@wipcomputer/wip-ldm-os 0.4.85-alpha.2 → 0.4.85-alpha.4

package/bin/ldm.js

@@ -738,6 +738,24 @@ function deployDocs() {
     console.log(`  + ${agentDocsCount} personalized doc(s) deployed to ${agentLibraryDest.replace(HOME, '~')}/`);
   }
 
+  // Migration-window compatibility write (added 2026-04-30).
+  // dev-guide-wipcomputerinc.md was migrated from ~/.ldm/shared/ to
+  // ~/.ldm/library/documentation/ on 2026-04-19, but agent boot files,
+  // ~/.claude/rules/, and other consumers still reference the old shared
+  // path. Without this write, the old path serves stale content and
+  // agents reading by the old path get pre-migration policy.
+  // Forward-migration (grep-update consumers, then remove this compat
+  // write) is tracked separately. See bugs/installer/ ticket
+  // 2026-04-30--cc-mini--dev-guide-split-path-migration.md.
+  const devGuideName = 'dev-guide-wipcomputerinc.md';
+  const devGuideNew = join(agentLibraryDest, devGuideName);
+  const devGuideOld = join(LDM_ROOT, 'shared', devGuideName);
+  if (existsSync(devGuideNew)) {
+    mkdirSync(dirname(devGuideOld), { recursive: true });
+    cpSync(devGuideNew, devGuideOld);
+    console.log(`  + Compat write: ${devGuideName} also deployed to ${devGuideOld.replace(HOME, '~')} (migration window)`);
+  }
+
   return docsCount + agentDocsCount;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.85-alpha.2",
+  "version": "0.4.85-alpha.4",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {
@@ -26,6 +26,9 @@
     "test:ldm-install-bin-shim": "node scripts/test-ldm-install-preserves-foreign-bin.mjs",
     "test:doctor-cron-target": "node scripts/test-doctor-cron-target.mjs",
     "test:bin-manifest": "node scripts/test-bin-manifest.mjs",
+    "test:crc-agentid-tenant-boundary": "node scripts/test-crc-agentid-tenant-boundary.mjs",
+    "test:crc-pair-login-flow": "node scripts/test-crc-pair-login-flow.mjs",
+    "test:crc-e2ee-session-route": "node scripts/test-crc-e2ee-session-route.mjs",
     "fmt": "npx prettier --write 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'",
     "fmt:check": "npx prettier --check 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'"
   },

