@wipcomputer/wip-ldm-os 0.4.85-alpha.18 → 0.4.85-alpha.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -38,6 +38,9 @@ assertContains(server, 'json(res, 410, { error: "code expired or already used" }
|
|
|
38
38
|
assertContains(server, "invalidateCodexBrowserSessionsForAgent(identity.agentId, \"daemon key replaced\")", "daemon replacement invalidates stale browser sessions");
|
|
39
39
|
assertContains(server, "evaluateCodexDaemonReconnectPubkey(", "daemon reconnect checks existing key policy");
|
|
40
40
|
assertContains(server, "daemon key change requires fresh pair", "changed daemon reconnect key requires pair flow");
|
|
41
|
+
assertContains(server, "daemonIdentityAccepted = activateCodexDaemonWs();", "daemon only becomes active after identity is accepted");
|
|
42
|
+
assertContains(server, "daemon already online", "duplicate daemon cannot evict an online daemon");
|
|
43
|
+
assertContains(server, "daemon identity required", "daemon frames require identity before routing");
|
|
41
44
|
assertContains(server, "p.replaced_daemon_key = !!daemonKeyResult?.replaced;", "pair state records replacement status");
|
|
42
45
|
assertContains(server, "replaced_daemon_key: !!p.replaced_daemon_key", "pair-status exposes relink replacement status");
|
|
43
46
|
assertContains(pairHtml, "codex_pair_presence_token: getPairPresenceToken()", "pair page sends pair presence token");
|
|
@@ -87,6 +90,9 @@ assert(changedReconnectPolicy.new_fingerprint === codexDaemonPubkeyFingerprint("
|
|
|
87
90
|
const invalidReconnectPolicy = evaluateCodexDaemonReconnectPubkey({ pubkey: "daemon-reconnect-key" }, "");
|
|
88
91
|
assert(invalidReconnectPolicy.allowed === false, "daemon reconnect rejects missing pubkey");
|
|
89
92
|
assert(invalidReconnectPolicy.reason === "invalid_daemon_pubkey", "missing daemon reconnect pubkey has explicit reason");
|
|
93
|
+
const oversizedReconnectPolicy = evaluateCodexDaemonReconnectPubkey(null, "x".repeat(1025));
|
|
94
|
+
assert(oversizedReconnectPolicy.allowed === false, "daemon reconnect rejects oversized pubkey");
|
|
95
|
+
assert(oversizedReconnectPolicy.reason === "invalid_daemon_pubkey", "oversized daemon reconnect pubkey has explicit reason");
|
|
90
96
|
|
|
91
97
|
const executeCalls = [];
|
|
92
98
|
const persistedRegistry = createCodexDaemonPubkeyRegistry({
|
|
@@ -14,7 +14,7 @@ export function codexDaemonPubkeyFingerprint(pubkey) {
|
|
|
14
14
|
|
|
15
15
|
export function evaluateCodexDaemonReconnectPubkey(existingKey, incomingPubkey) {
|
|
16
16
|
const existingPubkey = typeof existingKey?.pubkey === "string" && existingKey.pubkey ? existingKey.pubkey : null;
|
|
17
|
-
const nextPubkey = typeof incomingPubkey === "string" && incomingPubkey ? incomingPubkey : null;
|
|
17
|
+
const nextPubkey = typeof incomingPubkey === "string" && incomingPubkey && incomingPubkey.length <= 1024 ? incomingPubkey : null;
|
|
18
18
|
const oldFingerprint = codexDaemonPubkeyFingerprint(existingPubkey);
|
|
19
19
|
const newFingerprint = codexDaemonPubkeyFingerprint(nextPubkey);
|
|
20
20
|
|
|
@@ -3132,10 +3132,19 @@ httpServer.on("upgrade", (req, socket, head) => {
|
|
|
3132
3132
|
|
|
3133
3133
|
if (isDaemon) {
|
|
3134
3134
|
codexRelayWss.handleUpgrade(req, socket, head, (ws) => {
|
|
3135
|
-
|
|
3136
|
-
|
|
3137
|
-
|
|
3138
|
-
|
|
3135
|
+
let daemonIdentityAccepted = false;
|
|
3136
|
+
function activateCodexDaemonWs() {
|
|
3137
|
+
const previous = codexDaemons.get(identity.agentId);
|
|
3138
|
+
if (previous && previous !== ws && previous.readyState === previous.OPEN) {
|
|
3139
|
+
console.warn("codex-relay: rejected duplicate daemon reconnect for online tenant " + identity.agentId);
|
|
3140
|
+
try { ws.close(4004, "daemon already online"); } catch {}
|
|
3141
|
+
return false;
|
|
3142
|
+
}
|
|
3143
|
+
if (previous && previous !== ws) try { previous.close(4000, "replaced"); } catch {}
|
|
3144
|
+
codexDaemons.set(identity.agentId, ws);
|
|
3145
|
+
console.log("codex-relay: daemon online for " + identity.agentId);
|
|
3146
|
+
return true;
|
|
3147
|
+
}
|
|
3139
3148
|
// F-001 per-thread isolation. Daemon -> web routing must NOT
|
|
3140
3149
|
// fan out every frame to every same-agent web socket; that
|
|
3141
3150
|
// breaks isolation when one user has multiple threads open.
|
|
@@ -3180,11 +3189,21 @@ httpServer.on("upgrade", (req, socket, head) => {
|
|
|
3180
3189
|
envelope.daemon_public_key,
|
|
3181
3190
|
envelope.crypto_versions,
|
|
3182
3191
|
"daemon-reconnect",
|
|
3183
|
-
).
|
|
3192
|
+
).then((result) => {
|
|
3193
|
+
if (!result?.registered) {
|
|
3194
|
+
try { ws.close(1011, "daemon identity persistence failed"); } catch {}
|
|
3195
|
+
return;
|
|
3196
|
+
}
|
|
3197
|
+
daemonIdentityAccepted = activateCodexDaemonWs();
|
|
3198
|
+
}).catch(() => {
|
|
3184
3199
|
try { ws.close(1011, "daemon identity persistence failed"); } catch {}
|
|
3185
3200
|
});
|
|
3186
3201
|
return;
|
|
3187
3202
|
}
|
|
3203
|
+
if (!daemonIdentityAccepted) {
|
|
3204
|
+
try { ws.close(1008, "daemon identity required"); } catch {}
|
|
3205
|
+
return;
|
|
3206
|
+
}
|
|
3188
3207
|
const sessionId = envelope?.session || envelope?.sessionId || envelope?.threadId;
|
|
3189
3208
|
if (sessionId) {
|
|
3190
3209
|
const targets = resolveCodexWebClientsForDaemonFrame(identity.agentId, sessionId);
|