@wipcomputer/wip-ldm-os 0.4.85-alpha.10 → 0.4.85-alpha.12

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.85-alpha.10",
+  "version": "0.4.85-alpha.12",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {

package/scripts/test-crc-e2ee-key-persistence.mjs

@@ -1,80 +1,148 @@
 import { readFileSync } from "node:fs";
+import {
+  buildCodexBootstrapPayload,
+  createCodexDaemonPubkeyRegistry,
+} from "../src/hosted-mcp/codex-relay-e2ee-registry.mjs";
 
 const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+const registrySource = readFileSync("src/hosted-mcp/codex-relay-e2ee-registry.mjs", "utf8");
+const deployScript = readFileSync("src/hosted-mcp/deploy.sh", "utf8");
 
-function assertContains(needle, label) {
-  if (!server.includes(needle)) {
+function assertContains(haystack, needle, label) {
+  if (!haystack.includes(needle)) {
     throw new Error(`${label} missing expected text: ${needle}`);
   }
 }
 
-function assertBefore(first, second, label) {
-  const firstIndex = server.indexOf(first);
-  const secondIndex = server.indexOf(second);
+function assertBefore(haystack, first, second, label) {
+  const firstIndex = haystack.indexOf(first);
+  const secondIndex = haystack.indexOf(second);
   if (firstIndex === -1 || secondIndex === -1 || firstIndex >= secondIndex) {
     throw new Error(`${label} expected "${first}" before "${second}"`);
   }
 }
 
-assertContains("CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_keys", "persistent key table");
-assertContains("async function loadCodexDaemonPubkeysFromDb()", "boot load helper");
-assertContains("await loadCodexDaemonPubkeysFromDb();", "boot load call");
-assertContains("async function persistCodexDaemonPubkey(agentId, pubkey, cryptoVersions)", "persist helper");
-assertContains("function registerCodexDaemonPubkey(agentId, pubkey, cryptoVersions, source)", "registration helper");
-assertContains("codexDaemonPubkeys.set(agentId, {", "registration updates in-memory bootstrap cache");
-assertContains("return persistCodexDaemonPubkey(agentId, pubkey, normalizedVersions)", "registration persists after cache update");
-assertContains("await registerCodexDaemonPubkey(identity.agentId, p.daemon_public_key, p.crypto_versions, \"pair-complete\");", "pair-complete persists key");
-assertContains("if (envelope?.type === \"daemon.identity\") {", "daemon reconnect identity frame");
-assertContains("envelope.daemon_public_key", "daemon identity carries public key");
-assertContains("envelope.crypto_versions", "daemon identity carries crypto versions");
-assertContains("\"daemon-reconnect\"", "daemon reconnect source marker");
-assertContains("const daemonKey = codexDaemonPubkeys.get(identity.agentId) || null;", "bootstrap uses loaded or registered key");
+function assert(condition, label, detail = "") {
+  if (!condition) throw new Error(`${label}${detail ? ": " + detail : ""}`);
+}
+
+function bootstrapPayloadFor(registry, identity, threadId, daemonOnline = true) {
+  return buildCodexBootstrapPayload({
+    identity,
+    threadId,
+    daemonOnline,
+    daemonKey: registry.get(identity.agentId),
+  });
+}
+
+function createFakePrisma() {
+  const rows = new Map();
+  return {
+    rows,
+    async $executeRawUnsafe(sql, tenantId, pubkey, cryptoVersionsJson) {
+      if (/CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_keys/.test(sql)) return;
+      if (/INSERT INTO codex_daemon_e2ee_keys/.test(sql)) {
+        rows.set(tenantId, {
+          tenant_id: tenantId,
+          pubkey,
+          crypto_versions_json: cryptoVersionsJson,
+          registered_at: new Date("2026-05-11T17:37:18.000Z"),
+        });
+        return;
+      }
+      throw new Error("unexpected fake prisma execute: " + sql);
+    },
+    async $queryRawUnsafe(sql) {
+      if (/FROM codex_daemon_e2ee_keys/.test(sql)) return [...rows.values()];
+      throw new Error("unexpected fake prisma query: " + sql);
+    },
+  };
+}
+
+function createSilentLogger() {
+  return { log() {}, error() {} };
+}
+
+assertContains(registrySource, "CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_keys", "persistent key table");
+assertContains(registrySource, "async function loadFromDb()", "boot load helper");
+assertContains(registrySource, "async function persist(agentId, pubkey, cryptoVersions)", "persist helper");
+assertContains(registrySource, "function register(agentId, pubkey, cryptoVersions, source)", "registration helper");
+assertContains(registrySource, "pubkeys.set(agentId, {", "registration updates in-memory bootstrap cache");
+assertContains(registrySource, "return persist(agentId, pubkey, normalizedVersions)", "registration persists after cache update");
+assertContains(server, "await codexDaemonPubkeyRegistry.loadFromDb();", "server boot load call");
+assertContains(server, "await codexDaemonPubkeyRegistry.register(identity.agentId, p.daemon_public_key, p.crypto_versions, \"pair-complete\");", "pair-complete persists key");
+assertContains(server, "if (envelope?.type === \"daemon.identity\") {", "daemon reconnect identity frame");
+assertContains(server, "codexDaemonPubkeyRegistry.register(", "daemon reconnect register call");
+assertContains(server, "buildCodexBootstrapPayload({ identity, threadId, daemonOnline, daemonKey })", "bootstrap uses shared payload builder");
+assertContains(deployScript, "codex-relay-e2ee-registry.mjs", "hosted deploy copies registry module");
 assertBefore(
-  "await loadCodexDaemonPubkeysFromDb();",
+  server,
+  "await codexDaemonPubkeyRegistry.loadFromDb();",
   "function handleCodexBootstrap(req, res, threadId)",
   "persisted keys load before bootstrap handler",
 );
 
