@ijfw/memory-server 1.4.1 → 1.4.3

package/src/dispatch/signer-cli.js

@@ -0,0 +1,311 @@
+/**
+ * dispatch/signer-cli.js — IJFW v1.4.3 W9-A2 / B15
+ *
+ * CLI handlers for signing-key management. Exported as the frozen
+ * `{ handlers, subcommandHelp }` shape so the Phase D orchestrator can wire
+ * them into the top-level dispatch table without per-area editing.
+ *
+ * Subcommands:
+ *
+ *   keygen <author> [--backend software|ssh-agent] [--ssh-key-comment <c>]
+ *     - Default backend: software (existing v1.4.0 behavior — generates a
+ *       fresh Ed25519 keypair on disk).
+ *     - --backend ssh-agent: NO private-key generation in IJFW. Connects
+ *       to the running SSH agent, enumerates Ed25519 identities, selects
+ *       one to enroll. Writes only the public material:
+ *         ~/.ijfw/keys/<keyId>/public.pem
+ *         ~/.ijfw/keys/<keyId>/backend.json
+ *           { backend, pubkey_blob_hex, keyId, ssh_key_comment }
+ *       The comment is recorded for display only; sign-time identity
+ *       selection matches on pubkey_blob_hex (SEC-H-03).
+ *
+ *   keygen-fido2 <author>
+ *     - Deferred stub. Prints a message routing users to ssh-agent or the
+ *       default software backend. Exits 0 (deferred, not failed).
+ *
+ * Spec: .planning/1.4.3/HANDOFF-1.4.3.md §B15
+ */
+
+import { mkdir, writeFile, chmod } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+import {
+  generatePublisherKeypair,
+} from '../extension-signer.js';
+import {
+  listAgentIdentities,
+  pubkeyBlobFromPem,
+  ed25519PemFromRaw,
+  publicKeyFingerprint,
+  _testInternals,
+} from '../hardware-signer.js';
+
+/**
+ * Parse argv-style array (or whitespace-split string) into `{ positional, flags }`.
+ * Supports `--flag` (boolean) and `--flag value` (string value).
+ *
+ * @param {string|string[]} input
+ * @returns {{ positional: string[], flags: Record<string, string|boolean> }}
+ */
+function parseArgs(input) {
+  const tokens = Array.isArray(input)
+    ? input.slice()
+    : String(input || '').trim().split(/\s+/).filter(Boolean);
+  const positional = [];
+  const flags = {};
+  for (let i = 0; i < tokens.length; i++) {
+    const tok = tokens[i];
+    if (tok.startsWith('--')) {
+      const name = tok.slice(2);
+      const next = tokens[i + 1];
+      if (next !== undefined && !next.startsWith('--')) {
+        flags[name] = next;
+        i += 1;
+      } else {
+        flags[name] = true;
+      }
+    } else {
+      positional.push(tok);
+    }
+  }
+  return { positional, flags };
+}
+
+/**
+ * Extract the SSH wire ssh-ed25519 alg prefix used for filtering Ed25519
+ * identities returned by the agent.
+ */
+const ED25519_ALG_PREFIX = _testInternals.sshWireString(_testInternals.SSH_ED25519_ALG);
+
+/**
+ * Build the per-key directory path under the (possibly overridden) home.
+ */
+function keysDir(home, keyId) {
+  return join(home, '.ijfw', 'keys', keyId);
+}
+
+/**
+ * Convert an SSH-wire Ed25519 pubkey blob back into PEM. Useful when
+ * enrolling — the agent gives us the wire blob, but downstream verify
+ * paths want PEM.
+ *
+ * @param {Buffer} blob
+ * @returns {string} PEM
+ */
+function ed25519PemFromBlob(blob) {
+  // Blob shape: ssh-string("ssh-ed25519") || ssh-string(raw32).
+  // Skip the alg prefix; the trailing string is the raw key.
+  const algLen = ED25519_ALG_PREFIX.length;
+  // The raw key follows; the leading 4 bytes are the length (always 32).
+  const raw = blob.slice(algLen + 4);
+  if (raw.length !== 32) {
+    throw new Error(`Expected 32-byte Ed25519 raw key, got ${raw.length}`);
+  }
+  return ed25519PemFromRaw(raw);
+}
+
+/**
+ * Filter agent identities to Ed25519 only.
+ *
+ * @param {Array<{blob: Buffer, comment: string}>} identities
+ * @returns {Array<{blob: Buffer, comment: string}>}
+ */
+function ed25519Only(identities) {
+  return identities.filter(
+    i => i.blob.length >= ED25519_ALG_PREFIX.length
+      && i.blob.slice(0, ED25519_ALG_PREFIX.length).equals(ED25519_ALG_PREFIX),
+  );
+}
+
+/**
+ * Enrol an existing SSH-agent identity as an IJFW publisher key.
+ *
+ * Workflow:
+ *   1. Connect to SSH_AUTH_SOCK (errors clearly if unavailable).
+ *   2. List identities; filter to Ed25519.
+ *   3. Resolve a single candidate. Selection precedence:
+ *      a. If --ssh-key-comment is provided, prefer that comment.
+ *      b. Otherwise: exactly 1 Ed25519 identity → auto-pick. Multiple
+ *         identities → fail with usage hint (interactive picker not yet
+ *         wired into MCP transport).
+ *   4. Compute keyId = sha256(SPKI-DER of the agent-key's PEM).
+ *   5. Write public.pem + backend.json to ~/.ijfw/keys/<keyId>/.
+ *
+ * @param {object} args
+ * @param {string} args.author informational author label
+ * @param {string} [args.sshKeyComment] disambiguator
+ * @param {string} [args.home] override ~/.ijfw root (test isolation)
+ * @param {string} [args.socketPath] override SSH_AUTH_SOCK (test isolation)
+ * @returns {Promise<{ ok: true, keyId: string, dir: string, ssh_key_comment: string, backend: 'ssh-agent' } | { ok: false, error: string }>}
+ */
+async function enrolSshAgentKey(args) {
+  const home = args.home || homedir();
+  let identities;
+  try {
+    identities = await listAgentIdentities(args.socketPath);
+  } catch (err) {
+    return { ok: false, error: err.message };
