@toon-protocol/townhouse 0.1.0-rc5 → 0.1.1

package/dist/index.js

@@ -1,170 +1,61 @@
 import { createRequire } from 'module'; const require = createRequire(import.meta.url);
 import {
+  BootReconciler,
+  ComposeLoaderError,
   ConfigValidationError,
   ConnectorAdminClient,
   ConnectorConfigGenerator,
   DEFAULT_ATOR_PROXY,
   DockerOrchestrator,
+  ImageManifestSchema,
+  NodesYamlEntrySchema,
+  NodesYamlSchema,
+  OrchestratorError,
+  PeerTypeResolver,
+  SnapshotWriter,
   TransportProbe,
   WalletManager,
   createApiServer,
+  createDeltaComputer,
   createWizardApiServer,
   decryptWallet,
   encryptWallet,
   getDefaultConfig,
+  loadComposeTemplate,
   loadConfig,
   loadWallet,
+  materializeComposeTemplate,
+  readImageManifest,
+  readNodesYaml,
   saveConfig,
   saveWallet,
-  validateConfig
-} from "./chunk-IB6TNCUQ.js";
-import "./chunk-UTFWPLTB.js";
-
-// src/compose-loader.ts
-import {
-  readFileSync,
-  writeFileSync,
-  mkdirSync,
-  chmodSync,
-  statSync,
-  lstatSync,
-  existsSync
-} from "fs";
-import { dirname, join, resolve, isAbsolute } from "path";
-import { fileURLToPath } from "url";
-import { homedir } from "os";
-var VALID_PROFILES = ["dev", "hs"];
-var ComposeLoaderError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "ComposeLoaderError";
-  }
-};
-function defaultDistDir() {
-  const here = dirname(fileURLToPath(import.meta.url));
-  return resolve(here, "..", "dist");
-}
-function assertValidProfile(profile) {
-  if (!VALID_PROFILES.includes(profile)) {
-    throw new ComposeLoaderError(
-      `invalid compose profile: '${profile}'. Must be one of: ${VALID_PROFILES.join(", ")}.`
-    );
-  }
-}
-var SYSTEM_PATH_PREFIXES = [
-  "/etc",
-  "/usr",
-  "/bin",
-  "/sbin",
-  "/lib",
-  "/lib64",
-  "/proc",
-  "/sys",
-  "/dev",
-  "/boot",
-  "/root"
-];
-function assertValidTownhouseHome(home) {
-  if (!home) {
-    throw new ComposeLoaderError(
-      "townhouseHome resolved to an empty path. Set $HOME or pass options.townhouseHome explicitly."
-    );
-  }
-  if (!isAbsolute(home)) {
-    throw new ComposeLoaderError(
-      `townhouseHome must be an absolute path; got '${home}'.`
-    );
-  }
-  if (home === "/" || home === "\\") {
-    throw new ComposeLoaderError(
-      `townhouseHome must not be the filesystem root; got '${home}'. This usually means $HOME is unset and homedir() returned '/'.`
-    );
-  }
-  for (const prefix of SYSTEM_PATH_PREFIXES) {
-    if (home === prefix || home.startsWith(prefix + "/")) {
-      throw new ComposeLoaderError(
-        `townhouseHome must not target a system directory; got '${home}'. Allowed paths: under $HOME, under tmpdir(), or any user-writable location.`
-      );
-    }
-  }
-}
-function assertNotSymlink(filePath) {
-  try {
-    const lst = lstatSync(filePath);
-    if (lst.isSymbolicLink()) {
-      throw new ComposeLoaderError(
-        `${filePath} is a symlink; refusing to write through it. If this is intentional, remove the symlink and re-run.`
-      );
-    }
-  } catch (err) {
-    const code = err.code;
-    if (code !== "ENOENT") throw err;
-  }
-}
-function loadComposeTemplate(profile, options = {}) {
-  assertValidProfile(profile);
-  const distDir = options.distDir ?? defaultDistDir();
-  const composePath = join(distDir, "compose", `townhouse-${profile}.yml`);
-  if (!existsSync(composePath)) {
-    throw new ComposeLoaderError(
-      `compose template not found: ${composePath}. Did you run 'pnpm --filter @toon-protocol/townhouse build' first?`
-    );
-  }
-  return readFileSync(composePath, "utf-8");
