@seqyuan/annodex 0.1.53 → 0.1.55

package/bin/annodex.js

@@ -27,6 +27,7 @@ const https = require("https");
 const { randomBytes } = require("crypto");
 // eslint-disable-next-line @typescript-eslint/no-require-imports
 const { readAppSettings, ensureAppSettings } = require("../lib/app-settings.js");
+const macosCodexSecurity = require("../lib/macos-codex-security.js");
 
 const pkgDir = path.join(__dirname, "..");
 const nextDir = path.join(pkgDir, ".next");
@@ -82,6 +83,7 @@ const { values: cliArgs, positionals } = parseArgs({
     hostname: { type: "string", short: "H" },
     json:     { type: "boolean" },
     follow:   { type: "boolean", short: "f" },
+    repair:   { type: "boolean" },
     version:  { type: "boolean", short: "v" },
     help:     { type: "boolean", short: "h" },
   },
@@ -719,6 +721,298 @@ function spawnDetachedServer(extraEnv = {}, overridePort, overrideHost) {
   return child;
 }
 
+
+function commandOutput(command, args, options = {}) {
+  try {
+    const result = spawnSync(command, args, {
+      encoding: "utf8",
+      timeout: options.timeout ?? 5000,
+      windowsHide: true,
+      ...options,
+    });
+    return {
+      ok: result.status === 0,
+      status: result.status,
+      signal: result.signal,
+      stdout: (result.stdout || "").trim(),
+      stderr: (result.stderr || "").trim(),
+      error: result.error ? result.error.message : null,
+    };
+  } catch (error) {
+    return { ok: false, status: null, signal: null, stdout: "", stderr: "", error: error instanceof Error ? error.message : String(error) };
+  }
+}
+
+function getNpmPrefix() {
+  const npm = process.platform === "win32" ? "npm.cmd" : "npm";
+  const result = commandOutput(npm, ["prefix", "-g"], { timeout: 3000 });
+  return result.ok && result.stdout ? result.stdout.split(/\r?\n/)[0].trim() : null;
+}
+
+function codexPackageInfo() {
+  const platform = process.platform;
+  const arch = process.arch;
+  let pkgName = null;
+  let triple = null;
+  if (platform === "darwin") {
+    if (arch === "arm64") { pkgName = "codex-darwin-arm64"; triple = "aarch64-apple-darwin"; }
+    else if (arch === "x64") { pkgName = "codex-darwin-x64"; triple = "x86_64-apple-darwin"; }
+  } else if (platform === "linux") {
+    if (arch === "arm64") { pkgName = "codex-linux-arm64"; triple = "aarch64-unknown-linux-musl"; }
+    else if (arch === "x64") { pkgName = "codex-linux-x64"; triple = "x86_64-unknown-linux-musl"; }
+  } else if (platform === "win32") {
+    if (arch === "arm64") { pkgName = "codex-win32-arm64"; triple = "aarch64-pc-windows-msvc"; }
+    else if (arch === "x64") { pkgName = "codex-win32-x64"; triple = "x86_64-pc-windows-msvc"; }
+  }
+  return { pkgName, triple, binaryName: platform === "win32" ? "codex.exe" : "codex" };
+}
+
+function resolveCodexNativeCandidates() {
+  const { pkgName, triple, binaryName } = codexPackageInfo();
+  if (!pkgName || !triple) return [];
+  const roots = [
+    path.join(process.cwd(), "node_modules"),
+    path.join(pkgDir, "node_modules"),
+  ];
+  const npmPrefix = getNpmPrefix();
+  if (npmPrefix) roots.push(path.join(npmPrefix, "lib", "node_modules"));
+  const installedDir = getInstalledPackageDir();
+  roots.push(path.join(installedDir, "node_modules"));
+  roots.push(path.join(installedDir, "..", "..", "node_modules"));
+  const seen = new Set();
+  const out = [];
+  const subPaths = [
+    path.join("vendor", triple, "bin", binaryName),
+    path.join("vendor", triple, "codex", binaryName),
+  ];
+  for (const root of roots) {
+    for (const layout of ["flat", "nested"]) {
+      const pkgRoot = layout === "flat"
+        ? path.join(root, "@openai", pkgName)
+        : path.join(root, "@openai", "codex", "node_modules", "@openai", pkgName);
+      for (const sub of subPaths) {
+        const candidate = path.join(pkgRoot, sub);
+        if (seen.has(candidate)) continue;
+        seen.add(candidate);
+        if (fs.existsSync(candidate)) out.push(candidate);
+      }
+    }
+  }