+  }
+  const candidates = ed25519Only(identities);
+  if (candidates.length === 0) {
+    return {
+      ok: false,
+      error: 'SSH agent has no Ed25519 identities; add one with `ssh-keygen -t ed25519` and `ssh-add`',
+    };
+  }
+  let chosen;
+  if (args.sshKeyComment) {
+    const matches = candidates.filter(c => c.comment === args.sshKeyComment);
+    if (matches.length === 0) {
+      return {
+        ok: false,
+        error: `SSH agent has no Ed25519 identity with comment ${JSON.stringify(args.sshKeyComment)}`,
+      };
+    }
+    if (matches.length > 1) {
+      return {
+        ok: false,
+        error: `Multiple SSH agent identities share comment ${JSON.stringify(args.sshKeyComment)}; comments are not unique — disambiguate by re-running ssh-add or removing duplicates`,
+      };
+    }
+    chosen = matches[0];
+  } else if (candidates.length === 1) {
+    chosen = candidates[0];
+  } else {
+    return {
+      ok: false,
+      error: `Multiple Ed25519 identities in SSH agent (${candidates.length}); pass --ssh-key-comment <c> to disambiguate. Comments seen: ${candidates.map(c => JSON.stringify(c.comment)).join(', ')}`,
+    };
+  }
+
+  let pem;
+  try {
+    pem = ed25519PemFromBlob(chosen.blob);
+  } catch (err) {
+    return { ok: false, error: `failed to convert agent blob to PEM: ${err.message}` };
+  }
+  const keyId = publicKeyFingerprint(pem);
+  // Belt-and-braces self-consistency check: the blob we just stored should
+  // round-trip back through PEM and yield the same blob.
+  const roundTripBlob = pubkeyBlobFromPem(pem);
+  if (!roundTripBlob.equals(chosen.blob)) {
+    return {
+      ok: false,
+      error: 'internal: pubkey blob round-trip via PEM differed; refusing to enrol',
+    };
+  }
+
+  const dir = keysDir(home, keyId);
+  await mkdir(dir, { recursive: true, mode: 0o700 });
+  try { await chmod(dir, 0o700); } catch { /* best-effort */ }
+  await writeFile(join(dir, 'public.pem'), pem, 'utf8');
+  try { await chmod(join(dir, 'public.pem'), 0o644); } catch { /* best-effort */ }
+  const backendJson = {
+    backend: 'ssh-agent',
+    pubkey_blob_hex: chosen.blob.toString('hex'),
+    keyId,
+    ssh_key_comment: chosen.comment, // display only — never used for matching
+  };
+  await writeFile(
+    join(dir, 'backend.json'),
+    JSON.stringify(backendJson, null, 2) + '\n',
+    'utf8',
+  );
+  if (typeof args.author === 'string' && args.author.length > 0) {
+    try {
+      await writeFile(
+        join(dir, 'author.txt'),
+        `${args.author}\n${new Date().toISOString()}\n`,
+        'utf8',
+      );
+    } catch { /* non-fatal */ }
+  }
+
+  return {
+    ok: true,
+    keyId,
+    dir,
+    ssh_key_comment: chosen.comment,
+    backend: 'ssh-agent',
+  };
+}
+
+/**
+ * keygen handler. Dispatches to software (default) or ssh-agent backend
+ * per --backend.
+ *
+ * @param {string|string[]} args
+ * @param {object} [ctx]
+ * @returns {Promise<object>}
+ */
+async function keygenHandler(args, ctx = {}) {
+  const { positional, flags } = parseArgs(args);
+  const author = positional[0] || '';
+  const backend = flags.backend === true ? undefined : flags.backend;
+
+  if (backend === undefined || backend === 'software') {
+    const kp = await generatePublisherKeypair(author);
+    return {
+      ok: true,
+      backend: 'software',
+      keyId: kp.keyId,
+      dir: kp.dir,
+      publicKey: kp.publicKey,
+    };
+  }
+
+  if (backend === 'ssh-agent') {
+    const sshKeyComment = flags['ssh-key-comment'] === true
+      ? undefined
+      : flags['ssh-key-comment'];
+    return enrolSshAgentKey({
+      author,
+      sshKeyComment,
+      home: ctx.home,
+      socketPath: ctx.socketPath,
+    });
+  }
+
+  // Fail-closed per SEC-L-02. Unknown backend names must not silently fall
+  // through to software.
+  return {
+    ok: false,
+    error: `Unsupported --backend value ${JSON.stringify(backend)}; valid: software, ssh-agent`,
+  };
+}
+
+/**
+ * keygen-fido2 handler — deferred stub.
+ *
+ * Native libfido2 bindings would be IJFW's first native prod dep; that's
+ * a v1.5.0+ architecture decision. For v1.4.3, FIDO2-backed signing is
+ * available transitively via ssh-agent (modern YubiKey/Solokey speak
+ * SSH agent natively).
+ *
+ * @returns {Promise<{ ok: true, deferred: true, message: string }>}
+ */
+async function keygenFido2Handler(_args, ctx = {}) {
+  const msg = 'FIDO2/libfido2 path deferred to v1.5.0; use --backend ssh-agent or default software backend';
+  // Write to stderr for CLI visibility without disturbing JSON-stdout
+  // consumers. Optionally inject a writer via ctx for tests.
+  const stderr = ctx.stderr || process.stderr;
+  try { stderr.write(`${msg}\n`); } catch { /* ignore */ }
+  return { ok: true, deferred: true, message: msg };
+}
+
+export const handlers = Object.freeze({
+  keygen: keygenHandler,
+  'keygen-fido2': keygenFido2Handler,
+});
+
+export const subcommandHelp = Object.freeze({
+  keygen: 'keygen <author> [--backend software|ssh-agent] [--ssh-key-comment <c>] — generate or enrol a publisher signing key',
+  'keygen-fido2': 'keygen-fido2 <author> — deferred to v1.5.0; use --backend ssh-agent instead',
+});
+
+// Test-only exports.
+export const _testOnly = Object.freeze({
+  parseArgs,
+  enrolSshAgentKey,
+});

