@kvell007/embed-labs-cli 0.1.0-alpha.13 → 0.1.0-alpha.15

package/dist/index.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { createHash } from "node:crypto";
+import { createHash, createHmac, randomBytes } from "node:crypto";
 import { constants } from "node:fs";
 import { spawn } from "node:child_process";
 import { access, cp, mkdir, mkdtemp, readFile, readdir, rm, stat, writeFile } from "node:fs/promises";
@@ -1352,27 +1352,45 @@ function isApiResponse(value) {
 }
 async function bridgeGet(path) {
     const response = await fetch(`${DEFAULT_BRIDGE_URL}${path}`, {
-        headers: bridgeHeaders()
+        headers: bridgeHeaders("GET", path, "")
     });
     return await response.json();
 }
 async function bridgePost(path, body) {
+    const bodyText = JSON.stringify(body);
     const response = await fetch(`${DEFAULT_BRIDGE_URL}${path}`, {
         method: "POST",
-        headers: bridgeHeaders({ "content-type": "application/json" }),
-        body: JSON.stringify(body)
+        headers: bridgeHeaders("POST", path, bodyText, { "content-type": "application/json" }),
+        body: bodyText
     });
     return await response.json();
 }
-function bridgeHeaders(base = {}) {
+function bridgeHeaders(method, path, bodyText, base = {}) {
     const token = process.env.EMBED_BRIDGE_TOKEN?.trim();
     if (!token) {
         return base;
     }
-    return {
+    const headers = {
         ...base,
         authorization: `Bearer ${token}`
     };
+    addBridgeRequestSignature(headers, method, path, bodyText, token);
+    return headers;
+}
+function addBridgeRequestSignature(headers, method, pathWithQuery, bodyText, token) {
+    if (process.env.EMBED_BRIDGE_SIGNING === "0") {
+        return;
+    }
+    const timestamp = String(Math.floor(Date.now() / 1000));
+    const nonce = randomBytes(16).toString("hex");
+    const bodySha256 = createHash("sha256").update(bodyText).digest("hex");
+    const keyId = createHash("sha256").update(token).digest("hex").slice(0, 16);
+    const canonical = cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256);
+    headers["x-embed-key-id"] = keyId;
+    headers["x-embed-timestamp"] = timestamp;
+    headers["x-embed-nonce"] = nonce;
+    headers["x-embed-body-sha256"] = bodySha256;
+    headers["x-embed-signature"] = createHmac("sha256", token).update(canonical).digest("hex");
 }
 async function cloudGet(path) {
     return await cloudRequest("GET", path);
@@ -1386,6 +1404,7 @@ async function cloudDownloadArtifact(artifactId, outputPath) {
         const token = await cloudAuthToken();
         if (token) {
             headers.authorization = `Bearer ${token}`;
+            addCloudRequestSignature(headers, "GET", `/v1/artifacts/${encodeURIComponent(artifactId)}/download`, "", token);
         }
         const response = await fetch(`${serviceBaseUrl(DEFAULT_CLOUD_API_URL)}/v1/artifacts/${encodeURIComponent(artifactId)}/download`, {
             headers: Object.keys(headers).length > 0 ? headers : undefined
@@ -1421,17 +1440,19 @@ async function cloudDownloadArtifact(artifactId, outputPath) {
 async function cloudRequest(method, path, body) {
     try {
         const headers = {};
-        if (body !== undefined) {
+        const bodyText = body === undefined ? "" : JSON.stringify(body);
+        if (bodyText) {
             headers["content-type"] = "application/json";
         }
         const token = await cloudAuthToken();
         if (token) {
             headers.authorization = `Bearer ${token}`;
+            addCloudRequestSignature(headers, method, path, bodyText, token);
         }
         const response = await fetch(`${serviceBaseUrl(DEFAULT_CLOUD_API_URL)}${path}`, {
             method,
             headers: Object.keys(headers).length > 0 ? headers : undefined,
-            body: body === undefined ? undefined : JSON.stringify(body)
+            body: body === undefined ? undefined : bodyText
         });