+  return out;
+}
+
+function resolveCodexShimCandidates() {
+  const names = process.platform === "win32" ? ["codex.cmd", "codex.exe", "codex"] : ["codex"];
+  const dirs = [path.join(process.cwd(), "node_modules", ".bin"), path.join(pkgDir, "node_modules", ".bin")];
+  const npmPrefix = getNpmPrefix();
+  if (npmPrefix) dirs.push(process.platform === "win32" ? npmPrefix : path.join(npmPrefix, "bin"));
+  const installedDir = getInstalledPackageDir();
+  dirs.push(path.join(installedDir, "node_modules", ".bin"));
+  dirs.push(path.join(installedDir, "..", "..", ".bin"));
+  const seen = new Set();
+  const out = [];
+  for (const dir of dirs) {
+    for (const name of names) {
+      const candidate = path.join(dir, name);
+      if (!seen.has(candidate) && fs.existsSync(candidate)) {
+        seen.add(candidate);
+        out.push(candidate);
+      }
+    }
+  }
+  const which = commandOutput(process.platform === "win32" ? "where" : "which", ["codex"], { timeout: 3000 });
+  if (which.ok && which.stdout) {
+    for (const line of which.stdout.split(/\r?\n/).map((v) => v.trim()).filter(Boolean)) {
+      if (!seen.has(line) && fs.existsSync(line)) {
+        seen.add(line);
+        out.push(line);
+      }
+    }
+  }
+  return out;
+}
+
+function xattrInfo(target) {
+  if (process.platform !== "darwin" || !target) return null;
+  const result = commandOutput("xattr", [target], { timeout: 3000 });
+  return {
+    ok: result.ok,
+    hasQuarantine: /com\.apple\.quarantine/.test(result.stdout),
+    attributes: result.stdout ? result.stdout.split(/\r?\n/).filter(Boolean) : [],
+    error: result.ok ? null : (result.stderr || result.error),
+  };
+}
+
+function spctlAssess(target) {
+  if (process.platform !== "darwin" || !target) return null;
+  const result = commandOutput("spctl", ["--assess", "--verbose", target], { timeout: 5000 });
+  return {
+    accepted: result.ok || /accepted/i.test(`${result.stdout}\n${result.stderr}`),
+    status: result.status,
+    output: `${result.stdout}${result.stderr ? `\n${result.stderr}` : ""}`.trim(),
+    error: result.error,
+  };
+}
+
+function selectedCodexPath(nativeCandidates, shimCandidates) {
+  const envPath = process.env.ANNODEX_CODEX_PATH?.trim();
+  if (envPath) return { path: envPath, source: "ANNODEX_CODEX_PATH", exists: fs.existsSync(envPath) };
+  if (nativeCandidates[0]) return { path: nativeCandidates[0], source: "native-candidate", exists: true };
+  if (shimCandidates[0]) return { path: shimCandidates[0], source: "shim-candidate", exists: true };
+  return { path: process.platform === "win32" ? "codex.cmd" : "codex", source: "PATH fallback", exists: null };
+}
+
+function detectMacOSVersion() {
+  if (process.platform !== "darwin") return null;
+  const result = commandOutput("sw_vers", ["-productVersion"], { timeout: 3000 });
+  return result.ok ? result.stdout : null;
+}
+
+function macOSProtectedLocationInfo(targetPath) {
+  if (process.platform !== "darwin" || !targetPath) return null;
+  const real = safeRealpath(targetPath);
+  const home = os.homedir();
+  const protectedRoots = [
+    { label: "Desktop", path: path.join(home, "Desktop") },
+    { label: "Documents", path: path.join(home, "Documents") },
+    { label: "Downloads", path: path.join(home, "Downloads") },
+    { label: "iCloud Drive", path: path.join(home, "Library", "Mobile Documents") },
+  ];
+  const match = protectedRoots.find((root) => isPathInside(real, root.path));
+  return {
+    path: real,
+    inProtectedLocation: Boolean(match),
+    root: match?.label ?? null,
+  };
+}
+
+function runDoctor(json = false, repair = false) {
+  const nativeCandidates = resolveCodexNativeCandidates();
+  const shimCandidates = resolveCodexShimCandidates();
+  const selected = selectedCodexPath(nativeCandidates, shimCandidates);
+  const selectedReal = selected.exists ? safeRealpath(selected.path) : selected.path;
+
+  let repairResults = null;
+  if (repair && process.platform === "darwin") {
