@schuttdev/gigai 0.1.0-beta.1 → 0.1.0-beta.10

package/dist/chunk-4XUWD3DZ.js

@@ -0,0 +1,288 @@
+#!/usr/bin/env node
+
+// ../shared/dist/index.mjs
+import { randomBytes, createCipheriv, createDecipheriv } from "crypto";
+import { z } from "zod";
+var ALGORITHM = "aes-256-gcm";
+var IV_LENGTH = 12;
+var TAG_LENGTH = 16;
+function encrypt(payload, key) {
+  const keyBuffer = Buffer.from(key, "hex");
+  if (keyBuffer.length !== 32) {
+    throw new Error("Encryption key must be 32 bytes (64 hex chars)");
+  }
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, keyBuffer, iv, {
+    authTagLength: TAG_LENGTH
+  });
+  const plaintext = JSON.stringify(payload);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: iv.toString("base64"),
+    ciphertext: encrypted.toString("base64"),
+    tag: tag.toString("base64")
+  };
+}
+function decrypt(encrypted, key) {
+  const keyBuffer = Buffer.from(key, "hex");
+  if (keyBuffer.length !== 32) {
+    throw new Error("Encryption key must be 32 bytes (64 hex chars)");
+  }
+  const iv = Buffer.from(encrypted.iv, "base64");
+  const ciphertext = Buffer.from(encrypted.ciphertext, "base64");
+  const tag = Buffer.from(encrypted.tag, "base64");
+  const decipher = createDecipheriv(ALGORITHM, keyBuffer, iv, {
+    authTagLength: TAG_LENGTH
+  });
+  decipher.setAuthTag(tag);
+  const decrypted = Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final()
+  ]);
+  return JSON.parse(decrypted.toString("utf8"));
+}
+function generateEncryptionKey() {
+  return randomBytes(32).toString("hex");
+}
+var ErrorCode = /* @__PURE__ */ ((ErrorCode2) => {
+  ErrorCode2["PAIRING_EXPIRED"] = "PAIRING_EXPIRED";
+  ErrorCode2["PAIRING_INVALID"] = "PAIRING_INVALID";
+  ErrorCode2["PAIRING_USED"] = "PAIRING_USED";
+  ErrorCode2["TOKEN_INVALID"] = "TOKEN_INVALID";
+  ErrorCode2["TOKEN_DECRYPT_FAILED"] = "TOKEN_DECRYPT_FAILED";
+  ErrorCode2["ORG_MISMATCH"] = "ORG_MISMATCH";
+  ErrorCode2["SESSION_EXPIRED"] = "SESSION_EXPIRED";
+  ErrorCode2["SESSION_INVALID"] = "SESSION_INVALID";
+  ErrorCode2["AUTH_REQUIRED"] = "AUTH_REQUIRED";
+  ErrorCode2["TOOL_NOT_FOUND"] = "TOOL_NOT_FOUND";
+  ErrorCode2["EXEC_TIMEOUT"] = "EXEC_TIMEOUT";
+  ErrorCode2["EXEC_FAILED"] = "EXEC_FAILED";
+  ErrorCode2["HTTPS_REQUIRED"] = "HTTPS_REQUIRED";
+  ErrorCode2["RATE_LIMITED"] = "RATE_LIMITED";
+  ErrorCode2["VALIDATION_ERROR"] = "VALIDATION_ERROR";
+  ErrorCode2["INTERNAL_ERROR"] = "INTERNAL_ERROR";
+  ErrorCode2["MCP_ERROR"] = "MCP_ERROR";
+  ErrorCode2["MCP_NOT_CONNECTED"] = "MCP_NOT_CONNECTED";
+  ErrorCode2["TRANSFER_NOT_FOUND"] = "TRANSFER_NOT_FOUND";
+  ErrorCode2["TRANSFER_EXPIRED"] = "TRANSFER_EXPIRED";
+  ErrorCode2["PATH_NOT_ALLOWED"] = "PATH_NOT_ALLOWED";
+  ErrorCode2["COMMAND_NOT_ALLOWED"] = "COMMAND_NOT_ALLOWED";
+  return ErrorCode2;
+})(ErrorCode || {});
+var STATUS_CODES = {
+  [
+    "PAIRING_EXPIRED"
+    /* PAIRING_EXPIRED */
+  ]: 410,
+  [
+    "PAIRING_INVALID"
+    /* PAIRING_INVALID */
+  ]: 400,
+  [
+    "PAIRING_USED"
+    /* PAIRING_USED */
+  ]: 409,
+  [
+    "TOKEN_INVALID"
+    /* TOKEN_INVALID */
+  ]: 401,
+  [
+    "TOKEN_DECRYPT_FAILED"
+    /* TOKEN_DECRYPT_FAILED */
+  ]: 401,
+  [
+    "ORG_MISMATCH"
+    /* ORG_MISMATCH */
+  ]: 403,
+  [
+    "SESSION_EXPIRED"
+    /* SESSION_EXPIRED */
+  ]: 401,
+  [
+    "SESSION_INVALID"
+    /* SESSION_INVALID */
+  ]: 401,
+  [
+    "AUTH_REQUIRED"
+    /* AUTH_REQUIRED */
+  ]: 401,
+  [
+    "TOOL_NOT_FOUND"
+    /* TOOL_NOT_FOUND */
+  ]: 404,
+  [
+    "EXEC_TIMEOUT"
+    /* EXEC_TIMEOUT */
+  ]: 408,
+  [
+    "EXEC_FAILED"
+    /* EXEC_FAILED */
+  ]: 500,
+  [
+    "HTTPS_REQUIRED"
+    /* HTTPS_REQUIRED */
+  ]: 403,
+  [
+    "RATE_LIMITED"
+    /* RATE_LIMITED */
+  ]: 429,
+  [
+    "VALIDATION_ERROR"
+    /* VALIDATION_ERROR */
