@ijfw/memory-server 1.4.0 → 1.4.3

package/src/dispatch/signer-cli.js

@@ -0,0 +1,311 @@
+/**
+ * dispatch/signer-cli.js — IJFW v1.4.3 W9-A2 / B15
+ *
+ * CLI handlers for signing-key management. Exported as the frozen
+ * `{ handlers, subcommandHelp }` shape so the Phase D orchestrator can wire
+ * them into the top-level dispatch table without per-area editing.
+ *
+ * Subcommands:
+ *
+ *   keygen <author> [--backend software|ssh-agent] [--ssh-key-comment <c>]
+ *     - Default backend: software (existing v1.4.0 behavior — generates a
+ *       fresh Ed25519 keypair on disk).
+ *     - --backend ssh-agent: NO private-key generation in IJFW. Connects
+ *       to the running SSH agent, enumerates Ed25519 identities, selects
+ *       one to enroll. Writes only the public material:
+ *         ~/.ijfw/keys/<keyId>/public.pem
+ *         ~/.ijfw/keys/<keyId>/backend.json
+ *           { backend, pubkey_blob_hex, keyId, ssh_key_comment }
+ *       The comment is recorded for display only; sign-time identity
+ *       selection matches on pubkey_blob_hex (SEC-H-03).
+ *
+ *   keygen-fido2 <author>
+ *     - Deferred stub. Prints a message routing users to ssh-agent or the
+ *       default software backend. Exits 0 (deferred, not failed).
+ *
+ * Spec: .planning/1.4.3/HANDOFF-1.4.3.md §B15
+ */
+
+import { mkdir, writeFile, chmod } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+import {
+  generatePublisherKeypair,
+} from '../extension-signer.js';
+import {
+  listAgentIdentities,
+  pubkeyBlobFromPem,
+  ed25519PemFromRaw,
+  publicKeyFingerprint,
+  _testInternals,
+} from '../hardware-signer.js';
+
+/**
+ * Parse argv-style array (or whitespace-split string) into `{ positional, flags }`.
+ * Supports `--flag` (boolean) and `--flag value` (string value).
+ *
+ * @param {string|string[]} input
+ * @returns {{ positional: string[], flags: Record<string, string|boolean> }}
+ */
+function parseArgs(input) {
+  const tokens = Array.isArray(input)
+    ? input.slice()
+    : String(input || '').trim().split(/\s+/).filter(Boolean);
+  const positional = [];
+  const flags = {};
+  for (let i = 0; i < tokens.length; i++) {
+    const tok = tokens[i];
+    if (tok.startsWith('--')) {
+      const name = tok.slice(2);
+      const next = tokens[i + 1];
+      if (next !== undefined && !next.startsWith('--')) {
+        flags[name] = next;
+        i += 1;
+      } else {
+        flags[name] = true;
+      }
+    } else {
+      positional.push(tok);
+    }
+  }
+  return { positional, flags };
+}
+
+/**
+ * Extract the SSH wire ssh-ed25519 alg prefix used for filtering Ed25519
+ * identities returned by the agent.
+ */
+const ED25519_ALG_PREFIX = _testInternals.sshWireString(_testInternals.SSH_ED25519_ALG);
+
+/**
+ * Build the per-key directory path under the (possibly overridden) home.
+ */
+function keysDir(home, keyId) {
+  return join(home, '.ijfw', 'keys', keyId);
+}
+
+/**
+ * Convert an SSH-wire Ed25519 pubkey blob back into PEM. Useful when
+ * enrolling — the agent gives us the wire blob, but downstream verify
+ * paths want PEM.
+ *
+ * @param {Buffer} blob
+ * @returns {string} PEM
+ */
+function ed25519PemFromBlob(blob) {
+  // Blob shape: ssh-string("ssh-ed25519") || ssh-string(raw32).
+  // Skip the alg prefix; the trailing string is the raw key.
+  const algLen = ED25519_ALG_PREFIX.length;
+  // The raw key follows; the leading 4 bytes are the length (always 32).
+  const raw = blob.slice(algLen + 4);
+  if (raw.length !== 32) {
+    throw new Error(`Expected 32-byte Ed25519 raw key, got ${raw.length}`);
