avorelo 0.1.0 → 0.3.0

package/scripts/lib/http-hook-action.js

@@ -1,538 +0,0 @@
-"use strict";
-
-const http = require("http");
-const https = require("https");
-const dns = require("dns").promises;
-const net = require("net");
-const crypto = require("crypto");
-
-const DEFAULT_HTTP_POLICY = {
-  enabled: true,
-  mode: "strict",
-  allowedDomains: ["api.github.com", "www.reddit.com", "oauth.reddit.com", "api.linkedin.com"],
-  allowedSchemes: ["https"],
-  allowedMethods: ["POST"],
-  blockPrivateCidrs: true,
-  allowLocalhostInDev: false,
-  maxPayloadBytes: 16384,
-  maxResponseBytes: 32768,
-  timeoutMs: 1500,
-  maxRetries: 1,
-  backoffMs: 150,
-  requireHmac: true,
-  replayWindowSec: 300,
-  allowedPorts: [443],
-  maxRedirects: 0,
-  redactionAllowlist: ["event", "ts", "project", "sourcePlatform", "reasonCodes"],
-};
-
-class HookPolicyError extends Error {
-  constructor(code, message, policyRuleId = null) {
-    super(message);
-    this.name = "HookPolicyError";
-    this.code = code;
-    this.errorClass = "policy";
-    this.policyRuleId = policyRuleId;
-  }
-}
-
-class HookNetworkError extends Error {
-  constructor(code, message) {
-    super(message);
-    this.name = "HookNetworkError";
-    this.code = code;
-    this.errorClass = "network";
-  }
-}
-
-function normalizePolicy(input) {
-  const raw = input && typeof input === "object" ? input : {};
-  const policy = { ...DEFAULT_HTTP_POLICY, ...raw };
-
-  if (!["off", "strict", "aggressive"].includes(policy.mode)) {
-    policy.mode = DEFAULT_HTTP_POLICY.mode;
-  }
-
-  policy.enabled = policy.enabled !== false;
-  policy.allowedDomains = Array.isArray(policy.allowedDomains)
-    ? policy.allowedDomains.map((x) => String(x).trim().toLowerCase()).filter(Boolean)
-    : DEFAULT_HTTP_POLICY.allowedDomains.slice();
-  policy.allowedSchemes = Array.isArray(policy.allowedSchemes)
-    ? policy.allowedSchemes.map((x) => String(x).replace(/:$/g, "").toLowerCase()).filter(Boolean)
-    : DEFAULT_HTTP_POLICY.allowedSchemes.slice();
-  policy.allowedMethods = Array.isArray(policy.allowedMethods)
-    ? policy.allowedMethods.map((x) => String(x).toUpperCase()).filter(Boolean)
-    : DEFAULT_HTTP_POLICY.allowedMethods.slice();
-
-  policy.blockPrivateCidrs = policy.blockPrivateCidrs !== false;
-  policy.allowLocalhostInDev = policy.allowLocalhostInDev === true;
-  policy.maxPayloadBytes = Number.isFinite(Number(policy.maxPayloadBytes)) ? Math.max(256, Number(policy.maxPayloadBytes)) : DEFAULT_HTTP_POLICY.maxPayloadBytes;
-  policy.maxResponseBytes = Number.isFinite(Number(policy.maxResponseBytes)) ? Math.max(256, Number(policy.maxResponseBytes)) : DEFAULT_HTTP_POLICY.maxResponseBytes;
-  policy.timeoutMs = Number.isFinite(Number(policy.timeoutMs)) ? Math.max(100, Number(policy.timeoutMs)) : DEFAULT_HTTP_POLICY.timeoutMs;
-  policy.maxRetries = Number.isFinite(Number(policy.maxRetries)) ? Math.max(0, Number(policy.maxRetries)) : DEFAULT_HTTP_POLICY.maxRetries;
-  policy.backoffMs = Number.isFinite(Number(policy.backoffMs)) ? Math.max(10, Number(policy.backoffMs)) : DEFAULT_HTTP_POLICY.backoffMs;
-  policy.requireHmac = policy.requireHmac !== false;
