npm - @wipcomputer/wip-ldm-os - Versions diffs - 0.4.85-alpha.7 → 0.4.85-alpha.8 - Mend

@wipcomputer/wip-ldm-os 0.4.85-alpha.7 → 0.4.85-alpha.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +2 -1
package/scripts/test-crc-pair-status-poll-token.mjs +73 -0
package/src/hosted-mcp/server.mjs +25 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.85-alpha.7",
+  "version": "0.4.85-alpha.8",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {
@@ -29,6 +29,7 @@
     "test:bin-manifest": "node scripts/test-bin-manifest.mjs",
     "test:crc-agentid-tenant-boundary": "node scripts/test-crc-agentid-tenant-boundary.mjs",
     "test:crc-pair-login-flow": "node scripts/test-crc-pair-login-flow.mjs",
+    "test:crc-pair-status-poll-token": "node scripts/test-crc-pair-status-poll-token.mjs",
     "test:crc-e2ee-session-route": "node scripts/test-crc-e2ee-session-route.mjs",
     "fmt": "npx prettier --write 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'",
     "fmt:check": "npx prettier --check 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'"

package/scripts/test-crc-pair-status-poll-token.mjs ADDED Viewed

@@ -0,0 +1,73 @@
+import { readFileSync } from "node:fs";
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+function assertContains(needle, label) {
+  if (!server.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+function assertNotContains(needle, label) {
+  if (server.includes(needle)) {
+    throw new Error(`${label} still contains forbidden text: ${needle}`);
+  }
+}
+assertContains("function generateCodexPairPollToken()", "pair poll token generator");
+assertContains('return "ppt_" + randomBytes(32).toString("base64url");', "pair poll token entropy");
+assertContains("function getBearerToken(req)", "bearer token helper");
+assertContains("const pollToken = generateCodexPairPollToken();", "pair-init mints poll token");
+assertContains("poll_token: pollToken,", "pair state stores poll token");
+assertContains("poll_token_used: false,", "pair state tracks token consumption");
+assertContains("pair_poll_token: pollToken,", "pair-init returns poll token to daemon");
+assertContains('json(res, 401, { error: "pair_poll_token_expired" });', "expired token rejected");
+assertContains('json(res, 401, { error: "invalid_pair_poll_token" });', "missing or wrong token rejected");
+assertContains("if (!pollToken || pollToken !== p.poll_token || p.poll_token_used)", "pair-status validates token");
+assertContains("p.poll_token_used = true;", "completed credential response consumes token");
+function pairStatusModel(pair, bearer, now) {
+  if (now > pair.expires) return { code: 401, body: { error: "pair_poll_token_expired" } };
+  if (!bearer || bearer !== pair.poll_token || pair.poll_token_used) {
+    return { code: 401, body: { error: "invalid_pair_poll_token" } };
+  }
+  if (pair.status === "completed") {
+    pair.poll_token_used = true;
+    return { code: 200, body: { status: "completed", api_key: pair.apiKey, handle: pair.handle } };
+  }
+  return { code: 200, body: { status: pair.status } };
+}
+const pair = {
+  status: "pending",
+  expires: 10_000,
+  poll_token: "ppt_good",
+  poll_token_used: false,
+  apiKey: "ck_secret",
+  handle: "Parker",
+};
+if (pairStatusModel({ ...pair }, null, 1).code !== 401) {
+  throw new Error("missing poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_wrong", 1).code !== 401) {
+  throw new Error("wrong poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_good", 20_000).code !== 401) {
+  throw new Error("expired poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_good", 1).body.status !== "pending") {
+  throw new Error("correct poll token should return pending before completion");
+}
+const completedPair = { ...pair, status: "completed" };
+const completed = pairStatusModel(completedPair, "ppt_good", 1);
+if (completed.code !== 200 || completed.body.api_key !== "ck_secret") {
+  throw new Error("correct poll token should return completed credential once");
+}
+const replay = pairStatusModel(completedPair, "ppt_good", 1);
+if (replay.code !== 401) {
+  throw new Error("reused completed poll token should fail");
+}
+console.log("crc pair-status poll token checks passed");

package/src/hosted-mcp/server.mjs CHANGED Viewed

@@ -2599,7 +2599,7 @@ const httpServer = createServer(async (req, res) => {
 const CODEX_PAIR_EXPIRY_MS = 5 * 60 * 1000;
 const CODEX_PAIR_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
-const codexPairings = {};       // pairing_id -> { code, status, expires, daemon_info, apiKey?, agentId?, handle?, daemon_public_key?, crypto_versions? }
+const codexPairings = {};       // pairing_id -> { code, status, expires, poll_token, poll_token_used?, daemon_info, apiKey?, agentId?, handle?, daemon_public_key?, crypto_versions? }
 const codexPairingByCode = {};  // code -> pairing_id (only while pending)
 const codexDaemons = new Map(); // agentId -> ws
 const codexWebClients = new Map(); // `${agentId}:${threadId}` -> Set<ws>
@@ -2689,16 +2689,30 @@ function generateCodexPairingCode() {
   throw new Error("Could not generate unique codex-relay pairing code");
 }
+function generateCodexPairPollToken() {
+  return "ppt_" + randomBytes(32).toString("base64url");
+}
+function getBearerToken(req) {
+  const auth = req.headers["authorization"];
+  if (typeof auth !== "string" || !auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token || null;
+}
 async function handleCodexPairInit(req, res) {
   let body = {};
   try { body = (await readBody(req)) || {}; } catch {}
   const code = generateCodexPairingCode();
   const pairingId = randomUUID();
+  const pollToken = generateCodexPairPollToken();
   const expires = Date.now() + CODEX_PAIR_EXPIRY_MS;
   codexPairings[pairingId] = {
     code,
     status: "pending",
     expires,
+    poll_token: pollToken,
+    poll_token_used: false,
     daemon_info: {
       hostname: typeof body.hostname === "string" ? body.hostname.slice(0, 64) : null,
       platform: typeof body.platform === "string" ? body.platform.slice(0, 32) : null,
@@ -2721,6 +2735,7 @@ async function handleCodexPairInit(req, res) {
   json(res, 200, {
     code,
     pairing_id: pairingId,
+    pair_poll_token: pollToken,
     web_url: ISSUER_URL + "/login?next=" + encodeURIComponent("/pair/" + code),
     expires_at: new Date(expires).toISOString(),
   });
@@ -2729,11 +2744,19 @@ async function handleCodexPairInit(req, res) {
 function handleCodexPairStatus(req, res, pairingId) {
   const p = codexPairings[pairingId];
   if (!p) { json(res, 404, { error: "pairing not found" }); return; }
-  if (p.status === "pending" && Date.now() > p.expires) {
+  if (Date.now() > p.expires) {
     p.status = "expired";
     if (codexPairingByCode[p.code] === pairingId) delete codexPairingByCode[p.code];
+    json(res, 401, { error: "pair_poll_token_expired" });
+    return;
+  }
+  const pollToken = getBearerToken(req);
+  if (!pollToken || pollToken !== p.poll_token || p.poll_token_used) {
+    json(res, 401, { error: "invalid_pair_poll_token" });
+    return;
   }
   if (p.status === "completed") {
+    p.poll_token_used = true;
     json(res, 200, { status: "completed", api_key: p.apiKey, handle: p.handle || p.agentId });
   } else {
     json(res, 200, { status: p.status });