avorelo 0.1.0

package/scripts/lib/http-hook-action.js

@@ -0,0 +1,538 @@
+"use strict";
+
+const http = require("http");
+const https = require("https");
+const dns = require("dns").promises;
+const net = require("net");
+const crypto = require("crypto");
+
+const DEFAULT_HTTP_POLICY = {
+  enabled: true,
+  mode: "strict",
+  allowedDomains: ["api.github.com", "www.reddit.com", "oauth.reddit.com", "api.linkedin.com"],
+  allowedSchemes: ["https"],
+  allowedMethods: ["POST"],
+  blockPrivateCidrs: true,
+  allowLocalhostInDev: false,
+  maxPayloadBytes: 16384,
+  maxResponseBytes: 32768,
+  timeoutMs: 1500,
+  maxRetries: 1,
+  backoffMs: 150,
+  requireHmac: true,
+  replayWindowSec: 300,
+  allowedPorts: [443],
+  maxRedirects: 0,
+  redactionAllowlist: ["event", "ts", "project", "sourcePlatform", "reasonCodes"],
+};
+
+class HookPolicyError extends Error {
+  constructor(code, message, policyRuleId = null) {
+    super(message);
+    this.name = "HookPolicyError";
+    this.code = code;
+    this.errorClass = "policy";
+    this.policyRuleId = policyRuleId;
+  }
+}
+
+class HookNetworkError extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "HookNetworkError";
+    this.code = code;
+    this.errorClass = "network";
+  }
+}
+
+function normalizePolicy(input) {
+  const raw = input && typeof input === "object" ? input : {};
+  const policy = { ...DEFAULT_HTTP_POLICY, ...raw };
+
+  if (!["off", "strict", "aggressive"].includes(policy.mode)) {
+    policy.mode = DEFAULT_HTTP_POLICY.mode;
+  }
+
+  policy.enabled = policy.enabled !== false;
+  policy.allowedDomains = Array.isArray(policy.allowedDomains)
+    ? policy.allowedDomains.map((x) => String(x).trim().toLowerCase()).filter(Boolean)
+    : DEFAULT_HTTP_POLICY.allowedDomains.slice();
+  policy.allowedSchemes = Array.isArray(policy.allowedSchemes)
+    ? policy.allowedSchemes.map((x) => String(x).replace(/:$/g, "").toLowerCase()).filter(Boolean)
+    : DEFAULT_HTTP_POLICY.allowedSchemes.slice();
+  policy.allowedMethods = Array.isArray(policy.allowedMethods)
+    ? policy.allowedMethods.map((x) => String(x).toUpperCase()).filter(Boolean)
+    : DEFAULT_HTTP_POLICY.allowedMethods.slice();
+
+  policy.blockPrivateCidrs = policy.blockPrivateCidrs !== false;
+  policy.allowLocalhostInDev = policy.allowLocalhostInDev === true;
+  policy.maxPayloadBytes = Number.isFinite(Number(policy.maxPayloadBytes)) ? Math.max(256, Number(policy.maxPayloadBytes)) : DEFAULT_HTTP_POLICY.maxPayloadBytes;
+  policy.maxResponseBytes = Number.isFinite(Number(policy.maxResponseBytes)) ? Math.max(256, Number(policy.maxResponseBytes)) : DEFAULT_HTTP_POLICY.maxResponseBytes;
+  policy.timeoutMs = Number.isFinite(Number(policy.timeoutMs)) ? Math.max(100, Number(policy.timeoutMs)) : DEFAULT_HTTP_POLICY.timeoutMs;
+  policy.maxRetries = Number.isFinite(Number(policy.maxRetries)) ? Math.max(0, Number(policy.maxRetries)) : DEFAULT_HTTP_POLICY.maxRetries;
+  policy.backoffMs = Number.isFinite(Number(policy.backoffMs)) ? Math.max(10, Number(policy.backoffMs)) : DEFAULT_HTTP_POLICY.backoffMs;
+  policy.requireHmac = policy.requireHmac !== false;
