npm - @modelstatus/cli - Versions diffs - 0.1.71 → 0.1.73 - Mend

@modelstatus/cli 0.1.71 → 0.1.73

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@modelstatus/cli",
-  "version": "0.1.71",
+  "version": "0.1.73",
   "description": "Track which AI models you use, where, and never get surprised by a retirement. Free offline model-health for any repo (mm status), browser sign-in for cloud inventory + alerts.",
   "keywords": [
     "llm",

package/src/index.js CHANGED Viewed

@@ -824,6 +824,7 @@ async function applyUpdate(rerunArgs) {
   if (r.status === "latest") process.stderr.write(`✓ Already on the latest mm (${r.version}).\n`);
   else if (r.status === "manual")
     process.stderr.write(`✦ mm ${r.to} is available (you're on ${r.from}), but auto-update can't write ${process.execPath}. Reinstall:\n  curl -fsSL https://llmstatus.ai/install.sh | bash\n`);
+  else if (r.status === "brew") process.stderr.write(`✦ mm ${r.to} is available (you're on ${r.from}). This is a Homebrew install — update with:\n  brew upgrade modelstatus-cli\n`);
   else if (r.status === "npm") process.stderr.write(`This is an npm-managed install. Update with:\n  npm update -g @modelstatus/cli\n`);
   else if (r.status === "unsupported") process.stderr.write(`Self-update isn't supported for this build. Reinstall:\n  curl -fsSL https://llmstatus.ai/install.sh | bash\n`);
   else if (r.status === "error") process.stderr.write(`! Update check failed: ${r.message}\n`);

package/src/updater.js CHANGED Viewed

@@ -13,6 +13,7 @@
  *     same-run doesn't re-exec, so any in-flight state stays sane.
  */
 import crypto from "node:crypto";
+import { spawnSync } from "node:child_process";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
@@ -97,6 +98,14 @@ function dirWritable(dir) {
   }
 }
+/** True when the running binary lives under a Homebrew prefix. Brew owns the
+ * binary's lifecycle (`brew upgrade`), and silently swapping it out from under
+ * brew would break its integrity tracking — so we never self-update there. */
+function isBrewManaged() {
+  const p = process.execPath;
+  return p.includes("/Cellar/") || p.includes("/homebrew/") || p.includes("/linuxbrew/");
+}
 /** Replace the executable via the atomic tmp+rename pattern ONLY (a new inode).
  * We must NOT writeFileSync over the live executable's inode: truncating +
  * rewriting a running, memory-mapped Mach-O can make macOS SIGKILL the running
@@ -114,6 +123,24 @@ function replaceBinary(exe, buf) {
   }
 }
+// Our Developer ID team. A self-update download must be signed by us before we
+// swap it in — otherwise a CDN compromise would auto-propagate to every
+// installed macOS user (worse than a one-time install compromise). The sha256
+// is from the same CDN as the binary, so it can't prove provenance; the code
+// signature is the real anchor.
+const TEAM_ID = "9H8U98V2UU";
+/** macOS only: verify a downloaded binary file carries a valid Developer ID
+ * signature under OUR team, anchored to Apple. Throws if codesign is missing or
+ * the check fails (fail closed). No-op on Linux/Windows (no equivalent). */
+function verifyMacSignature(file) {
+  if (process.platform !== "darwin") return;
+  const req = `anchor apple generic and certificate leaf[subject.OU] = "${TEAM_ID}"`;
+  const r = spawnSync("codesign", ["--verify", "--strict", `-R=${req}`, file], { stdio: "ignore" });
+  if (r.error) throw new Error("codesign unavailable — refusing to self-update");
+  if (r.status !== 0) throw new Error(`downloaded binary failed Developer ID verification (team ${TEAM_ID})`);
+}
 async function downloadAndReplace(version, key, expectedSha) {
   const exe = process.execPath;
   const ext = process.platform === "win32" ? ".exe" : "";
@@ -125,6 +152,17 @@ async function downloadAndReplace(version, key, expectedSha) {
   if (actualSha !== expectedSha) {
     throw new Error(`sha256 mismatch: expected ${expectedSha.slice(0, 12)}…, got ${actualSha.slice(0, 12)}…`);
   }
+  // On macOS, verify the SIGNATURE before trusting these bytes as our binary.
+  // Stage to a temp file, codesign-verify it, then swap — never swap unverified.
+  if (process.platform === "darwin") {
+    const staged = path.join(path.dirname(exe), `.${path.basename(exe)}.verify.${process.pid}`);
+    try {
+      fs.writeFileSync(staged, buf, { mode: 0o755 });
+      verifyMacSignature(staged);
+    } finally {
+      try { fs.unlinkSync(staged); } catch { /* best effort */ }
+    }
+  }
   replaceBinary(exe, buf);
 }
@@ -158,6 +196,9 @@ export async function forceUpdate() {
     const expectedSha = manifest.sha256?.[key];
     if (!expectedSha) return { status: "error", message: `no sha256 for ${key}` };
+    if (isBrewManaged()) {
+      return { status: "brew", from: dispVer(BUILD_VERSION), to: dispVer(manifest.version) };
+    }
     if (!dirWritable(path.dirname(process.execPath))) {
       return { status: "manual", from: dispVer(BUILD_VERSION), to: dispVer(manifest.version) };
     }
@@ -173,6 +214,7 @@ export async function maybeCheckForUpdate(flags = {}) {
   try {
     if (!IS_SHELL_INSTALL) return null;
     if (process.env.MM_NO_AUTO_UPDATE) return null;
+    if (isBrewManaged()) return null; // brew upgrade owns the lifecycle
     if (flags.json || flags.ci) return null;
     const cache = readCache() || {};