package/src/extension-manifest-schema.js

@@ -297,5 +297,30 @@ export function validateExtensionManifest(obj) {
     }
   }
 
+  // === B15: publisher_key_backend ===
+  if (obj.publisher_key_backend !== undefined) {
+    if (obj.publisher_key_backend !== 'software' && obj.publisher_key_backend !== 'ssh-agent') {
+      errors.push("publisher_key_backend: must be 'software' or 'ssh-agent'");
+    }
+  }
+
+  // === B16: quotas ===
+  if (obj.quotas !== undefined) {
+    if (obj.quotas === null || typeof obj.quotas !== 'object' || Array.isArray(obj.quotas)) {
+      errors.push('quotas: must be an object');
+    } else {
+      const ALLOWED_DIMS = ['max_files_written', 'max_bytes_written', 'max_wall_clock_ms'];
+      for (const [k, v] of Object.entries(obj.quotas)) {
+        if (!ALLOWED_DIMS.includes(k)) {
+          // forward-compat: unknown quota dimensions ignored with warning (no error push)
+          continue;
+        }
+        if (!Number.isInteger(v) || v <= 0) {
+          errors.push(`quotas.${k}: must be a positive integer`);
+        }
+      }
+    }
+  }
+
   return { valid: errors.length === 0, errors };
 }

package/src/extension-permission-check.mjs

@@ -14,6 +14,9 @@
 import { readFile, appendFile, mkdir } from 'node:fs/promises';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
+// B16/SEC-H-01 — quota enforcement on tier-2 hook side. Mirrors the tier-1
+// gate in server.js so both paths converge on the same counters.
+import { checkAndIncrement as quotaCheckAndIncrement } from './extension-quota-tracker.js';
 
 async function emitEvent(home, extensionName, toolName, allowed, reason) {
   try {
@@ -44,6 +47,21 @@ try {
   process.exit(1);
 }
 
