@wipcomputer/wip-ldm-os 0.4.85-alpha.2 → 0.4.85-alpha.21

package/src/hosted-mcp/app/pair.html

@@ -13,13 +13,21 @@
     --accent: #0033FF;
     --input-bg: #F5F3ED;
     --input-border: #E0DDD6;
+    --card-bg: #FFFFFF;
     --font: -apple-system, BlinkMacSystemFont, "SF Pro Text", system-ui, sans-serif;
   }
   html, body { height: 100%; font-family: var(--font); background: var(--bg); color: var(--text); }
   .page { display: flex; flex-direction: column; align-items: center; justify-content: center; min-height: 100vh; padding: 24px; }
   .card { max-width: 420px; width: 100%; text-align: center; }
   h1 { font-size: 26px; font-weight: 600; letter-spacing: -0.02em; margin-bottom: 8px; }
-  .sub { font-size: 16px; color: var(--text-muted); margin-bottom: 32px; }
+  .sub { font-size: 16px; color: var(--text-muted); margin-bottom: 24px; }
+  .code-display {
+    font-family: ui-monospace, "SF Mono", monospace;
+    font-size: 28px; font-weight: 600; letter-spacing: 0.3em;
+    background: var(--card-bg); border: 1px solid var(--input-border);
+    border-radius: 12px; padding: 18px;
+    margin: 0 auto 20px; display: inline-block; min-width: 240px;
+  }
   input[type="text"] {
     width: 100%; padding: 18px; font-size: 22px; font-weight: 600;
     text-align: center; letter-spacing: 0.4em;
@@ -28,9 +36,10 @@
     text-transform: uppercase; font-family: ui-monospace, "SF Mono", monospace;
   }
   input[type="text"]:focus { border-color: var(--accent); outline: none; }
-  .btn { display: block; width: 100%; padding: 18px; border: none; border-radius: 12px; font-size: 18px; font-weight: 600; font-family: var(--font); cursor: pointer; margin-top: 16px; }
+  .btn { display: block; width: 100%; padding: 18px; border: none; border-radius: 12px; font-size: 18px; font-weight: 600; font-family: var(--font); cursor: pointer; margin-top: 12px; }
   .btn:active { transform: scale(0.98); }
   .btn-primary { background: var(--accent); color: white; }
+  .btn-secondary { background: var(--card-bg); color: var(--text-muted); border: 1px solid var(--input-border); }
   .btn:disabled { opacity: 0.5; cursor: not-allowed; }
   .status { margin-top: 18px; font-size: 14px; min-height: 1.4em; color: var(--text-muted); }
   .status.error { color: #b00020; }
@@ -41,78 +50,177 @@
 <body>
 <div class="page">
   <div class="card">
-    <h1>Pair your Mac</h1>
-    <div class="sub">Type the code printed by <code>codex-daemon link</code></div>
-    <input id="codeInput" type="text" maxlength="6" autocomplete="off" autocapitalize="characters" inputmode="text" placeholder="ABC123">
-    <button id="pairBtn" class="btn btn-primary" type="button">Pair</button>
-    <div id="status" class="status"></div>
-    <div class="footer">Signed in as <span id="handle">...</span> ... <a href="#" id="signout">sign out</a></div>
+    <!-- View 1: confirm pair (when URL has a valid code + user is signed in) -->
+    <div id="confirm-view" style="display: none;">
+      <h1>Pair this laptop with Codex Remote Control?</h1>
+      <div class="sub">A device wants to drive its local Codex session from your phone.</div>
+      <div class="code-display" id="confirm-code">______</div>
+      <button id="confirmBtn" class="btn btn-primary" type="button">Confirm</button>
+      <button id="cancelBtn" class="btn btn-secondary" type="button">Cancel</button>
+      <div id="status" class="status"></div>
+      <div class="footer">Signed in as <span id="handle">...</span></div>
+    </div>
+
+    <!-- View 2: manual code entry (fallback for bare /pair) -->
+    <div id="manual-view" style="display: none;">
+      <h1>Pair your laptop</h1>
+      <div class="sub">Type the 6-character code printed by <code>codex-daemon link</code></div>
+      <input id="codeInput" type="text" maxlength="6" autocomplete="off" autocapitalize="characters" inputmode="text" placeholder="ABCDEF">
+      <button id="manualBtn" class="btn btn-primary" type="button">Pair</button>
+      <div id="manualStatus" class="status"></div>
+      <div class="footer">Signed in as <span id="manualHandle">...</span></div>
+    </div>
+
+    <!-- View 3: success -->
+    <div id="success-view" style="display: none;">
+      <h1>Paired.</h1>
+      <div id="success-sub" class="sub">Your laptop will pick this up in a few seconds.</div>
+      <div class="footer">You can close this tab.</div>
+    </div>
   </div>
 </div>
 <script>
-function getApiKey() {
-  return sessionStorage.getItem("wip_api_key");
-}
-function getHandle() {
-  return sessionStorage.getItem("wip_handle") || "(unknown)";
-}
-function setStatus(msg, kind) {
-  const el = document.getElementById("status");
+// Real daemon alphabet: A-Z minus I and O, digits 2-9. L IS included.
+// Length 6. Per CODEX_PAIR_ALPHABET in server.mjs and plan C1+C3 round 5.
+var PAIR_CODE_REGEX = /^[ABCDEFGHJKLMNPQRSTUVWXYZ23456789]{6}$/;
+
+function getApiKey() { return sessionStorage.getItem('wip_api_key'); }
+function getHandle() { return sessionStorage.getItem('wip_handle') || '(unknown)'; }
+function getPairPresenceToken() { return sessionStorage.getItem('wip_codex_pair_presence_token'); }
+
+function setStatus(elId, msg, kind) {
+  var el = document.getElementById(elId);
   el.textContent = msg;
-  el.className = "status" + (kind ? " " + kind : "");
-}
-function ensureSignedIn() {
-  if (!getApiKey()) {
-    location.href = "/app/login.html?next=" + encodeURIComponent("/pair");
-    return false;
-  }
-  document.getElementById("handle").textContent = getHandle();
-  return true;
+  el.className = 'status' + (kind ? ' ' + kind : '');
 }
 
