auxly-cli 1.0.21

package/README.md

@@ -0,0 +1,26 @@
+# auxly-cli
+
+Local-first unified memory system for AI agents. This package downloads the
+prebuilt [`auxly`](https://auxly.io) binary for your platform and verifies it
+against the project's **minisign-signed** checksum manifest before installing.
+
+```bash
+npm install -g auxly-cli
+auxly --help
+```
+
+## How it works
+
+- On install, a `postinstall` step downloads `auxly-<os>-<arch>` from the GitHub
+  release matching this package's version.
+- It fetches the signed `auxly-<version>-checksums.txt` + `.minisig`, verifies the
+  **minisign signature** against the pinned public key (compiled into the Go binary
+  too), and checks the binary's **SHA-256** against the signed manifest.
+- The verified binary is vendored locally and exposed as the `auxly` command.
+
+Set `AUXLY_REQUIRE_SIGNATURE=1` to hard-fail if a signed manifest is unavailable
+(by default, an unsigned legacy release installs over HTTPS without verification).
+
+Supported: macOS / Linux / Windows on x64 / arm64. Node ≥ 16.
+
+License: MIT · <https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli>

package/bin/auxly.js

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+'use strict'
+// Thin shim: exec the vendored auxly binary, forwarding args + stdio + exit code.
+const path = require('path')
+const { spawnSync } = require('child_process')
+
+const ext = process.platform === 'win32' ? '.exe' : ''
+const bin = path.join(__dirname, '..', 'vendor', `auxly${ext}`)
+
+const res = spawnSync(bin, process.argv.slice(2), { stdio: 'inherit' })
+if (res.error) {
+  if (res.error.code === 'ENOENT') {
+    console.error('auxly: binary not found — reinstall with `npm rebuild auxly-cli` or `npm i -g auxly-cli`')
+  } else {
+    console.error(`auxly: ${res.error.message}`)
+  }
+  process.exit(1)
+}
+process.exit(res.status === null ? 1 : res.status)