+  }
+  return ed25519PemFromRaw(raw);
+}
+
+/**
+ * Filter agent identities to Ed25519 only.
+ *
+ * @param {Array<{blob: Buffer, comment: string}>} identities
+ * @returns {Array<{blob: Buffer, comment: string}>}
+ */
+function ed25519Only(identities) {
+  return identities.filter(
+    i => i.blob.length >= ED25519_ALG_PREFIX.length
+      && i.blob.slice(0, ED25519_ALG_PREFIX.length).equals(ED25519_ALG_PREFIX),
+  );
+}
+
+/**
+ * Enrol an existing SSH-agent identity as an IJFW publisher key.
+ *
+ * Workflow:
+ *   1. Connect to SSH_AUTH_SOCK (errors clearly if unavailable).
+ *   2. List identities; filter to Ed25519.
+ *   3. Resolve a single candidate. Selection precedence:
+ *      a. If --ssh-key-comment is provided, prefer that comment.
+ *      b. Otherwise: exactly 1 Ed25519 identity → auto-pick. Multiple
+ *         identities → fail with usage hint (interactive picker not yet
+ *         wired into MCP transport).
+ *   4. Compute keyId = sha256(SPKI-DER of the agent-key's PEM).
+ *   5. Write public.pem + backend.json to ~/.ijfw/keys/<keyId>/.
+ *
+ * @param {object} args
+ * @param {string} args.author informational author label
+ * @param {string} [args.sshKeyComment] disambiguator
+ * @param {string} [args.home] override ~/.ijfw root (test isolation)
+ * @param {string} [args.socketPath] override SSH_AUTH_SOCK (test isolation)
+ * @returns {Promise<{ ok: true, keyId: string, dir: string, ssh_key_comment: string, backend: 'ssh-agent' } | { ok: false, error: string }>}
+ */
+async function enrolSshAgentKey(args) {
+  const home = args.home || homedir();
+  let identities;
+  try {
+    identities = await listAgentIdentities(args.socketPath);
+  } catch (err) {
+    return { ok: false, error: err.message };
+  }
+  const candidates = ed25519Only(identities);
+  if (candidates.length === 0) {
+    return {
+      ok: false,
+      error: 'SSH agent has no Ed25519 identities; add one with `ssh-keygen -t ed25519` and `ssh-add`',
+    };
+  }
+  let chosen;
+  if (args.sshKeyComment) {
+    const matches = candidates.filter(c => c.comment === args.sshKeyComment);
+    if (matches.length === 0) {
+      return {
+        ok: false,
+        error: `SSH agent has no Ed25519 identity with comment ${JSON.stringify(args.sshKeyComment)}`,
+      };
+    }
+    if (matches.length > 1) {
+      return {
+        ok: false,
+        error: `Multiple SSH agent identities share comment ${JSON.stringify(args.sshKeyComment)}; comments are not unique — disambiguate by re-running ssh-add or removing duplicates`,
+      };
+    }
+    chosen = matches[0];
+  } else if (candidates.length === 1) {
+    chosen = candidates[0];
+  } else {
+    return {
+      ok: false,
+      error: `Multiple Ed25519 identities in SSH agent (${candidates.length}); pass --ssh-key-comment <c> to disambiguate. Comments seen: ${candidates.map(c => JSON.stringify(c.comment)).join(', ')}`,
+    };
+  }
+
+  let pem;
+  try {
+    pem = ed25519PemFromBlob(chosen.blob);
+  } catch (err) {
+    return { ok: false, error: `failed to convert agent blob to PEM: ${err.message}` };
+  }
+  const keyId = publicKeyFingerprint(pem);
+  // Belt-and-braces self-consistency check: the blob we just stored should
+  // round-trip back through PEM and yield the same blob.
+  const roundTripBlob = pubkeyBlobFromPem(pem);
+  if (!roundTripBlob.equals(chosen.blob)) {
+    return {
+      ok: false,
+      error: 'internal: pubkey blob round-trip via PEM differed; refusing to enrol',
+    };
+  }
+