-document.getElementById("signout").addEventListener("click", (ev) => {
-  ev.preventDefault();
-  sessionStorage.removeItem("wip_api_key");
-  sessionStorage.removeItem("wip_handle");
-  location.href = "/app/login.html?next=" + encodeURIComponent("/pair");
-});
+// Read the code from /pair/<CODE>. Returns null if path is bare /pair or
+// the code doesn't match the daemon alphabet. Defense-in-depth: server
+// validates authoritatively via its route regex.
+function readCodeFromPath() {
+  var m = location.pathname.match(/^\/pair\/([A-Za-z0-9]+)\/?$/);
+  if (!m) return null;
+  var raw = m[1].trim().toUpperCase();
+  return PAIR_CODE_REGEX.test(raw) ? raw : null;
+}
 
-async function pair() {
-  const input = document.getElementById("codeInput");
-  const code = input.value.trim().toUpperCase();
-  if (code.length !== 6) {
-    setStatus("Enter the 6-character code shown on your Mac.", "error");
-    return;
+// POST the code to /api/codex-relay/pair-complete using the api_key
+// from sessionStorage as Bearer token. Daemon key pairing also sends the
+// short-lived token minted by the passkey verify step, so a stale ck- token
+// alone cannot replace a daemon. On success, show the success view.
+async function submitPair(code, statusElId) {
+  if (!PAIR_CODE_REGEX.test(code)) {
+    setStatus(statusElId, 'That does not look like a valid code.', 'error');
+    return false;
   }
-  const btn = document.getElementById("pairBtn");
-  btn.disabled = true;
-  setStatus("Pairing...");
+  setStatus(statusElId, 'Pairing...', '');
   try {
-    const res = await fetch("/api/codex-relay/pair-complete", {
-      method: "POST",
+    var res = await fetch('/api/codex-relay/pair-complete', {
+      method: 'POST',
       headers: {
-        "Content-Type": "application/json",
-        "Authorization": "Bearer " + getApiKey(),
+        'Content-Type': 'application/json',
+        'Authorization': 'Bearer ' + getApiKey(),
       },
-      body: JSON.stringify({ code }),
+      body: JSON.stringify({
+        code: code,
+        codex_pair_presence_token: getPairPresenceToken(),
+      }),
     });
-    const data = await res.json();
-    if (!res.ok) throw new Error(data.error || "Pairing failed");
-    setStatus("Paired. Your Mac will pick this up in a few seconds.", "success");
-    btn.textContent = "Done";
+    var data = await res.json();
+    if (!res.ok) {
+      var msg = (data && data.error) || 'Pairing failed.';
+      // If the code expired or was already used, suggest rerunning the daemon.
+      if (res.status === 410 || res.status === 404) {
+        msg += ' Run codex-daemon link again on your laptop to get a fresh code.';
+      }
+      if (res.status === 403 && data && data.error === 'fresh_presence_required') {
+        msg = 'Sign in again with your passkey to relink this daemon.';
+        sessionStorage.removeItem('wip_api_key');
+        sessionStorage.removeItem('wip_codex_pair_presence_token');
+        setTimeout(function() {
+          location.replace('/login?next=' + encodeURIComponent('/pair/' + code));
+        }, 1200);
+      }
+      setStatus(statusElId, msg, 'error');
+      return false;
+    }
+    sessionStorage.removeItem('wip_codex_pair_presence_token');
+    document.getElementById('success-sub').textContent = data.replaced_daemon_key
+      ? 'Remote Control relinked this laptop. Existing browser control tabs need to reconnect.'
+      : 'Your laptop will pick this up in a few seconds.';
+    document.getElementById('confirm-view').style.display = 'none';
+    document.getElementById('manual-view').style.display = 'none';
+    document.getElementById('success-view').style.display = 'block';
+    return true;
   } catch (err) {
-    setStatus(err.message || String(err), "error");
-    btn.disabled = false;
+    setStatus(statusElId, (err && err.message) || String(err), 'error');
+    return false;
   }
 }
 
