@moneysiren/cli 0.1.0-alpha.0 → 0.1.0-alpha.2

package/dist/apps/cli/src/release-installer.js

@@ -0,0 +1,393 @@
+import { createHash } from "node:crypto";
+import { execFile } from "node:child_process";
+import { mkdir, unlink, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { basename, isAbsolute, join, posix, resolve, win32 } from "node:path";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+export const DEFAULT_RELEASE_REPOSITORY = "ztwz11/moneysiren";
+// Keep the source-free installer pinned to the latest published desktop/web release tag.
+export const DEFAULT_RELEASE_TAG = "v0.1.0-alpha.2";
+const RELEASE_REPOSITORY_ENV_KEY = "MONEYSIREN_RELEASE_REPOSITORY";
+const RELEASE_TAG_ENV_KEY = "MONEYSIREN_RELEASE_TAG";
+const RELEASE_INSTALL_DIR_ENV_KEY = "MONEYSIREN_RELEASE_INSTALL_DIR";
+const RELEASE_PLATFORM_ENV_KEY = "MONEYSIREN_RELEASE_PLATFORM";
+const WINDOWS_SIGNER_THUMBPRINTS_ENV_KEY = "MONEYSIREN_WINDOWS_SIGNER_THUMBPRINTS";
+export async function installReleaseAssets(options) {
+    const env = options.env ?? process.env;
+    const repository = normalizeRepository(options.repository ?? env[RELEASE_REPOSITORY_ENV_KEY] ?? DEFAULT_RELEASE_REPOSITORY);
+    const tag = normalizeTag(options.tag ?? env[RELEASE_TAG_ENV_KEY] ?? DEFAULT_RELEASE_TAG);
+    const platform = normalizePlatform(options.platform ?? env[RELEASE_PLATFORM_ENV_KEY] ?? process.platform);
+    const configuredInstallDir = options.installDir ?? env[RELEASE_INSTALL_DIR_ENV_KEY];
+    const installDir = resolveReleaseInstallDir({
+        env,
+        ...(configuredInstallDir === undefined ? {} : { installDir: configuredInstallDir }),
+        platform,
+        tag,
+    });
+    const release = await fetchRelease({
+        fetchImpl: options.fetchImpl,
+        repository,
+        tag,
+    });
+    const releaseAssets = parseReleaseAssets(release.assets);
+    const checksumAssets = releaseAssets.filter((asset) => asset.name.toLowerCase().includes("sha256sums"));
+    const requestedSurfaces = options.selectedSurfaces.filter((surface) => surface === "web" || surface === "hud");
+    const installedAssets = [];
+    await mkdir(installDir, { recursive: true });
+    for (const surface of requestedSurfaces) {
+        const asset = selectSurfaceAsset(surface, platform, releaseAssets);
+        if (asset === null) {
+            throw new Error(`No ${surface} release asset found for ${platform} in ${repository}@${tag}.`);
+        }
+        const downloaded = await downloadAsset(options.fetchImpl, asset.browser_download_url);
+        const sha256 = sha256Hex(downloaded);
+        const checksum = await findChecksum({
+            assetName: asset.name,
+            checksumAssets,
+            fetchImpl: options.fetchImpl,
+        });
+        if (checksumAssets.length > 0 && checksum === null) {
+            throw new Error(`SHA256 checksum entry missing for ${asset.name}.`);
+        }
+        if (checksum !== null && checksum.toLowerCase() !== sha256) {
+            throw new Error(`SHA256 mismatch for ${asset.name}.`);
+        }
+        const outputPath = join(installDir, sanitizeAssetFileName(asset.name));
+        await writeFile(outputPath, downloaded);
+        let signature;
+        try {
+            signature = await verifyReleaseAssetSignature({
+                assetName: asset.name,
+                env,
+                fetchImpl: options.fetchImpl,
+                path: outputPath,
+                platform,
+                releaseAssets,
+                surface,
+                ...(options.signatureVerifier === undefined ? {} : { signatureVerifier: options.signatureVerifier }),
+                ...(options.trustedWindowsSignerThumbprints === undefined
+                    ? {}
+                    : { trustedWindowsSignerThumbprints: options.trustedWindowsSignerThumbprints }),
+            });
+        }
+        catch (error) {
+            await unlink(outputPath).catch(() => undefined);
+            throw error;
+        }
+        if (!signature.verified) {
+            await unlink(outputPath).catch(() => undefined);
+            throw new Error(`Release asset signature verification failed for ${asset.name}: ${signature.status} ${signature.message}`.trim());
+        }