         return await response.json();
     }
@@ -1441,6 +1462,39 @@ async function cloudRequest(method, path, body) {
         });
     }
 }
+function addCloudRequestSignature(headers, method, pathWithQuery, bodyText, token) {
+    if (process.env.EMBED_CLOUD_API_SIGNING === "0") {
+        return;
+    }
+    const timestamp = String(Math.floor(Date.now() / 1000));
+    const nonce = randomBytes(16).toString("hex");
+    const bodySha256 = createHash("sha256").update(bodyText).digest("hex");
+    const keyId = createHash("sha256").update(token).digest("hex").slice(0, 16);
+    const canonical = cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256);
+    headers["x-embed-key-id"] = keyId;
+    headers["x-embed-timestamp"] = timestamp;
+    headers["x-embed-nonce"] = nonce;
+    headers["x-embed-body-sha256"] = bodySha256;
+    headers["x-embed-signature"] = createHmac("sha256", token).update(canonical).digest("hex");
+}
+function cloudRequestCanonicalString(method, pathWithQuery, timestamp, nonce, bodySha256) {
+    return [
+        method.toUpperCase(),
+        normalizeCloudPathForSignature(pathWithQuery),
+        timestamp,
+        nonce,
+        bodySha256
+    ].join("\n");
+}
+function normalizeCloudPathForSignature(pathWithQuery) {
+    try {
+        const parsed = new URL(pathWithQuery, "http://embed.local");
+        return `${parsed.pathname}${parsed.search}`;
+    }
+    catch {
+        return pathWithQuery.startsWith("/") ? pathWithQuery : `/${pathWithQuery}`;
+    }
+}
 async function pluginList(parsed) {
     const releaseDir = stringFlag(parsed, "release-dir");
     const manifest = releaseDir ? await readPluginReleaseManifest(releaseDir) : undefined;
@@ -1850,6 +1904,7 @@ async function cleanupLegacyCodexPluginRemnants(targetRoot) {
     const removedPaths = [];
     const removedConfigTables = [];
     const warnings = [];
+    const stoppedProcesses = await stopLegacyCodexPluginProcesses(warnings);
     const legacyPaths = [
         join(targetRoot, "dbt-agent"),
         join(targetRoot, "development-board-toolchain"),
@@ -1859,7 +1914,7 @@ async function cleanupLegacyCodexPluginRemnants(targetRoot) {
     ];
     legacyPaths.push(...await discoverLegacyCodexCachePaths(targetRoot));
     if (resolve(targetRoot) === resolve(defaultCodexPluginRoot())) {
-        legacyPaths.push(join(defaultCodexHome(), ".tmp", "plugins"), join(defaultCodexHome(), ".tmp", "plugins.sha"));
+        legacyPaths.push(join(defaultCodexHome(), ".tmp", "plugins"), join(defaultCodexHome(), ".tmp", "plugins.sha"), join(defaultCodexHome(), "skills", "dbt-agent"), join(defaultCodexHome(), "skills", "development-board-toolchain-dev"), join(defaultCodexHome(), "memories", "skills", "dbt-agent-live-board-ops"), join(defaultCodexHome(), "memories", "skills", "dbt-agent-platform-plugin-maintenance"));
     }
     for (const candidate of legacyPaths) {
         try {
@@ -1888,14 +1943,51 @@ async function cleanupLegacyCodexPluginRemnants(targetRoot) {
             warnings.push(`Could not update ${configPath}: ${error instanceof Error ? error.message : String(error)}`);
         }
     }
-    const removedHistoryEntries = await cleanupLegacyCodexHistoryMentions(warnings);
+    const removedHistoryEntries = await cleanupLegacyCodexTextState(warnings);
     return {
         legacy_removed_paths: Array.from(new Set(removedPaths)),
         legacy_removed_config_tables: removedConfigTables,
         legacy_removed_history_entries: removedHistoryEntries,
+        legacy_stopped_processes: stoppedProcesses,
         ...(warnings.length > 0 ? { warnings } : {})
     };
 }
+async function stopLegacyCodexPluginProcesses(warnings) {
+    if (process.platform === "win32")
+        return 0;
+    try {
+        const ps = await runLocalProcess("ps", ["-axo", "pid=,command="]);
+        if (ps.code !== 0)
+            return 0;
+        let stopped = 0;
+        for (const line of ps.stdout.split("\n")) {
