@pleri/olam-cli 0.1.174 → 0.1.180

package/host-cp/src/resolver.mjs

@@ -0,0 +1,121 @@
+// resolver.mjs — Phase A A1 (plan-chat-spa-supersedes-control-plane).
+//
+// Disambiguates a single opaque :id supplied on /plan/:id between
+//
+//   - a planning session (planning_sessions.session_id), or
+//   - a crystallized world (planning_artifacts.crystallized_world_id), or
+//   - unresolvable (returns {kind:'unresolved', canonical_id:null}).
+//
+// Used by plan-chat-spa's useResolveId hook (Phase A A2) so the SPA's
+// cold-open path can mount the correct surface without trusting the
+// id-shape (sentinel `sess_*` prefix is a hint, not authority — see
+// plan-chat-spa-supersedes-control-plane.md K1 SEC-1).
+//
+// Single SQL query (UNION ALL) so resolution costs one round-trip even
+// when the id misses both tables. Bearer auth + rate-limit live in the
+// HTTP handler in plan-chat-service.mjs; this helper is pool-pure for
+// unit testability.
+
+/**
+ * Validate the resolver :id shape. Mirrors plan-chat-service.mjs's
+ * SCOPE_ID_RE; tightened to 6-80 chars so an enumeration attacker can't
+ * grind through 1-5 char shapes.
+ */
+export const RESOLVE_ID_RE = /^[A-Za-z0-9._-]{6,80}$/;
+
+/**
+ * Resolve an opaque id against the chunks substrate.
+ *
+ * @param {{ query: (sql: string, params: unknown[]) => Promise<{ rows: unknown[] }> }} pool
+ *   A pg-shaped pool. Tests pass a stub; production passes pg.Pool.
+ * @param {string} id The candidate id.
+ * @returns {Promise<{ kind: 'session' | 'world' | 'unresolved', canonical_id: string | null }>}
+ */
+export async function resolveId(pool, id) {
+  if (typeof id !== 'string' || !RESOLVE_ID_RE.test(id)) {
+    return { kind: 'unresolved', canonical_id: null };
+  }
+
+  // Single round-trip. Both branches return the same shape
+  // (kind, canonical_id) so PG can UNION ALL them without coercion.
+  //
+  // Session branch wins on tie (LIMIT 1 + session ordered first) — a
+  // session id colliding with a world id is unlikely in practice
+  // (worldId is the random docker name; sessionId is uuid-shaped),
+  // but the deterministic ordering closes the K1 collision risk
+  // surfaced in pass 3 review.
+  const sql = `
+    SELECT kind, canonical_id FROM (
+      SELECT 'session' AS kind, session_id AS canonical_id, 1 AS rank
+        FROM planning_sessions
+        WHERE session_id = $1
+      UNION ALL
+      SELECT 'world' AS kind, crystallized_world_id AS canonical_id, 2 AS rank
+        FROM planning_artifacts
+        WHERE crystallized_world_id = $1
+    ) AS resolved
+    ORDER BY rank
+    LIMIT 1
+  `;
+
+  const result = await pool.query(sql, [id]);
+  const row = result.rows && result.rows[0];
+  if (!row) return { kind: 'unresolved', canonical_id: null };
+
+  // Pool stub-friendly: tolerate column names emerging from pg's
+  // case-insensitive identifier handling.
+  const kind = row.kind ?? row.KIND;
+  const canonical_id = row.canonical_id ?? row.CANONICAL_ID;
+  if (kind !== 'session' && kind !== 'world') {
+    return { kind: 'unresolved', canonical_id: null };
+  }
+  if (typeof canonical_id !== 'string' || canonical_id.length === 0) {
+    return { kind: 'unresolved', canonical_id: null };
+  }
+  return { kind, canonical_id };
+}
+
+/**
+ * Token-bucket rate limiter, per bearer principal. Closes the brute-
+ * force enumeration vector that bearer auth alone leaves open (an
+ * authenticated caller could otherwise grind through ids at
+ * line-rate).
+ *
+ * 60 req/min per bearer. Single-process in-memory map (one host-cp
+ * per host); a multi-instance deployment would need a shared store,
+ * but plan-chat-service is single-tenant single-host by design.
+ */
+export function createRateLimiter({
+  capacity = 60,
+  windowMs = 60_000,
+  now = () => Date.now(),
+} = {}) {
+  const buckets = new Map(); // key -> { tokens, lastRefill }
+
+  function take(key) {
+    const t = now();
+    let bucket = buckets.get(key);
+    if (!bucket) {
+      bucket = { tokens: capacity, lastRefill: t };
+      buckets.set(key, bucket);
+    }
+    // Refill proportional to elapsed time.
+    const elapsed = t - bucket.lastRefill;
+    if (elapsed > 0) {
+      const refill = (elapsed / windowMs) * capacity;
+      bucket.tokens = Math.min(capacity, bucket.tokens + refill);
+      bucket.lastRefill = t;
+    }
+    if (bucket.tokens < 1) {
+      return { allowed: false, retryAfterMs: Math.ceil((1 - bucket.tokens) * (windowMs / capacity)) };
+    }
+    bucket.tokens -= 1;
+    return { allowed: true, retryAfterMs: 0 };
+  }
+
+  function reset() {
+    buckets.clear();
+  }
+
+  return { take, reset };
+}

