npm - @seqyuan/annodex - Versions diffs - 0.1.54 → 0.1.56 - Mend

@seqyuan/annodex 0.1.54 → 0.1.56

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/lib/macos-codex-security.js CHANGED Viewed

@@ -101,11 +101,24 @@ function codesignVerify(binaryPath, { timeoutMs = 5_000 } = {}) {
 /** Fast spawn-path check — only detect revoked certs (not full strict verify). */
 function needsRepairBeforeSpawn(binaryPath) {
+  // Fast check: codesign --verify (catches stripped/malformed signatures).
   const result = spawnSync(CODESIGN, ["--verify", binaryPath], {
     encoding: "utf8",
     timeout: 3_000,
   });
-  return needsRevokedCertRepair(codesignOutput(result));
+  if (needsRevokedCertRepair(codesignOutput(result))) return true;
+  // codesign may say "valid on disk" while spctl detects revoked certs
+  // (CSSMERR_TP_CERT_REVOKED).  Only spctl checks Apple's revocation DB.
+  // Use a shorter timeout on the spawn path (doctor uses 10s).
+  // Treat spctl timeout as needing repair: a valid cert should return
+  // quickly; a slow response usually means the revocation check is
+  // happening against a revoked cert. Worst case: unnecessary ad-hoc
+  // re-sign, which is harmless.
+  const sp = spctlAssess(binaryPath, 5_000);
+  if (sp.revoked || sp.timedOut) return true;
+  return false;
 }
 function shouldRepairCodexBinary(binaryPath) {
@@ -220,6 +233,51 @@ function looksLikeNativeCodexBinary(filePath) {
   return base === "codex" || base === "codex.exe";
 }
+/** Given a codex executable path (may be a JS shim), find the real native binary. */
+function resolveNativeBinaryFromShim(executablePath) {
+  if (!executablePath || !fs.existsSync(executablePath)) return null;
+  // If it's already a native binary (inside vendor/), return as-is
+  if (/vendor[/\\]/.test(executablePath)) return executablePath;
+  // Check if it's a JS shim (e.g. node_modules/.bin/codex)
+  try {
+    const content = fs.readFileSync(executablePath, "utf8").slice(0, 512);
+    if (content.includes("node") || content.includes("#!/")) {
+      // This is a shim/script — find the native binary nearby
+      const shimDir = path.dirname(executablePath);
+      const nodeModulesDir = path.join(shimDir, "..");
+      const platform = process.platform;
+      const arch = process.arch;
+      let pkgName;
+      let triple;
+      if (platform === "darwin") {
+        if (arch === "arm64") { pkgName = "codex-darwin-arm64"; triple = "aarch64-apple-darwin"; }
+        else if (arch === "x64") { pkgName = "codex-darwin-x64"; triple = "x86_64-apple-darwin"; }
+        else return null;
+      } else {
+        return null;
+      }
+      const binaryName = "codex";
+      const subPaths = [
+        path.join("vendor", triple, "bin", binaryName),
+        path.join("vendor", triple, "codex", binaryName),
+      ];
+      for (const sub of subPaths) {
+        const candidate = path.join(nodeModulesDir, "@openai", pkgName, sub);
+        if (fs.existsSync(candidate)) return candidate;
+      }
+      // Also try nested layout
+      for (const sub of subPaths) {
+        const candidate = path.join(nodeModulesDir, "@openai", "codex", "node_modules", "@openai", pkgName, sub);
+        if (fs.existsSync(candidate)) return candidate;
+      }
+    }
+  } catch { /* ignore */ }
+  return executablePath;
+}
 function repairMacOSCodexPaths(binaryPaths, { force = false, mode = "doctor" } = {}) {
   if (!isDarwin()) return [];
   const seen = new Set();
@@ -273,8 +331,22 @@ function prepareMacOSCodexForSpawn(executablePath, cwd) {
   if (!isDarwin()) return { quarantine: { cleared: 0, paths: [] }, repairs: [] };
   const quarantine = { cleared: 0, paths: [], skipped: true };
+  if (!executablePath) return { quarantine, repairs: [] };
+  // If the resolved executable is a JS shim (e.g. node_modules/.bin/codex),
+  // find and repair the underlying native binary instead.
+  // Spawning the shim causes Node to exec the native binary as a grandchild,
+  // which macOS Gatekeeper may kill even after ad-hoc signing of the shim itself.
+  const resolvedNative = resolveNativeBinaryFromShim(executablePath);
+  if (resolvedNative && resolvedNative !== executablePath) {
+    console.log(
+      `[codex-server] Resolved native codex binary from shim: ${executablePath} -> ${resolvedNative}`,
+    );
+    prepareMacOSCodexForSpawn(resolvedNative, cwd);
+    return { quarantine, repairs: [], shimResolved: resolvedNative };
+  }
-  if (!executablePath || !looksLikeNativeCodexBinary(executablePath)) {
+  if (!looksLikeNativeCodexBinary(executablePath)) {
     return { quarantine, repairs: [] };
   }
   if (isBinaryPrepared(executablePath) || preparingBinaries.has(executablePath)) {
@@ -312,5 +384,6 @@ module.exports = {
   needsRevokedCertRepair,
   clearMacOSQuarantine,
   repairMacOSCodexPaths,
+  resolveNativeBinaryFromShim,
   prepareMacOSCodexForSpawn,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@seqyuan/annodex",
-  "version": "0.1.54",
+  "version": "0.1.56",
   "description": "AI-native bioinformatics workspace by Annoroad",
   "license": "MIT",
   "bin": {

/package/.next/static/{CSz6uFOkLtpKpHvCD1S5n → J5i1iPyQwH3dIlgQM8SFk}/_buildManifest.js RENAMED Viewed

File without changes

/package/.next/static/{CSz6uFOkLtpKpHvCD1S5n → J5i1iPyQwH3dIlgQM8SFk}/_ssgManifest.js RENAMED Viewed

File without changes