@wipcomputer/wip-ldm-os 0.4.73-alpha.8 → 0.4.74

package/src/hosted-mcp/legal/internet-services/terms/site.html

@@ -0,0 +1,205 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+<title>Terms of Service - Kaleidoscope Demo</title>
+<style>
+*, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "SF Pro Text", system-ui, sans-serif;
+  background: #FFFDF5;
+  color: #1a1a1a;
+  -webkit-font-smoothing: antialiased;
+  -webkit-text-size-adjust: 100%;
+  line-height: 1.6;
+}
+
+.container {
+  max-width: 640px;
+  margin: 0 auto;
+  padding: 16px 24px 80px;
+}
+
+.header {
+  position: sticky;
+  top: 0;
+  z-index: 100;
+  padding: calc(12px + env(safe-area-inset-top, 0px)) 20px 12px;
+  background: rgba(255, 253, 245, 0.8);
+  -webkit-backdrop-filter: saturate(180%) blur(20px);
+  backdrop-filter: saturate(180%) blur(20px);
+  border-bottom: 1px solid rgba(0, 0, 0, 0.06);
+  display: flex;
+  align-items: center;
+}
+
+.header a {
+  display: flex;
+  align-items: center;
+  text-decoration: none;
+}
+
+h1 {
+  font-size: 28px;
+  font-weight: 700;
+  letter-spacing: -0.02em;
+  margin-bottom: 4px;
+}
+
+.subtitle {
+  font-size: 17px;
+  color: #8a8580;
+  margin-bottom: 8px;
+}
+
+.updated {
+  font-size: 13px;
+  color: #b0aaa4;
+  margin-bottom: 40px;
+}
+
+section {
+  padding: 28px 0;
+  border-top: 1px solid #e8e5de;
+}
+
+section:last-of-type {
+  border-bottom: 1px solid #e8e5de;
+}
+
+h2 {
+  font-size: 16px;
+  font-weight: 600;
+  letter-spacing: -0.01em;
+  margin-bottom: 12px;
+}
+
+p {
+  font-size: 15px;
+  line-height: 1.65;
+  color: #3a3a3a;
+  margin-bottom: 12px;
+}
+
+p:last-child {
+  margin-bottom: 0;
+}
+
+ul {
+  list-style: none;
+  padding: 0;
+  margin-bottom: 12px;
+}
+
+ul li {
+  font-size: 15px;
+  line-height: 1.65;
+  color: #3a3a3a;
+  padding-left: 16px;
+  position: relative;
+  margin-bottom: 4px;
+}
+
+ul li::before {
+  content: "\2022";
+  position: absolute;
+  left: 0;
+  color: #b0aaa4;
+}
+
+a {
+  color: #1a1a1a;
+}
+
+footer {
+  margin-top: 48px;
+  text-align: center;
+  font-size: 12px;
+  color: #b0aaa4;
+  line-height: 1.6;
+}
+
+footer span {
+  display: block;
+}
+</style>
+</head>
+<body>
+<div class="header">
+  <a id="navIcon" href="/demo/"></a>
+</div>
+<div class="container">
+
+  <h1>Terms of Service</h1>
+  <p class="subtitle">Kaleidoscope Demo</p>
+  <p class="updated">Last updated: April 2, 2026</p>
+
+  <section>
+    <p>This is a technology demonstration by WIP Computer, Inc.</p>
+  </section>
+
+  <section>
+    <h2>The Demo</h2>
+    <p>This demo showcases passkey authentication, biometric permission, and AI image generation. It is not a production service.</p>
+  </section>
+
+  <section>
+    <h2>Your Account</h2>
+    <p>Your account is created with a passkey. No email or password is stored. Your passkey lives on your device.</p>
+  </section>
+
+  <section>
+    <h2>Your Wallet</h2>
+    <p>The demo wallet starts with $5.00 in simulated credits. No real money is charged. The wallet balance is for demonstration purposes only.</p>
+  </section>
+
+  <section>
+    <h2>Generated Content</h2>
+    <p>Images generated through this demo are created using third-party AI APIs (xAI Grok Imagine). Generated content is dual-licensed:</p>
+    <ul>
+      <li>MIT License for personal, non-commercial use</li>
+      <li>Apache 2.0 License for commercial use</li>
+    </ul>
+    <p>Both you and WIP Computer, Inc. retain rights to generated content. We may use generated images for product development, marketing, and research.</p>
+  </section>
+
+  <section>
+    <h2>Uploaded Media</h2>
+    <p>Photos taken through the camera feature are processed locally in your browser. They are not uploaded to or stored on our servers. Camera access is optional and can be denied.</p>
+  </section>
+
+  <section>
+    <h2>No Warranty</h2>
+    <p>This demo is provided "as is" without warranty of any kind. WIP Computer, Inc. is not liable for any damages arising from use of this demo.</p>
+  </section>
+
+  <section>
+    <h2>Contact</h2>
+    <p><a href="mailto:hello@wip.computer">hello@wip.computer</a></p>
+  </section>
+
+  <footer>
+    <div id="kscope-footer" style="text-align:center;"></div>
+  </footer>
+  <script src="/demo/footer.js"></script>
+</div>
+<script>
+var SPRITE_COLS = 8, SPRITE_ROWS = 3, SPRITE_TOTAL = 24;
+var navIdx = Math.floor(Math.random() * SPRITE_TOTAL);
+function updateNavIcon() {
+  var el = document.getElementById('navIcon');
+  if (!el) return;
+  var col = navIdx % SPRITE_COLS;
+  var row = Math.floor(navIdx / SPRITE_COLS);
+  var bgPosX = (col / (SPRITE_COLS - 1)) * 100;
+  var bgPosY = (row / (SPRITE_ROWS - 1)) * 100;
+  el.innerHTML = '<div style="width:28px;height:28px;overflow:hidden;"><div style="width:100%;height:100%;background:url(/demo/sprites.png);background-size:' + (SPRITE_COLS * 100) + '% ' + (SPRITE_ROWS * 100) + '%;background-position:' + bgPosX + '% ' + bgPosY + '%;"></div></div>';
+  navIdx = (navIdx + 1) % SPRITE_TOTAL;
+}
+updateNavIcon();
+setInterval(updateNavIcon, 6000);
+</script>
+</body>
+</html>

