@venturewild/workspace 0.3.3 → 0.3.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.3.3",
+  "version": "0.3.4",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/google-vouch.mjs

@@ -0,0 +1,87 @@
+// Google sign-in vouch (req 2) — the LOCAL-server half of "Sign in with Google".
+//
+// Why a vouch at all: Google's OAuth redirect URI must be a single, pre-registered
+// HTTPS URL, and the code exchange needs the client SECRET — neither can live on a
+// per-user, behind-the-tunnel local server. So bmo-sync (the central relay, which
+// already holds the account registry) owns the Google flow: it exchanges the code,
+// reads the user's verified email, checks it against the workspace's OWNER email,
+// and — only on a match — mints a short-lived VOUCH that it hands back to the local
+// server via `<slug>.venturewild.llc/?gv=<vouch>`. The local server verifies the
+// vouch and mints its own durable device token (reusing the same machinery as a
+// device-approval), so the cookie/role/revocation story is unchanged.
+//
+// The trust anchor is a secret BOTH sides already share, with NO new key to
+// distribute: the account token. bmo-sync stores `sha256(account_token)` in hex
+// (accounts.account_token_hash); the local server has the raw account token and
+// derives the same hex. That hex is the HS256 signing key. A third party can't
+// forge a vouch without the account token (or bmo-sync's at-rest hash), and the
+// local server already trusts bmo-sync (it routes all its traffic), so vouching
+// for identity adds no party that wasn't already in the trust base.
+
+import { SignJWT, jwtVerify } from 'jose';
+import { createHash } from 'node:crypto';
+
+export const VOUCH_AUDIENCE = 'wild-workspace-google-vouch';
+export const VOUCH_ISSUER = 'bmo-sync';
+// Vouches are single-hop and consumed immediately on the return redirect, so the
+// lifetime is tiny — long enough to survive the 302 + the SPA's POST, no more.
+export const VOUCH_TTL_SECONDS = 120;
+
+/**
+ * The HS256 key shared with bmo-sync: the lowercase-hex sha256 of the account
+ * token, exactly as bmo-sync stores it in `accounts.account_token_hash`
+ * (routes/slug.rs::hash_token = `hex::encode(Sha256::digest(token))`). Returns
+ * null when the install has no account token (not slug-linked → no Google sign-in).
+ */
+export function vouchKey(accountToken) {
+  if (!accountToken) return null;
+  const hex = createHash('sha256').update(String(accountToken)).digest('hex');
+  return new TextEncoder().encode(hex);
+}
+
+/**
+ * Mint a Google vouch (HS256). This is the contract bmo-sync implements in Rust;
+ * we keep a JS minter so the local-server verifier can be tested round-trip and
+ * the claim shape has one source of truth. NOT used in production by the server.
+ */
+export async function mintGoogleVouch({ accountToken, email, slug, nowSec = Math.floor(Date.now() / 1000), ttlSeconds = VOUCH_TTL_SECONDS }) {
+  const key = vouchKey(accountToken);
+  if (!key) throw new Error('no account token');
+  return new SignJWT({ email: String(email), slug: slug ? String(slug) : undefined })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuer(VOUCH_ISSUER)
+    .setAudience(VOUCH_AUDIENCE)
+    .setIssuedAt(nowSec)
+    .setExpirationTime(nowSec + ttlSeconds)
+    .sign(key);
+}
+
+/**
+ * Verify a Google vouch against this install's account token. Returns
+ * `{ ok: true, email, slug }` or `{ ok: false, reason }`. Never throws. The caller
+ * still enforces that `email` matches the configured owner email + `slug` matches
+ * this install — the vouch only proves "bmo-sync verified this Google identity for
+ * this account", not "this is the owner".
+ */
+export async function verifyGoogleVouch(token, accountToken) {
+  const key = vouchKey(accountToken);
+  if (!token || !key) return { ok: false, reason: 'no-token-or-key' };
+  try {
+    const { payload } = await jwtVerify(token, key, {
+      issuer: VOUCH_ISSUER,
+      audience: VOUCH_AUDIENCE,
+    });
+    if (!payload.email || typeof payload.email !== 'string') {
+      return { ok: false, reason: 'no-email' };
+    }
+    return { ok: true, email: payload.email, slug: typeof payload.slug === 'string' ? payload.slug : null };
+  } catch (e) {
+    // jose throws on bad signature / expiry / aud-iss mismatch — all "not valid".
+    return { ok: false, reason: e?.code || 'invalid' };
+  }
+}
+
+/** Case-insensitive owner-email match (Google emails are case-insensitive). */
+export function emailMatches(a, b) {
+  return Boolean(a) && Boolean(b) && String(a).trim().toLowerCase() === String(b).trim().toLowerCase();
+}

