@poolzin/pool-bot 2026.2.23 → 2026.2.25

package/dist/infra/device-pairing.js

@@ -1,85 +1,28 @@
 import { randomUUID } from "node:crypto";
-import fs from "node:fs/promises";
-import path from "node:path";
-import { resolveStateDir } from "../config/paths.js";
+import { normalizeDeviceAuthScopes } from "../shared/device-auth.js";
+import { roleScopesAllow } from "../shared/operator-scope-compat.js";
+import { createAsyncLock, pruneExpiredPending, readJsonFile, resolvePairingPaths, upsertPendingPairingRequest, writeJsonAtomic, } from "./pairing-files.js";
+import { generatePairingToken, verifyPairingToken } from "./pairing-token.js";
 const PENDING_TTL_MS = 5 * 60 * 1000;
-function resolvePaths(baseDir) {
-    const root = baseDir ?? resolveStateDir();
-    const dir = path.join(root, "devices");
-    return {
-        dir,
-        pendingPath: path.join(dir, "pending.json"),
-        pairedPath: path.join(dir, "paired.json"),
-    };
-}
-async function readJSON(filePath) {
-    try {
-        const raw = await fs.readFile(filePath, "utf8");
-        return JSON.parse(raw);
-    }
-    catch {
-        return null;
-    }
-}
-async function writeJSONAtomic(filePath, value) {
-    const dir = path.dirname(filePath);
-    await fs.mkdir(dir, { recursive: true });
-    const tmp = `${filePath}.${randomUUID()}.tmp`;
-    await fs.writeFile(tmp, JSON.stringify(value, null, 2), "utf8");
-    try {
-        await fs.chmod(tmp, 0o600);
-    }
-    catch {
-        // best-effort
-    }
-    await fs.rename(tmp, filePath);
-    try {
-        await fs.chmod(filePath, 0o600);
-    }
-    catch {
-        // best-effort
-    }
-}
-function pruneExpiredPending(pendingById, nowMs) {
-    for (const [id, req] of Object.entries(pendingById)) {
-        if (nowMs - req.ts > PENDING_TTL_MS) {
-            delete pendingById[id];
-        }
-    }
-}
-let lock = Promise.resolve();
-async function withLock(fn) {
-    const prev = lock;
-    let release;
-    lock = new Promise((resolve) => {
-        release = resolve;
-    });
-    await prev;
-    try {
-        return await fn();
-    }
-    finally {
-        release?.();
-    }
-}
+const withLock = createAsyncLock();
 async function loadState(baseDir) {
-    const { pendingPath, pairedPath } = resolvePaths(baseDir);
+    const { pendingPath, pairedPath } = resolvePairingPaths(baseDir, "devices");
     const [pending, paired] = await Promise.all([
-        readJSON(pendingPath),
-        readJSON(pairedPath),
+        readJsonFile(pendingPath),
+        readJsonFile(pairedPath),
     ]);
     const state = {
         pendingById: pending ?? {},
         pairedByDeviceId: paired ?? {},
     };
-    pruneExpiredPending(state.pendingById, Date.now());
+    pruneExpiredPending(state.pendingById, Date.now(), PENDING_TTL_MS);
     return state;
 }
 async function persistState(state, baseDir) {
-    const { pendingPath, pairedPath } = resolvePaths(baseDir);
+    const { pendingPath, pairedPath } = resolvePairingPaths(baseDir, "devices");
     await Promise.all([
-        writeJSONAtomic(pendingPath, state.pendingById),
-        writeJSONAtomic(pairedPath, state.pairedByDeviceId),
+        writeJsonAtomic(pendingPath, state.pendingById),
+        writeJsonAtomic(pairedPath, state.pairedByDeviceId),
     ]);
 }
 function normalizeDeviceId(deviceId) {
@@ -92,66 +35,71 @@ function normalizeRole(role) {
 function mergeRoles(...items) {
     const roles = new Set();
     for (const item of items) {
-        if (!item)
+        if (!item) {
             continue;
+        }
         if (Array.isArray(item)) {
             for (const role of item) {
                 const trimmed = role.trim();
-                if (trimmed)
+                if (trimmed) {
                     roles.add(trimmed);
+                }
             }
         }
         else {
             const trimmed = item.trim();