-if (ensureSignedIn()) {
-  document.getElementById("pairBtn").addEventListener("click", pair);
-  document.getElementById("codeInput").addEventListener("keydown", (ev) => {
-    if (ev.key === "Enter") pair();
+// ── Routing ──
+//
+// 1. If not signed in: redirect to /login?next=<this-path-with-code>.
+//    The existing Kaleidoscope login flow will QR + passkey + redirect
+//    back here. The server's `next` whitelist also enforces this shape.
+// 2. If signed in AND URL has a valid code: render the confirm view.
+//    User must tap Confirm before we POST pair-complete (per plan C7).
+// 3. If signed in but no code in URL (bare /pair): render the manual
+//    entry view. Fallback only.
+
+(function init() {
+  var code = readCodeFromPath();
+  var apiKey = getApiKey();
+
+  if (!apiKey) {
+    // Not signed in. Send through /login keeping the current path as next.
+    var nextParam = encodeURIComponent(location.pathname);
+    location.replace('/login?next=' + nextParam);
+    return;
+  }
+
+  if (code) {
+    // Signed in + URL has a valid code. Show confirm step.
+    var confirmView = document.getElementById('confirm-view');
+    document.getElementById('confirm-code').textContent = code;
+    document.getElementById('handle').textContent = getHandle();
+    confirmView.style.display = 'block';
+    document.getElementById('confirmBtn').addEventListener('click', async function() {
+      var confirmBtn = document.getElementById('confirmBtn');
+      var cancelBtn = document.getElementById('cancelBtn');
+      confirmBtn.disabled = true;
+      cancelBtn.disabled = true;
+      var ok = await submitPair(code, 'status');
+      // On failure, re-enable Confirm/Cancel so the user can retry or cancel.
+      // Server may have rejected the code as expired or already-used; the
+      // user should see the error and have the buttons back.
+      if (!ok) {
+        confirmBtn.disabled = false;
+        cancelBtn.disabled = false;
+      }
+    });
+    document.getElementById('cancelBtn').addEventListener('click', function() {
+      // Best-effort: just close the tab if we can; otherwise redirect home.
+      try { window.close(); } catch (e) {}
+      setTimeout(function() { location.replace('/'); }, 100);
+    });
+    return;
+  }
+
+  // Bare /pair, signed in. Manual code entry fallback.
+  var manualView = document.getElementById('manual-view');
+  document.getElementById('manualHandle').textContent = getHandle();
+  manualView.style.display = 'block';
+  function manualSubmit() {
+    var raw = document.getElementById('codeInput').value.trim().toUpperCase();
+    submitPair(raw, 'manualStatus');
+  }
+  document.getElementById('manualBtn').addEventListener('click', manualSubmit);
+  document.getElementById('codeInput').addEventListener('keydown', function(ev) {
+    if (ev.key === 'Enter') manualSubmit();
   });
-  document.getElementById("codeInput").focus();
-}
+  document.getElementById('codeInput').focus();
+})();
 </script>
 </body>
 </html>