+  const dir = keysDir(home, keyId);
+  await mkdir(dir, { recursive: true, mode: 0o700 });
+  try { await chmod(dir, 0o700); } catch { /* best-effort */ }
+  await writeFile(join(dir, 'public.pem'), pem, 'utf8');
+  try { await chmod(join(dir, 'public.pem'), 0o644); } catch { /* best-effort */ }
+  const backendJson = {
+    backend: 'ssh-agent',
+    pubkey_blob_hex: chosen.blob.toString('hex'),
+    keyId,
+    ssh_key_comment: chosen.comment, // display only — never used for matching
+  };
+  await writeFile(
+    join(dir, 'backend.json'),
+    JSON.stringify(backendJson, null, 2) + '\n',
+    'utf8',
+  );
+  if (typeof args.author === 'string' && args.author.length > 0) {
+    try {
+      await writeFile(
+        join(dir, 'author.txt'),
+        `${args.author}\n${new Date().toISOString()}\n`,
+        'utf8',
+      );
+    } catch { /* non-fatal */ }
+  }
+
+  return {
+    ok: true,
+    keyId,
+    dir,
+    ssh_key_comment: chosen.comment,
+    backend: 'ssh-agent',
+  };
+}
+
+/**
+ * keygen handler. Dispatches to software (default) or ssh-agent backend
+ * per --backend.
+ *
+ * @param {string|string[]} args
+ * @param {object} [ctx]
+ * @returns {Promise<object>}
+ */
+async function keygenHandler(args, ctx = {}) {
+  const { positional, flags } = parseArgs(args);
+  const author = positional[0] || '';
+  const backend = flags.backend === true ? undefined : flags.backend;
+
+  if (backend === undefined || backend === 'software') {
+    const kp = await generatePublisherKeypair(author);
+    return {
+      ok: true,
+      backend: 'software',
+      keyId: kp.keyId,
+      dir: kp.dir,
+      publicKey: kp.publicKey,
+    };
+  }
+
+  if (backend === 'ssh-agent') {
+    const sshKeyComment = flags['ssh-key-comment'] === true
+      ? undefined
+      : flags['ssh-key-comment'];
+    return enrolSshAgentKey({
+      author,
+      sshKeyComment,
+      home: ctx.home,
+      socketPath: ctx.socketPath,
+    });
+  }
+
+  // Fail-closed per SEC-L-02. Unknown backend names must not silently fall
+  // through to software.
+  return {
+    ok: false,
+    error: `Unsupported --backend value ${JSON.stringify(backend)}; valid: software, ssh-agent`,
+  };
+}
+
+/**
+ * keygen-fido2 handler — deferred stub.
+ *
+ * Native libfido2 bindings would be IJFW's first native prod dep; that's
+ * a v1.5.0+ architecture decision. For v1.4.3, FIDO2-backed signing is
+ * available transitively via ssh-agent (modern YubiKey/Solokey speak
+ * SSH agent natively).
+ *
+ * @returns {Promise<{ ok: true, deferred: true, message: string }>}
+ */
+async function keygenFido2Handler(_args, ctx = {}) {
+  const msg = 'FIDO2/libfido2 path deferred to v1.5.0; use --backend ssh-agent or default software backend';
+  // Write to stderr for CLI visibility without disturbing JSON-stdout
+  // consumers. Optionally inject a writer via ctx for tests.
+  const stderr = ctx.stderr || process.stderr;
+  try { stderr.write(`${msg}\n`); } catch { /* ignore */ }
+  return { ok: true, deferred: true, message: msg };
+}
+
+export const handlers = Object.freeze({
+  keygen: keygenHandler,
+  'keygen-fido2': keygenFido2Handler,
+});
+
+export const subcommandHelp = Object.freeze({
+  keygen: 'keygen <author> [--backend software|ssh-agent] [--ssh-key-comment <c>] — generate or enrol a publisher signing key',
+  'keygen-fido2': 'keygen-fido2 <author> — deferred to v1.5.0; use --backend ssh-agent instead',
+});
+
+// Test-only exports.
+export const _testOnly = Object.freeze({
+  parseArgs,
+  enrolSshAgentKey,
+});

