@wipcomputer/wip-ldm-os 0.4.85-alpha.7 → 0.4.85-alpha.9

package/lib/deploy.mjs

@@ -1258,6 +1258,58 @@ function copySkillTree(skillDir, dest, copyFullFolder = false) {
   }
 }
 
+const SKILL_COMPANION_DIRS = ['references', 'agents', 'scripts', 'assets'];
+
+function listSkillCopyEntries(skillDir, copyFullFolder = false) {
+  if (copyFullFolder) {
+    try {
+      return readdirSync(skillDir)
+        .filter((entry) => entry !== '.DS_Store')
+        .sort();
+    } catch {
+      return ['SKILL.md'];
+    }
+  }
+
+  const entries = ['SKILL.md'];
+  for (const child of SKILL_COMPANION_DIRS) {
+    if (existsSync(join(skillDir, child))) entries.push(`${child}/`);
+  }
+  return entries;
+}
+
+function printSkillDryRunPlan({ sourceSkillDir, refsSrc, toolName, harnesses, workspace, entries }) {
+  const formatTargetEntries = (base) => entries.map((entry) => join(base, entry));
+  const harnessTargets = Object.entries(harnesses)
+    .filter(([, h]) => h.detected && h.skills)
+    .map(([name, h]) => ({ name, base: join(h.skills, toolName) }));
+
+  ok(`Skill: ${toolName}`);
+  log(`Source: ${sourceSkillDir}`);
+  log('Would copy:');
+  for (const entry of entries) log(`- ${entry}`);
+
+  const permanentBase = join(LDM_EXTENSIONS, toolName);
+  log('Permanent copy:');
+  for (const target of formatTargetEntries(permanentBase)) log(`- ${target}`);
+
+  if (harnessTargets.length > 0) {
+    log('Agent skill targets:');
+    for (const target of harnessTargets) {
+      log(`- ${target.name}: ${target.base}`);
+      for (const entryTarget of formatTargetEntries(target.base)) log(`  - ${entryTarget}`);
+    }
+  } else {
+    log('Agent skill targets: no detected skill harnesses');
+  }
+
+  if (existsSync(refsSrc) && workspace && existsSync(workspace)) {
+    const homeRefsDest = join(workspace, 'settings', 'docs', 'skills', toolName);
+    log('Workspace docs target:');
+    log(`- ${homeRefsDest} (references/ only)`);
+  }
+}
+
 function installSkillFolder(skillDir, toolName, opts = {}) {
   const { harnesses, workspace } = getHarnesses();
 
@@ -1281,17 +1333,8 @@ function installSkillFolder(skillDir, toolName, opts = {}) {
   if (!existsSync(refsSrc) && existsSync(permanentRefs)) refsSrc = permanentRefs;
 
   if (DRY_RUN) {
-    const targets = Object.entries(harnesses)
-      .filter(([,h]) => h.detected && h.skills)
-      .map(([,h]) => join(h.skills, toolName));
-    ok(`Skill: ${toolName}`);
-    log(`Source: ${sourceSkillDir}`);
-    if (targets.length > 0) {
-      log(`Targets:`);
-      for (const target of targets) log(`- ${target}`);
-    } else {
-      log(`Targets: no detected skill harnesses`);
-    }
+    const entries = listSkillCopyEntries(sourceSkillDir, opts.copyFullFolder);
+    printSkillDryRunPlan({ sourceSkillDir, refsSrc, toolName, harnesses, workspace, entries });
     return true;
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.85-alpha.7",
+  "version": "0.4.85-alpha.9",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {
@@ -24,11 +24,13 @@
     "test:installer-update-tracks": "node scripts/test-installer-update-tracks.mjs",
     "test:installer-hook-toolname": "node scripts/test-installer-hook-toolname.mjs",
     "test:installer-skill-directory": "node scripts/test-installer-skill-directory.mjs",
+    "test:installer-skill-dry-run-destinations": "node scripts/test-installer-skill-dry-run-destinations.mjs",
     "test:ldm-install-bin-shim": "node scripts/test-ldm-install-preserves-foreign-bin.mjs",
     "test:doctor-cron-target": "node scripts/test-doctor-cron-target.mjs",
     "test:bin-manifest": "node scripts/test-bin-manifest.mjs",
     "test:crc-agentid-tenant-boundary": "node scripts/test-crc-agentid-tenant-boundary.mjs",
     "test:crc-pair-login-flow": "node scripts/test-crc-pair-login-flow.mjs",
+    "test:crc-pair-status-poll-token": "node scripts/test-crc-pair-status-poll-token.mjs",
     "test:crc-e2ee-session-route": "node scripts/test-crc-e2ee-session-route.mjs",
     "fmt": "npx prettier --write 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'",
     "fmt:check": "npx prettier --check 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'"