+        installedAssets.push({
+            surface,
+            name: asset.name,
+            path: outputPath,
+            size: downloaded.byteLength,
+            sha256,
+            checksumVerified: checksum !== null,
+            signatureVerified: signature.status !== "not-required",
+        });
+    }
+    await writeFile(join(installDir, "install-manifest.json"), `${JSON.stringify({
+        version: 1,
+        repository,
+        tag,
+        releaseUrl: typeof release.html_url === "string" ? release.html_url : releaseUrl(repository, tag),
+        installedAt: (options.now ?? (() => new Date()))().toISOString(),
+        selectedSurfaces: options.selectedSurfaces,
+        assets: installedAssets.map((asset) => ({
+            surface: asset.surface,
+            name: asset.name,
+            path: asset.path,
+            size: asset.size,
+            sha256: asset.sha256,
+            checksumVerified: asset.checksumVerified,
+            signatureVerified: asset.signatureVerified,
+        })),
+    }, null, 2)}\n`, "utf8");
+    return {
+        repository,
+        tag,
+        installDir,
+        releaseUrl: typeof release.html_url === "string" ? release.html_url : releaseUrl(repository, tag),
+        assets: installedAssets,
+    };
+}
+export function resolveReleaseInstallDir(input = {}) {
+    const env = input.env ?? process.env;
+    const platform = input.platform ?? process.platform;
+    const tag = input.tag ?? DEFAULT_RELEASE_TAG;
+    const configured = trimToNull(input.installDir);
+    if (configured !== null) {
+        return isAbsolute(configured) ? configured : resolve(process.cwd(), configured);
+    }
+    const root = platform === "win32"
+        ? joinForPlatform(platform, trimToNull(env.APPDATA) ?? win32.join(resolveHomeDirectory(env), "AppData", "Roaming"), "MoneySiren")
+        : platform === "darwin"
+            ? joinForPlatform(platform, resolveHomeDirectory(env), "Library", "Application Support", "MoneySiren")
+            : joinForPlatform(platform, trimToNull(env.XDG_DATA_HOME) ?? joinForPlatform(platform, resolveHomeDirectory(env), ".local", "share"), "moneysiren");
+    return joinForPlatform(platform, root, "releases", sanitizePathSegment(tag));
+}
+function normalizeRepository(repository) {
+    const normalized = repository.trim();
+    if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(normalized)) {
+        throw new Error("Release repository must be in owner/name form.");
+    }
+    return normalized;
+}
+function normalizeTag(tag) {
+    const normalized = tag.trim();
+    if (normalized.length === 0 || normalized.length > 128) {
+        throw new Error("Release tag is empty or too long.");
+    }
+    return normalized;
+}
+function normalizePlatform(platform) {
+    if (platform === "win32" || platform === "darwin" || platform === "linux") {
+        return platform;
+    }
+    return process.platform;
+}
+async function fetchRelease(input) {
+    const response = await input.fetchImpl(`https://api.github.com/repos/${input.repository}/releases/tags/${encodeURIComponent(input.tag)}`, {
+        headers: {
+            Accept: "application/vnd.github+json",
+            "User-Agent": "moneysiren-cli-release-installer",
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`Could not read GitHub Release ${input.repository}@${input.tag}: ${response.status} ${response.statusText}`);
+    }
+    const body = await response.json();
+    if (!isRecord(body)) {
+        throw new Error("GitHub Release response was not an object.");
+    }
+    return body;
+}
+function parseReleaseAssets(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value
+        .filter(isRecord)
+        .flatMap((asset) => {
+        const name = asset.name;
+        const browserDownloadUrl = asset.browser_download_url;
+        if (typeof name !== "string" || typeof browserDownloadUrl !== "string") {
+            return [];
+        }
+        return [{
+                name,
+                browser_download_url: browserDownloadUrl,
+                ...(typeof asset.size === "number" ? { size: asset.size } : {}),
+            }];
+    });
+}
+function selectSurfaceAsset(surface, platform, assets) {