-}
-function materializeComposeTemplate(profile, options = {}) {
-  assertValidProfile(profile);
-  const home = options.townhouseHome || join(homedir(), ".townhouse");
-  assertValidTownhouseHome(home);
-  const distDir = options.distDir ?? defaultDistDir();
-  const manifestSrc = join(distDir, "image-manifest.json");
-  if (profile === "hs" && !existsSync(manifestSrc)) {
-    throw new ComposeLoaderError(
-      `image-manifest.json not found at ${manifestSrc}. HS mode requires a digest-pinned image manifest. Reinstall @toon-protocol/townhouse from npm to restore the manifest.`
-    );
-  }
-  const yaml = loadComposeTemplate(profile, options);
-  const composeDir = join(home, "compose");
-  mkdirSync(composeDir, { recursive: true, mode: 448 });
-  for (const dir of [home, composeDir]) {
-    const lst = lstatSync(dir);
-    if (lst.isSymbolicLink()) {
-      const target = statSync(dir);
-      if (!target.isDirectory()) {
-        throw new ComposeLoaderError(
-          `${dir} is a symlink to a non-directory; refusing to materialize.`
-        );
-      }
-      continue;
-    }
-    const currentMode = lst.mode & 511;
-    if ((currentMode & 63) !== 0) {
-      chmodSync(dir, 448);
-    }
-  }
-  const composePath = join(composeDir, `townhouse-${profile}.yml`);
-  assertNotSymlink(composePath);
-  writeFileSync(composePath, yaml, { mode: 384, encoding: "utf-8" });
-  chmodSync(composePath, 384);
-  const manifestPath = join(home, "image-manifest.json");
-  if (existsSync(manifestSrc)) {
-    assertNotSymlink(manifestPath);
-    const manifest = readFileSync(manifestSrc, "utf-8");
-    writeFileSync(manifestPath, manifest, { mode: 384, encoding: "utf-8" });
-    chmodSync(manifestPath, 384);
-  }
-  return { composePath, manifestPath };
-}
+  utcDayBoundary,
+  utcMonthBoundary,
+  utcYearBoundary,
+  validateConfig,
+  writeNodesYaml
+} from "./chunk-W33MEOPM.js";
+import "./chunk-5O4SBV5O.js";
+import "./chunk-GQNBZJ6F.js";
+import "./chunk-I2R4CRUX.js";
 export {
+  BootReconciler,
   ComposeLoaderError,
   ConfigValidationError,
   ConnectorAdminClient,
   ConnectorConfigGenerator,
   DEFAULT_ATOR_PROXY,
   DockerOrchestrator,
+  ImageManifestSchema,
+  NodesYamlEntrySchema,
+  NodesYamlSchema,
+  OrchestratorError,
+  PeerTypeResolver,
+  SnapshotWriter,
   TransportProbe,
   WalletManager,
   createApiServer,
+  createDeltaComputer,
   createWizardApiServer,
   decryptWallet,
   encryptWallet,
@@ -173,8 +64,14 @@ export {
   loadConfig,
   loadWallet,
   materializeComposeTemplate,
+  readImageManifest,
+  readNodesYaml,
   saveConfig,
   saveWallet,
-  validateConfig
+  utcDayBoundary,
+  utcMonthBoundary,
+  utcYearBoundary,
+  validateConfig,
+  writeNodesYaml
 };
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/compose-loader.ts"],"sourcesContent":["import {\n  readFileSync,\n  writeFileSync,\n  mkdirSync,\n  chmodSync,\n  statSync,\n  lstatSync,\n  existsSync,\n} from 'node:fs';\nimport { dirname, join, resolve, isAbsolute } from 'node:path';\nimport { fileURLToPath } from 'node:url';\nimport { homedir } from 'node:os';\n\nexport type ComposeProfile = 'dev' | 'hs';\nconst VALID_PROFILES: readonly ComposeProfile[] = ['dev', 'hs'] as const;\n\nexport interface ComposeLoaderOptions {\n  /** Override default `~/.townhouse/` write target. Used by tests. */\n  townhouseHome?: string;\n  /** Override the package-relative dist directory the loader reads from.\n   *  Defaults to the `dist/` adjacent to compose-loader.js at runtime.