-            if (trimmed)
+            if (trimmed) {
                 roles.add(trimmed);
+            }
         }
     }
-    if (roles.size === 0)
+    if (roles.size === 0) {
         return undefined;
+    }
     return [...roles];
 }
 function mergeScopes(...items) {
     const scopes = new Set();
     for (const item of items) {
-        if (!item)
+        if (!item) {
             continue;
+        }
         for (const scope of item) {
             const trimmed = scope.trim();
-            if (trimmed)
+            if (trimmed) {
                 scopes.add(trimmed);
+            }
         }
     }
-    if (scopes.size === 0)
+    if (scopes.size === 0) {
         return undefined;
+    }
     return [...scopes];
 }
-function normalizeScopes(scopes) {
-    if (!Array.isArray(scopes))
-        return [];
-    const out = new Set();
-    for (const scope of scopes) {
-        const trimmed = scope.trim();
-        if (trimmed)
-            out.add(trimmed);
-    }
-    return [...out].sort();
+function newToken() {
+    return generatePairingToken();
 }
-function scopesAllow(requested, allowed) {
-    if (requested.length === 0)
-        return true;
-    if (allowed.length === 0)
-        return false;
-    const allowedSet = new Set(allowed);
-    return requested.every((scope) => allowedSet.has(scope));
+function getPairedDeviceFromState(state, deviceId) {
+    return state.pairedByDeviceId[normalizeDeviceId(deviceId)] ?? null;
 }
-function newToken() {
-    return randomUUID().replaceAll("-", "");
+function cloneDeviceTokens(device) {
+    return device.tokens ? { ...device.tokens } : {};
+}
+function buildDeviceAuthToken(params) {
+    return {
+        token: newToken(),
+        role: params.role,
+        scopes: params.scopes,
+        createdAtMs: params.existing?.createdAtMs ?? params.now,
+        rotatedAtMs: params.rotatedAtMs,
+        revokedAtMs: undefined,
+        lastUsedAtMs: params.existing?.lastUsedAtMs,
+    };
 }
 export async function listDevicePairing(baseDir) {
     const state = await loadState(baseDir);
-    const pending = Object.values(state.pendingById).sort((a, b) => b.ts - a.ts);
-    const paired = Object.values(state.pairedByDeviceId).sort((a, b) => b.approvedAtMs - a.approvedAtMs);
+    const pending = Object.values(state.pendingById).toSorted((a, b) => b.ts - a.ts);
+    const paired = Object.values(state.pairedByDeviceId).toSorted((a, b) => b.approvedAtMs - a.approvedAtMs);
     return { pending, paired };
 }
 export async function getPairedDevice(deviceId, baseDir) {
@@ -165,38 +113,37 @@ export async function requestDevicePairing(req, baseDir) {
         if (!deviceId) {
             throw new Error("deviceId required");
         }
-        const existing = Object.values(state.pendingById).find((p) => p.deviceId === deviceId);
-        if (existing) {
-            return { status: "pending", request: existing, created: false };
-        }
-        const isRepair = Boolean(state.pairedByDeviceId[deviceId]);
-        const request = {
-            requestId: randomUUID(),
-            deviceId,
-            publicKey: req.publicKey,
-            displayName: req.displayName,
-            platform: req.platform,
-            clientId: req.clientId,
-            clientMode: req.clientMode,
-            role: req.role,
-            roles: req.role ? [req.role] : undefined,
-            scopes: req.scopes,
-            remoteIp: req.remoteIp,
-            silent: req.silent,
-            isRepair,
-            ts: Date.now(),
-        };
-        state.pendingById[request.requestId] = request;
-        await persistState(state, baseDir);
-        return { status: "pending", request, created: true };
+        return await upsertPendingPairingRequest({
+            pendingById: state.pendingById,
+            isExisting: (pending) => pending.deviceId === deviceId,