-  policy.replayWindowSec = Number.isFinite(Number(policy.replayWindowSec)) ? Math.max(30, Number(policy.replayWindowSec)) : DEFAULT_HTTP_POLICY.replayWindowSec;
-  policy.allowedPorts = Array.isArray(policy.allowedPorts)
-    ? policy.allowedPorts
-        .map((x) => Number(x))
-        .filter((x) => Number.isInteger(x) && x > 0 && x <= 65535)
-    : DEFAULT_HTTP_POLICY.allowedPorts.slice();
-  policy.maxRedirects = Number.isFinite(Number(policy.maxRedirects)) ? Math.max(0, Number(policy.maxRedirects)) : (policy.mode === "strict" ? 0 : 2);
-  if (!Array.isArray(policy.redactionAllowlist)) {
-    policy.redactionAllowlist = DEFAULT_HTTP_POLICY.redactionAllowlist.slice();
-  }
-
-  if (policy.mode === "aggressive") {
-    if (policy.allowedMethods.length === 0) policy.allowedMethods = ["GET", "POST"];
-    if (policy.allowedSchemes.length === 0) policy.allowedSchemes = ["https", "http"];
-    if (policy.allowedPorts.length === 0) policy.allowedPorts = [443, 80];
-  }
-
-  return policy;
-}
-
-function signBody(body, secret, ts, nonce) {
-  const data = typeof body === "string" ? body : JSON.stringify(body || {});
-  const envelope = `${ts}.${nonce}.${data}`;
-  return crypto.createHmac("sha256", secret).update(envelope).digest("hex");
-}
-
-function hostnameAllowed(hostname, allowedDomains) {
-  if (!Array.isArray(allowedDomains) || allowedDomains.length === 0) return true;
-  const h = String(hostname || "").toLowerCase();
-  return allowedDomains.some((d) => h === d || h.endsWith(`.${d}`));
-}
-
-function defaultPortForScheme(scheme) {
-  return scheme === "https" ? 443 : scheme === "http" ? 80 : 0;
-}
-
-function validateEndpoint(endpoint, policyInput) {
-  const policy = normalizePolicy(policyInput);
-  if (!policy.enabled || policy.mode === "off") {
-    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", "HTTP hook actions are disabled by policy.", "enabled");
-  }
-
-  let url;
-  try {
-    url = new URL(String(endpoint || ""));
-  } catch {
-    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", "Invalid endpoint URL.", "endpoint-format");
-  }
-
-  const scheme = String(url.protocol || "").replace(/:$/g, "").toLowerCase();
-  if (!policy.allowedSchemes.includes(scheme)) {
-    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", `Scheme '${scheme}' is not allowed.`, "allowedSchemes");
-  }
-
-  if (url.username || url.password) {
-    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", "Embedded credentials in URL are not allowed.", "url-credentials");
-  }
-
-  if (!hostnameAllowed(url.hostname, policy.allowedDomains)) {
-    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", `Host '${url.hostname}' is not allowlisted.`, "allowedDomains");
-  }
-
-  const port = url.port ? Number(url.port) : defaultPortForScheme(scheme);
-  if (!policy.allowedPorts.includes(port)) {
-    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", `Port '${port}' is not allowed.`, "allowedPorts");
-  }
-
-  return {
-    url,
-    scheme,
-    hostname: url.hostname,
-    port,
-    policy,
-  };
-}
-
-function isPrivateIPv4(ip) {
-  const parts = String(ip || "")
-    .split(".")