package/host-cp/src/server.mjs

@@ -48,7 +48,9 @@ import {
 import { betaResponseEmitter } from '@olam/auth-client';
 import { attemptRecovery, findScenarioForKind } from '../recovery/index.mjs';
 import { detectHaltChunk } from './halt-detect.mjs';
+import { evaluateRedirect, applyRedirect } from './redirect.mjs';
 import { spawnUpgraderContainer } from './upgrade-spawner.mjs';
+import { isPlanningPath } from './bootstrap-selective.mjs';
 import { parseProxyPath, perWorldBase, proxyToWorld } from './proxy.mjs';
 import { resolveHostCpEngine } from './engine-identity.mjs';
 import { StartupToken } from './auth.mjs';
@@ -896,6 +898,18 @@ const server = http.createServer(instrumentHandler('host-cp', async (req, res) =
     });
   }
 
+  // Phase B3 (plan-chat-spa-supersedes-control-plane): 301 redirect layer.
+  // Runs BEFORE static-serve so legacy `/world/:id` catch-all URLs that
+  // would otherwise be served as the SPA shell (and then 404 inside the
+  // SPA router after Phase B4 deletes the route) get redirected to
+  // their canonical successor. Allow-listed; closed set; security
+  // gated against SEC-2 (no caller-controlled Location, regex-validated
+  // ids, hardcoded prefixes). See packages/host-cp/src/redirect.mjs.
+  if (req.method === 'GET' || req.method === 'HEAD') {
+    const redirectVerdict = evaluateRedirect(url.pathname);
+    if (applyRedirect(res, redirectVerdict)) return;
+  }
+
   // Phase F-2-D dogfood fix: serve the SPA dist/ for non-API GET requests
   // BEFORE auth gate. The SPA itself is the auth gate — it loads, fetches
   // /api/bootstrap (unauthed), sets the cookie, then makes authed API calls.
@@ -3032,7 +3046,7 @@ async function tryServeStatic(req, res, pathname) {
   // Without this the SPA loads but every fetch 401s and the operator
   // sees "Could not load worlds — HTTP 401".
   if (isSpaShell) {
-    const html = await renderSpaShell(filePath);
+    const html = await renderSpaShell(filePath, pathname);
     res.writeHead(200, {
       'Content-Type': 'text/html; charset=utf-8',
       'Cache-Control': 'no-cache, no-store, must-revalidate',
@@ -3062,11 +3076,12 @@ async function tryServeStatic(req, res, pathname) {
   return true;
 }
 