package/server/src/index.mjs

@@ -30,6 +30,7 @@ import {
   TokenRegistry,
 } from './share.mjs';
 import { PairingStore } from './pairing.mjs';
+import { verifyGoogleVouch, emailMatches } from './google-vouch.mjs';
 import { listDir, readFile, fullTree, workspaceSummary, safeResolve } from './fs.mjs';
 import { InboxWatcher } from './inbox.mjs';
 import { ActivityBus } from './activity.mjs';
@@ -588,6 +589,14 @@ export async function createServer(overrides = {}) {
     return attrs.join('; ');
   }
 
+  // The host-owner loopback grant (req 1) is only sound when the server is BOUND
+  // to loopback — then the port is reachable solely by on-host processes, so the
+  // (client-controlled) Host header can't be spoofed from the network. On a
+  // 0.0.0.0 / public bind we must NOT trust loopback-looking headers; tokens only.
+  const isLocalBind = ['127.0.0.1', 'localhost', '::1', '[::1]'].includes(
+    String(config.host || '127.0.0.1').toLowerCase(),
+  );
+
   // --- auth + role resolution ---
   async function resolveRole(c) {
     // 1. Authorization: Bearer — the only path that may carry the operator token.
@@ -619,7 +628,16 @@ export async function createServer(overrides = {}) {
     if (!config.publicMode) {
       return { role: ROLES.PARTNER, sub: 'local-partner', source: 'localhost' };
     }
-    // Public mode with no valid token: deny. No anonymous viewer access —
+    // Host-machine owner over GENUINE loopback (req 1: "same machine = no
+    // approval"). The owner opens localhost on the box that runs the workspace and
+    // is in — no device-approval. A tunneled visitor can never reach this: the
+    // relay stamps x-forwarded-host on every tunneled request (rejected by
+    // loopbackHeaders) and the server binds loopback. The only thing trusted here
+    // is an on-host process, which already holds the owner's files + secrets.
+    if (isLocalBind && isGenuineLoopback(c)) {
+      return { role: ROLES.PARTNER, sub: 'local-owner', source: 'loopback' };
+    }
+    // Public mode, not local, no valid token: deny. No anonymous viewer access —
     // a share JWT or the partner token is required. (Concern C1.)
     return { role: null, sub: 'anon', source: 'unauth', denied: true };
   }
@@ -692,6 +710,10 @@ export async function createServer(overrides = {}) {
     // request can reach it; the handler itself 404s anything that isn't real
     // loopback, so a public visitor can never use it.
     '/api/auth/bootstrap',
+    // Google sign-in return (req 2). A browser coming back from Google has no
+    // workspace token yet — it carries a bmo-sync vouch, which the handler
+    // verifies (an invalid vouch is rejected there), so being public is safe.
+    '/api/auth/google',
   ]);
   app.use('*', async (c, next) => {
     const session = await resolveRole(c);
@@ -760,14 +782,22 @@ export async function createServer(overrides = {}) {
   // with no forwarding headers + a loopback Host. (B1 — basis for first-device
   // bootstrap. A local process already has the user's filesystem + secrets, so
   // trusting it grants nothing it didn't already have.)
-  function isGenuineLoopback(c) {
-    const h = (n) => c.req.header(n);
-    if (h('x-forwarded-for') || h('x-forwarded-host') || h('x-forwarded-proto') || h('x-real-ip')) {
+  // Shared loopback predicate over a header getter — reused by the Hono path
+  // (isGenuineLoopback) and the raw-Node WS upgrade path (req.headers). A GENUINE
+  // local request carries NONE of the relay's forwarding headers (bmo-sync strips
+  // any client-supplied X-Forwarded-*/X-Real-IP and stamps its own on every
+  // tunneled request, so they can't be faked from the internet) and has a loopback
+  // Host. The server binds loopback, so only an on-host process can produce this.
+  function loopbackHeaders(get) {
+    if (get('x-forwarded-for') || get('x-forwarded-host') || get('x-forwarded-proto') || get('x-real-ip')) {
       return false;
     }
-    const hostname = String(h('host') || '').toLowerCase().split(':')[0];
+    const hostname = String(get('host') || '').toLowerCase().split(':')[0];
     return hostname === '127.0.0.1' || hostname === 'localhost' || hostname === '::1' || hostname === '[::1]';
   }
+  function isGenuineLoopback(c) {
+    return loopbackHeaders((n) => c.req.header(n));
+  }
 