+            isRepair: Boolean(state.pairedByDeviceId[deviceId]),
+            createRequest: (isRepair) => ({
+                requestId: randomUUID(),
+                deviceId,
+                publicKey: req.publicKey,
+                displayName: req.displayName,
+                platform: req.platform,
+                clientId: req.clientId,
+                clientMode: req.clientMode,
+                role: req.role,
+                roles: req.role ? [req.role] : undefined,
+                scopes: req.scopes,
+                remoteIp: req.remoteIp,
+                silent: req.silent,
+                isRepair,
+                ts: Date.now(),
+            }),
+            persist: async () => await persistState(state, baseDir),
+        });
     });
 }
 export async function approveDevicePairing(requestId, baseDir) {
     return await withLock(async () => {
         const state = await loadState(baseDir);
         const pending = state.pendingById[requestId];
-        if (!pending)
+        if (!pending) {
             return null;
+        }
         const now = Date.now();
         const existing = state.pairedByDeviceId[pending.deviceId];
         const roles = mergeRoles(existing?.roles, existing?.role, pending.roles, pending.role);
@@ -204,7 +151,7 @@ export async function approveDevicePairing(requestId, baseDir) {
         const tokens = existing?.tokens ? { ...existing.tokens } : {};
         const roleForToken = normalizeRole(pending.role);
         if (roleForToken) {
-            const nextScopes = normalizeScopes(pending.scopes);
+            const nextScopes = normalizeDeviceAuthScopes(pending.scopes);
             const existingToken = tokens[roleForToken];
             const now = Date.now();
             tokens[roleForToken] = {
@@ -242,19 +189,33 @@ export async function rejectDevicePairing(requestId, baseDir) {
     return await withLock(async () => {
         const state = await loadState(baseDir);
         const pending = state.pendingById[requestId];
-        if (!pending)
+        if (!pending) {
             return null;
+        }
         delete state.pendingById[requestId];
         await persistState(state, baseDir);
         return { requestId, deviceId: pending.deviceId };
     });
 }
+export async function removePairedDevice(deviceId, baseDir) {
+    return await withLock(async () => {
+        const state = await loadState(baseDir);
+        const normalized = normalizeDeviceId(deviceId);
+        if (!normalized || !state.pairedByDeviceId[normalized]) {
+            return null;
+        }
+        delete state.pairedByDeviceId[normalized];
+        await persistState(state, baseDir);
+        return { deviceId: normalized };
+    });
+}
 export async function updatePairedDeviceMetadata(deviceId, patch, baseDir) {
     return await withLock(async () => {
         const state = await loadState(baseDir);
         const existing = state.pairedByDeviceId[normalizeDeviceId(deviceId)];
-        if (!existing)
+        if (!existing) {
             return;
+        }
         const roles = mergeRoles(existing.roles, existing.role, patch.role);
         const scopes = mergeScopes(existing.scopes, patch.scopes);
         state.pairedByDeviceId[deviceId] = {
@@ -271,8 +232,9 @@ export async function updatePairedDeviceMetadata(deviceId, patch, baseDir) {
     });
 }
 export function summarizeDeviceTokens(tokens) {
-    if (!tokens)
+    if (!tokens) {
         return undefined;
+    }
     const summaries = Object.values(tokens)
         .map((token) => ({
         role: token.role,
@@ -282,27 +244,32 @@ export function summarizeDeviceTokens(tokens) {
         revokedAtMs: token.revokedAtMs,
         lastUsedAtMs: token.lastUsedAtMs,
     }))
-        .sort((a, b) => a.role.localeCompare(b.role));
+        .toSorted((a, b) => a.role.localeCompare(b.role));