-// Memoized injected SPA shell. Read once at first request; serve from
-// memory thereafter. Cache invalidates on dist/ mtime change so a
-// rebuilt bundle is picked up without restart.
-let _spaCache = null;
-let _spaCacheKey = '';
+// Memoized injected SPA shells. Read once per (mtime, bearer-len,
+// bootstrap-bit) tuple; serve from memory thereafter. Cache invalidates
+// on dist/ mtime change so a rebuilt bundle is picked up without
+// restart. Phase D1 — keyed map (not single slot) so /plan and
+// /workspaces don't trash each other's cached HTML.
+const _spaCacheByKey = new Map();
 
 /**
  * Bootstrap script injected into the SPA shell. Two responsibilities:
@@ -3166,14 +3181,37 @@ function buildPlanChatBearerInjection() {
   }
 }
 
-async function renderSpaShell(filePath) {
+// Phase D1 — Selective BOOTSTRAP_SCRIPT no-op.
+//
+// Planning paths use plan-chat-spa's own readBearer() resolver
+// (lib/bearer.ts) which reads window.__OLAM_PLAN_CHAT_BEARER__ injected
+// inline OR falls back to the URL hash channel. They DO NOT need the
+// host-cp bootstrap's cookie+fetch-rewrite shim. Non-planning surfaces
+// (/workspaces, /repos, /runbooks, /design, /inbox, /world/:id/editor,
+// /world/:id/events) still rely on bootstrap-injected cookie + the
+// monkey-patched fetch/EventSource that rewrites world-scoped paths
+// to /api/world/<id>/... — keep injecting for them until Phase E
+// migrates each to a bootstrap-free pattern.
+//
+// Reversal: edit BOOTSTRAP_NOOP_PLANNING_PATHS in bootstrap-selective.mjs
+// to [] to restore universal injection. Single-line change.
+//
+// Per K1 SCP-3 + phase-d-tasks D1 acceptance.
+
+async function renderSpaShell(filePath, pathname) {
   const stat = fs.statSync(filePath);
   const bearerInjection = buildPlanChatBearerInjection();
-  // Cache key must include the bearer so rotation invalidates correctly.
-  const cacheKey = stat.mtimeMs + ':' + bearerInjection.length;
-  if (_spaCache !== null && _spaCacheKey === cacheKey) {
-    return _spaCache;
-  }
+  // Path-selective: planning paths skip the bootstrap shim entirely
+  // (plan-chat-spa's readBearer handles auth); non-planning paths
+  // retain it (Phase E will migrate them).
+  const skipBootstrap = isPlanningPath(pathname);
+  const bootstrapPart = skipBootstrap ? '' : BOOTSTRAP_SCRIPT;
+  // Cache key includes bearer length AND the bootstrap-presence bit so
+  // /plan and /workspaces don't share a cached shell.
+  const cacheKey =
+    stat.mtimeMs + ':' + bearerInjection.length + ':' + (skipBootstrap ? '0' : '1');
+  const cached = _spaCacheByKey.get(cacheKey);
+  if (cached !== undefined) return cached;
   let html = fs.readFileSync(filePath, 'utf-8');
   // Vite emits relative asset paths (`./assets/...`) so the SPA bundle
   // is portable across deploy paths. But under host-cp's path-segment
@@ -3184,10 +3222,13 @@ async function renderSpaShell(filePath) {
   // Inject right after <head> so the bootstrap runs before any other
   // script tag on the page. Bearer injection runs after the host-cp
   // bootstrap so window.__OLAM_PLAN_CHAT_BEARER__ is set before the
-  // SPA bundle reads it.
-  html = html.replace(/<head>/i, `<head>\n    ${BOOTSTRAP_SCRIPT}\n    ${bearerInjection}`);
-  _spaCache = html;
-  _spaCacheKey = cacheKey;
+  // SPA bundle reads it. On planning paths the bootstrap is empty —
+  // bearer injection still runs (plan-chat-spa reads it directly).
+  html = html.replace(
+    /<head>/i,
+    `<head>\n    ${bootstrapPart}\n    ${bearerInjection}`,
+  );
+  _spaCacheByKey.set(cacheKey, html);
   return html;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.174",
+  "version": "0.1.180",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"