   // --- auth: first-device bootstrap (B1) -------------------------------------
   // The everyday problem: a brand-new owner runs `wild-workspace` and wants to
@@ -862,6 +892,47 @@ export async function createServer(overrides = {}) {
     return c.json({ ok: true, role: session.role, cookie: true });
   });
 
+  // Google sign-in return (req 2). bmo-sync ran the Google OAuth centrally, checked
+  // the verified email against THIS account's owner, and handed the browser back a
+  // short-lived vouch via <slug>.venturewild.llc/?gv=<vouch>. The SPA POSTs it here;
+  // we verify it against the shared account secret, re-confirm the owner email +
+  // slug, then mint the SAME durable, individually-revocable device token a device
+  // approval would — so any device the owner signs into with Google is in, no
+  // second-device approval and no nag. Public-allowlisted: the vouch IS the
+  // credential, so an invalid one is rejected here (401/403), never trusted.
+  app.post('/api/auth/google', async (c) => {
+    // accountToken is kept top-level on config (out of the broadcast config.account).
+    if (!config.accountToken) {
+      return c.json({ error: 'not-linked' }, 400); // not slug-linked → no Google sign-in
+    }
+    let body = {};
+    try { body = await c.req.json(); } catch { /* empty body ok */ }
+    const vouch = typeof body.vouch === 'string' ? body.vouch : c.req.query('gv');
+    const v = await verifyGoogleVouch(vouch, config.accountToken);
+    if (!v.ok) {
+      log('[auth]', `google vouch rejected: ${v.reason}`);
+      return c.json({ error: 'invalid-vouch' }, 401);
+    }
+    // The vouch proves "bmo-sync verified this Google identity for this account".
+    // Re-enforce that it's the OWNER of THIS install (email + slug) so a vouch
+    // minted for another workspace can't be replayed here.
+    if (!emailMatches(v.email, config.account.email)) {
+      log('[auth]', `google vouch email mismatch (${v.email})`);
+      return c.json({ error: 'not-owner' }, 403);
+    }
+    if (v.slug && config.account.slug && v.slug !== config.account.slug) {
+      return c.json({ error: 'wrong-workspace' }, 403);
+    }
+    const device = await mintDeviceToken({ secret: config.shareSecret, workspaceId: config.workspaceId });
+    tokenRegistry.add({ ...device, kind: 'device', label: `Google (${v.email})`, createdAt: Date.now() });
+    const now = Math.floor(Date.now() / 1000);
+    const maxAge = Math.max(60, device.exp - now);
+    c.header('Set-Cookie', authCookieAttrs(device.token, maxAge));
+    auditAction(c, 'google-signin', `email=${v.email} sub=${device.sub}`);
+    log('[auth]', `google sign-in → durable device sub=${device.sub} email=${v.email} ttl=${maxAge}s`);
+    return c.json({ ok: true, role: 'partner', cookie: true });
+  });
+
   app.post('/api/auth/logout', (c) => {
     c.header('Set-Cookie', authCookieAttrs('', 0));
     return c.json({ ok: true });
@@ -2078,6 +2149,11 @@ export async function createServer(overrides = {}) {
     } else if (!cookieToken && !tokenFromQuery && !config.publicMode) {
       role = ROLES.PARTNER;
       sub = 'local-partner';
+    } else if (!cookieToken && !tokenFromQuery && isLocalBind && loopbackHeaders((n) => req.headers[n])) {
+      // Host-machine owner over genuine loopback (req 1) — mirror resolveRole so
+      // the chat WS works for the local owner with no token, same as the SPA.
+      role = ROLES.PARTNER;
+      sub = 'local-owner';
     }
     // Deny: public mode with no token, or any invalid/revoked token. An
     // invalid token must NOT silently fall back to partner. (Concern C1.)

package/server/src/supervisor.mjs

@@ -606,7 +606,7 @@ export class WorkspaceSupervisor {
     process.on('exit', () => this.releaseLock());
     process.on('SIGTERM', () => process.exit(0));
     process.on('SIGINT', () => process.exit(0));
-    this.log(`supervisor start pid=${process.pid} watching http://127.0.0.1:${this.port}/api/health (workspace=${this.workspaceDir})`);
+    this.log(`supervisor start pid=${process.pid} v${this.selfVersion || '?'} watching http://127.0.0.1:${this.port}/api/health (workspace=${this.workspaceDir})`);
     this.timer = setInterval(() => { this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`)); }, this.pollMs);
     this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`));