-const modelPubkeys = new Map();
-const persistedRows = new Map();
+const identity = {
+  agentId: "acct:test-user-a",
+  tenantId: "acct:test-user-a",
+  handle: "Parker smoke test",
+  apiKey: "ck-test",
+};
+const threadId = "019dfa1e-0c3d-7f01-86b9-9a22cd452bde";
 
-function normalizeVersions(versions) {
-  const out = Array.isArray(versions)
-    ? versions.filter((v) => typeof v === "string" && v.length > 0 && v.length <= 32).slice(0, 8)
-    : [];
-  return out.length ? out : ["e2ee-v1"];
-}
+const fakePrisma = createFakePrisma();
+const registryBeforeRestart = createCodexDaemonPubkeyRegistry({
+  usePrisma: true,
+  prisma: fakePrisma,
+  devMode: false,
+  logger: createSilentLogger(),
+});
+await registryBeforeRestart.register(identity.agentId, "spki-key-before-restart", ["e2ee-v1"], "pair-complete");
 
-function modelRegister(agentId, pubkey, versions) {
-  const normalized = normalizeVersions(versions);
-  modelPubkeys.set(agentId, { pubkey, crypto_versions: normalized });
-  persistedRows.set(agentId, { pubkey, crypto_versions_json: JSON.stringify(normalized) });
-}
+const beforeRestartBootstrap = bootstrapPayloadFor(registryBeforeRestart, identity, threadId);
+assert(beforeRestartBootstrap.e2ee_available === true, "bootstrap reports e2ee before restart");
+assert(beforeRestartBootstrap.daemon_public_key === "spki-key-before-restart", "bootstrap returns registered daemon key before restart");
 
-function modelBootLoad() {
-  const restored = new Map();
-  for (const [agentId, row] of persistedRows) {
-    restored.set(agentId, {
-      pubkey: row.pubkey,
-      crypto_versions: normalizeVersions(JSON.parse(row.crypto_versions_json)),
-    });
-  }
-  return restored;
-}
+const registryAfterRestart = createCodexDaemonPubkeyRegistry({
+  usePrisma: true,
+  prisma: fakePrisma,
+  devMode: false,
+  logger: createSilentLogger(),
+});
+await registryAfterRestart.loadFromDb();
 
