.gz', browser_download_url: 'https://example/server.tgz' },
+      { name: 'happier-server-v0.1.0-linux-arm64.tar.gz', browser_download_url: 'https://example/server-arm.tgz' },
+    ],
+  };
+
+  const resolved = resolveServerReleaseAssets({ release, os: 'linux', arch: 'x64' });
+  assert.equal(resolved.version, '0.1.0');
+  assert.equal(resolved.tarball.name, 'happier-server-v0.1.0-linux-x64.tar.gz');
+  assert.equal(resolved.checksums.name, 'checksums-happier-server-v0.1.0.txt');
+  assert.equal(resolved.checksumsSig.name, 'checksums-happier-server-v0.1.0.txt.minisig');
+});
+
+test('resolveServerReleaseAssets throws when required assets are missing', () => {
+  const release = { tag_name: 'server-preview', assets: [{ name: 'nope', browser_download_url: 'x' }] };
+  assert.throws(() => resolveServerReleaseAssets({ release, os: 'linux', arch: 'x64' }));
+});
+