package/install.js

@@ -0,0 +1,109 @@
+#!/usr/bin/env node
+'use strict'
+// postinstall: download the matching auxly binary for this platform from the
+// GitHub release that corresponds to THIS package version, verify it against the
+// minisign-signed checksum manifest (pinned key), and drop it in vendor/.
+//
+// Pure Node stdlib — no dependencies. Mirrors the security posture of
+// scripts/install.sh + internal/update/verify.go (SHA-256 integrity + minisign).
+
+const fs = require('fs')
+const os = require('os')
+const path = require('path')
+const https = require('https')
+const { sha256Hex, manifestHasHash, verifyMinisign } = require('./lib/verify')
+
+const REPO = 'Tzamun-Arabia-IT-Co/auxly-memory-cli'
+const { version } = require('./package.json')
+
+function target() {
+  const platform = { darwin: 'darwin', linux: 'linux', win32: 'windows' }[os.platform()]
+  const arch = { x64: 'amd64', arm64: 'arm64' }[os.arch()]
+  if (!platform || !arch) {
+    throw new Error(`unsupported platform/arch: ${os.platform()}/${os.arch()}`)
+  }
+  const ext = platform === 'windows' ? '.exe' : ''
+  return { platform, arch, ext, binName: `auxly-${platform}-${arch}${ext}` }
+}
+
+// GET with redirect following (GitHub release assets redirect to a CDN). Returns a Buffer.
+function fetchBuffer(url, redirects = 0) {
+  return new Promise((resolve, reject) => {
+    if (redirects > 8) return reject(new Error('too many redirects'))
+    https
+      .get(url, { headers: { 'User-Agent': 'auxly-npm-installer' } }, (res) => {
+        if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          res.resume()
+          const next = new URL(res.headers.location, url).toString()
+          return resolve(fetchBuffer(next, redirects + 1))
+        }
+        if (res.statusCode !== 200) {
+          res.resume()
+          return reject(new Error(`HTTP ${res.statusCode} for ${url}`))
+        }
+        const chunks = []
+        res.on('data', (c) => chunks.push(c))
+        res.on('end', () => resolve(Buffer.concat(chunks)))
+      })
+      .on('error', reject)
+  })
+}
+
+async function main() {
+  const { binName, ext } = target()
+  const base = `https://github.com/${REPO}/releases/download/v${version}`
+  const manifestName = `auxly-${version}-checksums.txt`
+
+  console.log(`auxly: downloading ${binName} (v${version})…`)
+  const bin = await fetchBuffer(`${base}/${binName}`)
+
+  // Integrity + authenticity. Every release this package targets (it is version-
+  // locked to a release tag) ships a signed manifest, so verification is REQUIRED
+  // by default — a missing or junk manifest aborts rather than silently installing
+  // an unverified binary. AUXLY_ALLOW_UNSIGNED=1 relaxes this for emergencies.
+  const allowUnsigned = process.env.AUXLY_ALLOW_UNSIGNED === '1'
+  let manifest, sig
+  try {
+    manifest = (await fetchBuffer(`${base}/${manifestName}`)).toString('utf8')
+    sig = (await fetchBuffer(`${base}/${manifestName}.minisig`)).toString('utf8')
+  } catch (e) {
+    if (!allowUnsigned) {
+      throw new Error(
+        `signed manifest unavailable (${e.message}) and verification is required ` +
+          '— set AUXLY_ALLOW_UNSIGNED=1 only if you accept an unverified install'
+      )
+    }
+    console.warn(`auxly: AUXLY_ALLOW_UNSIGNED=1 — installing without verification (${e.message})`)
+    return writeBinary(bin)
+  }
+
+  if (!/^[0-9a-f]{64}\s+\S/m.test(manifest)) {
+    if (!allowUnsigned) {
+      throw new Error('fetched manifest is not a checksums file — refusing to install')
+    }
+    console.warn('auxly: AUXLY_ALLOW_UNSIGNED=1 — manifest is not a checksums file; installing unverified')
+    return writeBinary(bin)
+  }
+
+  verifyMinisign(Buffer.from(manifest, 'utf8'), sig) // throws on failure
+  if (!manifestHasHash(manifest, sha256Hex(bin))) {
+    throw new Error('downloaded binary SHA-256 is not in the signed manifest — refusing to install')
+  }
+  console.log('auxly: signature + checksum verified ✔')
+  return writeBinary(bin)
+}
+
+function writeBinary(bin) {
+  const { ext } = target()
+  const vendorDir = path.join(__dirname, 'vendor')
+  fs.mkdirSync(vendorDir, { recursive: true })
+  const dest = path.join(vendorDir, `auxly${ext}`)
+  fs.writeFileSync(dest, bin, { mode: 0o755 })
+  console.log(`auxly: installed -> ${dest}`)
+}
+
+main().catch((err) => {
+  console.error(`\nauxly install failed: ${err.message}`)
+  console.error('You can install manually from https://github.com/' + REPO + '/releases')
+  process.exit(1)
+})