-modelRegister("acct:user-a", "spki-key-a", ["e2ee-v1"]);
-const afterRestart = modelBootLoad();
-if (afterRestart.get("acct:user-a")?.pubkey !== "spki-key-a") {
-  throw new Error("boot load did not restore persisted daemon pubkey");
-}
+const afterRestartBootstrap = bootstrapPayloadFor(registryAfterRestart, identity, threadId);
+assert(afterRestartBootstrap.e2ee_available === true, "bootstrap reports e2ee after restart from persisted key");
+assert(afterRestartBootstrap.daemon_public_key === "spki-key-before-restart", "bootstrap restores persisted daemon key after restart");
+assert(afterRestartBootstrap.daemon_crypto_versions?.[0] === "e2ee-v1", "bootstrap restores crypto versions after restart");
 
-modelRegister("acct:user-a", "spki-key-b", []);
-const afterReconnect = modelBootLoad();
-if (afterReconnect.get("acct:user-a")?.pubkey !== "spki-key-b") {
-  throw new Error("daemon reconnect did not replace persisted daemon pubkey");
-}
-if (afterReconnect.get("acct:user-a")?.crypto_versions?.[0] !== "e2ee-v1") {
-  throw new Error("daemon reconnect did not default crypto version");
-}
+const emptyFakePrisma = createFakePrisma();
+const registryBeforeReconnect = createCodexDaemonPubkeyRegistry({
+  usePrisma: true,
+  prisma: emptyFakePrisma,
+  devMode: false,
+  logger: createSilentLogger(),
+});
+await registryBeforeReconnect.loadFromDb();
+const beforeReconnectBootstrap = bootstrapPayloadFor(registryBeforeReconnect, identity, threadId);
+assert(beforeReconnectBootstrap.e2ee_available === false, "bootstrap is not e2ee available before daemon reconnect when no key exists");
+assert(beforeReconnectBootstrap.daemon_public_key === null, "bootstrap has no daemon key before daemon reconnect");
+
+await registryBeforeReconnect.register(identity.agentId, "spki-key-from-daemon-reconnect", [], "daemon-reconnect");
+const afterReconnectBootstrap = bootstrapPayloadFor(registryBeforeReconnect, identity, threadId);
+assert(afterReconnectBootstrap.e2ee_available === true, "bootstrap reports e2ee after daemon reconnect self-heal");
+assert(afterReconnectBootstrap.daemon_public_key === "spki-key-from-daemon-reconnect", "bootstrap returns daemon reconnect key");
+assert(afterReconnectBootstrap.daemon_crypto_versions?.[0] === "e2ee-v1", "daemon reconnect defaults crypto version");
+
+const registryAfterReconnectRestart = createCodexDaemonPubkeyRegistry({
+  usePrisma: true,
+  prisma: emptyFakePrisma,
+  devMode: false,
+  logger: createSilentLogger(),
+});
+await registryAfterReconnectRestart.loadFromDb();
+const afterReconnectRestartBootstrap = bootstrapPayloadFor(registryAfterReconnectRestart, identity, threadId);
+assert(afterReconnectRestartBootstrap.e2ee_available === true, "daemon reconnect key is persisted for the next restart");
+assert(afterReconnectRestartBootstrap.daemon_public_key === "spki-key-from-daemon-reconnect", "daemon reconnect key survives restart");
 
-console.log("crc e2ee key persistence checks passed");
+console.log("crc e2ee key persistence restart regression checks passed");

