@venturewild/workspace 0.1.12 → 0.1.14

package/server/src/logpaths.mjs

@@ -1,98 +1,98 @@
-// logpaths — one registry for the machine-global logs so `doctor`, `logs`, and
-// the operator channel all read the same set, and a tiny append/rotate/tail
-// helper for the new logs we write ourselves (cli, operator).
-//
-// WHY a registry and not just scattered paths: a brand-new user's install is the
-// riskiest moment (no Claude yet, wrong Node, port busy, daemon won't resolve),
-// and "I can't see what happened on their machine" is the #1 un-debuggable
-// failure. Centralising the log locations is what lets `wild-workspace doctor`
-// gather them and the operator channel tail them by name — never by arbitrary
-// path (the tail allowlist is TAILABLE below).
-//
-// NOTE: the supervisor + daemon-supervisor keep writing their logs at the
-// global-dir root (supervisor.log / server.out.log / daemon.log) — those paths
-// are reboot-proven and pinned by tests via an injected globalDir, so we mirror
-// them here for READING rather than moving them. Everything lives under
-// ~/.wild-workspace (NEVER the synced workspace — CLAUDE.md principle #1).
-
-import os from 'node:os';
-import path from 'node:path';
-import fs from 'node:fs';
-
-// THE machine-global dir. Mirrors service.mjs globalDir() + the supervisor
-// defaults. Overridable via env for tests / unusual homes.
-export function globalDir(env = process.env) {
-  return env.WILD_WORKSPACE_GLOBAL_DIR || path.join(os.homedir(), '.wild-workspace');
-}
-
-// Logical name → filename. The first three are written by existing components;
-// cli + operator are new. Doctor bundles go under diagnosticsDir() (below).
-export const LOG_FILES = Object.freeze({
-  supervisor: 'supervisor.log', // WorkspaceSupervisor watchdog
-  server: 'server.out.log', //     the :5173 server's stdout/stderr (launcher-redirected)
-  daemon: 'daemon.log', //         the bmo-sync daemon
-  cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
-  operator: 'operator.log', //     the consented operator channel's audit trail
-  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
-});
-
-// Logs the operator channel may tail BY NAME — never an arbitrary path.
-export const TAILABLE = Object.freeze(Object.keys(LOG_FILES));
-
-export function logFile(name, env = process.env) {
-  return path.join(globalDir(env), LOG_FILES[name] || `${name}.log`);
-}
-
-export function diagnosticsDir(env = process.env) {
-  return path.join(globalDir(env), 'diagnostics');
-}
-
-const MAX_LOG_BYTES = 2 * 1024 * 1024; // 2 MB → rotate to .1 (keep one prior gen)
-
-// Rotate `file` to `file.1` once it grows past maxBytes. Best-effort, no throw.
-export function rotateIfBig(file, maxBytes = MAX_LOG_BYTES) {
-  try {
-    if (fs.statSync(file).size > maxBytes) fs.renameSync(file, `${file}.1`);
-  } catch {
-    /* missing / racing rename — nothing to rotate */
-  }
-}
-
-// Append a timestamped line to a named log; ensures the dir + rotates. Returns
-// the file path. Never throws — logging must not break the caller's path.
-export function appendLine(name, line, env = process.env) {
-  const file = logFile(name, env);
-  try {
-    fs.mkdirSync(path.dirname(file), { recursive: true });
-    rotateIfBig(file);
-    fs.appendFileSync(file, `[${new Date().toISOString()}] ${line}\n`);
-  } catch {
-    /* read-only fs etc. — degrade silently */
-  }
-  return file;
-}
-
-// Last `n` lines of a file (logs are size-capped, so reading whole is cheap).
-// Returns '' when the file is missing/unreadable.
-export function tailFile(file, n = 200) {
-  try {
-    // Drop the trailing newline so the last line isn't an empty entry.
-    const lines = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '').split(/\r?\n/);
-    return lines.slice(Math.max(0, lines.length - n)).join('\n');
-  } catch {
-    return '';
-  }
-}
-
-// All known logs with on-disk size + mtime (null when absent) — for doctor/logs.
-export function listLogs(env = process.env) {
-  return TAILABLE.map((name) => {
-    const file = logFile(name, env);
-    try {
-      const st = fs.statSync(file);
-      return { name, file, exists: true, size: st.size, mtime: st.mtimeMs };
-    } catch {
-      return { name, file, exists: false, size: null, mtime: null };
-    }
-  });
-}
+// logpaths — one registry for the machine-global logs so `doctor`, `logs`, and
+// the operator channel all read the same set, and a tiny append/rotate/tail
+// helper for the new logs we write ourselves (cli, operator).