+            const match = /^\s*(\d+)\s+(.+)$/.exec(line);
+            if (!match)
+                continue;
+            const pid = Number(match[1]);
+            const command = match[2] || "";
+            if (!isLegacyCodexPluginProcess(command))
+                continue;
+            try {
+                process.kill(pid, "SIGTERM");
+                stopped += 1;
+            }
+            catch (error) {
+                warnings.push(`Could not stop legacy Codex plugin process ${pid}: ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        return stopped;
+    }
+    catch (error) {
+        warnings.push(`Could not scan legacy Codex plugin processes: ${error instanceof Error ? error.message : String(error)}`);
+        return 0;
+    }
+}
+function isLegacyCodexPluginProcess(command) {
+    const trimmed = command.trim();
+    return /^\/.*\/dbt-agent-mcp-bridge(?:\s|$)/.test(trimmed)
+        || /^dbt-agent-mcp-bridge(?:\s|$)/.test(trimmed);
+}
 async function discoverLegacyCodexCachePaths(targetRoot) {
     const paths = [];
     const cacheRoot = join(targetRoot, "cache");
@@ -1913,12 +2005,18 @@ async function discoverLegacyCodexCachePaths(targetRoot) {
     }
     return paths;
 }
-async function cleanupLegacyCodexHistoryMentions(warnings) {
-    const historyPath = join(defaultCodexHome(), "history.jsonl");
+async function cleanupLegacyCodexTextState(warnings) {
+    let removed = 0;
+    removed += await cleanupLegacyCodexTextFile(join(defaultCodexHome(), "history.jsonl"), warnings);
+    removed += await cleanupLegacyCodexTextFile(join(defaultCodexHome(), "session_index.jsonl"), warnings);
+    removed += await cleanupLegacyCodexTextFile(join(defaultCodexHome(), "rules", "default.rules"), warnings);
+    return removed;
+}
+async function cleanupLegacyCodexTextFile(filePath, warnings) {
     try {
-        if (!await pathExists(historyPath))
+        if (!await pathExists(filePath))
             return 0;
-        const current = await readFile(historyPath, "utf8");
+        const current = await readFile(filePath, "utf8");
         const lines = current.split("\n");
         let removed = 0;
         const kept = lines.filter((line) => {
@@ -1931,18 +2029,20 @@ async function cleanupLegacyCodexHistoryMentions(warnings) {
             return true;
         });
         if (removed > 0) {
-            await writeFile(historyPath, kept.join("\n"), "utf8");
+            await writeFile(filePath, kept.join("\n"), "utf8");
         }
         return removed;
     }
     catch (error) {
-        warnings.push(`Could not clean Codex legacy history mentions: ${error instanceof Error ? error.message : String(error)}`);
+        warnings.push(`Could not clean Codex legacy text state ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
         return 0;
     }
 }
 function isLegacyCodexHistoryMention(line) {
     return line.includes("plugin://dbt-agent@plugins")
         || line.includes("plugin://dbt-agent@embed-labs")
+        || line.includes("development-board-toolchain-dev")
+        || line.includes("development-board-toolchain")
         || /dbt-agent/i.test(line);
 }
 function removeLegacyCodexConfigTables(text) {
@@ -1985,7 +2085,10 @@ function legacyCodexCleanupWarning(cleanup) {
         parts.push(`removed ${cleanup.legacy_removed_config_tables.length} legacy Codex config table(s)`);
     }
     if (cleanup.legacy_removed_history_entries) {
-        parts.push(`removed ${cleanup.legacy_removed_history_entries} legacy Codex history mention(s)`);
+        parts.push(`removed ${cleanup.legacy_removed_history_entries} legacy Codex text-state mention(s)`);
+    }
+    if (cleanup.legacy_stopped_processes) {
+        parts.push(`stopped ${cleanup.legacy_stopped_processes} legacy Codex plugin process(es)`);
     }
     if (cleanup.warnings?.length) {
         parts.push(`cleanup warning(s): ${cleanup.warnings.join("; ")}`);