@stream44.studio/t44 0.4.0-rc.24

package/examples/01-Lifecycle/main.test.ts

@@ -0,0 +1,223 @@
+#!/usr/bin/env bun test
+// Set VERBOSE=1 to see stdout/stderr from spawned t44 commands
+
+export const testConfig = {
+    group: 'lifecycle',
+    runOnAll: false,
+}
+
+import { join } from 'path'
+import { mkdir, writeFile, rm, stat } from 'fs/promises'
+import * as bunTest from 'bun:test'
+import { run } from '@stream44.studio/t44/workspace-rt'
+
+const {
+    test: { describe, it, expect, beforeAll, workbenchDir },
+} = await run(async ({ encapsulate, CapsulePropertyTypes, makeImportStack }: any) => {
+    const spine = await encapsulate({
+        '#@stream44.studio/encapsulate/spine-contracts/CapsuleSpineContract.v0': {
+            '#@stream44.studio/encapsulate/structs/Capsule': {},
+            '#': {
+                test: {
+                    type: CapsulePropertyTypes.Mapping,
+                    value: '@stream44.studio/t44/caps/ProjectTest',
+                    options: {
+                        '#': {
+                            bunTest,
+                        }
+                    }
+                },
+            }
+        }
+    }, {
+        importMeta: import.meta,
+        importStack: makeImportStack(),
+        capsuleName: '@stream44.studio/t44/examples/01-Lifecycle/main.test'
+    })
+    return { spine }
+}, async ({ spine, apis }: any) => {
+    return apis[spine.capsuleSourceLineRef]
+}, {
+    importMeta: import.meta
+})
+
+const t44Bin = join(import.meta.dir, '../../bin/t44')
+const bunExe = Bun.which('bun')
+
+const homeDir = join(workbenchDir, 'lifecycle', 'home')
+const repoDir = join(workbenchDir, 'lifecycle', 'repo')
+const env = { ...process.env, T44_HOME_DIR: homeDir, T44_KEYS_PASSPHRASE: 't44-test' }
+
+async function runT44(...args: string[]) {
+    const proc = Bun.spawn([bunExe!, t44Bin, ...args, '--yes'], {
+        env,
+        cwd: repoDir,
+        stdout: 'pipe',
+        stderr: 'pipe',
+        stdin: 'pipe',
+    })
+    proc.stdin.end()
+
+    const timeout = setTimeout(() => proc.kill(), 15_000)
+
+    const stdoutChunks: string[] = []
+    const stderrChunks: string[] = []
+
+    const verbose = !!process.env.VERBOSE
+
+    const stdoutReader = new WritableStream({
+        write(chunk) {
+            const text = new TextDecoder().decode(chunk)
+            stdoutChunks.push(text)
+            if (verbose) process.stdout.write(text)
+        }
+    })
+
+    const stderrReader = new WritableStream({
+        write(chunk) {
+            const text = new TextDecoder().decode(chunk)
+            stderrChunks.push(text)
+            if (verbose) process.stderr.write(text)
+        }
+    })
+
+    const [exitCode] = await Promise.all([
+        proc.exited,
+        proc.stdout.pipeTo(stdoutReader),
+        proc.stderr.pipeTo(stderrReader),
+    ])
+
+    clearTimeout(timeout)
+
+    return { exitCode, stdout: stdoutChunks.join(''), stderr: stderrChunks.join('') }
+}
+
+describe('t44 lifecycle', function () {
+
+    beforeAll(async () => {
+        await rm(join(workbenchDir, 'lifecycle'), { recursive: true, force: true })
+        await mkdir(homeDir, { recursive: true })
+        await mkdir(join(homeDir, '.ssh'), { recursive: true })
+        await mkdir(repoDir, { recursive: true })
+        // Note: .workspace/workspace.yaml is now created automatically by t44 init
+    })
+
+    it('init --yes initializes workspace', async () => {
+        const { exitCode, stdout, stderr } = await runT44('init')
+
+        console.log('STDOUT:', stdout)
+        console.log('STDERR:', stderr)