+    const candidates = assets.filter((asset) => !asset.name.toLowerCase().includes("sha256sums"));
+    if (surface === "web") {
+        return candidates.find((asset) => /^moneysiren-web-runtime-.+\.tar\.gz$/i.test(asset.name)) ?? null;
+    }
+    if (platform === "win32") {
+        return candidates.find((asset) => /\.(exe|msi)$/i.test(asset.name)) ?? null;
+    }
+    if (platform === "darwin") {
+        return candidates.find((asset) => /macos/i.test(asset.name) && /\.(tar\.gz|dmg)$/i.test(asset.name)) ?? null;
+    }
+    return null;
+}
+async function findChecksum(input) {
+    for (const checksumAsset of input.checksumAssets) {
+        const content = await downloadAsset(input.fetchImpl, checksumAsset.browser_download_url);
+        const checksum = parseChecksumFile(content.toString("utf8"), input.assetName);
+        if (checksum !== null) {
+            return checksum;
+        }
+    }
+    return null;
+}
+async function downloadAsset(fetchImpl, url) {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:") {
+        throw new Error("Refusing to download a non-HTTPS release asset.");
+    }
+    const response = await fetchImpl(url, {
+        headers: {
+            "User-Agent": "moneysiren-cli-release-installer",
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`Could not download release asset: ${response.status} ${response.statusText}`);
+    }
+    return Buffer.from(await response.arrayBuffer());
+}
+function parseChecksumFile(content, assetName) {
+    for (const line of content.split(/\r?\n/)) {
+        const match = /^([a-f0-9]{64})\s+\*?(.+)$/i.exec(line.trim());
+        if (match !== null && basename(match[2] ?? "") === assetName) {
+            return match[1] ?? null;
+        }
+    }
+    return null;
+}
+function sha256Hex(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+async function verifyReleaseAssetSignature(input) {
+    const verifier = input.signatureVerifier ?? defaultReleaseAssetSignatureVerifier;
+    const expectedSignerThumbprints = await findExpectedSignerThumbprints({
+        assetName: input.assetName,
+        env: input.env,
+        fetchImpl: input.fetchImpl,
+        platform: input.platform,
+        releaseAssets: input.releaseAssets,
+        surface: input.surface,
+        ...(input.trustedWindowsSignerThumbprints === undefined
+            ? {}
+            : { trustedWindowsSignerThumbprints: input.trustedWindowsSignerThumbprints }),
+    });
+    return verifier.verify({
+        assetName: input.assetName,
+        ...(expectedSignerThumbprints === null ? {} : { expectedSignerThumbprints }),
+        path: input.path,
+        platform: input.platform,
+        surface: input.surface,
+    });
+}
+const defaultReleaseAssetSignatureVerifier = {
+    async verify(input) {
+        if (input.surface !== "hud" || input.platform !== "win32") {
+            return {
+                verified: true,
+                status: "not-required",
+                message: "No platform signature check is required for this release asset.",
+            };
+        }
+        if (!/\.(exe|msi)$/i.test(input.assetName)) {
+            return {
+                verified: false,
+                status: "unsupported",
+                message: "Windows HUD release assets must be .exe or .msi installers.",
+            };
+        }
+        if (input.expectedSignerThumbprints === undefined || input.expectedSignerThumbprints.length === 0) {
+            return {
+                verified: false,
+                status: "missing-signature-metadata",
+                message: `Windows HUD release assets require ${WINDOWS_SIGNER_THUMBPRINTS_ENV_KEY} or moneysiren-tray-windows-SIGNATURE.json metadata.`,
+            };
+        }
+        return verifyWindowsAuthenticodeSignature(input.path, input.expectedSignerThumbprints);
+    },
+};
+async function findExpectedSignerThumbprints(input) {
+    if (input.surface !== "hud" || input.platform !== "win32") {
+        return null;
+    }
+    const trustedThumbprints = normalizeThumbprintList([
+        ...(input.trustedWindowsSignerThumbprints ?? []),
+        ...parseThumbprintEnv(input.env[WINDOWS_SIGNER_THUMBPRINTS_ENV_KEY]),
+    ]);
+    if (trustedThumbprints.length > 0) {
+        return trustedThumbprints;
+    }
