@venturewild/workspace 0.6.0 → 0.6.2

package/server/src/operator.mjs

@@ -1,92 +1,92 @@
-// Operator channel token — the consented "let the wild-workspace team help with
-// my install" capability (docs/SECURITY.md, docs/user-experience.md §5).
-//
-// SECURITY POSTURE: this channel is OFF by default. It only exists once a token
-// is minted (`wild-workspace operator enable`, an explicit user opt-in). With no
-// token, the operator role is unreachable and every /api/operator/* route 404s.
-// The token is a separate secret from the partner token (so it can be handed to
-// support + revoked independently), persisted 0600, and accepted ONLY in an
-// Authorization header — never a `?t=` query (it must not leak via logs /
-// history / referrer; SECURITY.md S1). Disabling deletes the token.
-
-import fs from 'node:fs';
-import path from 'node:path';
-import crypto from 'node:crypto';
-
-export function operatorFile(dataDir) {
-  return path.join(dataDir, 'operator.json');
-}
-
-// The token, or null when the channel is disabled (the common case).
-export function loadOperatorToken(dataDir) {
-  try {
-    const parsed = JSON.parse(fs.readFileSync(operatorFile(dataDir), 'utf8'));
-    return typeof parsed.operatorToken === 'string' && parsed.operatorToken
-      ? parsed.operatorToken
-      : null;
-  } catch {
-    return null;
-  }
-}
-
-// RC1 hot-reload: read the operator token LIVE (with a tiny TTL cache) instead of
-// the value the server snapshotted at boot. Today `operator enable` writes the
-// token to disk but a long-running server keeps serving its cached "disabled"
-// state, so the channel 401s until a manual restart (the exact bug from the first
-// external install). A short TTL keeps this off the hot auth path — every request
-// reads from cache, and `enable`/`disable` take effect within `ttlMs`.
-//
-// The cache is keyed by dataDir so two servers (tests, multiple installs) in one
-// process don't read each other's tokens. `now` is injectable for tests.
-const _tokenCache = new Map(); // dataDir -> { token, at }
-export function getOperatorToken(dataDir, { ttlMs = 2000, now = Date.now } = {}) {
-  const t = now();
-  const hit = _tokenCache.get(dataDir);
-  if (hit && t - hit.at < ttlMs) return hit.token;
-  const token = loadOperatorToken(dataDir);
-  _tokenCache.set(dataDir, { token, at: t });
-  return token;
-}
-
-// Drop the cached token for a dataDir (or all of them). `enable`/`disable` run in
-// a separate CLI process from the server, so they don't need this — it exists so
-// in-process callers (and tests) can force a re-read without waiting out the TTL.
-export function invalidateOperatorTokenCache(dataDir) {
-  if (dataDir === undefined) _tokenCache.clear();
-  else _tokenCache.delete(dataDir);
-}
-
-// Turn the channel on. Idempotent by default — returns the existing token if one
-// is already set (so a re-run doesn't invalidate the code the user already
-// shared). Pass { rotate:true } to force a fresh token. Returns the token, or
-// null if it couldn't be persisted.
-export function enableOperator(dataDir, { rotate = false } = {}) {
-  const existing = loadOperatorToken(dataDir);
-  if (existing && !rotate) return existing;
-  const token = crypto.randomBytes(24).toString('base64url');
-  try {
-    fs.mkdirSync(dataDir, { recursive: true });
-    fs.writeFileSync(
-      operatorFile(dataDir),
-      JSON.stringify({ operatorToken: token, enabledAt: Date.now() }, null, 2),
-      { mode: 0o600 },
-    );
-  } catch {
-    return null;
-  }
-  return token;
-}
-
-// Turn the channel off (revoke). Returns true if a token file was removed.
-export function disableOperator(dataDir) {
-  try {
-    fs.rmSync(operatorFile(dataDir));
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-export function operatorStatus(dataDir) {
-  return { enabled: Boolean(loadOperatorToken(dataDir)), file: operatorFile(dataDir) };
-}
+// Operator channel token — the consented "let the wild-workspace team help with
+// my install" capability (docs/SECURITY.md, docs/user-experience.md §5).
+//
+// SECURITY POSTURE: this channel is OFF by default. It only exists once a token
+// is minted (`wild-workspace operator enable`, an explicit user opt-in). With no
+// token, the operator role is unreachable and every /api/operator/* route 404s.
+// The token is a separate secret from the partner token (so it can be handed to
+// support + revoked independently), persisted 0600, and accepted ONLY in an
+// Authorization header — never a `?t=` query (it must not leak via logs /
+// history / referrer; SECURITY.md S1). Disabling deletes the token.