package/scripts/test-crc-agentid-tenant-boundary.mjs

@@ -0,0 +1,72 @@
+import { createHash } from "node:crypto";
+import { readFileSync } from "node:fs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+
+function assertContains(needle, label) {
+  if (!server.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assertNotContains(needle, label) {
+  if (server.includes(needle)) {
+    throw new Error(`${label} still contains forbidden text: ${needle}`);
+  }
+}
+
+assertContains('const ACCOUNT_TENANT_PREFIX = "acct:";', "account tenant prefix");
+assertContains('const LEGACY_API_KEY_TENANT_PREFIX = "key:";', "legacy key tenant prefix");
+assertContains('const RESERVED_AGENT_HANDLES = new Set([', "reserved handle set");
+assertContains('"parker-smoke-test",', "reserved parker smoke handle");
+assertContains('function accountTenantIdForUserId(userId)', "account tenant helper");
+assertContains('function identityForApiKey(key)', "api key identity helper");
+assertContains('return identityForApiKey(key);', "http auth uses identity helper");
+assertContains("const agentId = accountTenantIdForUserId(stored.userId);", "registration uses immutable account tenant");
+assertContains("await saveApiKey(apiKey, agentId, { handle: credentialLabel });", "registration stores handle separately");
+assertContains('json(res, 409, { error: "reserved_handle"', "reserved handle rejected");
+assertContains('json(res, 409, { error: "handle_taken"', "duplicate handle rejected");
+assertContains("p.handle = identity.handle;", "pair stores display handle separately");
+assertContains("handle: identity.handle,", "relay metadata returns display handle");
+assertContains("codexDaemons.has(identity.agentId)", "daemon presence uses tenant id");
+assertContains("codexDaemonPubkeys.get(identity.agentId)", "daemon pubkey uses tenant id");
+assertContains("agentId: identity.agentId,", "relay tickets bind tenant id");
+assertContains("handle: identity.handle,", "relay tickets preserve display handle");
+assertContains("codexDaemons.set(identity.agentId, ws);", "daemon ws keyed by tenant id");
+assertContains("const key = codexRelayKey(identity.agentId, threadId);", "web ws keyed by tenant id");
+assertContains("const daemonWs = codexDaemons.get(identity.agentId);", "web sends to tenant daemon");
+assertNotContains("const agentId = stored.username || (\"passkey-\"", "registration must not use chosen handle as tenant");
+assertNotContains("const existingKey = Object.entries(API_KEYS).find(([k, v]) => v === agentId);", "oauth must not reuse chosen handle as tenant");
+
+function legacyTenantIdForApiKey(key) {
+  return "key:" + createHash("sha256").update(key).digest("base64url").slice(0, 32);
+}
+
+function accountTenantIdForUserId(userId) {
+  return "acct:" + userId;
+}
+
+const chosenHandle = "parker-smoke-test";
+const accountA = accountTenantIdForUserId("user-a");
+const accountB = accountTenantIdForUserId("user-b");
+if (accountA === accountB) {
+  throw new Error("different user ids collapsed to one account tenant");
+}
+
+const legacyA = legacyTenantIdForApiKey("ck-a");
+const legacyB = legacyTenantIdForApiKey("ck-b");
+if (legacyA === legacyB) {
+  throw new Error("legacy API-key tenants collided");
+}
+
+const threadId = "thread-019dfa";
+const webKeyA = `${accountA}:${threadId}`;
+const webKeyB = `${accountB}:${threadId}`;
+if (webKeyA === webKeyB) {
+  throw new Error("same display handle can still collide across account tenants");
+}
+if (`${chosenHandle}:${threadId}` === webKeyA || `${chosenHandle}:${threadId}` === webKeyB) {
+  throw new Error("model still keys relay routes by display handle");
+}
+
+console.log("crc agentId tenant boundary checks passed");