+  policy.replayWindowSec = Number.isFinite(Number(policy.replayWindowSec)) ? Math.max(30, Number(policy.replayWindowSec)) : DEFAULT_HTTP_POLICY.replayWindowSec;
+  policy.allowedPorts = Array.isArray(policy.allowedPorts)
+    ? policy.allowedPorts
+        .map((x) => Number(x))
+        .filter((x) => Number.isInteger(x) && x > 0 && x <= 65535)
+    : DEFAULT_HTTP_POLICY.allowedPorts.slice();
+  policy.maxRedirects = Number.isFinite(Number(policy.maxRedirects)) ? Math.max(0, Number(policy.maxRedirects)) : (policy.mode === "strict" ? 0 : 2);
+  if (!Array.isArray(policy.redactionAllowlist)) {
+    policy.redactionAllowlist = DEFAULT_HTTP_POLICY.redactionAllowlist.slice();
+  }
+
+  if (policy.mode === "aggressive") {
+    if (policy.allowedMethods.length === 0) policy.allowedMethods = ["GET", "POST"];
+    if (policy.allowedSchemes.length === 0) policy.allowedSchemes = ["https", "http"];
+    if (policy.allowedPorts.length === 0) policy.allowedPorts = [443, 80];
+  }
+
+  return policy;
+}
+
+function signBody(body, secret, ts, nonce) {
+  const data = typeof body === "string" ? body : JSON.stringify(body || {});
+  const envelope = `${ts}.${nonce}.${data}`;
+  return crypto.createHmac("sha256", secret).update(envelope).digest("hex");
+}
+
+function hostnameAllowed(hostname, allowedDomains) {
+  if (!Array.isArray(allowedDomains) || allowedDomains.length === 0) return true;
+  const h = String(hostname || "").toLowerCase();
+  return allowedDomains.some((d) => h === d || h.endsWith(`.${d}`));
+}
+
+function defaultPortForScheme(scheme) {
+  return scheme === "https" ? 443 : scheme === "http" ? 80 : 0;
+}
+
+function validateEndpoint(endpoint, policyInput) {
+  const policy = normalizePolicy(policyInput);
+  if (!policy.enabled || policy.mode === "off") {
+    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", "HTTP hook actions are disabled by policy.", "enabled");
+  }
+
+  let url;
+  try {
+    url = new URL(String(endpoint || ""));
+  } catch {
+    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", "Invalid endpoint URL.", "endpoint-format");
+  }
+
+  const scheme = String(url.protocol || "").replace(/:$/g, "").toLowerCase();
+  if (!policy.allowedSchemes.includes(scheme)) {
+    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", `Scheme '${scheme}' is not allowed.`, "allowedSchemes");
+  }
+
+  if (url.username || url.password) {
+    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", "Embedded credentials in URL are not allowed.", "url-credentials");
+  }
+
+  if (!hostnameAllowed(url.hostname, policy.allowedDomains)) {
+    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", `Host '${url.hostname}' is not allowlisted.`, "allowedDomains");
+  }
+
+  const port = url.port ? Number(url.port) : defaultPortForScheme(scheme);
+  if (!policy.allowedPorts.includes(port)) {
+    throw new HookPolicyError("SEC_HTTP_ENDPOINT_BLOCKED", `Port '${port}' is not allowed.`, "allowedPorts");
+  }
+
+  return {
+    url,
+    scheme,
+    hostname: url.hostname,
+    port,
+    policy,
+  };
+}
+
+function isPrivateIPv4(ip) {
+  const parts = String(ip || "")
+    .split(".")