package/src/extension-installer.js

@@ -36,6 +36,7 @@ import { randomBytes } from 'node:crypto';
 import { spawn } from 'node:child_process';
 import { get as httpsGet } from 'node:https';
 import { pipeline } from 'node:stream/promises';
+import { createInterface } from 'node:readline';
 
 import {
   validateExtensionManifest,
@@ -79,6 +80,35 @@ const EXTENSION_NAME_PATTERN = /^(@[a-z0-9-]+\/)?[a-z][a-z0-9-]*$/;
 // Verdicts considered acceptable for a normal install (3/3 lenses).
 const ACCEPTABLE_VERDICTS = new Set(['PASS', 'CONDITIONAL']);
 
+// --- helpers: TTY confirmation ---------------------------------------------
+
+/**
+ * Prompt the user to confirm an untrusted publisher by typing the last 8 chars
+ * of the keyId. Returns true on match, false on mismatch or EOF.
+ * Only called when process.stdin.isTTY === true.
+ *
+ * @param {string} keyId
+ * @returns {Promise<boolean>}
+ */
+export async function promptUntrustedConfirmation(keyId) {
+  const expected = keyId.slice(-8);
+  return new Promise((resolve) => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+    const prompt =
+      `⚠️  Extension is signed by publisher keyId ${keyId} but ${keyId} is not in your trusted publishers store.\n` +
+      `   Type the LAST 8 CHARS of the keyId (lowercase hex) to confirm: `;
+    let answered = false;
+    rl.question(prompt, (line) => {
+      answered = true;
+      rl.close();
+      resolve(line.trim() === expected);
+    });
+    rl.once('close', () => {
+      if (!answered) resolve(false); // EOF / ctrl-D
+    });
+  });
+}
+
 // --- helpers: source resolution -------------------------------------------
 
 /**
@@ -763,6 +793,15 @@ export async function installExtension(source, opts = {}) {
             errors: [`signature: verify failed: ${sigCheck.reason}${kidHint}`],
           };
         }
+        // B11: when stdin is a TTY, require the user to confirm by typing the
+        // last 8 chars of the keyId. Non-TTY (CI / scripted) falls through to
+        // the stderr-warn path unchanged — no regression for automation.
+        if (process.stdin.isTTY === true && sigCheck.publisherKeyId) {
+          const confirmed = await promptUntrustedConfirmation(sigCheck.publisherKeyId);
+          if (!confirmed) {
+            return { ok: false, errors: ['signature: untrusted confirmation cancelled'] };
+          }
+        }
         process.stderr.write(
           `[ijfw] extension-installer: signature unverified for ${manifest.name}: ${sigCheck.reason}\n`,
         );

package/src/extension-manifest-schema.js

@@ -297,5 +297,30 @@ export function validateExtensionManifest(obj) {
     }
   }
 
+  // === B15: publisher_key_backend ===
+  if (obj.publisher_key_backend !== undefined) {
+    if (obj.publisher_key_backend !== 'software' && obj.publisher_key_backend !== 'ssh-agent') {
+      errors.push("publisher_key_backend: must be 'software' or 'ssh-agent'");
+    }
+  }
+
+  // === B16: quotas ===
+  if (obj.quotas !== undefined) {
+    if (obj.quotas === null || typeof obj.quotas !== 'object' || Array.isArray(obj.quotas)) {
+      errors.push('quotas: must be an object');
+    } else {
+      const ALLOWED_DIMS = ['max_files_written', 'max_bytes_written', 'max_wall_clock_ms'];
+      for (const [k, v] of Object.entries(obj.quotas)) {
+        if (!ALLOWED_DIMS.includes(k)) {
+          // forward-compat: unknown quota dimensions ignored with warning (no error push)
+          continue;
+        }
+        if (!Number.isInteger(v) || v <= 0) {
+          errors.push(`quotas.${k}: must be a positive integer`);
+        }
+      }
+    }
+  }
+
   return { valid: errors.length === 0, errors };
 }