+  ]: 400,
+  [
+    "INTERNAL_ERROR"
+    /* INTERNAL_ERROR */
+  ]: 500,
+  [
+    "MCP_ERROR"
+    /* MCP_ERROR */
+  ]: 502,
+  [
+    "MCP_NOT_CONNECTED"
+    /* MCP_NOT_CONNECTED */
+  ]: 503,
+  [
+    "TRANSFER_NOT_FOUND"
+    /* TRANSFER_NOT_FOUND */
+  ]: 404,
+  [
+    "TRANSFER_EXPIRED"
+    /* TRANSFER_EXPIRED */
+  ]: 410,
+  [
+    "PATH_NOT_ALLOWED"
+    /* PATH_NOT_ALLOWED */
+  ]: 403,
+  [
+    "COMMAND_NOT_ALLOWED"
+    /* COMMAND_NOT_ALLOWED */
+  ]: 403
+};
+var GigaiError = class extends Error {
+  code;
+  statusCode;
+  details;
+  constructor(code, message, details) {
+    super(message);
+    this.name = "GigaiError";
+    this.code = code;
+    this.statusCode = STATUS_CODES[code];
+    this.details = details;
+  }
+  toJSON() {
+    return {
+      error: {
+        code: this.code,
+        message: this.message,
+        ...this.details !== void 0 && { details: this.details }
+      }
+    };
+  }
+};
+var TailscaleHttpsConfigSchema = z.object({
+  provider: z.literal("tailscale"),
+  funnelPort: z.number().optional()
+});
+var CloudflareHttpsConfigSchema = z.object({
+  provider: z.literal("cloudflare"),
+  tunnelName: z.string(),
+  domain: z.string().optional()
+});
+var LetsEncryptHttpsConfigSchema = z.object({
+  provider: z.literal("letsencrypt"),
+  domain: z.string(),
+  email: z.string().email(),
+  certPath: z.string().optional(),
+  keyPath: z.string().optional()
+});
+var ManualHttpsConfigSchema = z.object({
+  provider: z.literal("manual"),
+  certPath: z.string(),
+  keyPath: z.string()
+});
+var HttpsConfigSchema = z.discriminatedUnion("provider", [
+  TailscaleHttpsConfigSchema,
+  CloudflareHttpsConfigSchema,
+  LetsEncryptHttpsConfigSchema,
+  ManualHttpsConfigSchema
+]);
+var CliToolConfigSchema = z.object({
+  type: z.literal("cli"),
+  name: z.string(),
+  command: z.string(),
+  args: z.array(z.string()).optional(),
+  description: z.string(),
+  timeout: z.number().optional(),
+  cwd: z.string().optional(),
+  env: z.record(z.string()).optional()
+});
+var McpToolConfigSchema = z.object({
+  type: z.literal("mcp"),
+  name: z.string(),
+  command: z.string(),
+  args: z.array(z.string()).optional(),
+  description: z.string(),
+  env: z.record(z.string()).optional()
+});
+var ScriptToolConfigSchema = z.object({
+  type: z.literal("script"),
+  name: z.string(),
+  path: z.string(),
+  description: z.string(),
+  timeout: z.number().optional(),
+  interpreter: z.string().optional()
+});
+var BuiltinToolConfigSchema = z.object({
+  type: z.literal("builtin"),
+  name: z.string(),
+  builtin: z.enum(["filesystem", "shell"]),
+  description: z.string(),
+  config: z.record(z.unknown()).optional()
+});
+var ToolConfigSchema = z.discriminatedUnion("type", [
+  CliToolConfigSchema,
+  McpToolConfigSchema,
+  ScriptToolConfigSchema,
+  BuiltinToolConfigSchema
+]);
+var AuthConfigSchema = z.object({
+  encryptionKey: z.string().length(64),
+  pairingTtlSeconds: z.number().default(300),
+  sessionTtlSeconds: z.number().default(14400)
+});
+var ServerConfigSchema = z.object({
+  port: z.number().default(7443),
+  host: z.string().default("0.0.0.0"),
+  https: HttpsConfigSchema.optional()
+});
+var GigaiConfigSchema = z.object({
+  server: ServerConfigSchema,
+  auth: AuthConfigSchema,
+  tools: z.array(ToolConfigSchema).default([])
+});
+function decodeJWTPayload(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format: expected 3 segments");
+  }
+  const payload = parts[1];
+  const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+  const decoded = Buffer.from(padded, "base64").toString("utf8");
+  return JSON.parse(decoded);
+}
+
+export {
+  encrypt,
+  decrypt,
+  generateEncryptionKey,
+  ErrorCode,
+  GigaiError,
+  GigaiConfigSchema,
+  decodeJWTPayload
+};