+//
+// WHY a registry and not just scattered paths: a brand-new user's install is the
+// riskiest moment (no Claude yet, wrong Node, port busy, daemon won't resolve),
+// and "I can't see what happened on their machine" is the #1 un-debuggable
+// failure. Centralising the log locations is what lets `wild-workspace doctor`
+// gather them and the operator channel tail them by name — never by arbitrary
+// path (the tail allowlist is TAILABLE below).
+//
+// NOTE: the supervisor + daemon-supervisor keep writing their logs at the
+// global-dir root (supervisor.log / server.out.log / daemon.log) — those paths
+// are reboot-proven and pinned by tests via an injected globalDir, so we mirror
+// them here for READING rather than moving them. Everything lives under
+// ~/.wild-workspace (NEVER the synced workspace — CLAUDE.md principle #1).
+
+import os from 'node:os';
+import path from 'node:path';
+import fs from 'node:fs';
+
+// THE machine-global dir. Mirrors service.mjs globalDir() + the supervisor
+// defaults. Overridable via env for tests / unusual homes.
+export function globalDir(env = process.env) {
+  return env.WILD_WORKSPACE_GLOBAL_DIR || path.join(os.homedir(), '.wild-workspace');
+}
+
+// Logical name → filename. The first three are written by existing components;
+// cli + operator are new. Doctor bundles go under diagnosticsDir() (below).
+export const LOG_FILES = Object.freeze({
+  supervisor: 'supervisor.log', // WorkspaceSupervisor watchdog
+  server: 'server.out.log', //     the :5173 server's stdout/stderr (launcher-redirected)
+  daemon: 'daemon.log', //         the bmo-sync daemon
+  cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
+  operator: 'operator.log', //     the consented operator channel's audit trail
+  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
+});
+
+// Logs the operator channel may tail BY NAME — never an arbitrary path.
+export const TAILABLE = Object.freeze(Object.keys(LOG_FILES));
+
+export function logFile(name, env = process.env) {
+  return path.join(globalDir(env), LOG_FILES[name] || `${name}.log`);
+}
+
+export function diagnosticsDir(env = process.env) {
+  return path.join(globalDir(env), 'diagnostics');
+}
+
+const MAX_LOG_BYTES = 2 * 1024 * 1024; // 2 MB → rotate to .1 (keep one prior gen)
+
+// Rotate `file` to `file.1` once it grows past maxBytes. Best-effort, no throw.
+export function rotateIfBig(file, maxBytes = MAX_LOG_BYTES) {
+  try {
+    if (fs.statSync(file).size > maxBytes) fs.renameSync(file, `${file}.1`);
+  } catch {
+    /* missing / racing rename — nothing to rotate */
+  }
+}
+
+// Append a timestamped line to a named log; ensures the dir + rotates. Returns
+// the file path. Never throws — logging must not break the caller's path.
+export function appendLine(name, line, env = process.env) {
+  const file = logFile(name, env);
+  try {
+    fs.mkdirSync(path.dirname(file), { recursive: true });
+    rotateIfBig(file);
+    fs.appendFileSync(file, `[${new Date().toISOString()}] ${line}\n`);
+  } catch {
+    /* read-only fs etc. — degrade silently */
+  }
+  return file;
+}
+
+// Last `n` lines of a file (logs are size-capped, so reading whole is cheap).
+// Returns '' when the file is missing/unreadable.
+export function tailFile(file, n = 200) {
+  try {
+    // Drop the trailing newline so the last line isn't an empty entry.
+    const lines = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '').split(/\r?\n/);
+    return lines.slice(Math.max(0, lines.length - n)).join('\n');
+  } catch {
+    return '';
+  }
+}
+
+// All known logs with on-disk size + mtime (null when absent) — for doctor/logs.
+export function listLogs(env = process.env) {
+  return TAILABLE.map((name) => {
+    const file = logFile(name, env);
+    try {
+      const st = fs.statSync(file);
+      return { name, file, exists: true, size: st.size, mtime: st.mtimeMs };
+    } catch {
+      return { name, file, exists: false, size: null, mtime: null };
+    }
+  });
+}

package/server/src/pairing.mjs

@@ -0,0 +1,137 @@
+// In-memory store of pending "sign in this device" requests (Phase 2 device
+// approval). A new device calls POST /api/auth/pair/start → we mint a short
+// human CODE (the owner reads it off the new device) plus an unguessable
+// requestId (the device polls by THIS, never the code). The owner approves from
+// a partner session — which must echo the matching code (confused-deputy
+// defense) — and we attach a minted device token; the device claims it ONCE.
