@tokenwarden/opencode 0.1.0

package/dist/src/core/protection/signing.js

@@ -0,0 +1,28 @@
+import { createPrivateKey, createPublicKey, sign, verify } from "node:crypto";
+export function canonicalJson(value) {
+    return JSON.stringify(sortForCanonicalJson(value));
+}
+export function signEnvelope(payload, privateKeyPem) {
+    const key = createPrivateKey(privateKeyPem);
+    const signature = sign(null, Buffer.from(canonicalJson(payload), "utf8"), key).toString("base64url");
+    return {
+        alg: "Ed25519",
+        payload,
+        signature,
+    };
+}
+export function verifyEnvelope(envelope, publicKeyPem) {
+    if (envelope.alg !== "Ed25519")
+        return false;
+    const key = createPublicKey(publicKeyPem);
+    return verify(null, Buffer.from(canonicalJson(envelope.payload), "utf8"), key, Buffer.from(envelope.signature, "base64url"));
+}
+function sortForCanonicalJson(value) {
+    if (Array.isArray(value))
+        return value.map(sortForCanonicalJson);
+    if (!value || typeof value !== "object")
+        return value;
+    return Object.fromEntries(Object.entries(value)
+        .sort(([left], [right]) => left.localeCompare(right))
+        .map(([key, item]) => [key, sortForCanonicalJson(item)]));
+}

package/dist/src/core/protection/tamper.js

@@ -0,0 +1,18 @@
+import { createHash } from "node:crypto";
+import { readFile } from "node:fs/promises";
+export async function sha256File(filePath) {
+    return createHash("sha256").update(await readFile(filePath)).digest("hex");
+}
+export async function verifyFileChecksum(filePath, expectedSha256) {
+    let actual;
+    try {
+        actual = await sha256File(filePath);
+    }
+    catch (error) {
+        return { ok: false, reason: `could not read file: ${error.message}` };
+    }
+    if (actual !== expectedSha256) {
+        return { ok: false, sha256: actual, reason: "checksum mismatch" };
+    }
+    return { ok: true, sha256: actual };
+}