+    .map((x) => Number(x));
+  if (parts.length !== 4 || parts.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) return false;
+
+  const [a, b] = parts;
+  if (a === 10) return true;
+  if (a === 127) return true;
+  if (a === 0) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  return false;
+}
+
+function isPrivateIPv6(ip) {
+  const v = String(ip || "").toLowerCase();
+  if (v === "::1" || v === "::") return true;
+  if (v.startsWith("fe80:")) return true;
+  if (v.startsWith("fc") || v.startsWith("fd")) return true;
+  return false;
+}
+
+function isPrivateAddress(ip) {
+  const kind = net.isIP(ip);
+  if (kind === 4) return isPrivateIPv4(ip);
+  if (kind === 6) return isPrivateIPv6(ip);
+  return false;
+}
+
+async function resolveAndBlockPrivateRanges(hostname, policyInput) {
+  const policy = normalizePolicy(policyInput);
+  if (!policy.blockPrivateCidrs) return { ok: true, addresses: [] };
+
+  const host = String(hostname || "").toLowerCase();
+  const devMode = process.env.NODE_ENV !== "production";
+  const localhostAliases = new Set(["localhost", "127.0.0.1", "::1"]);
+  if (localhostAliases.has(host) && policy.allowLocalhostInDev && devMode) {
+    return { ok: true, addresses: [host], bypassReason: "allowLocalhostInDev" };
+  }
+
+  let addresses = [];
+  if (net.isIP(host)) {
+    addresses = [host];
+  } else {
+    try {
+      const resolved = await dns.lookup(host, { all: true });
+      addresses = resolved.map((x) => x.address).filter(Boolean);
+    } catch (e) {
+      throw new HookNetworkError("HTTP_DNS_LOOKUP_FAILED", String(e && e.message ? e.message : e));
+    }
+  }
+
+  const blocked = addresses.some((ip) => isPrivateAddress(ip));
+  if (blocked) {
+    throw new HookPolicyError(
+      "SEC_HTTP_PRIVATE_NETWORK_BLOCKED",
+      `Resolved private/internal target for host '${host}'.`,
+      "blockPrivateCidrs"
+    );
+  }
+
+  return { ok: true, addresses };
+}
+
+function enforceMethodAllowlist(method, policyInput) {
+  const policy = normalizePolicy(policyInput);
+  const normalized = String(method || "POST").toUpperCase();
+  if (!policy.allowedMethods.includes(normalized)) {
+    throw new HookPolicyError("SEC_HTTP_METHOD_BLOCKED", `Method '${normalized}' is not allowed.`, "allowedMethods");
+  }
+  return normalized;
+}
+
+function enforcePayloadLimit(bytes, policyInput) {
+  const policy = normalizePolicy(policyInput);
+  const n = Number(bytes || 0);
+  if (n > policy.maxPayloadBytes) {
+    throw new HookPolicyError(
+      "SEC_HTTP_PAYLOAD_OVERSIZE",
+      `Payload size ${n} exceeds max ${policy.maxPayloadBytes}.`,
+      "maxPayloadBytes"
+    );
+  }
+  return n;
+}
+
+function enforceResponseLimit(bytes, policyInput) {
+  const policy = normalizePolicy(policyInput);
+  const n = Number(bytes || 0);
+  if (n > policy.maxResponseBytes) {
+    throw new HookPolicyError(
+      "SEC_HTTP_RESPONSE_OVERSIZE",
+      `Response size ${n} exceeds max ${policy.maxResponseBytes}.`,
+      "maxResponseBytes"
+    );
+  }
+  return n;
+}
+
+function verifyRedirectPolicy(statusCode, headers, policyInput) {
+  const policy = normalizePolicy(policyInput);
+  const code = Number(statusCode || 0);
+  const location = headers && (headers.location || headers.Location);
+  if (code >= 300 && code < 400 && location && policy.maxRedirects === 0) {
+    throw new HookPolicyError(
+      "SEC_HTTP_REDIRECT_BLOCKED",
+      "Redirect responses are blocked by policy.",
+      "maxRedirects"
+    );
+  }
+  return true;
+}
+
+function buildSignedHeaders(ts, nonce, signature) {
+  return {
+    "X-CCO-Timestamp": String(ts),
+    "X-CCO-Nonce": String(nonce),
+    "X-CCO-Signature": String(signature),
+    "X-CCO-Signature-Alg": "hmac-sha256",
+  };