package/src/hosted-mcp/codex-relay-e2ee-registry.mjs

@@ -0,0 +1,208 @@
+import { createHash, randomUUID } from "node:crypto";
+
+export function normalizeCodexCryptoVersions(versions) {
+  const out = Array.isArray(versions)
+    ? versions.filter((v) => typeof v === "string" && v.length > 0 && v.length <= 32).slice(0, 8)
+    : [];
+  return out.length ? out : ["e2ee-v1"];
+}
+
+export function codexDaemonPubkeyFingerprint(pubkey) {
+  if (typeof pubkey !== "string" || !pubkey) return null;
+  return "sha256:" + createHash("sha256").update(pubkey).digest("base64url").slice(0, 16);
+}
+
+export function evaluateCodexDaemonReconnectPubkey(existingKey, incomingPubkey) {
+  const existingPubkey = typeof existingKey?.pubkey === "string" && existingKey.pubkey ? existingKey.pubkey : null;
+  const nextPubkey = typeof incomingPubkey === "string" && incomingPubkey && incomingPubkey.length <= 1024 ? incomingPubkey : null;
+  const oldFingerprint = codexDaemonPubkeyFingerprint(existingPubkey);
+  const newFingerprint = codexDaemonPubkeyFingerprint(nextPubkey);
+
+  if (!nextPubkey) {
+    return {
+      allowed: false,
+      reason: "invalid_daemon_pubkey",
+      replaced: false,
+      old_fingerprint: oldFingerprint,
+      new_fingerprint: newFingerprint,
+    };
+  }
+  if (!existingPubkey || existingPubkey === nextPubkey) {
+    return {
+      allowed: true,
+      reason: null,
+      replaced: false,
+      old_fingerprint: oldFingerprint,
+      new_fingerprint: newFingerprint,
+    };
+  }
+  return {
+    allowed: false,
+    reason: "fresh_pair_required",
+    replaced: true,
+    old_fingerprint: oldFingerprint,
+    new_fingerprint: newFingerprint,
+  };
+}
+
+export function buildCodexBootstrapPayload({ identity, threadId, daemonOnline, daemonKey }) {
+  return {
+    handle: identity.handle,
+    thread_id: threadId,
+    daemon_online: daemonOnline,
+    daemon_public_key: daemonKey ? daemonKey.pubkey : null,
+    daemon_crypto_versions: daemonKey ? daemonKey.crypto_versions : null,
+    supported_crypto_versions: ["e2ee-v1"],
+    e2ee_available: !!daemonKey,
+  };
+}
+
+export function createCodexDaemonPubkeyRegistry({
+  usePrisma,
+  prisma,
+  devMode = false,
+  logger = console,
+} = {}) {
+  const pubkeys = new Map();
+  const auditLog = [];
+
+  async function ensureStore() {
+    if (!usePrisma) return;
+    await prisma.$executeRawUnsafe(`
+      CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_keys (
+        tenant_id TEXT PRIMARY KEY,
+        pubkey TEXT NOT NULL,
+        crypto_versions_json TEXT NOT NULL,
+        registered_at TIMESTAMPTZ NOT NULL DEFAULT now()
+      )
+    `);
+  }
+
+  async function ensureAuditStore() {
+    if (!usePrisma) return;
+    await prisma.$executeRawUnsafe(`
+      CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_key_audit (
+        id TEXT PRIMARY KEY,
+        tenant_id TEXT NOT NULL,
+        source TEXT NOT NULL,
+        old_pubkey_fingerprint TEXT,
+        new_pubkey_fingerprint TEXT,
+        replaced BOOLEAN NOT NULL,
+        registered_at TIMESTAMPTZ NOT NULL DEFAULT now()
+      )
+    `);
+  }
+
+  async function loadFromDb() {
+    if (!usePrisma) return;
+    try {
+      await ensureStore();
+      const rows = await prisma.$queryRawUnsafe(`
+        SELECT tenant_id, pubkey, crypto_versions_json, registered_at
+        FROM codex_daemon_e2ee_keys
+      `);
+      for (const row of rows) {
+        let cryptoVersions = ["e2ee-v1"];
+        try { cryptoVersions = normalizeCodexCryptoVersions(JSON.parse(row.crypto_versions_json)); } catch {}
+        pubkeys.set(row.tenant_id, {
+          pubkey: row.pubkey,
+          crypto_versions: cryptoVersions,
+          registered_at: row.registered_at instanceof Date ? row.registered_at.toISOString() : String(row.registered_at),
+        });
+      }
+      logger.log("codex-relay: loaded " + rows.length + " persisted E2EE daemon pubkey(s)");
+    } catch (err) {
+      logger.error("codex-relay: failed to load persisted E2EE daemon pubkeys:", err.message);