package/src/extension-permission-check.mjs

@@ -0,0 +1,140 @@
+#!/usr/bin/env node
+// IJFW v1.4.1 B7 -- shared extension permission checker.
+//
+// Reads ~/.ijfw/state/active-extension.json. Accepts a JSON payload on stdin
+// with shape { hook_event_name, tool_name, tool_input } (Claude/Codex shape --
+// callers reshape platform-specific payloads before piping here).
+//
+// Exit 0 = allow. Exit 1 = deny (stderr message emitted).
+// With no active-extension.json: always exit 0 (backwards-compat invariant).
+//
+// Also appends one JSON line per check to ~/.ijfw/state/permission-events.jsonl
+// (best-effort: failures are swallowed so logging never breaks tool dispatch).
+
+import { readFile, appendFile, mkdir } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+// B16/SEC-H-01 — quota enforcement on tier-2 hook side. Mirrors the tier-1
+// gate in server.js so both paths converge on the same counters.
+import { checkAndIncrement as quotaCheckAndIncrement } from './extension-quota-tracker.js';
+
+async function emitEvent(home, extensionName, toolName, allowed, reason) {
+  try {
+    const stateDir = join(home, '.ijfw', 'state');
+    await mkdir(stateDir, { recursive: true });
+    const event = { ts: new Date().toISOString(), extension: extensionName, tool: toolName, allowed };
+    if (reason) event.reason = reason;
+    await appendFile(join(stateDir, 'permission-events.jsonl'), JSON.stringify(event) + '\n', 'utf8');
+  } catch {
+    // Best-effort: swallow all errors.
+  }
+}
+
+const home = process.env.HOME || process.env.USERPROFILE || homedir();
+const stateFile = join(home, '.ijfw', 'state', 'active-extension.json');
+
+let active;
+try {
+  const raw = await readFile(stateFile, 'utf8');
+  active = JSON.parse(raw);
+  if (!active || typeof active !== 'object' || !active.name || !active.permissions) {
+    process.stderr.write('ijfw extension permission check: malformed active-extension state\n');
+    process.exit(1);
+  }
+} catch (err) {
+  if (err.code === 'ENOENT') process.exit(0); // no active extension -- allow
+  process.stderr.write(`ijfw extension permission check: ${err.message}\n`);
+  process.exit(1);
+}
+
+// B18 — surface cross-IDE divergence as a non-blocking stderr warning.
+// Mirrors runtime-mediator.maybeWarnDivergence on the tier-2 hook side.
+try {
+  const { detectCrossIdeDivergence } = await import('./active-extension-writer.js');
+  const verdict = await detectCrossIdeDivergence({ homeDir: home });
+  if (verdict && verdict.divergent) {
+    const age = typeof verdict.age_seconds === 'number' ? `${verdict.age_seconds}s ago` : 'unknown time ago';
+    process.stderr.write(
+      `[ijfw] active extension last activated by '${verdict.last_writer}' ${age}; this IDE is '${verdict.current_ide}'\n`,
+    );
+  }
+} catch {
+  // Best-effort: divergence detection never blocks the hook.
+}
+
+const chunks = [];
+for await (const c of process.stdin) chunks.push(c);
+const payload_str = chunks.join('');
+if (!payload_str.trim()) process.exit(0);
+
+let req;
+try { req = JSON.parse(payload_str); } catch { process.exit(0); }
+
+const tool = req.tool_name || '';
+const writes = new Set(active.permissions.writes || []);
+const reads = new Set(active.permissions.reads || []);
+const writeTools = new Set(['Edit', 'Write', 'NotebookEdit', 'Bash']);
+const readTools = new Set(['Read', 'Glob', 'Grep', 'LS', 'NotebookRead', 'WebFetch', 'WebSearch']);