package/src/hosted-mcp/codex-relay-e2ee-registry.mjs

@@ -0,0 +1,114 @@
+export function normalizeCodexCryptoVersions(versions) {
+  const out = Array.isArray(versions)
+    ? versions.filter((v) => typeof v === "string" && v.length > 0 && v.length <= 32).slice(0, 8)
+    : [];
+  return out.length ? out : ["e2ee-v1"];
+}
+
+export function buildCodexBootstrapPayload({ identity, threadId, daemonOnline, daemonKey }) {
+  return {
+    handle: identity.handle,
+    thread_id: threadId,
+    daemon_online: daemonOnline,
+    daemon_public_key: daemonKey ? daemonKey.pubkey : null,
+    daemon_crypto_versions: daemonKey ? daemonKey.crypto_versions : null,
+    supported_crypto_versions: ["e2ee-v1"],
+    e2ee_available: !!daemonKey,
+  };
+}
+
+export function createCodexDaemonPubkeyRegistry({
+  usePrisma,
+  prisma,
+  devMode = false,
+  logger = console,
+} = {}) {
+  const pubkeys = new Map();
+
+  async function ensureStore() {
+    if (!usePrisma) return;
+    await prisma.$executeRawUnsafe(`
+      CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_keys (
+        tenant_id TEXT PRIMARY KEY,
+        pubkey TEXT NOT NULL,
+        crypto_versions_json TEXT NOT NULL,
+        registered_at TIMESTAMPTZ NOT NULL DEFAULT now()
+      )
+    `);
+  }
+
+  async function loadFromDb() {
+    if (!usePrisma) return;
+    try {
+      await ensureStore();
+      const rows = await prisma.$queryRawUnsafe(`
+        SELECT tenant_id, pubkey, crypto_versions_json, registered_at
+        FROM codex_daemon_e2ee_keys
+      `);
+      for (const row of rows) {
+        let cryptoVersions = ["e2ee-v1"];
+        try { cryptoVersions = normalizeCodexCryptoVersions(JSON.parse(row.crypto_versions_json)); } catch {}
+        pubkeys.set(row.tenant_id, {
+          pubkey: row.pubkey,
+          crypto_versions: cryptoVersions,
+          registered_at: row.registered_at instanceof Date ? row.registered_at.toISOString() : String(row.registered_at),
+        });
+      }
+      logger.log("codex-relay: loaded " + rows.length + " persisted E2EE daemon pubkey(s)");
+    } catch (err) {
+      logger.error("codex-relay: failed to load persisted E2EE daemon pubkeys:", err.message);
+      if (!devMode) process.exit(1);
+    }
+  }
+
+  async function persist(agentId, pubkey, cryptoVersions) {
+    if (!usePrisma) return;
+    await ensureStore();
+    await prisma.$executeRawUnsafe(
+      `INSERT INTO codex_daemon_e2ee_keys
+        (tenant_id, pubkey, crypto_versions_json, registered_at)
+       VALUES ($1, $2, $3, now())
+       ON CONFLICT (tenant_id)
+       DO UPDATE SET
+        pubkey = EXCLUDED.pubkey,
+        crypto_versions_json = EXCLUDED.crypto_versions_json,
+        registered_at = EXCLUDED.registered_at`,
+      agentId,
+      pubkey,
+      JSON.stringify(cryptoVersions),
+    );
+  }
+
+  function register(agentId, pubkey, cryptoVersions, source) {
+    if (typeof agentId !== "string" || !agentId) return Promise.resolve(false);
+    if (typeof pubkey !== "string" || !pubkey || pubkey.length > 1024) return Promise.resolve(false);
+    const normalizedVersions = normalizeCodexCryptoVersions(cryptoVersions);
+    const registeredAt = new Date().toISOString();
+    pubkeys.set(agentId, {
+      pubkey,
+      crypto_versions: normalizedVersions,
+      registered_at: registeredAt,
+    });
+    logger.log("codex-relay: registered E2EE pubkey for " + agentId + " via " + source);
+    return persist(agentId, pubkey, normalizedVersions)
+      .then(() => true)
+      .catch((err) => {
+        logger.error("codex-relay: failed to persist E2EE pubkey for " + agentId + ":", err.message);
+        if (!devMode) throw err;
+        return false;
+      });
+  }
+
+  return {
+    pubkeys,
+    ensureStore,
+    loadFromDb,
+    register,
+    get(agentId) {
+      return pubkeys.get(agentId) || null;
+    },
+    clearMemoryForTest() {
+      pubkeys.clear();
+    },
+  };
+}

package/src/hosted-mcp/deploy.sh

@@ -116,6 +116,7 @@ if [ "$SKIP_APP" -ne 1 ]; then
   add_file "server.mjs"   "${APP_REMOTE_DIR}/server.mjs"
   add_file "inbox.mjs"    "${APP_REMOTE_DIR}/inbox.mjs"
   add_file "tools.mjs"    "${APP_REMOTE_DIR}/tools.mjs"
+  add_file "codex-relay-e2ee-registry.mjs" "${APP_REMOTE_DIR}/codex-relay-e2ee-registry.mjs"
   add_file "package.json" "${APP_REMOTE_DIR}/package.json"
   # Phone app static files (codex-remote-control, login).
   if [ -d "${SCRIPT_DIR}/app" ]; then