package/dist/src/core/savings.js

@@ -0,0 +1,91 @@
+const SAVING_SOURCES = new Set(["tool-output", "smart-read", "smart-pack", "chat-history", "manual"]);
+export function createSavingsEvent(input) {
+    const wouldHaveUsedTokens = tokenCount(input.wouldHaveUsedTokens);
+    const usedTokens = tokenCount(input.usedTokens);
+    const savedTokens = Math.max(0, wouldHaveUsedTokens - usedTokens);
+    const percentSaved = calculatePercent(savedTokens, wouldHaveUsedTokens);
+    return {
+        timestamp: new Date().toISOString(),
+        sessionID: input.sessionID ?? "unknown",
+        source: input.source,
+        label: input.label,
+        wouldHaveUsedTokens,
+        usedTokens,
+        savedTokens,
+        percentSaved,
+        metadata: input.metadata,
+    };
+}
+export function normalizeSavingsEvent(value) {
+    if (!value || typeof value !== "object")
+        return undefined;
+    const event = value;
+    const savedFromEvent = tokenCount(event.savedTokens);
+    const usedTokens = tokenCount(event.usedTokens);
+    let wouldHaveUsedTokens = tokenCount(event.wouldHaveUsedTokens ?? event.rawTokens);
+    if (wouldHaveUsedTokens === 0 && savedFromEvent > 0)
+        wouldHaveUsedTokens = usedTokens + savedFromEvent;
+    const savedTokens = Math.max(0, wouldHaveUsedTokens - usedTokens);
+    const source = SAVING_SOURCES.has(event.source) ? event.source : "manual";
+    return {
+        timestamp: typeof event.timestamp === "string" && event.timestamp ? event.timestamp : "1970-01-01T00:00:00.000Z",
+        sessionID: typeof event.sessionID === "string" && event.sessionID ? event.sessionID : "unknown",
+        source,
+        label: typeof event.label === "string" && event.label ? event.label : "unknown",
+        wouldHaveUsedTokens,
+        usedTokens,
+        savedTokens,
+        percentSaved: calculatePercent(savedTokens, wouldHaveUsedTokens),
+        metadata: event.metadata && typeof event.metadata === "object" ? event.metadata : undefined,
+    };
+}
+export function summarizeSavings(events) {
+    const normalizedEvents = events.flatMap((event) => {
+        const normalized = normalizeSavingsEvent(event);
+        return normalized ? [normalized] : [];
+    });
+    const summary = {
+        events: normalizedEvents.length,
+        sessions: 0,
+        wouldHaveUsedTokens: 0,
+        usedTokens: 0,
+        savedTokens: 0,
+        percentSaved: 0,
+        bySource: {},
+    };
+    const sessionIDs = new Set();
+    for (const event of normalizedEvents) {
+        sessionIDs.add(event.sessionID);
+        summary.wouldHaveUsedTokens += event.wouldHaveUsedTokens;
+        summary.usedTokens += event.usedTokens;
+        summary.savedTokens += event.savedTokens;
+        const source = (summary.bySource[event.source] ??= {
+            events: 0,
+            wouldHaveUsedTokens: 0,
+            usedTokens: 0,
+            savedTokens: 0,
+            percentSaved: 0,
+        });
+        source.events += 1;
+        source.wouldHaveUsedTokens += event.wouldHaveUsedTokens;
+        source.usedTokens += event.usedTokens;
+        source.savedTokens += event.savedTokens;
+    }
+    summary.sessions = sessionIDs.size;
+    summary.percentSaved = calculatePercent(summary.savedTokens, summary.wouldHaveUsedTokens);
+    for (const source of Object.values(summary.bySource)) {
+        source.percentSaved = calculatePercent(source.savedTokens, source.wouldHaveUsedTokens);
+    }
+    return summary;
+}
+function calculatePercent(saved, wouldHaveUsed) {
+    if (!Number.isFinite(saved) || !Number.isFinite(wouldHaveUsed) || wouldHaveUsed <= 0)
+        return 0;
+    return Math.round((saved / wouldHaveUsed) * 1000) / 10;
+}
+function tokenCount(value) {
+    const parsed = typeof value === "number" ? value : typeof value === "string" && value.trim() ? Number(value) : 0;
+    if (!Number.isFinite(parsed))
+        return 0;
+    return Math.max(0, Math.round(parsed));
+}