+        console.log('EXIT CODE:', exitCode)
+
+        expect(exitCode).toBe(0)
+
+        // Verify registry was created
+        const registryDir = join(homeDir, '.o/workspace.foundation')
+        const registryStat = await stat(registryDir)
+        expect(registryStat.isDirectory()).toBe(true)
+
+        // Verify SSH keys were created
+        const sshDir = join(homeDir, '.ssh')
+        const rootKeyStat = await stat(join(sshDir, 'id_t44_ed25519'))
+        expect(rootKeyStat.isFile()).toBe(true)
+
+        const signingKeyStat = await stat(join(sshDir, 'id_t44_signing_ed25519'))
+        expect(signingKeyStat.isFile()).toBe(true)
+    }, 15_000)
+
+    it('activate — bin/activate.ts outputs shell exports', async () => {
+        const activateBin = join(import.meta.dir, '../../bin/activate.ts')
+        const proc = Bun.spawn([bunExe!, activateBin, '--yes'], {
+            env,
+            cwd: repoDir,
+            stdout: 'pipe',
+            stderr: 'pipe',
+            stdin: 'pipe',
+        })
+        proc.stdin.end()
+
+        const timeout = setTimeout(() => proc.kill(), 15_000)
+
+        const stdoutChunks: string[] = []
+        const stderrChunks: string[] = []
+
+        const verbose = !!process.env.VERBOSE
+
+        const stdoutReader = new WritableStream({
+            write(chunk) {
+                const text = new TextDecoder().decode(chunk)
+                stdoutChunks.push(text)
+                if (verbose) process.stdout.write(text)
+            }
+        })
+
+        const stderrReader = new WritableStream({
+            write(chunk) {
+                const text = new TextDecoder().decode(chunk)
+                stderrChunks.push(text)
+                if (verbose) process.stderr.write(text)
+            }
+        })
+
+        const [exitCode] = await Promise.all([
+            proc.exited,
+            proc.stdout.pipeTo(stdoutReader),
+            proc.stderr.pipeTo(stderrReader),
+        ])
+
+        clearTimeout(timeout)
+
+        const stdout = stdoutChunks.join('')
+        const stderr = stderrChunks.join('')
+
+        if (exitCode !== 0) {
+            console.log('STDOUT:', stdout)
+            console.log('STDERR:', stderr)
+        }
+
+        expect(exitCode).toBe(0)
+        expect(stdout.length).toBeGreaterThan(0)
+        expect(stdout).toContain('export ')
+    }, 15_000)
+
+    it('info — displays workspace information', async () => {
+        const { exitCode, stdout, stderr } = await runT44('info', '--full')
+
+        if (exitCode !== 0) {
+            console.log('STDOUT:', stdout)
+            console.log('STDERR:', stderr)
+        }
+
+        expect(exitCode).toBe(0)
+        expect(stdout).toContain('WORKSPACE INFORMATION')
+        expect(stdout).toContain('repo')
+        expect(stdout).toContain('did:key:')
+        expect(stdout).toContain('CONFIGURATION FILES')
+    }, 15_000)
+
+    it('activate — outputs shell export statements', async () => {
+        const { exitCode, stdout, stderr } = await runT44('activate')
+
+        if (exitCode !== 0) {
+            console.log('STDOUT:', stdout)
+            console.log('STDERR:', stderr)
+        }
+
+        expect(exitCode).toBe(0)
+        expect(stdout).toContain('export ')
+        expect(stdout).toContain('F_WORKSPACE_DIR')
+    }, 15_000)
+
+    it('query — displays workspace model', async () => {
+        const { exitCode, stdout, stderr } = await runT44('query', '--full')
+
+        if (exitCode !== 0) {
+            console.log('STDOUT:', stdout)
+            console.log('STDERR:', stderr)
+        }