+}
+
+function verifyReplayWindow(ts, nonce, nonceCache, policyInput) {
+  const policy = normalizePolicy(policyInput);
+  const nowSec = Math.floor(Date.now() / 1000);
+  const msgTs = Number(ts);
+  const key = String(nonce || "").trim();
+
+  if (!Number.isFinite(msgTs) || !key) {
+    throw new HookPolicyError("SEC_HTTP_REPLAY_BLOCKED", "Missing or invalid timestamp/nonce.", "replayWindowSec");
+  }
+
+  if (Math.abs(nowSec - msgTs) > policy.replayWindowSec) {
+    throw new HookPolicyError("SEC_HTTP_REPLAY_BLOCKED", "Timestamp outside replay window.", "replayWindowSec");
+  }
+
+  const cache = nonceCache && typeof nonceCache === "object" ? nonceCache : {};
+  Object.keys(cache).forEach((n) => {
+    if (Math.abs(nowSec - Number(cache[n])) > policy.replayWindowSec) {
+      delete cache[n];
+    }
+  });
+
+  if (Object.prototype.hasOwnProperty.call(cache, key)) {
+    throw new HookPolicyError("SEC_HTTP_REPLAY_BLOCKED", "Nonce was already used within replay window.", "replayWindowSec");
+  }
+
+  cache[key] = msgTs;
+  return cache;
+}
+
+function sanitizeResponsePreview(contentType, bytes, raw) {
+  const ct = String(contentType || "").toLowerCase();
+  const size = Number(bytes || 0);
+
+  if (!(ct.includes("json") || ct.startsWith("text/") || ct.includes("xml"))) {
+    return `<binary:${ct || "unknown"};bytes=${size}>`;
+  }
+
+  const text = String(raw || "");
+  return text.slice(0, 512);
+}
+
+function redactPayloadDeep(payload, keyPatternAllowlist) {
+  const allow = new Set((Array.isArray(keyPatternAllowlist) ? keyPatternAllowlist : []).map((x) => String(x).toLowerCase()));
+  const sensitive = /(token|secret|password|authorization|api[-_]?key|cookie|session|bearer|private.?key|client_secret)/i;
+
+  function walk(node, key) {
+    if (Array.isArray(node)) {
+      return node.map((item) => walk(item, key));
+    }
+
+    if (node && typeof node === "object") {
+      const out = {};
+      Object.keys(node).forEach((k) => {
+        out[k] = walk(node[k], k);
+      });
+      return out;
+    }
+
+    const keyName = String(key || "").toLowerCase();
+    if (keyName && sensitive.test(keyName) && !allow.has(keyName)) {
+      return "***";
+    }
+    return node;
+  }
+
+  return walk(payload && typeof payload === "object" ? payload : {}, "");
+}
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function requestOnce(opts) {
+  const url = opts.url;
+  const method = opts.method;
+  const timeoutMs = Number(opts.timeoutMs);
+  const headers = opts.headers;
+  const body = opts.body;
+  const policy = opts.policy;
+
+  const lib = url.protocol === "https:" ? https : http;
+
+  return new Promise((resolve, reject) => {
+    let settled = false;
+
+    function safeReject(err) {
+      if (settled) return;
+      settled = true;
+      reject(err);
+    }
+
+    function safeResolve(val) {
+      if (settled) return;
+      settled = true;
+      resolve(val);
+    }
+
+    const req = lib.request(
+      {
+        protocol: url.protocol,
+        hostname: url.hostname,
+        port: url.port,
+        path: `${url.pathname}${url.search}`,
+        method,
+        headers,
+        timeout: timeoutMs,
+      },
+      (res) => {
+        try {
+          verifyRedirectPolicy(res.statusCode, res.headers, policy);
+        } catch (err) {
+          safeReject(err);
+          req.destroy();
+          return;
+        }
+
+        const chunks = [];
+        let bytes = 0;
+
+        res.on("data", (c) => {
+          try {
+            const buf = Buffer.isBuffer(c) ? c : Buffer.from(String(c));
+            bytes += buf.length;
+            enforceResponseLimit(bytes, policy);
+            chunks.push(buf);
+          } catch (err) {
+            safeReject(err);