+
+import fs from 'node:fs';
+import path from 'node:path';
+import crypto from 'node:crypto';
+
+export function operatorFile(dataDir) {
+  return path.join(dataDir, 'operator.json');
+}
+
+// The token, or null when the channel is disabled (the common case).
+export function loadOperatorToken(dataDir) {
+  try {
+    const parsed = JSON.parse(fs.readFileSync(operatorFile(dataDir), 'utf8'));
+    return typeof parsed.operatorToken === 'string' && parsed.operatorToken
+      ? parsed.operatorToken
+      : null;
+  } catch {
+    return null;
+  }
+}
+
+// RC1 hot-reload: read the operator token LIVE (with a tiny TTL cache) instead of
+// the value the server snapshotted at boot. Today `operator enable` writes the
+// token to disk but a long-running server keeps serving its cached "disabled"
+// state, so the channel 401s until a manual restart (the exact bug from the first
+// external install). A short TTL keeps this off the hot auth path — every request
+// reads from cache, and `enable`/`disable` take effect within `ttlMs`.
+//
+// The cache is keyed by dataDir so two servers (tests, multiple installs) in one
+// process don't read each other's tokens. `now` is injectable for tests.
+const _tokenCache = new Map(); // dataDir -> { token, at }
+export function getOperatorToken(dataDir, { ttlMs = 2000, now = Date.now } = {}) {
+  const t = now();
+  const hit = _tokenCache.get(dataDir);
+  if (hit && t - hit.at < ttlMs) return hit.token;
+  const token = loadOperatorToken(dataDir);
+  _tokenCache.set(dataDir, { token, at: t });
+  return token;
+}
+
+// Drop the cached token for a dataDir (or all of them). `enable`/`disable` run in
+// a separate CLI process from the server, so they don't need this — it exists so
+// in-process callers (and tests) can force a re-read without waiting out the TTL.
+export function invalidateOperatorTokenCache(dataDir) {
+  if (dataDir === undefined) _tokenCache.clear();
+  else _tokenCache.delete(dataDir);
+}
+
+// Turn the channel on. Idempotent by default — returns the existing token if one
+// is already set (so a re-run doesn't invalidate the code the user already
+// shared). Pass { rotate:true } to force a fresh token. Returns the token, or
+// null if it couldn't be persisted.
+export function enableOperator(dataDir, { rotate = false } = {}) {
+  const existing = loadOperatorToken(dataDir);
+  if (existing && !rotate) return existing;
+  const token = crypto.randomBytes(24).toString('base64url');
+  try {
+    fs.mkdirSync(dataDir, { recursive: true });
+    fs.writeFileSync(
+      operatorFile(dataDir),
+      JSON.stringify({ operatorToken: token, enabledAt: Date.now() }, null, 2),
+      { mode: 0o600 },
+    );
+  } catch {
+    return null;
+  }
+  return token;
+}
+
+// Turn the channel off (revoke). Returns true if a token file was removed.
+export function disableOperator(dataDir) {
+  try {
+    fs.rmSync(operatorFile(dataDir));
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function operatorStatus(dataDir) {
+  return { enabled: Boolean(loadOperatorToken(dataDir)), file: operatorFile(dataDir) };
+}

package/server/src/pairing.mjs

@@ -1,137 +1,137 @@
-// In-memory store of pending "sign in this device" requests (Phase 2 device
-// approval). A new device calls POST /api/auth/pair/start → we mint a short
-// human CODE (the owner reads it off the new device) plus an unguessable
-// requestId (the device polls by THIS, never the code). The owner approves from
-// a partner session — which must echo the matching code (confused-deputy
-// defense) — and we attach a minted device token; the device claims it ONCE.
-//
-// Deliberately in-memory + ephemeral (5-min TTL): a pending request that
-// survived a restart would just be a longer attack window for no UX gain — the
-// device simply re-requests. The durable artifact is the minted token
-// (persisted via TokenRegistry), not the pairing record.
-
-import crypto from 'node:crypto';
-import { nanoid } from 'nanoid';
-
-const DEFAULT_TTL_MS = 5 * 60 * 1000; // 5 minutes
-const DEFAULT_MAX_PENDING = 5;
-
-// 6-digit zero-padded code. Used ONLY owner-side (the approver matches it
-// against the code shown on the new device). It is NEVER an auth credential on
-// the public poll path — the device authenticates by requestId — so its low
-// entropy is not an internet-facing brute-force surface.