\n   *  Tests use this to point at fixture directories. */\n  distDir?: string;\n}\n\nexport class ComposeLoaderError extends Error {\n  constructor(message: string) {\n    super(message);\n    this.name = 'ComposeLoaderError';\n  }\n}\n\nfunction defaultDistDir(): string {\n  // Resolves to `dist/` adjacent to the bundled output at runtime.\n  // When bundled by tsup, import.meta.url is the path of dist/index.js,\n  // so dirname = <package>/dist. resolve(<package>/dist, '..', 'dist') = <package>/dist.\n  // When running via tsx/ts-node from src/, dirname = <package>/src,\n  // so resolve(<package>/src, '..', 'dist') = <package>/dist. Both work.\n  const here = dirname(fileURLToPath(import.meta.url));\n  return resolve(here, '..', 'dist');\n}\n\nfunction assertValidProfile(\n  profile: string\n): asserts profile is ComposeProfile {\n  if (!(VALID_PROFILES as readonly string[]).includes(profile)) {\n    throw new ComposeLoaderError(\n      `invalid compose profile: '${profile}'. Must be one of: ${VALID_PROFILES.join(', ')}.`\n    );\n  }\n}\n\n// Reject townhouseHome paths that target system directories. Internal callers\n// (CLI, API, Story 45.4) pass `~/.townhouse` or test tmpdirs; an attacker\n// reaching this code path with `townhouseHome: '/etc'` would otherwise write\n// `/etc/compose/townhouse-hs.yml` and `chmod /etc 0o700`. The list is a\n// belt-and-suspenders defense — it doesn't replace caller validation, but it\n// turns a silent privilege escalation into a loud error.\nconst SYSTEM_PATH_PREFIXES = [\n  '/etc',\n  '/usr',\n  '/bin',\n  '/sbin',\n  '/lib',\n  '/lib64',\n  '/proc',\n  '/sys',\n  '/dev',\n  '/boot',\n  '/root',\n] as const;\n\nfunction assertValidTownhouseHome(home: string): void {\n  if (!home) {\n    throw new ComposeLoaderError(\n      'townhouseHome resolved to an empty path. Set $HOME or pass options.townhouseHome explicitly.'\n    );\n  }\n  if (!isAbsolute(home)) {\n    throw new ComposeLoaderError(\n      `townhouseHome must be an absolute path; got '${home}'.`\n    );\n  }\n  if (home === '/' || home === '\\\\') {\n    throw new ComposeLoaderError(\n      `townhouseHome must not be the filesystem root; got '${home}'. ` +\n        `This usually means $HOME is unset and homedir() returned '/'.`\n    );\n  }\n  for (const prefix of SYSTEM_PATH_PREFIXES) {\n    if (home === prefix || home.startsWith(prefix + '/')) {\n      throw new ComposeLoaderError(\n        `townhouseHome must not target a system directory; got '${home}'. ` +\n          `Allowed paths: under $HOME, under tmpdir(), or any user-writable location.`\n      );\n    }\n  }\n}\n\n// Refuse to write through a symlink at composePath/manifestPath. The dir-level\n// guard above only protects the directory itself; this protects the file path.\nfunction assertNotSymlink(filePath: string): void {\n  try {\n    const lst = lstatSync(filePath);\n    if (lst.isSymbolicLink()) {\n      throw new ComposeLoaderError(\n        `${filePath} is a symlink; refusing to write through it. ` +\n          `If this is intentional, remove the symlink and re-run.`\n      );\n    }\n  } catch (err) {\n    // ENOENT is expected (file doesn't exist yet — fresh write); rethrow others.\n    const code = (err as NodeJS.ErrnoException).code;\n    if (code !== 'ENOENT') throw err;\n  }\n}\n\n/**\n * Returns the rendered compose YAML for the requested profile.\n * For 'hs', digest substitutions are already applied (resolved at build time).\n * For 'dev', the YAML is returned verbatim (uses local `toon:*` image tags).\n * Throws `ComposeLoaderError` if the requested profile's YAML is unreadable.