+            req.destroy();
+          }
+        });
+
+        res.on("end", () => {
+          if (settled) return;
+          const buf = Buffer.concat(chunks);
+          const raw = buf.toString("utf8");
+          const contentType = res.headers["content-type"] || "";
+          safeResolve({
+            statusCode: res.statusCode || 0,
+            body: raw,
+            bytes,
+            headers: res.headers || {},
+            contentType,
+            preview: sanitizeResponsePreview(contentType, bytes, raw),
+          });
+        });
+      }
+    );
+
+    req.on("timeout", () => {
+      req.destroy(new HookNetworkError("HTTP_TIMEOUT", "Request timed out."));
+    });
+
+    req.on("error", (err) => {
+      if (err instanceof HookPolicyError || err instanceof HookNetworkError) {
+        safeReject(err);
+      } else {
+        safeReject(new HookNetworkError("HTTP_REQUEST_FAILED", String(err && err.message ? err.message : err)));
+      }
+    });
+
+    req.write(body);
+    req.end();
+  });
+}
+function isTransientNetworkError(err) {
+  if (!err) return false;
+  if (err instanceof HookNetworkError) return true;
+  const msg = String(err.message || err || "").toLowerCase();
+  return ["timeout", "econnreset", "etimedout", "enotfound", "eai_again", "socket hang up"].some((m) => msg.includes(m));
+}
+
+async function requestWithTimeout(opts) {
+  const endpoint = String(opts.endpoint || "");
+  const policy = normalizePolicy(opts.policy || {});
+  const preflight = validateEndpoint(endpoint, policy);
+
+  await resolveAndBlockPrivateRanges(preflight.hostname, policy);
+
+  const method = enforceMethodAllowlist(opts.method || "POST", policy);
+  const payload = opts.payload || {};
+  const body = JSON.stringify(payload);
+  const bodyBytes = Buffer.byteLength(body, "utf8");
+  enforcePayloadLimit(bodyBytes, policy);
+
+  const timeoutMs = Number(opts.timeoutMs || policy.timeoutMs);
+  const ts = Number(opts.ts || Math.floor(Date.now() / 1000));
+  const nonce = String(opts.nonce || crypto.randomUUID());
+  const nonceCache = verifyReplayWindow(ts, nonce, opts.nonceCache || {}, policy);
+
+  const headers = {
+    "Content-Type": "application/json",
+    "Content-Length": bodyBytes,
+  };
+
+  const secret = opts.secret ? String(opts.secret) : "";
+  if (policy.requireHmac && !secret) {
+    throw new HookPolicyError("SEC_HTTP_UNSIGNED_BLOCKED", "HMAC secret is required by policy.", "requireHmac");
+  }
+
+  if (secret) {
+    const signature = signBody(body, secret, ts, nonce);
+    Object.assign(headers, buildSignedHeaders(ts, nonce, signature));
+  }
+
+  const attempts = Math.max(1, Number(policy.maxRetries || 0) + 1);
+  let lastError = null;
+
+  for (let i = 0; i < attempts; i += 1) {
+    try {
+      const response = await requestOnce({
+        url: preflight.url,
+        method,
+        timeoutMs,
+        headers,
+        body,
+        policy,
+      });
+
+      return {
+        statusCode: response.statusCode,
+        body: response.body,
+        preview: response.preview,
+        bytes: response.bytes,
+        headers: response.headers,
+        contentType: response.contentType,
+        ts,
+        nonce,
+        nonceCache,
+      };
+    } catch (err) {
+      if (err instanceof HookPolicyError) throw err;
+      lastError = err;
+      if (!isTransientNetworkError(err) || i === attempts - 1) {
+        throw err;
+      }
+      await sleep(Number(policy.backoffMs || 100) * (i + 1));
+    }
+  }
+
+  throw lastError || new HookNetworkError("HTTP_UNKNOWN", "Unknown HTTP hook failure.");
+}
+
+module.exports = {
+  DEFAULT_HTTP_POLICY,
+  HookPolicyError,
+  HookNetworkError,
+  normalizePolicy,
+  validateEndpoint,