package/src/hosted-mcp/legal/privacy/en-ww/index.html

@@ -0,0 +1,230 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+<title>Privacy Policy - Kaleidoscope Demo</title>
+<style>
+*, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "SF Pro Text", system-ui, sans-serif;
+  background: #FFFDF5;
+  color: #1a1a1a;
+  -webkit-font-smoothing: antialiased;
+  -webkit-text-size-adjust: 100%;
+  line-height: 1.6;
+}
+
+.container {
+  max-width: 640px;
+  margin: 0 auto;
+  padding: 16px 24px 80px;
+}
+
+.header {
+  position: sticky;
+  top: 0;
+  z-index: 100;
+  padding: calc(12px + env(safe-area-inset-top, 0px)) 20px 12px;
+  background: rgba(255, 253, 245, 0.8);
+  -webkit-backdrop-filter: saturate(180%) blur(20px);
+  backdrop-filter: saturate(180%) blur(20px);
+  border-bottom: 1px solid rgba(0, 0, 0, 0.06);
+  display: flex;
+  align-items: center;
+}
+
+.header a {
+  display: flex;
+  align-items: center;
+  text-decoration: none;
+}
+
+h1 {
+  font-size: 28px;
+  font-weight: 700;
+  letter-spacing: -0.02em;
+  margin-bottom: 4px;
+}
+
+.subtitle {
+  font-size: 17px;
+  color: #8a8580;
+  margin-bottom: 8px;
+}
+
+.updated {
+  font-size: 13px;
+  color: #b0aaa4;
+  margin-bottom: 40px;
+}
+
+section {
+  padding: 28px 0;
+  border-top: 1px solid #e8e5de;
+}
+
+section:last-of-type {
+  border-bottom: 1px solid #e8e5de;
+}
+
+h2 {
+  font-size: 16px;
+  font-weight: 600;
+  letter-spacing: -0.01em;
+  margin-bottom: 12px;
+}
+
+p {
+  font-size: 15px;
+  line-height: 1.65;
+  color: #3a3a3a;
+  margin-bottom: 12px;
+}
+
+p:last-child {
+  margin-bottom: 0;
+}
+
+ul {
+  list-style: none;
+  padding: 0;
+  margin-bottom: 12px;
+}
+
+ul li {
+  font-size: 15px;
+  line-height: 1.65;
+  color: #3a3a3a;
+  padding-left: 16px;
+  position: relative;
+  margin-bottom: 4px;
+}
+
+ul li::before {
+  content: "\2022";
+  position: absolute;
+  left: 0;
+  color: #b0aaa4;
+}
+
+a {
+  color: #1a1a1a;
+}
+
+footer {
+  margin-top: 48px;
+  text-align: center;
+  font-size: 12px;
+  color: #b0aaa4;
+  line-height: 1.6;
+}
+
+footer span {
+  display: block;
+}
+</style>
+</head>
+<body>
+<div class="header">
+  <a id="navIcon" href="/demo/"></a>
+</div>
+<div class="container">
+
+  <h1>Privacy Policy</h1>
+  <p class="subtitle">Kaleidoscope Demo</p>
+  <p class="updated">Last updated: April 2, 2026</p>
+
+  <section>
+    <p>WIP Computer, Inc. ("we", "us") operates the Kaleidoscope demo at wip.computer/demo.</p>
+  </section>
+
+  <section>
+    <h2>What We Collect</h2>
+    <ul>
+      <li>Passkey credential ID and public key (for authentication)</li>
+      <li>Username (optional, if you provide one)</li>
+      <li>Wallet balance (simulated, for demo purposes)</li>
+    </ul>
+  </section>
+
+  <section>
+    <h2>What We Do NOT Collect</h2>
+    <ul>
+      <li>Email addresses (unless voluntarily provided later)</li>
+      <li>Passwords (passkeys only, no passwords exist)</li>