+    const metadataAsset = input.releaseAssets.find((asset) => /^moneysiren-tray-windows-SIGNATURE\.json$/i.test(asset.name));
+    if (metadataAsset === undefined) {
+        return null;
+    }
+    const metadata = JSON.parse((await downloadAsset(input.fetchImpl, metadataAsset.browser_download_url)).toString("utf8"));
+    const entries = Array.isArray(metadata) ? metadata : [metadata];
+    for (const entry of entries) {
+        if (!isRecord(entry) || entry.assetName !== input.assetName || typeof entry.signerThumbprint !== "string") {
+            continue;
+        }
+        return [normalizeThumbprint(entry.signerThumbprint)];
+    }
+    return null;
+}
+async function verifyWindowsAuthenticodeSignature(path, expectedSignerThumbprints) {
+    const literalPath = powerShellSingleQuotedString(path);
+    try {
+        const { stdout } = await execFileAsync("powershell.exe", [
+            "-NoProfile",
+            "-NonInteractive",
+            "-Command",
+            [
+                `$signature = Get-AuthenticodeSignature -LiteralPath ${literalPath}`,
+                "$status = [string]$signature.Status",
+                "$message = [string]$signature.StatusMessage",
+                "if ($signature.Status -ne 'Valid' -or $null -eq $signature.SignerCertificate) {",
+                "  Write-Output ($status + \"|\" + $message)",
+                "  exit 1",
+                "}",
+                "Write-Output ($status + \"|\" + $signature.SignerCertificate.Thumbprint + \"|\" + $signature.SignerCertificate.Subject)",
+            ].join("; "),
+        ], {
+            windowsHide: true,
+            timeout: 30_000,
+        });
+        const [status, signerThumbprint, ...messageParts] = stdout.trim().split("|");
+        const normalizedSignerThumbprint = normalizeThumbprint(signerThumbprint ?? "");
+        const normalizedExpectedSignerThumbprints = expectedSignerThumbprints.map(normalizeThumbprint);
+        if (!normalizedExpectedSignerThumbprints.includes(normalizedSignerThumbprint)) {
+            return {
+                verified: false,
+                status: "signer-mismatch",
+                message: `Expected signer ${normalizedExpectedSignerThumbprints.join(", ")}, got ${normalizedSignerThumbprint || "unknown"}.`,
+            };
+        }
+        return {
+            verified: true,
+            status: status ?? "Valid",
+            message: messageParts.join("|"),
+        };
+    }
+    catch (error) {
+        const output = isRecord(error) && typeof error.stdout === "string" ? error.stdout.trim() : "";
+        const [status, ...messageParts] = output.split("|");
+        return {
+            verified: false,
+            status: status && status.length > 0 ? status : "Unknown",
+            message: messageParts.join("|") || (error instanceof Error ? error.message : String(error)),
+        };
+    }
+}
+function normalizeThumbprint(value) {
+    return value.replaceAll(/\s/g, "").toUpperCase();
+}
+function normalizeThumbprintList(values) {
+    return Array.from(new Set(values.map(normalizeThumbprint).filter((value) => value.length > 0)));
+}
+function parseThumbprintEnv(value) {
+    if (value === undefined) {
+        return [];
+    }
+    return value.split(/[,\s;]+/).map((part) => part.trim()).filter((part) => part.length > 0);
+}
+function powerShellSingleQuotedString(value) {
+    return `'${value.replaceAll("'", "''")}'`;
+}
+function sanitizeAssetFileName(name) {
+    return basename(name).replace(/[^A-Za-z0-9._ -]/g, "_");
+}
+function sanitizePathSegment(value) {
+    return value.replace(/[^A-Za-z0-9._-]/g, "_");
+}
+function releaseUrl(repository, tag) {
+    return `https://github.com/${repository}/releases/tag/${encodeURIComponent(tag)}`;
+}
+function resolveHomeDirectory(env) {
+    return trimToNull(env.HOME) ?? trimToNull(env.USERPROFILE) ?? homedir();
+}
+function trimToNull(value) {
+    const trimmed = value?.trim();
+    return trimmed === undefined || trimmed.length === 0 ? null : trimmed;
+}
+function joinForPlatform(platform, ...segments) {
+    return platform === "win32" ? win32.join(...segments) : posix.join(...segments);
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+//# sourceMappingURL=release-installer.js.map