+    macosCodexSecurity.clearMacOSQuarantine(process.cwd());
+    const repairPaths = [...new Set([
+      ...nativeCandidates,
+      selected.exists ? selected.path : null,
+    ].filter(Boolean))];
+    repairResults = macosCodexSecurity.repairMacOSCodexPaths(repairPaths);
+    if (!json) {
+      console.log("repair:");
+      for (const item of repairResults) {
+        if (item.skipped) {
+          console.log(`- ${item.path}: skipped (no revoked cert)`);
+        } else {
+          console.log(`- ${item.path}: ${item.repair?.ok ? "repaired" : "failed"}`);
+        }
+      }
+      console.log("");
+    }
+  }
+
+  const transport = (process.env.ANNODEX_CODEX_TRANSPORT || "auto").toLowerCase();
+  const resolvedTransport = transport === "ws" || transport === "stdio" ? transport : (process.platform === "linux" ? "ws" : "stdio");
+  const versionProbe = selected.path
+    ? commandOutput(selected.path, ["--version"], { timeout: 15000 })
+    : null;
+  const report = {
+    annodex: { version: VERSION, packageName: PKG_NAME, packageDir: pkgDir, installedPackageDir: getInstalledPackageDir() },
+    platform: { platform: process.platform, arch: process.arch, macOSVersion: detectMacOSVersion() },
+    node: { version: process.version, execPath: process.execPath, cwd: process.cwd() },
+    appBundle: { enabled: process.env.ANNODEX_APP_BUNDLE === "1", env: process.env.ANNODEX_APP_BUNDLE || null },
+    workspace: {
+      packageDir: safeRealpath(pkgDir),
+      cwd: safeRealpath(process.cwd()),
+      packageDirMacOSProtection: macOSProtectedLocationInfo(pkgDir),
+      cwdMacOSProtection: macOSProtectedLocationInfo(process.cwd()),
+    },
+    config: { configDir: agentDir, logFile, npmPrefix: getNpmPrefix() },
+    transport: { requested: process.env.ANNODEX_CODEX_TRANSPORT || "auto", resolved: resolvedTransport },
+    codex: {
+      envPath: process.env.ANNODEX_CODEX_PATH || null,
+      selected: { ...selected, realpath: selectedReal },
+      nativeCandidates,
+      shimCandidates,
+      selectedXattr: xattrInfo(selected.exists ? selected.path : null),
+      selectedCodesign: selected.exists
+        ? macosCodexSecurity.codesignVerify(selected.path)
+        : null,
+      selectedSpctl: spctlAssess(selected.exists ? selected.path : null),
+      versionProbe: versionProbe ? {
+        ok: versionProbe.ok,
+        status: versionProbe.status,
+        signal: versionProbe.signal,
+        stdout: versionProbe.stdout,
+        stderr: versionProbe.stderr,
+        error: versionProbe.error,
+      } : null,
+    },
+    recommendations: [],
+    repair: repairResults,
+  };
+  if (process.platform === "darwin") {
+    if (!report.appBundle.enabled) report.recommendations.push("macOS: not launched from Annodex.app; CLI mode is diagnostic/advanced until the launcher PoC is validated.");
+    if (report.appBundle.enabled && report.workspace.packageDirMacOSProtection?.inProtectedLocation) {
+      report.recommendations.push(`macOS: Annodex.app is reading source/runtime files from ${report.workspace.packageDirMacOSProtection.root}. Finder-launched apps may hit TCC EPERM there. Move the repo/runtime outside protected folders or bundle the runtime into Annodex.app before evaluating launcher viability.`);
+    }
+    if (report.codex.selectedXattr?.hasQuarantine) report.recommendations.push("macOS: selected codex path has com.apple.quarantine. Run `annodex doctor --repair` or restart annodex (xattr is cleared automatically on codex spawn).");
+    if (report.codex.selectedCodesign?.revoked || (report.codex.selectedSpctl?.output && macosCodexSecurity.needsRevokedCertRepair(report.codex.selectedSpctl.output))) {
+      report.recommendations.push("macOS: codex binary has a revoked Developer ID signature (CSSMERR_TP_CERT_REVOKED). Run `annodex doctor --repair` to strip and apply ad-hoc signing, then retry codex --version.");
+    } else if (report.codex.selectedSpctl && !report.codex.selectedSpctl.accepted && versionProbe && !versionProbe.ok) {