+
+        expect(exitCode).toBe(0)
+        expect(stdout).toContain('WorkspaceConfig')
+    }, 15_000)
+
+})

package/lib/crypto.ts

@@ -0,0 +1,53 @@
+
+import * as crypto from 'crypto'
+
+/**
+ * Encrypt a string using AES-256-GCM with a key derived from the private key
+ */
+export function encryptString(plaintext: string, privateKeyBase64: string): string {
+    // Derive a 32-byte symmetric key from the private key using SHA-256
+    const keyBytes = Buffer.from(privateKeyBase64, 'base64')
+    const symmetricKey = crypto.createHash('sha256').update(keyBytes).digest()
+    
+    // Generate a random IV
+    const iv = crypto.randomBytes(16)
+    
+    // Encrypt using AES-256-GCM
+    const cipher = crypto.createCipheriv('aes-256-gcm', symmetricKey, iv)
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, 'utf8'),
+        cipher.final()
+    ])
+    const authTag = cipher.getAuthTag()
+    
+    // Combine IV + authTag + encrypted data and encode as base64
+    const combined = Buffer.concat([iv, authTag, encrypted])
+    return combined.toString('base64')
+}
+
+/**
+ * Decrypt a string using AES-256-GCM with a key derived from the private key
+ */
+export function decryptString(ciphertext: string, privateKeyBase64: string): string {
+    // Derive the same symmetric key from the private key
+    const keyBytes = Buffer.from(privateKeyBase64, 'base64')
+    const symmetricKey = crypto.createHash('sha256').update(keyBytes).digest()
+    
+    // Decode the combined data
+    const combined = Buffer.from(ciphertext, 'base64')
+    
+    // Extract IV (16 bytes), authTag (16 bytes), and encrypted data
+    const iv = combined.subarray(0, 16)
+    const authTag = combined.subarray(16, 32)
+    const encrypted = combined.subarray(32)
+    
+    // Decrypt using AES-256-GCM
+    const decipher = crypto.createDecipheriv('aes-256-gcm', symmetricKey, iv)
+    decipher.setAuthTag(authTag)
+    const decrypted = Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final()
+    ])
+    
+    return decrypted.toString('utf8')
+}

package/lib/key.ts

@@ -0,0 +1,381 @@
+
+import { execSync } from 'child_process'
+import { readdir, readFile, stat } from 'fs/promises'
+import { join } from 'path'
+
+export interface Ed25519KeyInfo {
+    name: string
+    privateKeyPath: string
+    publicKey: string
+}
+
+export interface KeyConfig {
+    name: string
+    privateKeyPath: string
+    publicKey: string
+    keyFingerprint: string
+}
+
+/**
+ * Extract the SHA256 fingerprint from ssh-keygen -lf output.
+ * Output format: "256 SHA256:xxx comment (ED25519)"
+ */
+export function extractFingerprint(sshKeygenOutput: string): string {
+    const match = sshKeygenOutput.match(/(SHA256:\S+)/)
+    return match ? match[1] : sshKeygenOutput
+}
+
+/**
+ * Compute the SHA256 fingerprint of a key file.
+ */
+export function computeFingerprint(privateKeyPath: string): string {
+    return extractFingerprint(execSync(
+        `ssh-keygen -lf ${JSON.stringify(privateKeyPath)}`,
+        { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }
+    ).trim())
+}
+
+/**
+ * Check whether an Ed25519 private key has a passphrase set.
+ */
+export function hasPassphrase(privateKeyPath: string): boolean {
+    try {
+        execSync(
+            `ssh-keygen -y -P "" -f ${JSON.stringify(privateKeyPath)}`,
+            { stdio: 'pipe' }
+        )
+        return false // empty passphrase worked → no passphrase
+    } catch {
+        return true // empty passphrase failed → has passphrase
+    }
+}
+
+/**
+ * Discover existing Ed25519 keys in the given SSH directory.