package/dist/chunk-FN4LCKUA.js

@@ -0,0 +1,42 @@
+#!/usr/bin/env node
+import {
+  ErrorCode,
+  GigaiError,
+  encrypt
+} from "./chunk-4XUWD3DZ.js";
+
+// ../server/dist/chunk-54TEF6CS.mjs
+import { nanoid } from "nanoid";
+var PAIRING_CODE_LENGTH = 8;
+var PAIRING_CODE_CHARS = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ";
+function generatePairingCode(store, ttlSeconds) {
+  let code = "";
+  const bytes = nanoid(PAIRING_CODE_LENGTH);
+  for (let i = 0; i < PAIRING_CODE_LENGTH; i++) {
+    code += PAIRING_CODE_CHARS[bytes.charCodeAt(i) % PAIRING_CODE_CHARS.length];
+  }
+  store.addPairingCode(code, ttlSeconds);
+  return code;
+}
+function validateAndPair(store, code, orgUuid, encryptionKey, serverFingerprint) {
+  const entry = store.getPairingCode(code.toUpperCase());
+  if (!entry) {
+    throw new GigaiError(ErrorCode.PAIRING_INVALID, "Invalid pairing code");
+  }
+  if (entry.used) {
+    throw new GigaiError(ErrorCode.PAIRING_USED, "Pairing code already used");
+  }
+  if (entry.expiresAt < Date.now()) {
+    throw new GigaiError(ErrorCode.PAIRING_EXPIRED, "Pairing code expired");
+  }
+  store.markPairingCodeUsed(code.toUpperCase());
+  return encrypt(
+    { orgUuid, serverFingerprint, createdAt: Date.now() },
+    encryptionKey
+  );
+}
+
+export {
+  generatePairingCode,
+  validateAndPair
+};

package/dist/chunk-OMGUT7RM.js

@@ -0,0 +1,82 @@
+#!/usr/bin/env node
+
+// ../server/dist/chunk-KF32K7J3.mjs
+import { nanoid } from "nanoid";
+var AuthStore = class {
+  pairingCodes = /* @__PURE__ */ new Map();
+  sessions = /* @__PURE__ */ new Map();
+  boundOrgs = /* @__PURE__ */ new Map();
+  // serverFingerprint -> orgUuid
+  cleanupInterval;
+  constructor() {
+    this.cleanupInterval = setInterval(() => this.cleanup(), 6e4);
+  }
+  // Pairing codes
+  addPairingCode(code, ttlSeconds) {
+    const entry = {
+      code,
+      expiresAt: Date.now() + ttlSeconds * 1e3,
+      used: false
+    };
+    this.pairingCodes.set(code, entry);
+    return entry;
+  }
+  getPairingCode(code) {
+    return this.pairingCodes.get(code);
+  }
+  markPairingCodeUsed(code) {
+    const entry = this.pairingCodes.get(code);
+    if (entry) {
+      entry.used = true;
+    }
+  }
+  // Sessions
+  createSession(orgUuid, ttlSeconds) {
+    const session = {
+      id: nanoid(32),
+      orgUuid,
+      token: nanoid(48),
+      expiresAt: Date.now() + ttlSeconds * 1e3,
+      lastActivity: Date.now()
+    };
+    this.sessions.set(session.token, session);
+    return session;
+  }
+  getSession(token) {
+    const session = this.sessions.get(token);
+    if (session) {
+      session.lastActivity = Date.now();
+    }
+    return session;
+  }
+  // Org binding (bind-on-first-use for wildcard tokens)
+  bindOrg(fingerprint, orgUuid) {
+    this.boundOrgs.set(fingerprint, orgUuid);
+  }
+  getBoundOrg(fingerprint) {
+    return this.boundOrgs.get(fingerprint);
+  }
+  // Cleanup
+  cleanup() {
+    const now = Date.now();
+    for (const [key, code] of this.pairingCodes) {
+      if (code.expiresAt < now) {
+        this.pairingCodes.delete(key);
+      }
+    }
+    for (const [key, session] of this.sessions) {
+      if (session.expiresAt < now) {
+        this.sessions.delete(key);
+      }
+    }
+  }
+  destroy() {
+    clearInterval(this.cleanupInterval);
+    this.pairingCodes.clear();
+    this.sessions.clear();
+  }
+};
+
+export {
+  AuthStore
+};