+
+const has = (set, want) =>
+  set.has(want) ||
+  set.has('*') ||
+  [...set].some((p) => p.endsWith(':*') && want.startsWith(p.slice(0, -1)));
+
+if (writeTools.has(tool) && !has(writes, `tool:${tool.toLowerCase()}`) && !has(writes, 'tool:*')) {
+  const reason = `not in permissions.writes`;
+  process.stderr.write(`extension "${active.name}" not permitted to use ${tool} (declare tool:${tool.toLowerCase()} in permissions.writes)\n`);
+  await emitEvent(home, active.name, tool, false, reason);
+  process.exit(1);
+}
+if (readTools.has(tool) && !has(reads, `tool:${tool.toLowerCase()}`) && !has(reads, 'tool:*')) {
+  const reason = `not in permissions.reads`;
+  process.stderr.write(`extension "${active.name}" not permitted to use ${tool} (declare tool:${tool.toLowerCase()} in permissions.reads)\n`);
+  await emitEvent(home, active.name, tool, false, reason);
+  process.exit(1);
+}
+
+// B16: quota enforcement on tier-2 hook side. Permission has passed; if the
+// active extension declared quotas, check the relevant dimension.
+const quotas = (active && typeof active.quotas === 'object' && active.quotas) ? active.quotas : null;
+if (quotas && writeTools.has(tool)) {
+  const lc = tool.toLowerCase();
+  // files_written dimension for Edit/Write/NotebookEdit/Bash.
+  if (typeof quotas.max_files_written === 'number' && quotas.max_files_written > 0) {
+    const filePath = (req.tool_input && (req.tool_input.file_path || req.tool_input.path || req.tool_input.notebook_path)) || null;
+    const r = await quotaCheckAndIncrement(active.name, 'files_written', 1, quotas.max_files_written, { homeDir: home, path: typeof filePath === 'string' ? filePath : null });
+    if (!r.allowed) {
+      process.stderr.write(`[ijfw] extension '${active.name}' exceeded quota files_written (${r.current + 1}/${r.limit})\n`);
+      await emitEvent(home, active.name, tool, false, `quota:files_written ${r.current + 1}/${r.limit}`);
+      process.exit(1);
+    }
+  }
+  if (typeof quotas.max_bytes_written === 'number' && quotas.max_bytes_written > 0) {
+    let bytes = 0;
+    try {
+      const ti = req.tool_input || {};
+      if (typeof ti.content === 'string') bytes += ti.content.length;
+      if (typeof ti.new_string === 'string') bytes += ti.new_string.length;
+      if (typeof ti.command === 'string' && lc === 'bash') bytes += ti.command.length;
+    } catch { /* defensive */ }
+    if (bytes > 0) {
+      const r = await quotaCheckAndIncrement(active.name, 'bytes_written', bytes, quotas.max_bytes_written, { homeDir: home });
+      if (!r.allowed) {
+        process.stderr.write(`[ijfw] extension '${active.name}' exceeded quota bytes_written (${r.current + bytes}/${r.limit})\n`);
+        await emitEvent(home, active.name, tool, false, `quota:bytes_written ${r.current + bytes}/${r.limit}`);
+        process.exit(1);
+      }
+    }
+  }
+}
+if (quotas && typeof quotas.max_wall_clock_ms === 'number' && quotas.max_wall_clock_ms > 0) {
+  const r = await quotaCheckAndIncrement(active.name, 'wall_clock_ms', 0, quotas.max_wall_clock_ms, { homeDir: home });
+  if (!r.allowed) {
+    process.stderr.write(`[ijfw] extension '${active.name}' exceeded quota wall_clock_ms (${r.current}/${r.limit})\n`);
+    await emitEvent(home, active.name, tool, false, `quota:wall_clock_ms ${r.current}/${r.limit}`);
+    process.exit(1);
+  }
+}
+
+await emitEvent(home, active.name, tool, true);
+process.exit(0);