-function makeCode() {
-  return String(crypto.randomInt(0, 1_000_000)).padStart(6, '0');
-}
-
-export class PairingStore {
-  constructor({ ttlMs = DEFAULT_TTL_MS, maxPending = DEFAULT_MAX_PENDING, clock = () => Date.now() } = {}) {
-    this.ttlMs = ttlMs;
-    this.maxPending = maxPending;
-    this.clock = clock;
-    // requestId -> { requestId, code, label, status, createdAt, expiresAt, token, sub, exp }
-    this.requests = new Map();
-  }
-
-  // Expire stale pending requests; drop terminal records a while after expiry to
-  // bound memory. Called on every accessor so the map self-cleans.
-  prune() {
-    const now = this.clock();
-    for (const [id, r] of this.requests) {
-      if (r.status === 'pending' && r.expiresAt <= now) r.status = 'expired';
-      if (r.expiresAt + this.ttlMs <= now) this.requests.delete(id);
-    }
-  }
-
-  pendingCount() {
-    this.prune();
-    let n = 0;
-    for (const r of this.requests.values()) if (r.status === 'pending') n += 1;
-    return n;
-  }
-
-  // Returns { requestId, code, expiresAt } or null if the global pending cap is
-  // reached (anti-spam: bounds how cluttered the owner's approval list can get).
-  create({ label } = {}) {
-    if (this.pendingCount() >= this.maxPending) return null;
-    const now = this.clock();
-    const requestId = nanoid(16);
-    // Codes must be UNIQUE among pending so "owner types the code" resolves to
-    // exactly one request (collision odds are ~nil at maxPending=5, but be
-    // deterministic about it).
-    const pendingCodes = new Set(
-      [...this.requests.values()].filter((r) => r.status === 'pending').map((r) => r.code),
-    );
-    let code = makeCode();
-    for (let guard = 0; pendingCodes.has(code) && guard < 50; guard += 1) code = makeCode();
-    const rec = {
-      requestId,
-      code,
-      label: label || 'a device',
-      status: 'pending',
-      createdAt: now,
-      expiresAt: now + this.ttlMs,
-      token: null,
-      sub: null,
-      exp: null,
-    };
-    this.requests.set(requestId, rec);
-    return { requestId, code: rec.code, expiresAt: rec.expiresAt };
-  }
-
-
-  get(requestId) {
-    this.prune();
-    return this.requests.get(requestId) || null;
-  }
-
-  // Pending, non-expired requests for the owner's approval UI (includes the code
-  // so the owner can visually match it against the new device's screen).
-  listPending() {
-    this.prune();
-    // Includes the code so the owner can match it against the new device's
-    // screen and approve the right one if more than one is pending. Approval
-    // itself is by requestId (one tap); the code is the human "is this mine?"
-    // confirmation, not a typed secret.
-    return [...this.requests.values()]
-      .filter((r) => r.status === 'pending')
-      .map((r) => ({ requestId: r.requestId, code: r.code, label: r.label, createdAt: r.createdAt }));
-  }
-
-  // Approve a specific pending request (the one the owner tapped, having matched
-  // its code against the new device). Returns true on success. `tokenInfo` =
-  // { token, sub, exp } from mintDeviceToken.
-  approve(requestId, tokenInfo) {
-    this.prune();
-    const r = this.requests.get(requestId);
-    if (!r || r.status !== 'pending') return false;
-    r.status = 'approved';
-    r.token = tokenInfo.token;
-    r.sub = tokenInfo.sub;
-    r.exp = tokenInfo.exp;
-    return true;
-  }
-
-  deny(requestId) {
-    this.prune();
-    const r = this.requests.get(requestId);
-    if (!r || r.status !== 'pending') return false;
-    r.status = 'denied';
-    return true;
-  }
-
-  // One-shot token read: once approved, the device gets the token exactly once;
-  // a replayed poll yields { status:'claimed' } with no token.
-  claim(requestId) {
-    this.prune();
-    const r = this.requests.get(requestId);
-    if (!r) return { status: 'expired' };
-    if (r.status === 'approved' && r.token) {
-      const token = r.token;
-      r.status = 'claimed';
-      r.token = null;
-      return { status: 'approved', token };
-    }
-    return { status: r.status };
-  }
-}
+// In-memory store of pending "sign in this device" requests (Phase 2 device
+// approval). A new device calls POST /api/auth/pair/start → we mint a short
+// human CODE (the owner reads it off the new device) plus an unguessable
+// requestId (the device polls by THIS, never the code). The owner approves from
+// a partner session — which must echo the matching code (confused-deputy
+// defense) — and we attach a minted device token; the device claims it ONCE.