\n */\nexport function loadComposeTemplate(\n  profile: ComposeProfile,\n  options: ComposeLoaderOptions = {}\n): string {\n  assertValidProfile(profile);\n  const distDir = options.distDir ?? defaultDistDir();\n  const composePath = join(distDir, 'compose', `townhouse-${profile}.yml`);\n  if (!existsSync(composePath)) {\n    throw new ComposeLoaderError(\n      `compose template not found: ${composePath}. ` +\n        `Did you run 'pnpm --filter @toon-protocol/townhouse build' first?`\n    );\n  }\n  return readFileSync(composePath, 'utf-8');\n}\n\n/**\n * Writes the resolved compose YAML to `<townhouseHome>/compose/<profile>.yml`\n * and copies `dist/image-manifest.json` to `<townhouseHome>/image-manifest.json`.\n * BOTH output files are written with mode 0o600 (NFR8 — operator-secret file mode).\n * Returns the absolute paths of the two files written.\n */\nexport function materializeComposeTemplate(\n  profile: ComposeProfile,\n  options: ComposeLoaderOptions = {}\n): { composePath: string; manifestPath: string } {\n  assertValidProfile(profile);\n  const home = options.townhouseHome || join(homedir(), '.townhouse');\n  assertValidTownhouseHome(home);\n\n  const distDir = options.distDir ?? defaultDistDir();\n  const manifestSrc = join(distDir, 'image-manifest.json');\n\n  // Validate inputs BEFORE any writes so a failure leaves disk untouched.\n  // HS profile cannot succeed without a manifest — fail loudly up-front\n  // rather than after writing a stale/torn compose file.\n  if (profile === 'hs' && !existsSync(manifestSrc)) {\n    throw new ComposeLoaderError(\n      `image-manifest.json not found at ${manifestSrc}. ` +\n        `HS mode requires a digest-pinned image manifest. ` +\n        `Reinstall @toon-protocol/townhouse from npm to restore the manifest.`\n    );\n  }\n  // loadComposeTemplate also throws ENOENT if the source is missing — surface\n  // it now (read-only) so we don't mkdir or chmod for a doomed call.\n  const yaml = loadComposeTemplate(profile, options);\n\n  const composeDir = join(home, 'compose');\n  // Pass mode: 0o700 so newly-created intermediates start tight (closes the\n  // mkdir → chmod TOCTOU window that allowed brief world-readable state).\n  mkdirSync(composeDir, { recursive: true, mode: 0o700 });\n\n  // Refuse to chmod symlink targets — operator may have placed `~/.townhouse`\n  // as a symlink to an encrypted volume, and we should not silently flip the\n  // mode of a path we did not create. lstatSync inspects the link itself.\n  for (const dir of [home, composeDir]) {\n    const lst = lstatSync(dir);\n    if (lst.isSymbolicLink()) {\n      // Resolve the link target and confirm it's a directory; do not chmod.\n      const target = statSync(dir);\n      if (!target.isDirectory()) {\n        throw new ComposeLoaderError(\n          `${dir} is a symlink to a non-directory; refusing to materialize.`\n        );\n      }\n      continue;\n    }\n    // Only narrow the mode if it is currently broader than 0o700. Operators\n    // who deliberately set 0o700 OR tighter (e.g. 0o500) keep their setting.\n    // Bug fix R2: previous `!== 0o700` widened 0o500 to 0o700 — now we only\n    // chmod if the existing mode grants any permission outside the owner.\n    const currentMode = lst.mode & 0o777;\n    if ((currentMode & 0o077) !== 0) {\n      chmodSync(dir, 0o700);\n    }\n  }\n\n  const composePath = join(composeDir, `townhouse-${profile}.yml`);\n  // R2 file-symlink guard — refuse to write through a planted symlink.