package/lib/verify.js

@@ -0,0 +1,91 @@
+'use strict'
+// Minisign verification for the auxly npm wrapper.
+//
+// The auxly release CI signs the checksum manifest with minisign (prehashed
+// "ED" mode: ed25519 over BLAKE2b-512 of the file). This module verifies that
+// signature against the PINNED public key — the same key compiled into the Go
+// binary (internal/update/verify.go) — plus the SHA-256 integrity of the
+// downloaded binary against the signed manifest. Pure Node stdlib, no deps:
+// crypto.createHash('blake2b512') + crypto.verify(null, …, ed25519).
+
+const crypto = require('crypto')
+
+// Pinned minisign public key (base64). MUST match internal/update/verify.go.
+const PUBKEY_B64 = 'RWQfIGHWpXR4MtPvcbWwN1J7mx9FGsCaHMmdIpGMZAKDvmILC2Of5Q/K'
+
+// SPKI DER prefix for a raw 32-byte Ed25519 public key.
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex')
+
+function sha256Hex(buf) {
+  return crypto.createHash('sha256').update(buf).digest('hex')
+}
+
+// True if hashHex appears as the first whitespace-delimited field of any manifest
+// line (mirrors manifestHasHash in internal/update/verify.go — a full field match,
+// never a substring).
+function manifestHasHash(manifestText, hashHex) {
+  const want = hashHex.toLowerCase()
+  return manifestText.split('\n').some((line) => {
+    const first = line.trim().split(/\s+/)[0]
+    return first && first.toLowerCase() === want
+  })
+}
+
+function ed25519PublicKey(raw32) {
+  const der = Buffer.concat([ED25519_SPKI_PREFIX, raw32])
+  return crypto.createPublicKey({ key: der, format: 'der', type: 'spki' })
+}
+
+// Verify a minisign signature (.minisig text) over fileBuf using the pinned key.
+// Verifies BOTH the file signature and the global (trusted-comment) signature,
+// exactly as the minisign CLI does. Throws on any failure.
+function verifyMinisign(fileBuf, minisigText) {
+  const pub = Buffer.from(PUBKEY_B64, 'base64') // [2 algo][8 keyid][32 key]
+  if (pub.length !== 42) throw new Error('pinned public key malformed')
+  const pubKeyId = pub.subarray(2, 10)
+  const key = ed25519PublicKey(pub.subarray(10, 42))
+
+  // .minisig layout (4 meaningful lines):
+  //   0: untrusted comment: …
+  //   1: base64( [2 algo][8 keyid][64 sig] )
+  //   2: trusted comment: <text>
+  //   3: base64( [64 global sig] )  — ed25519 over (sig || trusted-comment text)
+  const lines = minisigText.split('\n')
+  const sigLine = (lines[1] || '').trim()
+  const trustedLine = (lines[2] || '')
+  const globalLine = (lines[3] || '').trim()
+  if (!sigLine || !globalLine) throw new Error('minisig truncated')
+
+  const sigBlob = Buffer.from(sigLine, 'base64')
+  if (sigBlob.length !== 74) throw new Error('minisig signature block malformed')
+  const algo = sigBlob.subarray(0, 2).toString('latin1')
+  const sigKeyId = sigBlob.subarray(2, 10)
+  const sig = sigBlob.subarray(10, 74)
+  if (!sigKeyId.equals(pubKeyId)) throw new Error('minisign key id mismatch')
+
+  let message
+  if (algo === 'ED') {
+    message = crypto.createHash('blake2b512').update(fileBuf).digest() // prehashed
+  } else if (algo === 'Ed') {
+    message = fileBuf // legacy
+  } else {
+    throw new Error('unsupported minisign algorithm: ' + algo)
+  }
+  if (!crypto.verify(null, message, key, sig)) {
+    throw new Error('minisign file signature is INVALID')
+  }
+
+  // Global signature binds the trusted comment to the signature.
+  const prefix = 'trusted comment:'
+  const idx = trustedLine.indexOf(prefix)
+  const trustedComment = idx >= 0 ? trustedLine.slice(idx + prefix.length).replace(/^\s/, '') : ''
+  const globalSig = Buffer.from(globalLine, 'base64')
+  if (globalSig.length !== 64) throw new Error('minisig global signature malformed')
+  const globalMsg = Buffer.concat([sig, Buffer.from(trustedComment, 'utf8')])
+  if (!crypto.verify(null, globalMsg, key, globalSig)) {
+    throw new Error('minisign trusted-comment signature is INVALID')
+  }
+  return { trustedComment }
+}
+
+module.exports = { sha256Hex, manifestHasHash, verifyMinisign, PUBKEY_B64 }

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "auxly-cli",
+  "version": "1.0.21",
+  "description": "Local-first unified memory system for AI agents — installs the prebuilt, signature-verified auxly binary.",
+  "keywords": [
+    "auxly",
+    "ai",
+    "memory",
+    "mcp",
+    "cli",
+    "agents"
+  ],
+  "homepage": "https://auxly.io",
+  "bugs": "https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli/issues",
+  "license": "MIT",
+  "author": "Tzamun Arabia IT Co. <hi@auxly.io>",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli.git",
+    "directory": "npm"
+  },
+  "bin": {
+    "auxly": "bin/auxly.js"
+  },
+  "scripts": {
+    "postinstall": "node install.js"
+  },
+  "files": [
+    "install.js",
+    "bin/auxly.js",
+    "lib/verify.js",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=16"
+  },
+  "os": [
+    "darwin",
+    "linux",
+    "win32"
+  ],
+  "cpu": [
+    "x64",
+    "arm64"
+  ]
+}