+ */
+export async function discoverEd25519Keys(sshDir: string): Promise<Ed25519KeyInfo[]> {
+    const dir = sshDir
+    const keys: Ed25519KeyInfo[] = []
+
+    let entries: string[]
+    try {
+        entries = await readdir(dir)
+    } catch {
+        return keys
+    }
+
+    const pubFiles = entries.filter(f => f.endsWith('.pub'))
+
+    for (const pubFile of pubFiles) {
+        try {
+            const pubPath = join(dir, pubFile)
+            const content = await readFile(pubPath, 'utf-8')
+            const trimmed = content.trim()
+
+            if (!trimmed.startsWith('ssh-ed25519 ')) {
+                continue
+            }
+
+            const privateName = pubFile.replace(/\.pub$/, '')
+            const privatePath = join(dir, privateName)
+
+            try {
+                await stat(privatePath)
+            } catch {
+                continue
+            }
+
+            keys.push({
+                name: privateName,
+                privateKeyPath: privatePath,
+                publicKey: trimmed
+            })
+        } catch {
+            // Skip unreadable files
+        }
+    }
+
+    return keys
+}
+
+/**
+ * Check if a key file exists at the given path.
+ */
+export async function keyFileExists(privateKeyPath: string): Promise<boolean> {
+    try {
+        const s = await stat(privateKeyPath)
+        return s.isFile()
+    } catch {
+        return false
+    }
+}
+
+/**
+ * Check if the key is loaded in the ssh-agent by fingerprint.
+ */
+export function isKeyInAgent(privateKeyPath: string): boolean {
+    let keyFingerprint: string
+    try {
+        const fpOutput = execSync(
+            `ssh-keygen -lf ${JSON.stringify(privateKeyPath)}`,
+            { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }
+        ).trim()
+        const match = fpOutput.match(/(SHA256:\S+)/)
+        keyFingerprint = match ? match[1] : ''
+    } catch {
+        return false
+    }
+
+    if (!keyFingerprint) return false
+
+    try {
+        const agentKeys = execSync('ssh-add -l', {
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe']
+        })
+        return agentKeys.includes(keyFingerprint)
+    } catch {
+        return false
+    }
+}
+
+/**
+ * Add a key to the macOS ssh-agent with Keychain storage.
+ * Returns true if added successfully, false otherwise.
+ */
+export function addKeyToAgent(privateKeyPath: string): boolean {
+    try {
+        execSync(
+            `ssh-add --apple-use-keychain ${JSON.stringify(privateKeyPath)}`,
+            { stdio: 'inherit' }
+        )
+        return true
+    } catch {
+        return false
+    }
+}
+
+/**
+ * Ensure a key is loaded in the ssh-agent. Adds it if not already present.
+ * Logs status messages using chalk.
+ * Skips adding to agent in non-TTY mode (e.g., CI environments).
+ */
+export async function ensureKeyInAgent(privateKeyPath: string, keyName: string, keyLabel: string): Promise<void> {
+    const chalk = (await import('chalk')).default
+
+    // Skip ssh-agent operations in non-TTY mode (CI, scripts, etc.)
+    if (!process.stdin.isTTY || process.env.CI) {
+        return
+    }
+
+    if (isKeyInAgent(privateKeyPath)) {
+        return
+    }
+
+    console.log(chalk.gray(`\n   Adding ${keyLabel} '${keyName}' to ssh-agent (macOS Keychain) ...`))
+    if (addKeyToAgent(privateKeyPath)) {
+        console.log(chalk.green(`   ✓ ${keyLabel} added to ssh-agent`))
+        console.log(chalk.gray(`     Passphrase stored in macOS Keychain.\n`))
+    } else {
+        console.log(chalk.yellow(`\n   ⚠  Could not add key to ssh-agent`))
+        console.log(chalk.yellow(`     You may need to enter the passphrase manually when the key is used.\n`))
+    }
+}
+
+/**
+ * Prompt for a passphrase using inquirer (password input with confirmation).
+ * Returns null in non-TTY mode (CI environments).
+ */
+export async function promptPassphrase(): Promise<string | null> {
+    // Skip prompting in non-TTY mode (CI, scripts, etc.)