package/scripts/test-crc-e2ee-session-route.mjs

@@ -0,0 +1,122 @@
+import { readFileSync } from "node:fs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+
+function assertContains(needle, label) {
+  if (!server.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assertBefore(first, second, label) {
+  const firstIndex = server.indexOf(first);
+  const secondIndex = firstIndex === -1 ? -1 : server.indexOf(second, firstIndex + first.length);
+  if (firstIndex === -1 || secondIndex === -1 || firstIndex >= secondIndex) {
+    throw new Error(`${label} expected "${first}" before "${second}"`);
+  }
+}
+
+assertContains("const codexWebClients = new Map(); // `${agentId}:${threadId}` -> Set<ws>", "thread-keyed web client sets");
+assertContains("const codexE2eeSessionRoutes = new Map(); // `${agentId}:${e2eeSession}` -> { threadId, webKey, ws }", "e2ee session route map");
+assertContains("function registerCodexE2eeSessionRoute(agentId, e2eeSession, threadId, ws)", "route registration helper");
+assertContains("codexE2eeSessionRoutes.set(codexRelayKey(agentId, e2eeSession), { threadId, webKey, ws });", "route map stores e2ee session to thread");
+assertContains("function addCodexWebClient(webKey, ws)", "web client set add helper");
+assertContains("function removeCodexWebClient(webKey, ws)", "web client set remove helper");
+assertContains("function openCodexWebClientsForKey(webKey)", "web client set read helper");
+assertContains("function resolveCodexWebClientsForDaemonFrame(agentId, routeId)", "daemon route resolver");
+assertContains("const routed = codexE2eeSessionRoutes.get(codexRelayKey(agentId, routeId));", "daemon route lookup uses e2ee session map");
+assertContains("if (routed && routed.ws && routed.ws.readyState === routed.ws.OPEN) return [routed.ws];", "daemon route resolves to active owner socket");
+assertContains("return openCodexWebClientsForKey(codexRelayKey(agentId, routeId));", "daemon route keeps direct thread fallback");
+assertContains("const targets = resolveCodexWebClientsForDaemonFrame(identity.agentId, sessionId);", "daemon frames use route resolver");
+assertContains("for (const target of targets) {", "daemon frames send to every resolved target");
+assertContains("if (isCodexE2eeEnvelope(envelope) && envelope.session) {", "web e2ee messages are detected");
+assertContains("registerCodexE2eeSessionRoute(identity.agentId, envelope.session, threadId, ws);", "web e2ee session is registered");
+assertContains("const clientCount = addCodexWebClient(key, ws);", "new web connections are added without replacing existing clients");
+assertContains("removeCodexWebClient(key, ws);", "close cleanup removes only the closing socket");
+assertContains("removeCodexE2eeRoutesForWeb(identity.agentId, threadId, ws);", "close cleanup");
+assertContains("if (route.webKey === webKey && (!ws || route.ws === ws)) {", "cleanup only removes routes owned by the closing socket");
+assertBefore(
+  "registerCodexE2eeSessionRoute(identity.agentId, envelope.session, threadId, ws);",
+  "daemonWs.send(text);",
+  "web session route registered before forwarding to daemon",
+);
+if (server.includes("const previous = codexWebClients.get(key);")) {
+  throw new Error("web client replacement lookup is still present");
+}
+if (server.includes("codexWebClients.set(key, ws);")) {
+  throw new Error("web client singleton set is still present");
+}
+
+const OPEN = 1;
+const agentId = "parker-smoke-test";
+const threadId = "thread-123";
+const e2eeSession = "e2ee-random-session-456";
+if (e2eeSession === threadId) {
+  throw new Error("test setup must use a random E2EE session distinct from threadId");
+}
+
+const modelWebClients = new Map();
+const modelRoutes = new Map();
+const webSocketA = { readyState: OPEN, OPEN };
+const webSocketB = { readyState: OPEN, OPEN };
+const webSocketC = { readyState: OPEN, OPEN };
+const webKey = `${agentId}:${threadId}`;
+
+function modelAddWebClient(ws) {
+  let clients = modelWebClients.get(webKey);
+  if (!clients) {
+    clients = new Set();
+    modelWebClients.set(webKey, clients);
+  }
+  clients.add(ws);
+}
+
+function modelRegister(session, ws) {
+  modelRoutes.set(`${agentId}:${session}`, { webKey, ws });
+}
+
+function modelResolve(routeId) {
+  const route = modelRoutes.get(`${agentId}:${routeId}`);
+  if (route && route.ws.readyState === route.ws.OPEN) return [route.ws];
+  const clients = modelWebClients.get(`${agentId}:${routeId}`) || new Set();
+  return [...clients].filter((webWs) => webWs.readyState === webWs.OPEN);
+}
+
+function modelRemoveOwnedRoutes(ws) {
+  for (const [routeKey, route] of modelRoutes) {
+    if (route.webKey === webKey && route.ws === ws) modelRoutes.delete(routeKey);
+  }
+}
+
+function modelRemoveWebClient(ws) {
+  const clients = modelWebClients.get(webKey);
+  if (!clients) return;
+  clients.delete(ws);
+  if (clients.size === 0) modelWebClients.delete(webKey);
+}
+
+modelAddWebClient(webSocketA);
+modelAddWebClient(webSocketB);
+modelRegister(e2eeSession, webSocketA);
+if (modelResolve(e2eeSession)[0] !== webSocketA) {
+  throw new Error("random E2EE session did not route to the owning thread web socket");
+}
+const threadTargets = modelResolve(threadId);
+if (threadTargets.length !== 2 || !threadTargets.includes(webSocketA) || !threadTargets.includes(webSocketB)) {
+  throw new Error("direct thread fallback did not broadcast to every thread web socket");
+}
+
+modelRemoveOwnedRoutes(webSocketA);
+modelRemoveWebClient(webSocketA);
+modelAddWebClient(webSocketC);
+modelRegister(e2eeSession, webSocketC);
+modelRemoveOwnedRoutes(webSocketA);
+if (modelResolve(e2eeSession)[0] !== webSocketC) {
+  throw new Error("old socket cleanup removed or stole the replacement E2EE route");
+}
+const remainingThreadTargets = modelResolve(threadId);
+if (remainingThreadTargets.length !== 2 || !remainingThreadTargets.includes(webSocketB) || !remainingThreadTargets.includes(webSocketC)) {
+  throw new Error("closing one web socket removed another browser client");
+}
+
+console.log("crc e2ee session route checks passed");