+      report.recommendations.push("macOS: spctl assessment did not accept the selected codex binary and codex --version failed. Try `annodex doctor --repair` for ad-hoc signing.");
+    }
+  }
+  if (report.codex.selected.exists === false) report.recommendations.push("ANNODEX_CODEX_PATH is set but does not exist. Fix or unset it.");
+  if (versionProbe && !versionProbe.ok) report.recommendations.push("codex --version probe failed. Check the selected codex path and macOS security dialogs/logs.");
+
+  if (json) {
+    console.log(JSON.stringify(report, null, 2));
+    return versionProbe && !versionProbe.ok ? 1 : 0;
+  }
+  console.log(`annodex doctor v${VERSION}`);
+  console.log(`platform: ${process.platform}/${process.arch}${report.platform.macOSVersion ? ` macOS ${report.platform.macOSVersion}` : ""}`);
+  console.log(`node: ${process.version} ${process.execPath}`);
+  console.log(`app bundle: ${report.appBundle.enabled ? "yes" : "no"}`);
+  if (report.workspace.packageDirMacOSProtection?.inProtectedLocation) {
+    console.log(`package dir protection: ${report.workspace.packageDirMacOSProtection.root}`);
+  }
+  if (report.workspace.cwdMacOSProtection?.inProtectedLocation) {
+    console.log(`cwd protection: ${report.workspace.cwdMacOSProtection.root}`);
+  }
+  console.log(`config dir: ${agentDir}`);
+  console.log(`transport: requested=${report.transport.requested} resolved=${report.transport.resolved}`);
+  console.log(`codex selected: ${selected.path} (${selected.source}, exists=${selected.exists})`);
+  if (selectedReal && selectedReal !== selected.path) console.log(`codex realpath: ${selectedReal}`);
+  console.log(`native candidates: ${nativeCandidates.length ? nativeCandidates.join("; ") : "none"}`);
+  console.log(`shim candidates: ${shimCandidates.length ? shimCandidates.join("; ") : "none"}`);
+  if (report.codex.selectedXattr) {
+    console.log(`xattr quarantine: ${report.codex.selectedXattr.hasQuarantine ? "yes" : "no"}`);
+    if (report.codex.selectedXattr.attributes.length) console.log(`xattr attributes: ${report.codex.selectedXattr.attributes.join(", ")}`);
+  }
+  if (report.codex.selectedCodesign) {
+    console.log(`codesign verify: ${report.codex.selectedCodesign.ok ? "ok" : "failed"}${report.codex.selectedCodesign.revoked ? " (revoked cert)" : ""}`);
+    if (report.codex.selectedCodesign.output) console.log(`codesign output: ${report.codex.selectedCodesign.output}`);
+  }
+  if (report.codex.selectedSpctl) {
+    console.log(`spctl accepted: ${report.codex.selectedSpctl.accepted ? "yes" : "no"}`);
+    if (report.codex.selectedSpctl.output) console.log(`spctl output: ${report.codex.selectedSpctl.output}`);
+  }
+  if (versionProbe) {
+    console.log(`codex --version: ${versionProbe.ok ? "ok" : "failed"}${versionProbe.signal ? ` signal=${versionProbe.signal}` : ""}`);
+    if (versionProbe.stdout) console.log(`  stdout: ${versionProbe.stdout}`);
+    if (versionProbe.stderr) console.log(`  stderr: ${versionProbe.stderr}`);
+    if (versionProbe.error) console.log(`  error: ${versionProbe.error}`);
+  }
+  if (report.recommendations.length) {
+    console.log("recommendations:");
+    for (const item of report.recommendations) console.log(`- ${item}`);
+  }
+  return versionProbe && !versionProbe.ok ? 1 : 0;
+}
+
 if (cliArgs.version) {
   console.log(VERSION);
   process.exit(0);
@@ -734,6 +1028,7 @@ Usage:
   annodex stop           Stop background annodex
   annodex status [--json] Show background server status
   annodex logs [-f]      Show background server logs
+  annodex doctor [--json] [--repair] Diagnose local codex/runtime setup
   annodex passwd          Set or change password (empty = disable auth)
   annodex update          Update to the latest version
 
@@ -749,6 +1044,10 @@ Options:
 }
 
 const firstPos = positionals[0];
+if (firstPos === "doctor") {
+  process.exit(runDoctor(cliArgs.json, cliArgs.repair));
+}
+
 if (firstPos === "status") {
   const json = cliArgs.json;
   staleStateRemoved();