+      if (!devMode) process.exit(1);
+    }
+  }
+
+  async function persist(agentId, pubkey, cryptoVersions) {
+    if (!usePrisma) return;
+    await ensureStore();
+    await prisma.$executeRawUnsafe(
+      `INSERT INTO codex_daemon_e2ee_keys
+        (tenant_id, pubkey, crypto_versions_json, registered_at)
+       VALUES ($1, $2, $3, now())
+       ON CONFLICT (tenant_id)
+       DO UPDATE SET
+        pubkey = EXCLUDED.pubkey,
+        crypto_versions_json = EXCLUDED.crypto_versions_json,
+        registered_at = EXCLUDED.registered_at`,
+      agentId,
+      pubkey,
+      JSON.stringify(cryptoVersions),
+    );
+  }
+
+  async function recordAudit(agentId, previousPubkey, nextPubkey, source, registeredAt) {
+    const oldFingerprint = codexDaemonPubkeyFingerprint(previousPubkey);
+    const newFingerprint = codexDaemonPubkeyFingerprint(nextPubkey);
+    const replaced = !!(previousPubkey && previousPubkey !== nextPubkey);
+    const entry = {
+      tenant_id: agentId,
+      source,
+      old_pubkey_fingerprint: oldFingerprint,
+      new_pubkey_fingerprint: newFingerprint,
+      replaced,
+      registered_at: registeredAt,
+    };
+    auditLog.push(entry);
+    if (!usePrisma) return;
+    await ensureAuditStore();
+    await prisma.$executeRawUnsafe(
+      `INSERT INTO codex_daemon_e2ee_key_audit
+        (id, tenant_id, source, old_pubkey_fingerprint, new_pubkey_fingerprint, replaced, registered_at)
+       VALUES ($1, $2, $3, $4, $5, $6, $7::timestamptz)`,
+      randomUUID(),
+      agentId,
+      source,
+      oldFingerprint,
+      newFingerprint,
+      replaced,
+      registeredAt,
+    );
+  }
+
+  function register(agentId, pubkey, cryptoVersions, source) {
+    if (typeof agentId !== "string" || !agentId) return Promise.resolve(false);
+    if (typeof pubkey !== "string" || !pubkey || pubkey.length > 1024) return Promise.resolve(false);
+    const previous = pubkeys.get(agentId) || null;
+    const normalizedVersions = normalizeCodexCryptoVersions(cryptoVersions);
+    const registeredAt = new Date().toISOString();
+    pubkeys.set(agentId, {
+      pubkey,
+      crypto_versions: normalizedVersions,
+      registered_at: registeredAt,
+    });
+    logger.log("codex-relay: registered E2EE pubkey for " + agentId + " via " + source);
+    return persist(agentId, pubkey, normalizedVersions)
+      .then(() => recordAudit(agentId, previous?.pubkey || null, pubkey, source, registeredAt))
+      .then(() => ({
+        registered: true,
+        replaced: !!(previous?.pubkey && previous.pubkey !== pubkey),
+        old_fingerprint: codexDaemonPubkeyFingerprint(previous?.pubkey || null),
+        new_fingerprint: codexDaemonPubkeyFingerprint(pubkey),
+      }))
+      .catch((err) => {
+        logger.error("codex-relay: failed to persist E2EE pubkey for " + agentId + ":", err.message);
+        if (!devMode) throw err;
+        return false;
+      });
+  }
+
+  return {
+    pubkeys,
+    auditLog,
+    ensureStore,
+    ensureAuditStore,
+    loadFromDb,
+    register,
+    get(agentId) {
+      return pubkeys.get(agentId) || null;
+    },
+    clearMemoryForTest() {
+      pubkeys.clear();
+    },
+  };
+}

package/src/hosted-mcp/demo/index.html

@@ -1233,13 +1233,9 @@ if (sessionStorage.getItem('lesa-token')) {
   showChat();
 }
 
-// If user has an account (created at /login), show sign-in mode
-if (localStorage.getItem('kscope-has-account') && !sessionStorage.getItem('lesa-token')) {
-  document.getElementById('createBtn').textContent = 'Enter the Kaleidoscope';
-  document.getElementById('createBtn').onclick = function() { doSignIn(); };
-  document.getElementById('handleInputWrap').style.display = 'none';
-  document.getElementById('signInBtn').parentElement.style.display = 'none';
-}
+// /demo/ always shows the original create-account UI. Do not key off
+// localStorage["kscope-has-account"] to swap into sign-in mode here;
+// that coupled /login state to /demo/ rendering.
 
 // Handle send (not used in demo flow, but wired up)
 function handleSend() {