-    .map((x) => Number(x));
-  if (parts.length !== 4 || parts.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) return false;
-
-  const [a, b] = parts;
-  if (a === 10) return true;
-  if (a === 127) return true;
-  if (a === 0) return true;
-  if (a === 169 && b === 254) return true;
-  if (a === 172 && b >= 16 && b <= 31) return true;
-  if (a === 192 && b === 168) return true;
-  return false;
-}
-
-function isPrivateIPv6(ip) {
-  const v = String(ip || "").toLowerCase();
-  if (v === "::1" || v === "::") return true;
-  if (v.startsWith("fe80:")) return true;
-  if (v.startsWith("fc") || v.startsWith("fd")) return true;
-  return false;
-}
-
-function isPrivateAddress(ip) {
-  const kind = net.isIP(ip);
-  if (kind === 4) return isPrivateIPv4(ip);
-  if (kind === 6) return isPrivateIPv6(ip);
-  return false;
-}
-
-async function resolveAndBlockPrivateRanges(hostname, policyInput) {
-  const policy = normalizePolicy(policyInput);
-  if (!policy.blockPrivateCidrs) return { ok: true, addresses: [] };
-
-  const host = String(hostname || "").toLowerCase();
-  const devMode = process.env.NODE_ENV !== "production";
-  const localhostAliases = new Set(["localhost", "127.0.0.1", "::1"]);
-  if (localhostAliases.has(host) && policy.allowLocalhostInDev && devMode) {
-    return { ok: true, addresses: [host], bypassReason: "allowLocalhostInDev" };
-  }
-
-  let addresses = [];
-  if (net.isIP(host)) {
-    addresses = [host];
-  } else {
-    try {
-      const resolved = await dns.lookup(host, { all: true });
-      addresses = resolved.map((x) => x.address).filter(Boolean);
-    } catch (e) {
-      throw new HookNetworkError("HTTP_DNS_LOOKUP_FAILED", String(e && e.message ? e.message : e));
-    }
-  }
-
-  const blocked = addresses.some((ip) => isPrivateAddress(ip));
-  if (blocked) {
-    throw new HookPolicyError(
-      "SEC_HTTP_PRIVATE_NETWORK_BLOCKED",
-      `Resolved private/internal target for host '${host}'.`,
-      "blockPrivateCidrs"
-    );
-  }
-
-  return { ok: true, addresses };
-}
-
-function enforceMethodAllowlist(method, policyInput) {
-  const policy = normalizePolicy(policyInput);
-  const normalized = String(method || "POST").toUpperCase();
-  if (!policy.allowedMethods.includes(normalized)) {
-    throw new HookPolicyError("SEC_HTTP_METHOD_BLOCKED", `Method '${normalized}' is not allowed.`, "allowedMethods");
-  }
-  return normalized;
-}
-
-function enforcePayloadLimit(bytes, policyInput) {
-  const policy = normalizePolicy(policyInput);
-  const n = Number(bytes || 0);
-  if (n > policy.maxPayloadBytes) {
-    throw new HookPolicyError(
-      "SEC_HTTP_PAYLOAD_OVERSIZE",
-      `Payload size ${n} exceeds max ${policy.maxPayloadBytes}.`,
-      "maxPayloadBytes"
-    );
-  }
-  return n;
-}
-
-function enforceResponseLimit(bytes, policyInput) {
-  const policy = normalizePolicy(policyInput);
-  const n = Number(bytes || 0);
-  if (n > policy.maxResponseBytes) {
-    throw new HookPolicyError(
-      "SEC_HTTP_RESPONSE_OVERSIZE",
-      `Response size ${n} exceeds max ${policy.maxResponseBytes}.`,
-      "maxResponseBytes"
-    );
-  }
-  return n;
-}
-
-function verifyRedirectPolicy(statusCode, headers, policyInput) {
-  const policy = normalizePolicy(policyInput);
-  const code = Number(statusCode || 0);
-  const location = headers && (headers.location || headers.Location);
-  if (code >= 300 && code < 400 && location && policy.maxRedirects === 0) {
-    throw new HookPolicyError(
-      "SEC_HTTP_REDIRECT_BLOCKED",
-      "Redirect responses are blocked by policy.",
-      "maxRedirects"
-    );
-  }
-  return true;
-}
-
-function buildSignedHeaders(ts, nonce, signature) {
-  return {
-    "X-CCO-Timestamp": String(ts),
-    "X-CCO-Nonce": String(nonce),