+      <li>Biometric data (Face ID / fingerprint verification happens on your device, we never receive biometric data)</li>
+      <li>Photos (camera captures are processed in your browser, never uploaded)</li>
+      <li>Browsing history or tracking data</li>
+      <li>Cookies (we use sessionStorage only, cleared when you close the browser)</li>
+    </ul>
+  </section>
+
+  <section>
+    <h2>How We Use Your Data</h2>
+    <ul>
+      <li>Authentication: verifying your passkey when you sign in</li>
+      <li>Demo functionality: tracking simulated wallet balance</li>
+      <li>Product improvement: aggregate usage patterns (no personal data)</li>
+    </ul>
+  </section>
+
+  <section>
+    <h2>Third-Party Services</h2>
+    <ul>
+      <li>xAI (Grok Imagine API): receives text prompts for image generation. Does not receive your photos or personal data.</li>
+      <li>No analytics services</li>
+      <li>No advertising networks</li>
+      <li>No data brokers</li>
+    </ul>
+  </section>
+
+  <section>
+    <h2>Data Storage</h2>
+    <p>Your passkey data is stored on our server at wip.computer. It is not encrypted at rest in this demo version. Production versions will implement end-to-end encryption where we architecturally cannot read your data.</p>
+  </section>
+
+  <section>
+    <h2>Data Deletion</h2>
+    <p>Contact <a href="mailto:hello@wip.computer">hello@wip.computer</a> to request deletion of your passkey data.</p>
+  </section>
+
+  <section>
+    <h2>Your Rights</h2>
+    <p>You can delete your passkey from your device at any time through your device settings (Settings > Passwords on iOS, chrome://settings/passwords on Chrome).</p>
+  </section>
+
+  <section>
+    <h2>Changes</h2>
+    <p>We may update this policy. Changes will be reflected in the "Last updated" date.</p>
+  </section>
+
+  <section>
+    <h2>Contact</h2>
+    <p><a href="mailto:hello@wip.computer">hello@wip.computer</a></p>
+  </section>
+
+  <footer>
+    <div id="kscope-footer" style="text-align:center;"></div>
+  </footer>
+  <script src="/demo/footer.js"></script>
+</div>
+<script>
+var SPRITE_COLS = 8, SPRITE_ROWS = 3, SPRITE_TOTAL = 24;
+var navIdx = Math.floor(Math.random() * SPRITE_TOTAL);
+function updateNavIcon() {
+  var el = document.getElementById('navIcon');
+  if (!el) return;
+  var col = navIdx % SPRITE_COLS;
+  var row = Math.floor(navIdx / SPRITE_COLS);
+  var bgPosX = (col / (SPRITE_COLS - 1)) * 100;
+  var bgPosY = (row / (SPRITE_ROWS - 1)) * 100;
+  el.innerHTML = '<div style="width:28px;height:28px;overflow:hidden;"><div style="width:100%;height:100%;background:url(/demo/sprites.png);background-size:' + (SPRITE_COLS * 100) + '% ' + (SPRITE_ROWS * 100) + '%;background-position:' + bgPosX + '% ' + bgPosY + '%;"></div></div>';
+  navIdx = (navIdx + 1) % SPRITE_TOTAL;
+}
+updateNavIcon();
+setInterval(updateNavIcon, 6000);
+</script>
+</body>
+</html>