package/scripts/test-crc-pair-login-flow.mjs

@@ -0,0 +1,40 @@
+import { readFileSync } from "node:fs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+const loginFiles = [
+  "src/hosted-mcp/app/kaleidoscope-login.html",
+  "src/hosted-mcp/demo/login.html",
+];
+
+function assertContains(source, needle, label) {
+  if (!source.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assertBefore(source, first, second, label) {
+  const firstIndex = source.indexOf(first);
+  const secondIndex = source.indexOf(second);
+  if (firstIndex === -1 || secondIndex === -1 || firstIndex >= secondIndex) {
+    throw new Error(`${label} expected "${first}" before "${second}"`);
+  }
+}
+
+assertContains(server, "const PAIR_NEXT_REGEX = /^\\/pair\\/[ABCDEFGHJKLMNPQRSTUVWXYZ23456789]{6}$/;", "server pair regex");
+assertContains(server, "const REMOTE_CONTROL_NEXT_REGEX = /^\\/codex-remote-control\\/", "server remote-control regex");
+assertContains(server, "purpose,           // \"pair\" | null", "server stores pair purpose");
+assertContains(server, "next: next || null, // sanitized `/pair/<CODE>` or null", "server stores sanitized next");
+assertContains(server, "json(res, 200, { status: \"approved\", agentId: entry.agentId });", "server strips desktop pair status");
+assertContains(server, "json(res, 200, { ok: true, next: entry.next });", "server returns next to phone approve");
+
+for (const file of loginFiles) {
+  const html = readFileSync(file, "utf8");
+  assertContains(html, "function isPairNextOnDesktop()", `${file} desktop pair helper`);
+  assertContains(html, "} else if (isPairNextOnDesktop()) {", `${file} auto-start desktop pair QR`);
+  assertContains(html, "startQrLogin('', 'signin');", `${file} pair QR uses sign-in mode`);
+  assertContains(html, "if (approveResponse && typeof approveResponse.next === 'string' && isWhitelistedNext(approveResponse.next))", `${file} consumes approve next`);
+  assertContains(html, "if (urlNext && PAIR_NEXT_REGEX.test(urlNext))", `${file} desktop pair approved branch`);
+  assertBefore(html, "if (isPairNextOnDesktop() && !qrSessionMode)", "if (needsCustomQR() && !qrSessionMode)", `${file} create button forces pair QR before normal QR fallback`);
+}
+
+console.log("crc pair login flow checks passed");