+  resolveAndBlockPrivateRanges,
+  enforceMethodAllowlist,
+  enforcePayloadLimit,
+  enforceResponseLimit,
+  verifyRedirectPolicy,
+  buildSignedHeaders,
+  verifyReplayWindow,
+  sanitizeResponsePreview,
+  redactPayloadDeep,
+  requestWithTimeout,
+  signBody,
+  isTransientNetworkError,
+};
+
+
+

package/scripts/lib/install-ai-readiness.js

@@ -0,0 +1,84 @@
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+const { nowIso } = require("./fsx");
+
+const CONTRACT = "avorelo.installAiReadiness.v1";
+const SCHEMA_VERSION = 1;
+const ARTIFACT_REL = ".claude/cco/orchestration/ai-install/latest-prompt.json";
+
+function safeReadJson(absPath) {
+  try {
+    if (!fs.existsSync(absPath)) return null;
+    return JSON.parse(fs.readFileSync(absPath, "utf8").replace(/^\uFEFF/, ""));
+  } catch {
+    return null;
+  }
+}
+
+function buildInstallAiReadiness(cwd) {
+  const receipt = safeReadJson(path.join(cwd, ARTIFACT_REL));
+  const prelaunchReadiness = safeReadJson(path.join(cwd, ".claude/cco/orchestration/prelaunch-readiness/latest-activation-readiness.json"));
+  const launchHardening = safeReadJson(path.join(cwd, ".claude/cco/orchestration/launch-hardening/latest-gate.json"));
+
+  const hasApprovalBoundaries = Array.isArray(receipt?.approvalBoundaries) && receipt.approvalBoundaries.length > 0;
+  const hasCommands = Array.isArray(receipt?.commandSequence) && receipt.commandSequence.length > 0;
+  const hasRecoveryPath = Boolean(launchHardening) || hasCommands;
+  const hasFirstValuePath = Boolean(prelaunchReadiness?.firstValuePath || prelaunchReadiness?.firstValue || prelaunchReadiness?.firstValueJourney);
+
+  const missingEvidence = [];
+  const safeNextActions = [];
+
+  if (!receipt) {
+    missingEvidence.push("AI install prompt receipt is missing.");
+    safeNextActions.push("Run: node bin/avorelo install-ai --json");
+  }
+  if (receipt && hasApprovalBoundaries !== true) {
+    missingEvidence.push("Install prompt exists but approval boundaries are not explicit.");
+    safeNextActions.push("Run: node bin/avorelo install-ai --json");
+  }
+  if (receipt && receipt.activationAvailable !== true) {
+    missingEvidence.push("Install prompt does not confirm activation availability.");
+    safeNextActions.push("Run: node bin/avorelo activate --json");
+  }
+  if (receipt && receipt.prelaunchAvailable !== true) {
+    missingEvidence.push("Install prompt does not confirm prelaunch readiness availability.");
+    safeNextActions.push("Run: node bin/avorelo prelaunch-readiness --json");
+  }
+  if (!hasFirstValuePath) {
+    missingEvidence.push("First-value path is not confirmed in prelaunch readiness artifacts.");
+    safeNextActions.push("Run: node bin/avorelo first-value-check --json");
+  }
+  if (!hasRecoveryPath) {
+    missingEvidence.push("No recovery path is visible from install readiness artifacts.");
+    safeNextActions.push("Run: node bin/avorelo launch-hardening --json");
+  }
+
+  const status = missingEvidence.length === 0 ? "pass" : "warn";
+
+  return {
+    contract: CONTRACT,
+    schemaVersion: SCHEMA_VERSION,
+    createdAt: nowIso(),
+    status,
+    artifactPath: ARTIFACT_REL,
+    activationAvailable: receipt?.activationAvailable === true,
+    prelaunchAvailable: receipt?.prelaunchAvailable === true,
+    approvalBoundariesAvailable: hasApprovalBoundaries,
+    firstValuePathAvailable: hasFirstValuePath,
+    recoveryPathAvailable: hasRecoveryPath,
+    missingEvidence,
+    safeNextActions: safeNextActions.length ? safeNextActions : ["Run: node bin/avorelo full-readiness --json"],
+    noPublicLaunchClaim: true,
+    redacted: true,
+  };
+}
+
+module.exports = {
+  CONTRACT,
+  SCHEMA_VERSION,
+  ARTIFACT_REL,
+  buildInstallAiReadiness,
+};