package/dist/src/core/storage.js

@@ -0,0 +1,123 @@
+import { appendFile, mkdir, open, rm, writeFile } from "node:fs/promises";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+import { setTimeout as sleep } from "node:timers/promises";
+import { normalizeSavingsEvent, summarizeSavings } from "./savings.js";
+import { encryptedAppendFile, encryptedReadFile, encryptedWriteFileFromPath } from "./protection/sidecar.js";
+const ENCRYPTED_APPEND_LOCK_TIMEOUT_MS = 15_000;
+const ENCRYPTED_APPEND_LOCK_RETRY_MS = 25;
+export function createStore(dataDir = defaultDataDir()) {
+    const encryptedDir = join(dataDir, "encrypted");
+    return {
+        dataDir,
+        eventsPath: join(encryptedDir, "usage.jsonl.enc"),
+        rawOutputDir: join(encryptedDir, "raw-tool-output"),
+        failureLogPath: join(dataDir, "logs", "failures.jsonl"),
+    };
+}
+export function defaultDataDir() {
+    if (process.env.TOKENWARDEN_HOME)
+        return process.env.TOKENWARDEN_HOME;
+    if (process.env.XDG_CACHE_HOME)
+        return join(process.env.XDG_CACHE_HOME, "tokenwarden");
+    return join(homedir(), ".cache", "tokenwarden");
+}
+export async function appendSavingsEvent(store, event) {
+    await withFileLock(`${store.eventsPath}.lock`, async () => {
+        await encryptedAppendFile(store.eventsPath, `${JSON.stringify(event)}\n`);
+    });
+}
+export async function readSavingsEvents(store, filter = {}) {
+    let content;
+    try {
+        content = await encryptedReadFile(store.eventsPath);
+    }
+    catch {
+        return [];
+    }
+    if (!content)
+        return [];
+    const events = content
+        .split(/\r?\n/)
+        .filter(Boolean)
+        .flatMap((line) => {
+        try {
+            const event = normalizeSavingsEvent(JSON.parse(line));
+            return event ? [event] : [];
+        }
+        catch {
+            return [];
+        }
+    });
+    if (!filter.sessionID)
+        return events;
+    return events.filter((event) => event.sessionID === filter.sessionID);
+}
+export async function summarizeStore(store, filter = {}) {
+    return summarizeSavings(await readSavingsEvents(store, filter));
+}
+export async function appendFailureLog(store, log) {
+    const entry = {
+        timestamp: new Date().toISOString(),
+        ...log,
+    };
+    await mkdir(dirname(store.failureLogPath), { recursive: true });
+    await appendFile(store.failureLogPath, `${JSON.stringify(entry)}\n`, "utf8");
+}
+export async function writeRawOutput(store, input) {
+    const safeSession = safePathPart(input.sessionID);
+    const safeCall = safePathPart(input.callID);
+    const filePath = join(store.rawOutputDir, safeSession, `${safeCall}.txt.enc`);
+    const tempPath = `${filePath}.tmp-${process.pid}-${Date.now()}`;
+    await mkdir(dirname(tempPath), { recursive: true });
+    try {
+        await writeFile(tempPath, input.output, "utf8");
+        await encryptedWriteFileFromPath(filePath, tempPath);
+    }
+    finally {
+        await rm(tempPath, { force: true });
+    }
+    return filePath;
+}
+function safePathPart(value) {
+    return value.replace(/[^a-zA-Z0-9_.-]/g, "_").slice(0, 120) || "unknown";
+}
+async function withFileLock(lockPath, run) {
+    const handle = await acquireFileLock(lockPath);
+    try {
+        return await run();
+    }
+    finally {
+        try {
+            await handle.close();
+        }
+        finally {
+            await rm(lockPath, { force: true });
+        }
+    }
+}
+async function acquireFileLock(lockPath) {
+    await mkdir(dirname(lockPath), { recursive: true });
+    const deadline = Date.now() + ENCRYPTED_APPEND_LOCK_TIMEOUT_MS;
+    for (;;) {
+        try {
+            const handle = await open(lockPath, "wx");
+            try {
+                await handle.writeFile(`${JSON.stringify({ pid: process.pid, createdAt: new Date().toISOString() })}\n`, "utf8");
+            }
+            catch (error) {
+                await handle.close();
+                await rm(lockPath, { force: true });
+                throw error;
+            }
+            return handle;
+        }
+        catch (error) {
+            if (error.code !== "EEXIST")
+                throw error;
+            if (Date.now() >= deadline)
+                throw new Error(`timed out waiting for encrypted storage lock: ${lockPath}`);
+            await sleep(ENCRYPTED_APPEND_LOCK_RETRY_MS);
+        }
+    }
+}

package/dist/src/core/tokens.js

@@ -0,0 +1,40 @@
+export function countTokens(value) {
+    const text = stringifyForTokens(value);
+    if (text.length === 0)
+        return 0;
+    const words = text.match(/[\p{L}\p{N}_]+|[^\s\p{L}\p{N}_]/gu) ?? [];
+    const charEstimate = Math.ceil(text.length / 4);
+    const wordEstimate = Math.ceil(words.length * 0.75);
+    return Math.max(1, Math.max(charEstimate, wordEstimate));
+}
+export function stringifyForTokens(value) {
+    if (typeof value === "string")
+        return value;
+    if (value === undefined || value === null)
+        return "";
+    try {
+        return JSON.stringify(value);
+    }
+    catch {
+        return String(value);
+    }
+}
+export function trimToTokenBudget(text, budget) {
+    if (budget <= 0)
+        return "";
+    if (countTokens(text) <= budget)
+        return text;
+    const lines = text.split(/\r?\n/);
+    const kept = [];
+    for (const line of lines) {
+        const next = [...kept, line].join("\n");
+        if (countTokens(next) > budget)
+            break;
+        kept.push(line);
+    }
+    if (kept.length === 0) {
+        const approximateChars = Math.max(1, budget * 4);
+        return text.slice(0, approximateChars);
+    }
+    return kept.join("\n");
+}