     return summaries.length > 0 ? summaries : undefined;
 }
 export async function verifyDeviceToken(params) {
     return await withLock(async () => {
         const state = await loadState(params.baseDir);
-        const device = state.pairedByDeviceId[normalizeDeviceId(params.deviceId)];
-        if (!device)
+        const device = getPairedDeviceFromState(state, params.deviceId);
+        if (!device) {
             return { ok: false, reason: "device-not-paired" };
+        }
         const role = normalizeRole(params.role);
-        if (!role)
+        if (!role) {
             return { ok: false, reason: "role-missing" };
+        }
         const entry = device.tokens?.[role];
-        if (!entry)
+        if (!entry) {
             return { ok: false, reason: "token-missing" };
-        if (entry.revokedAtMs)
+        }
+        if (entry.revokedAtMs) {
             return { ok: false, reason: "token-revoked" };
-        if (entry.token !== params.token)
+        }
+        if (!verifyPairingToken(params.token, entry.token)) {
             return { ok: false, reason: "token-mismatch" };
-        const requestedScopes = normalizeScopes(params.scopes);
-        if (!scopesAllow(requestedScopes, entry.scopes)) {
+        }
+        const requestedScopes = normalizeDeviceAuthScopes(params.scopes);
+        if (!roleScopesAllow({ role, requestedScopes, allowedScopes: entry.scopes })) {
             return { ok: false, reason: "scope-mismatch" };
         }
         entry.lastUsedAtMs = Date.now();
@@ -316,30 +283,29 @@ export async function verifyDeviceToken(params) {
 export async function ensureDeviceToken(params) {
     return await withLock(async () => {
         const state = await loadState(params.baseDir);
-        const device = state.pairedByDeviceId[normalizeDeviceId(params.deviceId)];
-        if (!device)
-            return null;
-        const role = normalizeRole(params.role);
-        if (!role)
+        const requestedScopes = normalizeDeviceAuthScopes(params.scopes);
+        const context = resolveDeviceTokenUpdateContext({
+            state,
+            deviceId: params.deviceId,
+            role: params.role,
+        });
+        if (!context) {
             return null;
-        const requestedScopes = normalizeScopes(params.scopes);
-        const tokens = device.tokens ? { ...device.tokens } : {};
-        const existing = tokens[role];
+        }
+        const { device, role, tokens, existing } = context;
         if (existing && !existing.revokedAtMs) {
-            if (scopesAllow(requestedScopes, existing.scopes)) {
+            if (roleScopesAllow({ role, requestedScopes, allowedScopes: existing.scopes })) {
                 return existing;
             }
         }
         const now = Date.now();
-        const next = {
-            token: newToken(),
+        const next = buildDeviceAuthToken({
             role,
             scopes: requestedScopes,
-            createdAtMs: existing?.createdAtMs ?? now,
+            existing,
+            now,
             rotatedAtMs: existing ? now : undefined,
-            revokedAtMs: undefined,
-            lastUsedAtMs: existing?.lastUsedAtMs,
-        };
+        });
         tokens[role] = next;
         device.tokens = tokens;
         state.pairedByDeviceId[device.deviceId] = device;
@@ -347,28 +313,40 @@ export async function ensureDeviceToken(params) {
         return next;
     });
 }
+function resolveDeviceTokenUpdateContext(params) {
+    const device = getPairedDeviceFromState(params.state, params.deviceId);
+    if (!device) {
+        return null;
+    }
+    const role = normalizeRole(params.role);
+    if (!role) {
+        return null;
+    }
+    const tokens = cloneDeviceTokens(device);
+    const existing = tokens[role];
+    return { device, role, tokens, existing };
+}
 export async function rotateDeviceToken(params) {