+// B18 — surface cross-IDE divergence as a non-blocking stderr warning.
+// Mirrors runtime-mediator.maybeWarnDivergence on the tier-2 hook side.
+try {
+  const { detectCrossIdeDivergence } = await import('./active-extension-writer.js');
+  const verdict = await detectCrossIdeDivergence({ homeDir: home });
+  if (verdict && verdict.divergent) {
+    const age = typeof verdict.age_seconds === 'number' ? `${verdict.age_seconds}s ago` : 'unknown time ago';
+    process.stderr.write(
+      `[ijfw] active extension last activated by '${verdict.last_writer}' ${age}; this IDE is '${verdict.current_ide}'\n`,
+    );
+  }
+} catch {
+  // Best-effort: divergence detection never blocks the hook.
+}
+
 const chunks = [];
 for await (const c of process.stdin) chunks.push(c);
 const payload_str = chunks.join('');
@@ -75,5 +93,48 @@ if (readTools.has(tool) && !has(reads, `tool:${tool.toLowerCase()}`) && !has(rea
   await emitEvent(home, active.name, tool, false, reason);
   process.exit(1);
 }
+
+// B16: quota enforcement on tier-2 hook side. Permission has passed; if the
+// active extension declared quotas, check the relevant dimension.
+const quotas = (active && typeof active.quotas === 'object' && active.quotas) ? active.quotas : null;
+if (quotas && writeTools.has(tool)) {
+  const lc = tool.toLowerCase();
+  // files_written dimension for Edit/Write/NotebookEdit/Bash.
+  if (typeof quotas.max_files_written === 'number' && quotas.max_files_written > 0) {
+    const filePath = (req.tool_input && (req.tool_input.file_path || req.tool_input.path || req.tool_input.notebook_path)) || null;
+    const r = await quotaCheckAndIncrement(active.name, 'files_written', 1, quotas.max_files_written, { homeDir: home, path: typeof filePath === 'string' ? filePath : null });
+    if (!r.allowed) {
+      process.stderr.write(`[ijfw] extension '${active.name}' exceeded quota files_written (${r.current + 1}/${r.limit})\n`);
+      await emitEvent(home, active.name, tool, false, `quota:files_written ${r.current + 1}/${r.limit}`);
+      process.exit(1);
+    }
+  }
+  if (typeof quotas.max_bytes_written === 'number' && quotas.max_bytes_written > 0) {
+    let bytes = 0;
+    try {
+      const ti = req.tool_input || {};
+      if (typeof ti.content === 'string') bytes += ti.content.length;
+      if (typeof ti.new_string === 'string') bytes += ti.new_string.length;
+      if (typeof ti.command === 'string' && lc === 'bash') bytes += ti.command.length;
+    } catch { /* defensive */ }
+    if (bytes > 0) {
+      const r = await quotaCheckAndIncrement(active.name, 'bytes_written', bytes, quotas.max_bytes_written, { homeDir: home });
+      if (!r.allowed) {
+        process.stderr.write(`[ijfw] extension '${active.name}' exceeded quota bytes_written (${r.current + bytes}/${r.limit})\n`);
+        await emitEvent(home, active.name, tool, false, `quota:bytes_written ${r.current + bytes}/${r.limit}`);
+        process.exit(1);
+      }
+    }
+  }
+}
+if (quotas && typeof quotas.max_wall_clock_ms === 'number' && quotas.max_wall_clock_ms > 0) {
+  const r = await quotaCheckAndIncrement(active.name, 'wall_clock_ms', 0, quotas.max_wall_clock_ms, { homeDir: home });
+  if (!r.allowed) {
+    process.stderr.write(`[ijfw] extension '${active.name}' exceeded quota wall_clock_ms (${r.current}/${r.limit})\n`);
+    await emitEvent(home, active.name, tool, false, `quota:wall_clock_ms ${r.current}/${r.limit}`);
+    process.exit(1);
+  }
+}
+
 await emitEvent(home, active.name, tool, true);
 process.exit(0);