package/src/hosted-mcp/nginx/mcp-oauth.conf

@@ -0,0 +1,98 @@
+# OAuth 2.0 + WebAuthn endpoints for MCP server
+# Use exact match (=) for .well-known to override the regex deny on dotfiles
+location = /.well-known/oauth-authorization-server {
+    proxy_pass http://127.0.0.1:18800/.well-known/oauth-authorization-server;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location = /.well-known/oauth-protected-resource {
+    proxy_pass http://127.0.0.1:18800/.well-known/oauth-protected-resource;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location /oauth/ {
+    proxy_pass http://127.0.0.1:18800/oauth/;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# WebAuthn passkey authentication
+location /webauthn/ {
+    proxy_pass http://127.0.0.1:18800/webauthn/;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# Signup and login pages
+location = /signup {
+    proxy_pass http://127.0.0.1:18800/signup;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location = /login/ {
+    proxy_pass http://127.0.0.1:18800/login/;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location = /login {
+    proxy_pass http://127.0.0.1:18800/login;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# Agent approval page (server-generated)
+location = /approve {
+    proxy_pass http://127.0.0.1:18800/approve;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# Device pairing API (Bridge Phase A)
+location /api/pair/ {
+    proxy_pass http://127.0.0.1:18800/api/pair/;
+    proxy_http_version 1.1;
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+}
+
+# Legal pages (production paths)
+location /legal/ {
+    proxy_pass http://127.0.0.1:18800/legal/;
+    proxy_http_version 1.1;
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+}
+
+# Legal pages (production paths)

package/src/hosted-mcp/nginx/mcp-server.conf

@@ -0,0 +1,17 @@
+# MCP server reverse proxy
+# Location block to add inside the wip.computer server block
+location /mcp {
+    proxy_pass http://127.0.0.1:18800/mcp;
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    # SSE support (for MCP Streamable HTTP GET streams)
+    proxy_set_header Connection '';
+    proxy_buffering off;
+    proxy_cache off;
+    proxy_read_timeout 86400;
+    chunked_transfer_encoding on;
+}

package/src/hosted-mcp/nginx/wip.computer.conf

@@ -0,0 +1,45 @@
+server {
+    server_name wip.computer www.wip.computer;
+
+    root /var/www/wip.computer/public_html;
+    index index.html index.htm;
+
+    access_log /var/log/nginx/wip.computer.access.log;
+    error_log /var/log/nginx/wip.computer.error.log;
+
+    location / {
+        autoindex off;
+        try_files $uri $uri/ /index.html;
+    }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    location ~ /\. {
+        deny all;
+    }
+
+    listen [::]:443 ssl;
+    listen 443 ssl;
+    ssl_certificate /etc/letsencrypt/live/wip.computer/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/wip.computer/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+server {
+    if ($host = www.wip.computer) {
+        return 301 https://$host$request_uri;
+    }
+
+    if ($host = wip.computer) {
+        return 301 https://$host$request_uri;
+    }
+
+    listen 80;
+    listen [::]:80;
+
+    server_name wip.computer www.wip.computer;
+    return 404;
+}