package/src/hosted-mcp/server.mjs

@@ -23,6 +23,10 @@ import {
 import QRCode from "qrcode";
 import { WebSocketServer } from "ws";
 import { parse as parseUrlQs } from "node:querystring";
+import {
+  buildCodexBootstrapPayload,
+  createCodexDaemonPubkeyRegistry,
+} from "./codex-relay-e2ee-registry.mjs";
 
 // ── Settings ─────────────────────────────────────────────────────────
 
@@ -2607,7 +2611,7 @@ const codexE2eeSessionRoutes = new Map(); // `${agentId}:${e2eeSession}` -> { th
 
 // E2EE substrate (Phase 2.5).
 //
-// codexDaemonPubkeys: per tenant id, the most recently paired daemon's
+// codexDaemonPubkeyRegistry: per tenant id, the most recently paired daemon's
 //   public key (P-256 SPKI base64url) + supported crypto versions +
 //   registration timestamp. This is what the browser fetches via
 //   bootstrap before opening an encrypted session.
@@ -2616,92 +2620,17 @@ const codexE2eeSessionRoutes = new Map(); // `${agentId}:${e2eeSession}` -> { th
 //   ?token=ck-... in the browser WebSocket URL. Bound to a specific
 //   (agentId, threadId) so a leaked ticket cannot drive a different
 //   route, even by the same authenticated user.
-const codexDaemonPubkeys = new Map();   // tenantId -> { pubkey, crypto_versions, registered_at }
 const codexRelayTickets = new Map();    // ticket -> { agentId, threadId, expires, used }
 const CODEX_RELAY_TICKET_TTL_MS = 60 * 1000; // 60s; browser must connect immediately
 
-async function ensureCodexDaemonPubkeyStore() {
-  if (!usePrisma) return;
-  await prisma.$executeRawUnsafe(`
-    CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_keys (
-      tenant_id TEXT PRIMARY KEY,
-      pubkey TEXT NOT NULL,
-      crypto_versions_json TEXT NOT NULL,
-      registered_at TIMESTAMPTZ NOT NULL DEFAULT now()
-    )
-  `);
-}
-
-function normalizeCodexCryptoVersions(versions) {
-  const out = Array.isArray(versions)
-    ? versions.filter((v) => typeof v === "string" && v.length > 0 && v.length <= 32).slice(0, 8)
-    : [];
-  return out.length ? out : ["e2ee-v1"];
-}
-
-async function loadCodexDaemonPubkeysFromDb() {
-  if (!usePrisma) return;
-  try {
-    await ensureCodexDaemonPubkeyStore();
-    const rows = await prisma.$queryRawUnsafe(`
-      SELECT tenant_id, pubkey, crypto_versions_json, registered_at
-      FROM codex_daemon_e2ee_keys
-    `);
-    for (const row of rows) {
-      let cryptoVersions = ["e2ee-v1"];
-      try { cryptoVersions = normalizeCodexCryptoVersions(JSON.parse(row.crypto_versions_json)); } catch {}
-      codexDaemonPubkeys.set(row.tenant_id, {
-        pubkey: row.pubkey,
-        crypto_versions: cryptoVersions,
-        registered_at: row.registered_at instanceof Date ? row.registered_at.toISOString() : String(row.registered_at),
-      });
-    }
-    console.log("codex-relay: loaded " + rows.length + " persisted E2EE daemon pubkey(s)");
-  } catch (err) {
-    console.error("codex-relay: failed to load persisted E2EE daemon pubkeys:", err.message);
-    if (!DEV_MODE) process.exit(1);
-  }
-}
-
-async function persistCodexDaemonPubkey(agentId, pubkey, cryptoVersions) {
-  if (!usePrisma) return;
-  await ensureCodexDaemonPubkeyStore();
-  await prisma.$executeRawUnsafe(
-    `INSERT INTO codex_daemon_e2ee_keys
-      (tenant_id, pubkey, crypto_versions_json, registered_at)
-     VALUES ($1, $2, $3, now())
-     ON CONFLICT (tenant_id)
-     DO UPDATE SET
-      pubkey = EXCLUDED.pubkey,
-      crypto_versions_json = EXCLUDED.crypto_versions_json,
-      registered_at = EXCLUDED.registered_at`,
-    agentId,
-    pubkey,
-    JSON.stringify(cryptoVersions),
-  );
-}
-
-function registerCodexDaemonPubkey(agentId, pubkey, cryptoVersions, source) {
-  if (typeof agentId !== "string" || !agentId) return Promise.resolve(false);
-  if (typeof pubkey !== "string" || !pubkey || pubkey.length > 1024) return Promise.resolve(false);
-  const normalizedVersions = normalizeCodexCryptoVersions(cryptoVersions);
-  const registeredAt = new Date().toISOString();
-  codexDaemonPubkeys.set(agentId, {
-    pubkey,
-    crypto_versions: normalizedVersions,
-    registered_at: registeredAt,
-  });
-  console.log("codex-relay: registered E2EE pubkey for " + agentId + " via " + source);
-  return persistCodexDaemonPubkey(agentId, pubkey, normalizedVersions)
-    .then(() => true)
-    .catch((err) => {
-      console.error("codex-relay: failed to persist E2EE pubkey for " + agentId + ":", err.message);
-      if (!DEV_MODE) throw err;
-      return false;
-    });
-}
+const codexDaemonPubkeyRegistry = createCodexDaemonPubkeyRegistry({
+  usePrisma,
+  prisma,
+  devMode: DEV_MODE,
+  logger: console,
+});
 