-    "X-CCO-Signature": String(signature),
-    "X-CCO-Signature-Alg": "hmac-sha256",
-  };
-}
-
-function verifyReplayWindow(ts, nonce, nonceCache, policyInput) {
-  const policy = normalizePolicy(policyInput);
-  const nowSec = Math.floor(Date.now() / 1000);
-  const msgTs = Number(ts);
-  const key = String(nonce || "").trim();
-
-  if (!Number.isFinite(msgTs) || !key) {
-    throw new HookPolicyError("SEC_HTTP_REPLAY_BLOCKED", "Missing or invalid timestamp/nonce.", "replayWindowSec");
-  }
-
-  if (Math.abs(nowSec - msgTs) > policy.replayWindowSec) {
-    throw new HookPolicyError("SEC_HTTP_REPLAY_BLOCKED", "Timestamp outside replay window.", "replayWindowSec");
-  }
-
-  const cache = nonceCache && typeof nonceCache === "object" ? nonceCache : {};
-  Object.keys(cache).forEach((n) => {
-    if (Math.abs(nowSec - Number(cache[n])) > policy.replayWindowSec) {
-      delete cache[n];
-    }
-  });
-
-  if (Object.prototype.hasOwnProperty.call(cache, key)) {
-    throw new HookPolicyError("SEC_HTTP_REPLAY_BLOCKED", "Nonce was already used within replay window.", "replayWindowSec");
-  }
-
-  cache[key] = msgTs;
-  return cache;
-}
-
-function sanitizeResponsePreview(contentType, bytes, raw) {
-  const ct = String(contentType || "").toLowerCase();
-  const size = Number(bytes || 0);
-
-  if (!(ct.includes("json") || ct.startsWith("text/") || ct.includes("xml"))) {
-    return `<binary:${ct || "unknown"};bytes=${size}>`;
-  }
-
-  const text = String(raw || "");
-  return text.slice(0, 512);
-}
-
-function redactPayloadDeep(payload, keyPatternAllowlist) {
-  const allow = new Set((Array.isArray(keyPatternAllowlist) ? keyPatternAllowlist : []).map((x) => String(x).toLowerCase()));
-  const sensitive = /(token|secret|password|authorization|api[-_]?key|cookie|session|bearer|private.?key|client_secret)/i;
-
-  function walk(node, key) {
-    if (Array.isArray(node)) {
-      return node.map((item) => walk(item, key));
-    }
-
-    if (node && typeof node === "object") {
-      const out = {};
-      Object.keys(node).forEach((k) => {
-        out[k] = walk(node[k], k);
-      });
-      return out;
-    }
-
-    const keyName = String(key || "").toLowerCase();
-    if (keyName && sensitive.test(keyName) && !allow.has(keyName)) {
-      return "***";
-    }
-    return node;
-  }
-
-  return walk(payload && typeof payload === "object" ? payload : {}, "");
-}
-
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
-async function requestOnce(opts) {
-  const url = opts.url;
-  const method = opts.method;
-  const timeoutMs = Number(opts.timeoutMs);
-  const headers = opts.headers;
-  const body = opts.body;
-  const policy = opts.policy;
-
-  const lib = url.protocol === "https:" ? https : http;
-
-  return new Promise((resolve, reject) => {
-    let settled = false;
-
-    function safeReject(err) {
-      if (settled) return;
-      settled = true;
-      reject(err);
-    }
-
-    function safeResolve(val) {
-      if (settled) return;
-      settled = true;
-      resolve(val);
-    }
-
-    const req = lib.request(
-      {
-        protocol: url.protocol,
-        hostname: url.hostname,
-        port: url.port,
-        path: `${url.pathname}${url.search}`,
-        method,
-        headers,
-        timeout: timeoutMs,
-      },
-      (res) => {
-        try {
-          verifyRedirectPolicy(res.statusCode, res.headers, policy);
-        } catch (err) {
-          safeReject(err);
-          req.destroy();
-          return;
-        }
-
-        const chunks = [];
-        let bytes = 0;
-
-        res.on("data", (c) => {
-          try {
-            const buf = Buffer.isBuffer(c) ? c : Buffer.from(String(c));
-            bytes += buf.length;
-            enforceResponseLimit(bytes, policy);
-            chunks.push(buf);