+    if (!process.stdin.isTTY || process.env.CI) {
+        return null
+    }
+
+    const inquirer = await import('inquirer')
+    const chalk = (await import('chalk')).default
+
+    try {
+        const { passphrase } = await inquirer.default.prompt([
+            {
+                type: 'password',
+                name: 'passphrase',
+                message: 'Enter a passphrase for the key:',
+                mask: '*',
+                validate: (input: string) => {
+                    if (!input || input.length === 0) {
+                        return 'Passphrase cannot be empty'
+                    }
+                    if (input.length < 5) {
+                        return 'Passphrase must be at least 5 characters'
+                    }
+                    return true
+                }
+            }
+        ])
+
+        const { confirm } = await inquirer.default.prompt([
+            {
+                type: 'password',
+                name: 'confirm',
+                message: 'Confirm passphrase:',
+                mask: '*',
+                validate: (input: string) => {
+                    if (input !== passphrase) {
+                        return 'Passphrases do not match'
+                    }
+                    return true
+                }
+            }
+        ])
+
+        return passphrase
+    } catch (error: any) {
+        if (error.message?.includes('SIGINT') || error.message?.includes('force closed')) {
+            console.log(chalk.red('\n\nABORTED\n'))
+            process.exit(0)
+        }
+        throw error
+    }
+}
+
+/**
+ * Ensure a key has a passphrase. If not, prompt the user to set one.
+ */
+export async function ensurePassphrase(privateKeyPath: string, keyName: string, keyLabel: string): Promise<boolean> {
+    const chalk = (await import('chalk')).default
+
+    if (hasPassphrase(privateKeyPath)) {
+        return true
+    }
+
+    console.log(chalk.yellow(`\n   ⚠  ${keyLabel} '${keyName}' has no passphrase`))
+    console.log(chalk.gray(`   A passphrase is required to protect the key. The passphrase will be stored`))
+    console.log(chalk.gray(`   in the macOS Keychain so you won't need to enter it again.\n`))
+
+    const passphrase = await promptPassphrase()
+    if (!passphrase) {
+        console.log(chalk.red(`\n   ✗ A passphrase is required for the ${keyLabel.toLowerCase()}.\n`))
+        return false
+    }
+
+    console.log(chalk.gray(`\n   Setting passphrase on ${privateKeyPath} ...`))
+    try {
+        execSync(
+            `ssh-keygen -p -f ${JSON.stringify(privateKeyPath)} -P "" -N ${JSON.stringify(passphrase)}`,
+            { stdio: 'pipe' }
+        )
+    } catch (error: any) {
+        console.log(chalk.red(`\n   ✗ Failed to set passphrase: ${error.message}\n`))
+        return false
+    }
+
+    console.log(chalk.green(`   ✓ Passphrase set on ${keyLabel.toLowerCase()} '${keyName}'\n`))
+    return true
+}
+
+/**
+ * Generate a new Ed25519 SSH key with a passphrase.
+ * Returns the key info or null on failure.
+ */
+export async function generateEd25519Key(
+    privateKeyPath: string,
+    passphrase: string,
+    comment: string
+): Promise<{ publicKey: string; keyFingerprint: string } | null> {
+    const chalk = (await import('chalk')).default
+    const { mkdir } = await import('fs/promises')
+    const { dirname } = await import('path')
+
+    await mkdir(dirname(privateKeyPath), { recursive: true })
+
+    try {
+        execSync(
+            `ssh-keygen -t ed25519 -f ${JSON.stringify(privateKeyPath)} -N ${JSON.stringify(passphrase)} -C ${JSON.stringify(comment)}`,
+            { stdio: 'pipe' }
+        )
+    } catch (error: any) {
+        console.log(chalk.red(`\n   ✗ Failed to generate key: ${error.message}\n`))
+        return null
+    }
+
+    const pubKeyContent = await readFile(privateKeyPath + '.pub', 'utf-8')
+    const publicKey = pubKeyContent.trim()
+    const keyFingerprint = computeFingerprint(privateKeyPath)
+
+    return { publicKey, keyFingerprint }
+}
+
+/**
+ * Validate that a configured key exists and its fingerprint matches.
+ * Returns true if valid, false otherwise (with error messages logged).