package/dist/apps/cli/src/slash.js

@@ -34,6 +34,18 @@ export function resolveSlashCommand(args) {
     if (command === "/modes") {
         return noExtraArgs(command, rest, ["modes"]);
     }
+    if (command === "/start") {
+        return {
+            kind: "dispatch",
+            args: ["start", ...rest],
+        };
+    }
+    if (command === "/hud") {
+        return {
+            kind: "dispatch",
+            args: ["hud", ...rest],
+        };
+    }
     if (command === "/init") {
         return noExtraArgs(command, rest, ["init"]);
     }

package/dist/apps/cli/src/version.d.ts

@@ -0,0 +1,2 @@
+export declare const CLI_VERSION = "0.1.0-alpha.2";
+//# sourceMappingURL=version.d.ts.map

package/dist/apps/cli/src/version.js

@@ -0,0 +1,2 @@
+export const CLI_VERSION = "0.1.0-alpha.2";
+//# sourceMappingURL=version.js.map

package/dist/packages/config/src/load.js

@@ -57,7 +57,10 @@ function loadProviders(env) {
         datadog: loadProviderConfig("datadog", env),
         sentry: loadProviderConfig("sentry", env),
         "codex-cli": loadProviderConfig("codex-cli", env),
+        "codex-app": loadProviderConfig("codex-app", env),
         "claude-cli": loadProviderConfig("claude-cli", env),
+        "claude-app": loadProviderConfig("claude-app", env),
+        antigravity: loadProviderConfig("antigravity", env),
     };
 }
 function loadProviderConfig(provider, env) {

package/dist/packages/config/src/schema.d.ts

@@ -20,7 +20,10 @@ export declare const PROVIDER_ENV_KEYS: {
     readonly datadog: readonly ["DATADOG_API_KEY", "DATADOG_APP_KEY", "DATADOG_SITE"];
     readonly sentry: readonly ["SENTRY_AUTH_TOKEN", "SENTRY_ORG"];
     readonly "codex-cli": readonly [];
+    readonly "codex-app": readonly [];
     readonly "claude-cli": readonly [];
+    readonly "claude-app": readonly [];
+    readonly antigravity: readonly [];
 };
 export type ConfiguredProvider = keyof typeof PROVIDER_ENV_KEYS;
 export interface ProviderConfig {

package/dist/packages/config/src/schema.js

@@ -20,6 +20,9 @@ export const PROVIDER_ENV_KEYS = {
     datadog: ["DATADOG_API_KEY", "DATADOG_APP_KEY", "DATADOG_SITE"],
     sentry: ["SENTRY_AUTH_TOKEN", "SENTRY_ORG"],
     "codex-cli": [],
+    "codex-app": [],
     "claude-cli": [],
+    "claude-app": [],
+    antigravity: [],
 };
 //# sourceMappingURL=schema.js.map