-await loadCodexDaemonPubkeysFromDb();
+await codexDaemonPubkeyRegistry.loadFromDb();
 
 function codexRelayKey(agentId, id) {
   return agentId + ":" + id;
@@ -2876,7 +2805,7 @@ async function handleCodexPairComplete(req, res) {
   // authenticated immutable tenant id. The display handle is returned
   // as metadata only.
   if (p.daemon_public_key) {
-    await registerCodexDaemonPubkey(identity.agentId, p.daemon_public_key, p.crypto_versions, "pair-complete");
+    await codexDaemonPubkeyRegistry.register(identity.agentId, p.daemon_public_key, p.crypto_versions, "pair-complete");
   }
   delete codexPairingByCode[code];
   console.log("codex-relay: paired daemon for tenant " + identity.agentId + " handle " + identity.handle);
@@ -2901,16 +2830,8 @@ function handleCodexBootstrap(req, res, threadId) {
   if (!identity) { json(res, 401, { error: "Unauthorized" }); return; }
   if (!threadId) { json(res, 400, { error: "missing threadId" }); return; }
   const daemonOnline = codexDaemons.has(identity.agentId);
-  const daemonKey = codexDaemonPubkeys.get(identity.agentId) || null;
-  json(res, 200, {
-    handle: identity.handle,
-    thread_id: threadId,
-    daemon_online: daemonOnline,
-    daemon_public_key: daemonKey ? daemonKey.pubkey : null,
-    daemon_crypto_versions: daemonKey ? daemonKey.crypto_versions : null,
-    supported_crypto_versions: ["e2ee-v1"],
-    e2ee_available: !!daemonKey,
-  });
+  const daemonKey = codexDaemonPubkeyRegistry.get(identity.agentId);
+  json(res, 200, buildCodexBootstrapPayload({ identity, threadId, daemonOnline, daemonKey }));
 }
 
 // POST /api/codex-relay/ws-ticket
@@ -3141,7 +3062,7 @@ httpServer.on("upgrade", (req, socket, head) => {
         let envelope = null;
         try { envelope = JSON.parse(text); } catch {}
         if (envelope?.type === "daemon.identity") {
-          void registerCodexDaemonPubkey(
+          void codexDaemonPubkeyRegistry.register(
             identity.agentId,
             envelope.daemon_public_key,
             envelope.crypto_versions,