\n  assertNotSymlink(composePath);\n  writeFileSync(composePath, yaml, { mode: 0o600, encoding: 'utf-8' });\n  // Defensive re-chmod: writeFileSync's mode option is honored only on file\n  // creation — if composePath already existed at e.g. 0o644 (stale state from\n  // a prior interrupted run), the mode is unchanged by writeFileSync.\n  // chmodSync corrects both that case AND the WSL2 umask-masking edge case.\n  chmodSync(composePath, 0o600);\n\n  const manifestPath = join(home, 'image-manifest.json');\n  if (existsSync(manifestSrc)) {\n    assertNotSymlink(manifestPath);\n    const manifest = readFileSync(manifestSrc, 'utf-8');\n    writeFileSync(manifestPath, manifest, { mode: 0o600, encoding: 'utf-8' });\n    chmodSync(manifestPath, 0o600);\n  }\n  // (Manifest absence for 'dev' profile is silently tolerated — dev mode\n  // doesn't need digest pinning. HS profile already failed at the entry guard.)\n\n  return { composePath, manifestPath };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,SAAS,MAAM,SAAS,kBAAkB;AACnD,SAAS,qBAAqB;AAC9B,SAAS,eAAe;AAGxB,IAAM,iBAA4C,CAAC,OAAO,IAAI;AAWvD,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAC5C,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAEA,SAAS,iBAAyB;AAMhC,QAAM,OAAO,QAAQ,cAAc,YAAY,GAAG,CAAC;AACnD,SAAO,QAAQ,MAAM,MAAM,MAAM;AACnC;AAEA,SAAS,mBACP,SACmC;AACnC,MAAI,CAAE,eAAqC,SAAS,OAAO,GAAG;AAC5D,UAAM,IAAI;AAAA,MACR,6BAA6B,OAAO,sBAAsB,eAAe,KAAK,IAAI,CAAC;AAAA,IACrF;AAAA,EACF;AACF;AAQA,IAAM,uBAAuB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,yBAAyB,MAAoB;AACpD,MAAI,CAAC,MAAM;AACT,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,CAAC,WAAW,IAAI,GAAG;AACrB,UAAM,IAAI;AAAA,MACR,gDAAgD,IAAI;AAAA,IACtD;AAAA,EACF;AACA,MAAI,SAAS,OAAO,SAAS,MAAM;AACjC,UAAM,IAAI;AAAA,MACR,uDAAuD,IAAI;AAAA,IAE7D;AAAA,EACF;AACA,aAAW,UAAU,sBAAsB;AACzC,QAAI,SAAS,UAAU,KAAK,WAAW,SAAS,GAAG,GAAG;AACpD,YAAM,IAAI;AAAA,QACR,0DAA0D,IAAI;AAAA,MAEhE;AAAA,IACF;AAAA,EACF;AACF;AAIA,SAAS,iBAAiB,UAAwB;AAChD,MAAI;AACF,UAAM,MAAM,UAAU,QAAQ;AAC9B,QAAI,IAAI,eAAe,GAAG;AACxB,YAAM,IAAI;AAAA,QACR,GAAG,QAAQ;AAAA,MAEb;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AAEZ,UAAM,OAAQ,IAA8B;AAC5C,QAAI,SAAS,SAAU,OAAM;AAAA,EAC/B;AACF;AAQO,SAAS,oBACd,SACA,UAAgC,CAAC,GACzB;AACR,qBAAmB,OAAO;AAC1B,QAAM,UAAU,QAAQ,WAAW,eAAe;AAClD,QAAM,cAAc,KAAK,SAAS,WAAW,aAAa,OAAO,MAAM;AACvE,MAAI,CAAC,WAAW,WAAW,GAAG;AAC5B,UAAM,IAAI;AAAA,MACR,+BAA+B,WAAW;AAAA,IAE5C;AAAA,EACF;AACA,SAAO,aAAa,aAAa,OAAO;AAC1C;AAQO,SAAS,2BACd,SACA,UAAgC,CAAC,GACc;AAC/C,qBAAmB,OAAO;AAC1B,QAAM,OAAO,QAAQ,iBAAiB,KAAK,QAAQ,GAAG,YAAY;AAClE,2BAAyB,IAAI;AAE7B,QAAM,UAAU,QAAQ,WAAW,eAAe;AAClD,QAAM,cAAc,KAAK,SAAS,qBAAqB;AAKvD,MAAI,YAAY,QAAQ,CAAC,WAAW,WAAW,GAAG;AAChD,UAAM,IAAI;AAAA,MACR,oCAAoC,WAAW;AAAA,IAGjD;AAAA,EACF;AAGA,QAAM,OAAO,oBAAoB,SAAS,OAAO;AAEjD,QAAM,aAAa,KAAK,MAAM,SAAS;AAGvC,YAAU,YAAY,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAKtD,aAAW,OAAO,CAAC,MAAM,UAAU,GAAG;AACpC,UAAM,MAAM,UAAU,GAAG;AACzB,QAAI,IAAI,eAAe,GAAG;AAExB,YAAM,SAAS,SAAS,GAAG;AAC3B,UAAI,CAAC,OAAO,YAAY,GAAG;AACzB,cAAM,IAAI;AAAA,UACR,GAAG,GAAG;AAAA,QACR;AAAA,MACF;AACA;AAAA,IACF;AAKA,UAAM,cAAc,IAAI,OAAO;AAC/B,SAAK,cAAc,QAAW,GAAG;AAC/B,gBAAU,KAAK,GAAK;AAAA,IACtB;AAAA,EACF;AAEA,QAAM,cAAc,KAAK,YAAY,aAAa,OAAO,MAAM;AAE/D,mBAAiB,WAAW;AAC5B,gBAAc,aAAa,MAAM,EAAE,MAAM,KAAO,UAAU,QAAQ,CAAC;AAKnE,YAAU,aAAa,GAAK;AAE5B,QAAM,eAAe,KAAK,MAAM,qBAAqB;AACrD,MAAI,WAAW,WAAW,GAAG;AAC3B,qBAAiB,YAAY;AAC7B,UAAM,WAAW,aAAa,aAAa,OAAO;AAClD,kBAAc,cAAc,UAAU,EAAE,MAAM,KAAO,UAAU,QAAQ,CAAC;AACxE,cAAU,cAAc,GAAK;AAAA,EAC/B;AAIA,SAAO,EAAE,aAAa,aAAa;AACrC;","names":[]}
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}