+//
+// Deliberately in-memory + ephemeral (5-min TTL): a pending request that
+// survived a restart would just be a longer attack window for no UX gain — the
+// device simply re-requests. The durable artifact is the minted token
+// (persisted via TokenRegistry), not the pairing record.
+
+import crypto from 'node:crypto';
+import { nanoid } from 'nanoid';
+
+const DEFAULT_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const DEFAULT_MAX_PENDING = 5;
+
+// 6-digit zero-padded code. Used ONLY owner-side (the approver matches it
+// against the code shown on the new device). It is NEVER an auth credential on
+// the public poll path — the device authenticates by requestId — so its low
+// entropy is not an internet-facing brute-force surface.
+function makeCode() {
+  return String(crypto.randomInt(0, 1_000_000)).padStart(6, '0');
+}
+
+export class PairingStore {
+  constructor({ ttlMs = DEFAULT_TTL_MS, maxPending = DEFAULT_MAX_PENDING, clock = () => Date.now() } = {}) {
+    this.ttlMs = ttlMs;
+    this.maxPending = maxPending;
+    this.clock = clock;
+    // requestId -> { requestId, code, label, status, createdAt, expiresAt, token, sub, exp }
+    this.requests = new Map();
+  }
+
+  // Expire stale pending requests; drop terminal records a while after expiry to
+  // bound memory. Called on every accessor so the map self-cleans.
+  prune() {
+    const now = this.clock();
+    for (const [id, r] of this.requests) {
+      if (r.status === 'pending' && r.expiresAt <= now) r.status = 'expired';
+      if (r.expiresAt + this.ttlMs <= now) this.requests.delete(id);
+    }
+  }
+
+  pendingCount() {
+    this.prune();
+    let n = 0;
+    for (const r of this.requests.values()) if (r.status === 'pending') n += 1;
+    return n;
+  }
+
+  // Returns { requestId, code, expiresAt } or null if the global pending cap is
+  // reached (anti-spam: bounds how cluttered the owner's approval list can get).
+  create({ label } = {}) {
+    if (this.pendingCount() >= this.maxPending) return null;
+    const now = this.clock();
+    const requestId = nanoid(16);
+    // Codes must be UNIQUE among pending so "owner types the code" resolves to
+    // exactly one request (collision odds are ~nil at maxPending=5, but be
+    // deterministic about it).
+    const pendingCodes = new Set(
+      [...this.requests.values()].filter((r) => r.status === 'pending').map((r) => r.code),
+    );
+    let code = makeCode();
+    for (let guard = 0; pendingCodes.has(code) && guard < 50; guard += 1) code = makeCode();
+    const rec = {
+      requestId,
+      code,
+      label: label || 'a device',
+      status: 'pending',
+      createdAt: now,
+      expiresAt: now + this.ttlMs,
+      token: null,
+      sub: null,
+      exp: null,
+    };
+    this.requests.set(requestId, rec);
+    return { requestId, code: rec.code, expiresAt: rec.expiresAt };
+  }
+
+
+  get(requestId) {
+    this.prune();
+    return this.requests.get(requestId) || null;
+  }
+
+  // Pending, non-expired requests for the owner's approval UI (includes the code
+  // so the owner can visually match it against the new device's screen).
+  listPending() {
+    this.prune();
+    // Includes the code so the owner can match it against the new device's
+    // screen and approve the right one if more than one is pending. Approval
+    // itself is by requestId (one tap); the code is the human "is this mine?"
+    // confirmation, not a typed secret.
+    return [...this.requests.values()]
+      .filter((r) => r.status === 'pending')
+      .map((r) => ({ requestId: r.requestId, code: r.code, label: r.label, createdAt: r.createdAt }));
+  }
+
+  // Approve a specific pending request (the one the owner tapped, having matched
+  // its code against the new device). Returns true on success. `tokenInfo` =
+  // { token, sub, exp } from mintDeviceToken.
+  approve(requestId, tokenInfo) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r || r.status !== 'pending') return false;
+    r.status = 'approved';
+    r.token = tokenInfo.token;
+    r.sub = tokenInfo.sub;
+    r.exp = tokenInfo.exp;
+    return true;
+  }
+
+  deny(requestId) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r || r.status !== 'pending') return false;
+    r.status = 'denied';
+    return true;
+  }
+
+  // One-shot token read: once approved, the device gets the token exactly once;
+  // a replayed poll yields { status:'claimed' } with no token.
+  claim(requestId) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r) return { status: 'expired' };
+    if (r.status === 'approved' && r.token) {
+      const token = r.token;
+      r.status = 'claimed';
+      r.token = null;
+      return { status: 'approved', token };
+    }
+    return { status: r.status };
+  }
+}