+ */
+export async function validateConfiguredKey(
+    keyConfig: KeyConfig,
+    keyLabel: string
+): Promise<boolean> {
+    const chalk = (await import('chalk')).default
+
+    const exists = await keyFileExists(keyConfig.privateKeyPath)
+    if (!exists) {
+        console.log(chalk.red(`\n┌─────────────────────────────────────────────────────────────────┐`))
+        console.log(chalk.red(`│  ✗  ${keyLabel} Error${' '.repeat(Math.max(0, 56 - keyLabel.length))}│`))
+        console.log(chalk.red(`├─────────────────────────────────────────────────────────────────┤`))
+        console.log(chalk.red(`│  The configured private key file is missing:                    │`))
+        console.log(chalk.red(`│  ${keyConfig.privateKeyPath}`))
+        console.log(chalk.red(`│                                                                 │`))
+        console.log(chalk.red(`│  The private key '${keyConfig.name}' has been removed or moved.`))
+        console.log(chalk.red(`│  Please restore the key file to the path above to proceed.     │`))
+        console.log(chalk.red(`└─────────────────────────────────────────────────────────────────┘\n`))
+        return false
+    }
+
+    let currentFingerprint: string
+    try {
+        currentFingerprint = computeFingerprint(keyConfig.privateKeyPath)
+    } catch (error: any) {
+        console.log(chalk.red(`\n┌─────────────────────────────────────────────────────────────────┐`))
+        console.log(chalk.red(`│  ✗  ${keyLabel} Error${' '.repeat(Math.max(0, 56 - keyLabel.length))}│`))
+        console.log(chalk.red(`├─────────────────────────────────────────────────────────────────┤`))
+        console.log(chalk.red(`│  Failed to compute fingerprint for the private key at:          │`))
+        console.log(chalk.red(`│  ${keyConfig.privateKeyPath}`))
+        console.log(chalk.red(`│                                                                 │`))
+        console.log(chalk.red(`│  The key file may be corrupted. Please restore the original     │`))
+        console.log(chalk.red(`│  key file to proceed.                                           │`))
+        console.log(chalk.red(`└─────────────────────────────────────────────────────────────────┘\n`))
+        return false
+    }
+
+    if (currentFingerprint !== keyConfig.keyFingerprint) {
+        console.log(chalk.red(`\n┌─────────────────────────────────────────────────────────────────┐`))
+        console.log(chalk.red(`│  ✗  ${keyLabel} Mismatch${' '.repeat(Math.max(0, 53 - keyLabel.length))}│`))
+        console.log(chalk.red(`├─────────────────────────────────────────────────────────────────┤`))
+        console.log(chalk.red(`│  The private key at the configured path does not match the      │`))
+        console.log(chalk.red(`│  fingerprint stored in the workspace config.                    │`))
+        console.log(chalk.red(`│                                                                 │`))
+        console.log(chalk.red(`│  Key name: ${keyConfig.name}`))
+        console.log(chalk.red(`│  Path:     ${keyConfig.privateKeyPath}`))
+        console.log(chalk.red(`│                                                                 │`))
+        console.log(chalk.red(`│  The private key has changed. Please restore the original       │`))
+        console.log(chalk.red(`│  private key that matches the configured fingerprint to proceed.│`))
+        console.log(chalk.red(`│                                                                 │`))
+        console.log(chalk.red(`│  Expected fingerprint:                                          │`))
+        console.log(chalk.red(`│  ${keyConfig.keyFingerprint}`))
+        console.log(chalk.red(`│                                                                 │`))
+        console.log(chalk.red(`│  Current fingerprint:                                           │`))
+        console.log(chalk.red(`│  ${currentFingerprint}`))
+        console.log(chalk.red(`└─────────────────────────────────────────────────────────────────┘\n`))
+        return false
+    }
+
+    if (!process.env.T44_KEYS_PASSPHRASE) {
+        const passphraseOk = await ensurePassphrase(keyConfig.privateKeyPath, keyConfig.name, keyLabel)
+        if (!passphraseOk) {
+            return false
+        }
+
+        await ensureKeyInAgent(keyConfig.privateKeyPath, keyConfig.name, keyLabel)
+    }
+
+    return true
+}