package/dist/packages/local-api/src/server.js

@@ -3,7 +3,7 @@ import { parseNotificationPreferences, readNotificationDigest, readNotificationP
 import { assertLoopbackHost, isLoopbackHost, removeRuntimeLock, writeRuntimeLock, } from "../../runtime/src/index.js";
 const DEFAULT_HOST = "127.0.0.1";
 const DEFAULT_PORT = 47831;
-const DEFAULT_VERSION = "0.1.0-alpha.0";
+const DEFAULT_VERSION = "0.1.0-alpha.2";
 export async function startLocalApiServer(options = {}) {
     const host = options.host ?? DEFAULT_HOST;
     const requestedPort = options.port ?? DEFAULT_PORT;

package/dist/packages/view-model/src/hud-model.d.ts

@@ -0,0 +1,74 @@
+import { type AggregateSyncStatus, type ItemSyncView, type RiskSeverity } from "./sync-state.js";
+import { type UsageProgressView } from "./usage-progress.js";
+import type { TodayLiveProviderView, TodayLiveView } from "./view-model.js";
+import type { NotificationWidgetKey } from "./notification-preferences-model.js";
+export type CreditAccuracy = "exact" | "estimated" | "bounded" | "unknown";
+export interface CreditItemView {
+    itemKey: string;
+    expiresAt: string | null;
+    estimatedEarliestAt: string | null;
+    estimatedLatestAt: string | null;
+    accuracy: CreditAccuracy;
+    status: "active" | "expiring_soon" | "expired" | "unknown";
+}
+export interface CreditPoolView {
+    kind: "credit_pool";
+    id: string;
+    providerKey: "codex-app" | "codex-cli";
+    variant: "count" | "expiry";
+    availableCount: number | null;
+    totalEarnedCount: number | null;
+    credits: readonly CreditItemView[];
+    unresolvedCount: number;
+    nearestExpiryAt: string | null;
+    accuracy: CreditAccuracy;
+    sync: ItemSyncView;
+    riskSeverity: RiskSeverity;
+    target: {
+        type: "service";
+        providerKey: "codex-app" | "codex-cli";
+    };
+}
+export interface QuotaItemView {
+    kind: "quota";
+    id: string;
+    providerKey: string;
+    window: "five_hour" | "weekly" | "context" | "budget";
+    progress: UsageProgressView;
+    resetAt: string | null;
+    sync: ItemSyncView;
+    riskSeverity: RiskSeverity;
+    target: {
+        type: "service" | "dashboard";
+        providerKey?: string;
+        routeKey?: string;
+    };
+}
+export type HudItemView = QuotaItemView | CreditPoolView;
+export interface HudViewModel {
+    generatedAt: string;
+    localOnly: true;
+    secretsReturned: false;
+    dataRevision: string;
+    sync: {
+        status: AggregateSyncStatus;
+        freshCount: number;
+        staleCount: number;
+        errorCount: number;
+        neutralCount: number;
+        lastSuccessAt: string | null;
+    };
+    risk: {
+        severity: RiskSeverity;
+        warningCount: number;
+        criticalCount: number;
+    };
+    items: readonly HudItemView[];
+}
+export declare const CODEX_APP_PROVIDER_KEY = "codex-app";
+export declare const CODEX_CLI_PROVIDER_KEY = "codex-cli";
+export declare function buildHudViewModel(todayLive: TodayLiveView): HudViewModel;
+export declare function filterHudViewModelByWidgets(model: HudViewModel, selectedWidgets: readonly NotificationWidgetKey[]): HudViewModel;
+export declare function buildCreditPoolFromProvider(provider: TodayLiveProviderView, generatedAt: string): CreditPoolView | null;
+export declare function buildCreditPoolsFromProvider(provider: TodayLiveProviderView, generatedAt: string): CreditPoolView[];
+//# sourceMappingURL=hud-model.d.ts.map