-          } catch (err) {
-            safeReject(err);
-            req.destroy();
-          }
-        });
-
-        res.on("end", () => {
-          if (settled) return;
-          const buf = Buffer.concat(chunks);
-          const raw = buf.toString("utf8");
-          const contentType = res.headers["content-type"] || "";
-          safeResolve({
-            statusCode: res.statusCode || 0,
-            body: raw,
-            bytes,
-            headers: res.headers || {},
-            contentType,
-            preview: sanitizeResponsePreview(contentType, bytes, raw),
-          });
-        });
-      }
-    );
-
-    req.on("timeout", () => {
-      req.destroy(new HookNetworkError("HTTP_TIMEOUT", "Request timed out."));
-    });
-
-    req.on("error", (err) => {
-      if (err instanceof HookPolicyError || err instanceof HookNetworkError) {
-        safeReject(err);
-      } else {
-        safeReject(new HookNetworkError("HTTP_REQUEST_FAILED", String(err && err.message ? err.message : err)));
-      }
-    });
-
-    req.write(body);
-    req.end();
-  });
-}
-function isTransientNetworkError(err) {
-  if (!err) return false;
-  if (err instanceof HookNetworkError) return true;
-  const msg = String(err.message || err || "").toLowerCase();
-  return ["timeout", "econnreset", "etimedout", "enotfound", "eai_again", "socket hang up"].some((m) => msg.includes(m));
-}
-
-async function requestWithTimeout(opts) {
-  const endpoint = String(opts.endpoint || "");
-  const policy = normalizePolicy(opts.policy || {});
-  const preflight = validateEndpoint(endpoint, policy);
-
-  await resolveAndBlockPrivateRanges(preflight.hostname, policy);
-
-  const method = enforceMethodAllowlist(opts.method || "POST", policy);
-  const payload = opts.payload || {};
-  const body = JSON.stringify(payload);
-  const bodyBytes = Buffer.byteLength(body, "utf8");
-  enforcePayloadLimit(bodyBytes, policy);
-
-  const timeoutMs = Number(opts.timeoutMs || policy.timeoutMs);
-  const ts = Number(opts.ts || Math.floor(Date.now() / 1000));
-  const nonce = String(opts.nonce || crypto.randomUUID());
-  const nonceCache = verifyReplayWindow(ts, nonce, opts.nonceCache || {}, policy);
-
-  const headers = {
-    "Content-Type": "application/json",
-    "Content-Length": bodyBytes,
-  };
-
-  const secret = opts.secret ? String(opts.secret) : "";
-  if (policy.requireHmac && !secret) {
-    throw new HookPolicyError("SEC_HTTP_UNSIGNED_BLOCKED", "HMAC secret is required by policy.", "requireHmac");
-  }
-
-  if (secret) {
-    const signature = signBody(body, secret, ts, nonce);
-    Object.assign(headers, buildSignedHeaders(ts, nonce, signature));
-  }
-
-  const attempts = Math.max(1, Number(policy.maxRetries || 0) + 1);
-  let lastError = null;
-
-  for (let i = 0; i < attempts; i += 1) {
-    try {
-      const response = await requestOnce({
-        url: preflight.url,
-        method,
-        timeoutMs,
-        headers,
-        body,
-        policy,
-      });
-
-      return {
-        statusCode: response.statusCode,
-        body: response.body,
-        preview: response.preview,
-        bytes: response.bytes,
-        headers: response.headers,
-        contentType: response.contentType,
-        ts,
-        nonce,
-        nonceCache,
-      };
-    } catch (err) {
-      if (err instanceof HookPolicyError) throw err;
-      lastError = err;
-      if (!isTransientNetworkError(err) || i === attempts - 1) {
-        throw err;
-      }
-      await sleep(Number(policy.backoffMs || 100) * (i + 1));
-    }
-  }
-
-  throw lastError || new HookNetworkError("HTTP_UNKNOWN", "Unknown HTTP hook failure.");
-}
-
-module.exports = {
-  DEFAULT_HTTP_POLICY,
-  HookPolicyError,
-  HookNetworkError,
-  normalizePolicy,