package/scripts/test-crc-pair-status-poll-token.mjs

@@ -0,0 +1,73 @@
+import { readFileSync } from "node:fs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+
+function assertContains(needle, label) {
+  if (!server.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assertNotContains(needle, label) {
+  if (server.includes(needle)) {
+    throw new Error(`${label} still contains forbidden text: ${needle}`);
+  }
+}
+
+assertContains("function generateCodexPairPollToken()", "pair poll token generator");
+assertContains('return "ppt_" + randomBytes(32).toString("base64url");', "pair poll token entropy");
+assertContains("function getBearerToken(req)", "bearer token helper");
+assertContains("const pollToken = generateCodexPairPollToken();", "pair-init mints poll token");
+assertContains("poll_token: pollToken,", "pair state stores poll token");
+assertContains("poll_token_used: false,", "pair state tracks token consumption");
+assertContains("pair_poll_token: pollToken,", "pair-init returns poll token to daemon");
+assertContains('json(res, 401, { error: "pair_poll_token_expired" });', "expired token rejected");
+assertContains('json(res, 401, { error: "invalid_pair_poll_token" });', "missing or wrong token rejected");
+assertContains("if (!pollToken || pollToken !== p.poll_token || p.poll_token_used)", "pair-status validates token");
+assertContains("p.poll_token_used = true;", "completed credential response consumes token");
+
+function pairStatusModel(pair, bearer, now) {
+  if (now > pair.expires) return { code: 401, body: { error: "pair_poll_token_expired" } };
+  if (!bearer || bearer !== pair.poll_token || pair.poll_token_used) {
+    return { code: 401, body: { error: "invalid_pair_poll_token" } };
+  }
+  if (pair.status === "completed") {
+    pair.poll_token_used = true;
+    return { code: 200, body: { status: "completed", api_key: pair.apiKey, handle: pair.handle } };
+  }
+  return { code: 200, body: { status: pair.status } };
+}
+
+const pair = {
+  status: "pending",
+  expires: 10_000,
+  poll_token: "ppt_good",
+  poll_token_used: false,
+  apiKey: "ck_secret",
+  handle: "Parker",
+};
+
+if (pairStatusModel({ ...pair }, null, 1).code !== 401) {
+  throw new Error("missing poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_wrong", 1).code !== 401) {
+  throw new Error("wrong poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_good", 20_000).code !== 401) {
+  throw new Error("expired poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_good", 1).body.status !== "pending") {
+  throw new Error("correct poll token should return pending before completion");
+}
+
+const completedPair = { ...pair, status: "completed" };
+const completed = pairStatusModel(completedPair, "ppt_good", 1);
+if (completed.code !== 200 || completed.body.api_key !== "ck_secret") {
+  throw new Error("correct poll token should return completed credential once");
+}
+const replay = pairStatusModel(completedPair, "ppt_good", 1);
+if (replay.code !== 401) {
+  throw new Error("reused completed poll token should fail");
+}
+
+console.log("crc pair-status poll token checks passed");

package/scripts/test-installer-skill-dry-run-destinations.mjs

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+
+const home = mkdtempSync(join(tmpdir(), 'ldm-skill-dry-run-home-'));
+const source = mkdtempSync(join(tmpdir(), 'ldm-skill-dry-run-source-'));
+
+function assert(condition, message) {
+  if (!condition) throw new Error(message);
+}
+
+try {
+  process.env.HOME = home;
+
+  for (const dir of ['.claude', '.openclaw', '.codex', '.agents']) {
+    mkdirSync(join(home, dir), { recursive: true });
+  }
+
+  const workspace = join(home, 'workspace');
+  mkdirSync(workspace, { recursive: true });
+  mkdirSync(join(home, '.ldm'), { recursive: true });
+  writeFileSync(join(home, '.ldm', 'config.json'), JSON.stringify({
+    workspace,
+    harnesses: {
+      'claude-code': {
+        detected: true,
+        home: join(home, '.claude'),
+        skills: join(home, '.claude', 'skills'),
+      },
+      openclaw: {
+        detected: true,
+        home: join(home, '.openclaw'),
+        skills: join(home, '.openclaw', 'skills'),
+      },
+      codex: {
+        detected: true,
+        home: join(home, '.codex'),
+        skills: join(home, '.codex', 'skills'),
+      },
+      'wip-agents': {
+        detected: true,
+        home: join(home, '.agents'),
+        skills: join(home, '.agents', 'skills'),
+      },
+    },
+  }, null, 2));
+
+  mkdirSync(join(source, 'references'), { recursive: true });
+  mkdirSync(join(source, 'agents'), { recursive: true });
+  writeFileSync(join(source, 'package.json'), JSON.stringify({
+    name: '@wipcomputer/wip-ai-chat-ui',
+    version: '0.1.1',
+  }, null, 2));
+  writeFileSync(join(source, 'SKILL.md'), '---\nname: wip-ai-chat-ui\ndescription: "test skill"\n---\n\n# Test Skill\n');
+  writeFileSync(join(source, 'references', 'stack.md'), '# Stack\n');
+  writeFileSync(join(source, 'agents', 'openai.yaml'), 'display_name: "WIP AI Chat UI"\n');
+
+  const { setFlags, installFromPath } = await import('../lib/deploy.mjs');
+
+  const lines = [];
+  const originalLog = console.log;
+  console.log = (...args) => lines.push(args.join(' '));
+
+  try {
+    setFlags({ dryRun: true, jsonOutput: false });
+    const result = await installFromPath(source);
+    assert(result.interfaces === 1, 'dry run should process one skill interface');
+  } finally {
+    console.log = originalLog;
+  }
+
+  const output = lines.join('\n');
+
+  for (const expected of [
+    'Would copy:',
+    '- SKILL.md',
+    '- references/',
+    '- agents/',
+    'Permanent copy:',
+    join(home, '.ldm', 'extensions', 'wip-ai-chat-ui', 'SKILL.md'),
+    join(home, '.ldm', 'extensions', 'wip-ai-chat-ui', 'references/'),
+    'Agent skill targets:',
+    `claude-code: ${join(home, '.claude', 'skills', 'wip-ai-chat-ui')}`,
+    join(home, '.claude', 'skills', 'wip-ai-chat-ui', 'SKILL.md'),
+    `openclaw: ${join(home, '.openclaw', 'skills', 'wip-ai-chat-ui')}`,
+    join(home, '.openclaw', 'skills', 'wip-ai-chat-ui', 'references/'),
+    `codex: ${join(home, '.codex', 'skills', 'wip-ai-chat-ui')}`,
+    `wip-agents: ${join(home, '.agents', 'skills', 'wip-ai-chat-ui')}`,
+    'Workspace docs target:',
+    `${join(workspace, 'settings', 'docs', 'skills', 'wip-ai-chat-ui')} (references/ only)`,
+  ]) {
+    assert(output.includes(expected), `dry-run output should include ${expected}\n\n${output}`);
+  }
+
+  console.log('installer skill dry-run destinations regression passed');
+} finally {
+  rmSync(home, { recursive: true, force: true });
+  rmSync(source, { recursive: true, force: true });
+}