     return await withLock(async () => {
         const state = await loadState(params.baseDir);
-        const device = state.pairedByDeviceId[normalizeDeviceId(params.deviceId)];
-        if (!device)
-            return null;
-        const role = normalizeRole(params.role);
-        if (!role)
+        const context = resolveDeviceTokenUpdateContext({
+            state,
+            deviceId: params.deviceId,
+            role: params.role,
+        });
+        if (!context) {
             return null;
-        const tokens = device.tokens ? { ...device.tokens } : {};
-        const existing = tokens[role];
-        const requestedScopes = normalizeScopes(params.scopes ?? existing?.scopes ?? device.scopes);
+        }
+        const { device, role, tokens, existing } = context;
+        const requestedScopes = normalizeDeviceAuthScopes(params.scopes ?? existing?.scopes ?? device.scopes);
         const now = Date.now();
-        const next = {
-            token: newToken(),
+        const next = buildDeviceAuthToken({
             role,
             scopes: requestedScopes,
-            createdAtMs: existing?.createdAtMs ?? now,
+            existing,
+            now,
             rotatedAtMs: now,
-            revokedAtMs: undefined,
-            lastUsedAtMs: existing?.lastUsedAtMs,
-        };
+        });
         tokens[role] = next;
         device.tokens = tokens;
         if (params.scopes !== undefined) {
@@ -383,13 +361,16 @@ export async function revokeDeviceToken(params) {
     return await withLock(async () => {
         const state = await loadState(params.baseDir);
         const device = state.pairedByDeviceId[normalizeDeviceId(params.deviceId)];
-        if (!device)
+        if (!device) {
             return null;
+        }
         const role = normalizeRole(params.role);
-        if (!role)
+        if (!role) {
             return null;
-        if (!device.tokens?.[role])
+        }
+        if (!device.tokens?.[role]) {
             return null;
+        }
         const tokens = { ...device.tokens };
         const entry = { ...tokens[role], revokedAtMs: Date.now() };
         tokens[role] = entry;

package/dist/infra/exec-approvals-allowlist.js

@@ -1,31 +1,6 @@
-import fs from "node:fs";
-import path from "node:path";
 import { DEFAULT_SAFE_BINS, analyzeShellCommand, isWindowsPlatform, matchAllowlist, resolveAllowlistCandidatePath, splitCommandChain, } from "./exec-approvals-analysis.js";
+import { SAFE_BIN_GENERIC_PROFILE, SAFE_BIN_PROFILES, validateSafeBinArgv, } from "./exec-safe-bin-policy.js";
 import { isTrustedSafeBinPath } from "./exec-safe-bin-trust.js";
-function isPathLikeToken(value) {
-    const trimmed = value.trim();
-    if (!trimmed) {
-        return false;
-    }
-    if (trimmed === "-") {
-        return false;
-    }
-    if (trimmed.startsWith("./") || trimmed.startsWith("../") || trimmed.startsWith("~")) {
-        return true;
-    }
-    if (trimmed.startsWith("/")) {
-        return true;
-    }
-    return /^[A-Za-z]:[\\/]/.test(trimmed);
-}
-function defaultFileExists(filePath) {
-    try {
-        return fs.existsSync(filePath);
-    }
-    catch {
-        return false;
-    }
-}
 export function normalizeSafeBins(entries) {
     if (!Array.isArray(entries)) {
         return new Set();
@@ -41,15 +16,10 @@ export function resolveSafeBins(entries) {
     }
     return normalizeSafeBins(entries ?? []);
 }
-function hasGlobToken(value) {
-    // Safe bins are stdin-only; globbing is both surprising and a historical bypass vector.
-    // Note: we still harden execution-time expansion separately.
-    return /[*?[\]]/.test(value);
-}
 export function isSafeBinUsage(params) {
     // Windows host exec uses PowerShell, which has different parsing/expansion rules.
     // Keep safeBins conservative there (require explicit allowlist entries).