+//
+// Deliberately in-memory + ephemeral (5-min TTL): a pending request that
+// survived a restart would just be a longer attack window for no UX gain — the
+// device simply re-requests. The durable artifact is the minted token
+// (persisted via TokenRegistry), not the pairing record.
+
+import crypto from 'node:crypto';
+import { nanoid } from 'nanoid';
+
+const DEFAULT_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const DEFAULT_MAX_PENDING = 5;
+
+// 6-digit zero-padded code. Used ONLY owner-side (the approver matches it
+// against the code shown on the new device). It is NEVER an auth credential on
+// the public poll path — the device authenticates by requestId — so its low
+// entropy is not an internet-facing brute-force surface.
+function makeCode() {
+  return String(crypto.randomInt(0, 1_000_000)).padStart(6, '0');
+}
+
+export class PairingStore {
+  constructor({ ttlMs = DEFAULT_TTL_MS, maxPending = DEFAULT_MAX_PENDING, clock = () => Date.now() } = {}) {
+    this.ttlMs = ttlMs;
+    this.maxPending = maxPending;
+    this.clock = clock;
+    // requestId -> { requestId, code, label, status, createdAt, expiresAt, token, sub, exp }
+    this.requests = new Map();
+  }
+
+  // Expire stale pending requests; drop terminal records a while after expiry to
+  // bound memory. Called on every accessor so the map self-cleans.
+  prune() {
+    const now = this.clock();
+    for (const [id, r] of this.requests) {
+      if (r.status === 'pending' && r.expiresAt <= now) r.status = 'expired';
+      if (r.expiresAt + this.ttlMs <= now) this.requests.delete(id);
+    }
+  }
+
+  pendingCount() {
+    this.prune();
+    let n = 0;
+    for (const r of this.requests.values()) if (r.status === 'pending') n += 1;
+    return n;
+  }
+
+  // Returns { requestId, code, expiresAt } or null if the global pending cap is
+  // reached (anti-spam: bounds how cluttered the owner's approval list can get).
+  create({ label } = {}) {
+    if (this.pendingCount() >= this.maxPending) return null;
+    const now = this.clock();
+    const requestId = nanoid(16);
+    // Codes must be UNIQUE among pending so "owner types the code" resolves to
+    // exactly one request (collision odds are ~nil at maxPending=5, but be
+    // deterministic about it).
+    const pendingCodes = new Set(
+      [...this.requests.values()].filter((r) => r.status === 'pending').map((r) => r.code),
+    );
+    let code = makeCode();
+    for (let guard = 0; pendingCodes.has(code) && guard < 50; guard += 1) code = makeCode();
+    const rec = {
+      requestId,
+      code,
+      label: label || 'a device',
+      status: 'pending',
+      createdAt: now,
+      expiresAt: now + this.ttlMs,
+      token: null,
+      sub: null,
+      exp: null,
+    };
+    this.requests.set(requestId, rec);
+    return { requestId, code: rec.code, expiresAt: rec.expiresAt };
+  }
+
+
+  get(requestId) {
+    this.prune();
+    return this.requests.get(requestId) || null;
+  }
+
+  // Pending, non-expired requests for the owner's approval UI (includes the code
+  // so the owner can visually match it against the new device's screen).
+  listPending() {
+    this.prune();
+    // Includes the code so the owner can match it against the new device's
+    // screen and approve the right one if more than one is pending. Approval
+    // itself is by requestId (one tap); the code is the human "is this mine?"
+    // confirmation, not a typed secret.
+    return [...this.requests.values()]
+      .filter((r) => r.status === 'pending')
+      .map((r) => ({ requestId: r.requestId, code: r.code, label: r.label, createdAt: r.createdAt }));
+  }
+
+  // Approve a specific pending request (the one the owner tapped, having matched
+  // its code against the new device). Returns true on success. `tokenInfo` =
+  // { token, sub, exp } from mintDeviceToken.
+  approve(requestId, tokenInfo) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r || r.status !== 'pending') return false;
+    r.status = 'approved';
+    r.token = tokenInfo.token;
+    r.sub = tokenInfo.sub;
+    r.exp = tokenInfo.exp;
+    return true;
+  }
+
+  deny(requestId) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r || r.status !== 'pending') return false;
+    r.status = 'denied';
+    return true;
+  }
+
+  // One-shot token read: once approved, the device gets the token exactly once;
+  // a replayed poll yields { status:'claimed' } with no token.
+  claim(requestId) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r) return { status: 'expired' };
+    if (r.status === 'approved' && r.token) {
+      const token = r.token;
+      r.status = 'claimed';
+      r.token = null;
+      return { status: 'approved', token };
+    }
+    return { status: r.status };
+  }
+}