package/src/hosted-mcp/server.mjs

@@ -2599,7 +2599,7 @@ const httpServer = createServer(async (req, res) => {
 
 const CODEX_PAIR_EXPIRY_MS = 5 * 60 * 1000;
 const CODEX_PAIR_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
-const codexPairings = {};       // pairing_id -> { code, status, expires, daemon_info, apiKey?, agentId?, handle?, daemon_public_key?, crypto_versions? }
+const codexPairings = {};       // pairing_id -> { code, status, expires, poll_token, poll_token_used?, daemon_info, apiKey?, agentId?, handle?, daemon_public_key?, crypto_versions? }
 const codexPairingByCode = {};  // code -> pairing_id (only while pending)
 const codexDaemons = new Map(); // agentId -> ws
 const codexWebClients = new Map(); // `${agentId}:${threadId}` -> Set<ws>
@@ -2689,16 +2689,30 @@ function generateCodexPairingCode() {
   throw new Error("Could not generate unique codex-relay pairing code");
 }
 
+function generateCodexPairPollToken() {
+  return "ppt_" + randomBytes(32).toString("base64url");
+}
+
+function getBearerToken(req) {
+  const auth = req.headers["authorization"];
+  if (typeof auth !== "string" || !auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token || null;
+}
+
 async function handleCodexPairInit(req, res) {
   let body = {};
   try { body = (await readBody(req)) || {}; } catch {}
   const code = generateCodexPairingCode();
   const pairingId = randomUUID();
+  const pollToken = generateCodexPairPollToken();
   const expires = Date.now() + CODEX_PAIR_EXPIRY_MS;
   codexPairings[pairingId] = {
     code,
     status: "pending",
     expires,
+    poll_token: pollToken,
+    poll_token_used: false,
     daemon_info: {
       hostname: typeof body.hostname === "string" ? body.hostname.slice(0, 64) : null,
       platform: typeof body.platform === "string" ? body.platform.slice(0, 32) : null,
@@ -2721,6 +2735,7 @@ async function handleCodexPairInit(req, res) {
   json(res, 200, {
     code,
     pairing_id: pairingId,
+    pair_poll_token: pollToken,
     web_url: ISSUER_URL + "/login?next=" + encodeURIComponent("/pair/" + code),
     expires_at: new Date(expires).toISOString(),
   });
@@ -2729,11 +2744,19 @@ async function handleCodexPairInit(req, res) {
 function handleCodexPairStatus(req, res, pairingId) {
   const p = codexPairings[pairingId];
   if (!p) { json(res, 404, { error: "pairing not found" }); return; }
-  if (p.status === "pending" && Date.now() > p.expires) {
+  if (Date.now() > p.expires) {
     p.status = "expired";
     if (codexPairingByCode[p.code] === pairingId) delete codexPairingByCode[p.code];
+    json(res, 401, { error: "pair_poll_token_expired" });
+    return;
+  }
+  const pollToken = getBearerToken(req);
+  if (!pollToken || pollToken !== p.poll_token || p.poll_token_used) {
+    json(res, 401, { error: "invalid_pair_poll_token" });
+    return;
   }
   if (p.status === "completed") {
+    p.poll_token_used = true;
     json(res, 200, { status: "completed", api_key: p.apiKey, handle: p.handle || p.agentId });
   } else {
     json(res, 200, { status: p.status });