-  validateEndpoint,
-  resolveAndBlockPrivateRanges,
-  enforceMethodAllowlist,
-  enforcePayloadLimit,
-  enforceResponseLimit,
-  verifyRedirectPolicy,
-  buildSignedHeaders,
-  verifyReplayWindow,
-  sanitizeResponsePreview,
-  redactPayloadDeep,
-  requestWithTimeout,
-  signBody,
-  isTransientNetworkError,
-};
-
-
-

package/scripts/lib/install-ai-readiness.js

@@ -1,84 +0,0 @@
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-
-const { nowIso } = require("./fsx");
-
-const CONTRACT = "avorelo.installAiReadiness.v1";
-const SCHEMA_VERSION = 1;
-const ARTIFACT_REL = ".claude/cco/orchestration/ai-install/latest-prompt.json";
-
-function safeReadJson(absPath) {
-  try {
-    if (!fs.existsSync(absPath)) return null;
-    return JSON.parse(fs.readFileSync(absPath, "utf8").replace(/^\uFEFF/, ""));
-  } catch {
-    return null;
-  }
-}
-
-function buildInstallAiReadiness(cwd) {
-  const receipt = safeReadJson(path.join(cwd, ARTIFACT_REL));
-  const prelaunchReadiness = safeReadJson(path.join(cwd, ".claude/cco/orchestration/prelaunch-readiness/latest-activation-readiness.json"));
-  const launchHardening = safeReadJson(path.join(cwd, ".claude/cco/orchestration/launch-hardening/latest-gate.json"));
-
-  const hasApprovalBoundaries = Array.isArray(receipt?.approvalBoundaries) && receipt.approvalBoundaries.length > 0;
-  const hasCommands = Array.isArray(receipt?.commandSequence) && receipt.commandSequence.length > 0;
-  const hasRecoveryPath = Boolean(launchHardening) || hasCommands;
-  const hasFirstValuePath = Boolean(prelaunchReadiness?.firstValuePath || prelaunchReadiness?.firstValue || prelaunchReadiness?.firstValueJourney);
-
-  const missingEvidence = [];
-  const safeNextActions = [];
-
-  if (!receipt) {
-    missingEvidence.push("AI install prompt receipt is missing.");
-    safeNextActions.push("Run: node bin/avorelo install-ai --json");
-  }
-  if (receipt && hasApprovalBoundaries !== true) {
-    missingEvidence.push("Install prompt exists but approval boundaries are not explicit.");
-    safeNextActions.push("Run: node bin/avorelo install-ai --json");
-  }
-  if (receipt && receipt.activationAvailable !== true) {
-    missingEvidence.push("Install prompt does not confirm activation availability.");
-    safeNextActions.push("Run: node bin/avorelo activate --json");
-  }
-  if (receipt && receipt.prelaunchAvailable !== true) {
-    missingEvidence.push("Install prompt does not confirm prelaunch readiness availability.");
-    safeNextActions.push("Run: node bin/avorelo prelaunch-readiness --json");
-  }
-  if (!hasFirstValuePath) {
-    missingEvidence.push("First-value path is not confirmed in prelaunch readiness artifacts.");
-    safeNextActions.push("Run: node bin/avorelo first-value-check --json");
-  }
-  if (!hasRecoveryPath) {
-    missingEvidence.push("No recovery path is visible from install readiness artifacts.");
-    safeNextActions.push("Run: node bin/avorelo launch-hardening --json");
-  }
-
-  const status = missingEvidence.length === 0 ? "pass" : "warn";
-
-  return {
-    contract: CONTRACT,
-    schemaVersion: SCHEMA_VERSION,
-    createdAt: nowIso(),
-    status,
-    artifactPath: ARTIFACT_REL,
-    activationAvailable: receipt?.activationAvailable === true,
-    prelaunchAvailable: receipt?.prelaunchAvailable === true,
-    approvalBoundariesAvailable: hasApprovalBoundaries,
-    firstValuePathAvailable: hasFirstValuePath,
-    recoveryPathAvailable: hasRecoveryPath,
-    missingEvidence,
-    safeNextActions: safeNextActions.length ? safeNextActions : ["Run: node bin/avorelo full-readiness --json"],
-    noPublicLaunchClaim: true,
-    redacted: true,
-  };
-}
-
-module.exports = {
-  CONTRACT,
-  SCHEMA_VERSION,
-  ARTIFACT_REL,
-  buildInstallAiReadiness,
-};