-    if (isWindowsPlatform(process.platform)) {
+    if (isWindowsPlatform(params.platform ?? process.platform)) {
         return false;
     }
     if (params.safeBins.size === 0) {
@@ -60,55 +30,25 @@ export function isSafeBinUsage(params) {
     if (!execName) {
         return false;
     }
-    const matchesSafeBin = params.safeBins.has(execName) ||
-        (process.platform === "win32" && params.safeBins.has(path.parse(execName).name));
+    const matchesSafeBin = params.safeBins.has(execName);
     if (!matchesSafeBin) {
         return false;
     }
     if (!resolution?.resolvedPath) {
         return false;
     }
-    if (!isTrustedSafeBinPath({
+    const isTrustedPath = params.isTrustedSafeBinPathFn ?? isTrustedSafeBinPath;
+    if (!isTrustedPath({
         resolvedPath: resolution.resolvedPath,
         trustedDirs: params.trustedSafeBinDirs,
     })) {
         return false;
     }
-    const cwd = params.cwd ?? process.cwd();
-    const exists = params.fileExists ?? defaultFileExists;
     const argv = params.argv.slice(1);
-    for (let i = 0; i < argv.length; i += 1) {
-        const token = argv[i];
-        if (!token) {
-            continue;
-        }
-        if (token === "-") {
-            continue;
-        }
-        if (token.startsWith("-")) {
-            const eqIndex = token.indexOf("=");
-            if (eqIndex > 0) {
-                const value = token.slice(eqIndex + 1);
-                if (value && hasGlobToken(value)) {
-                    return false;
-                }
-                if (value && (isPathLikeToken(value) || exists(path.resolve(cwd, value)))) {
-                    return false;
-                }
-            }
-            continue;
-        }
-        if (hasGlobToken(token)) {
-            return false;
-        }
-        if (isPathLikeToken(token)) {
-            return false;
-        }
-        if (exists(path.resolve(cwd, token))) {
-            return false;
-        }
-    }
-    return true;
+    const safeBinProfiles = params.safeBinProfiles ?? SAFE_BIN_PROFILES;
+    const genericSafeBinProfile = params.safeBinGenericProfile ?? SAFE_BIN_GENERIC_PROFILE;
+    const profile = safeBinProfiles[execName] ?? genericSafeBinProfile;
+    return validateSafeBinArgv(argv, profile);
 }
 function evaluateSegments(segments, params) {
     const matches = [];
@@ -127,7 +67,8 @@ function evaluateSegments(segments, params) {
             argv: segment.argv,
             resolution: segment.resolution,
             safeBins: params.safeBins,
-            cwd: params.cwd,
+            platform: params.platform,
+            trustedSafeBinDirs: params.trustedSafeBinDirs,
         });
         const skillAllow = allowSkills && segment.resolution?.executableName
             ? params.skillBins?.has(segment.resolution.executableName)
@@ -157,6 +98,8 @@ export function evaluateExecAllowlist(params) {
                 allowlist: params.allowlist,
                 safeBins: params.safeBins,
                 cwd: params.cwd,
+                platform: params.platform,
+                trustedSafeBinDirs: params.trustedSafeBinDirs,
                 skillBins: params.skillBins,
                 autoAllowSkills: params.autoAllowSkills,
             });
@@ -173,6 +116,8 @@ export function evaluateExecAllowlist(params) {
         allowlist: params.allowlist,
         safeBins: params.safeBins,
         cwd: params.cwd,
+        platform: params.platform,
+        trustedSafeBinDirs: params.trustedSafeBinDirs,
         skillBins: params.skillBins,
         autoAllowSkills: params.autoAllowSkills,
     });
@@ -209,6 +154,8 @@ export function evaluateShellAllowlist(params) {
             allowlist: params.allowlist,
             safeBins: params.safeBins,
             cwd: params.cwd,
+            platform: params.platform,
+            trustedSafeBinDirs: params.trustedSafeBinDirs,
             skillBins: params.skillBins,
             autoAllowSkills: params.autoAllowSkills,
         });
@@ -239,6 +186,8 @@ export function evaluateShellAllowlist(params) {
             allowlist: params.allowlist,
             safeBins: params.safeBins,
             cwd: params.cwd,
+            platform: params.platform,
+            trustedSafeBinDirs: params.trustedSafeBinDirs,
             skillBins: params.skillBins,
             autoAllowSkills: params.autoAllowSkills,
         });