package/src/hosted-mcp/app/footer.js

@@ -0,0 +1,74 @@
+// Shared footer for all Kaleidoscope pages (production-owned).
+// Include with: <div id="kscope-footer"></div><script src="/app/footer.js"></script>
+(function() {
+  var container = document.getElementById('kscope-footer');
+  if (!container) return;
+
+  var mobile = navigator.maxTouchPoints > 0 && window.innerWidth < 768;
+
+  // Desktop: fixed at bottom. Mobile: in page flow (below fold).
+  if (mobile) {
+    container.style.cssText = 'background:#FFFDF5;padding:16px 0;';
+  } else {
+    container.style.cssText = 'position:fixed;bottom:0;left:0;right:0;background:#FFFDF5;padding:16px 0;';
+  }
+
+  var inner = document.createElement('div');
+  inner.style.cssText = 'max-width:980px;margin:0 auto;padding:0 24px;border-top:1px solid rgba(0,0,0,0.06);padding-top:16px;text-align:left;font-size:13px;color:#a8a4a0;line-height:1.6;';
+
+  // On mobile, copyright and links on separate lines (like Apple)
+  if (mobile) {
+    inner.innerHTML = '<p style="margin:0;">WIP Computer, Inc.</p>'
+      + '<p style="margin:2px 0 0;">Learning Dreaming Machines</p>'
+      + '<p style="margin:8px 0 0;">Copyright &copy; 2026 WIP Computer, Inc. All rights reserved.</p>'
+      + '<p style="margin:4px 0 0;">'
+      + '<a href="/legal/privacy/en-ww/" style="color:#a8a4a0;text-decoration:none;">Privacy Policy</a> &nbsp;|&nbsp; '
+      + '<a href="/legal/internet-services/terms/site.html" style="color:#a8a4a0;text-decoration:none;">Terms of Use</a></p>'
+      + '<p style="margin:4px 0 0;">'
+      + '<a href="/agent.txt" style="color:#a8a4a0;text-decoration:none;">Are you an AI Agent?</a></p>'
+      + '<p style="margin:4px 0 0;">Made in California.</p>';
+  } else {
+    inner.innerHTML = '<p style="margin:0;">WIP Computer, Inc.</p>'
+      + '<p style="margin:2px 0 0;">Learning Dreaming Machines</p>'
+      + '<p style="margin:8px 0 0;">Copyright &copy; 2026 WIP Computer, Inc. All rights reserved. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'
+      + '<a href="/legal/privacy/en-ww/" style="color:#a8a4a0;text-decoration:none;">Privacy Policy</a> &nbsp;|&nbsp; '
+      + '<a href="/legal/internet-services/terms/site.html" style="color:#a8a4a0;text-decoration:none;">Terms of Use</a></p>'
+      + '<p style="margin:4px 0 0;">'
+      + '<a href="/agent.txt" style="color:#a8a4a0;text-decoration:none;">Are you an AI Agent?</a> &nbsp;|&nbsp; '
+      + '<a id="localPasskeysToggle" onclick="toggleLocalPasskeys()" style="color:#a8a4a0;text-decoration:none;cursor:pointer;display:inline-flex;align-items:center;gap:4px;vertical-align:middle;">'
+      + '<span id="passkeys-dot" style="display:inline-block;width:8px;height:8px;border-radius:50%;"></span> '
+      + '<span id="passkeys-label">Local passkeys off</span></a></p>'
+      + '<p style="margin:4px 0 0;">Made in California.</p>';
+  }
+
+  container.appendChild(inner);
+
+  // Local passkeys toggle
+  if (!window.isLocalPasskeysOn) {
+    window.isLocalPasskeysOn = function() { return localStorage.getItem('localPasskeys') === 'on'; };
+  }
+  if (!window.toggleLocalPasskeys) {
+    window.toggleLocalPasskeys = function() {
+      var on = isLocalPasskeysOn();
+      localStorage.setItem('localPasskeys', on ? 'off' : 'on');
+      updatePasskeysDot();
+    };
+  }
+  if (!window.updatePasskeysDot) {
+    window.updatePasskeysDot = function() {
+      var dot = document.getElementById('passkeys-dot');
+      var label = document.getElementById('passkeys-label');
+      if (!dot) return;
+      if (isLocalPasskeysOn()) {
+        dot.style.background = '#2E7D32';
+        dot.style.opacity = '1';
+        if (label) label.textContent = 'Local passkeys on';
+      } else {
+        dot.style.background = '#D32F2F';
+        dot.style.opacity = '0.4';
+        if (label) label.textContent = 'Local passkeys off';
+      }
+    };
+  }
+  updatePasskeysDot();
+})();