npm - chainlesschain - Versions diffs - 0.162.11 → 0.162.13 - Mend

chainlesschain 0.162.11 → 0.162.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (166) hide show

package/src/lib/personal-data-hub-wiring.js CHANGED Viewed

@@ -30,6 +30,8 @@ import { mkdirSync } from "node:fs";
 // won't let us name-import a CJS module unless it ships a separate ESM
 // shim, which we don't).
 import hub from "@chainlesschain/personal-data-hub";
+import wechatAdapterModule from "@chainlesschain/personal-data-hub/adapters/wechat";
+const { bootstrapWechatAdapter, probeWeChatEnv } = wechatAdapterModule;
 const {
   LocalVault,
   AdapterRegistry,
@@ -51,6 +53,18 @@ const {
 import { readFileSync, writeFileSync, existsSync } from "node:fs";
 import { getElectronUserDataDir } from "./paths.js";
+import {
+  getAIChatWizard,
+  createAccountsStore as createAIChatAccountsStore,
+  createVendorAdapterBridge as createAIChatVendorAdapterBridge,
+} from "./personal-data-hub-aichat-wizard.js";
+async function loadAIChatHealthChecker() {
+  const mod =
+    await import("@chainlesschain/personal-data-hub/adapters/ai-chat-history/health-checker");
+  return (mod.default || mod).createAIChatHealthChecker;
+}
 // ─── Lazy ESM imports of cli KG / BM25 ───────────────────────────────────
 let _kgMod = null;
@@ -211,6 +225,24 @@ async function initHub() {
     }
   }
+  // Phase 10.3.5 — AIChat HealthChecker (mirror of desktop wiring). cc ui
+  // typically only runs while the user has the web-shell open, but the
+  // periodic loop still validates persisted cookies so list-aichat-accounts
+  // can surface lastHealth reliably.
+  const aichatAccountsStore = createAIChatAccountsStore({ hubDir });
+  const aichatVendorAdapter = createAIChatVendorAdapterBridge();
+  const createAIChatHealthChecker = await loadAIChatHealthChecker();
+  const aichatHealthChecker = createAIChatHealthChecker({
+    accountsStore: aichatAccountsStore,
+    vendorAdapter: aichatVendorAdapter,
+  });
+  try {
+    aichatHealthChecker.start();
+  } catch (_err) {
+    // Continue boot even if checker fails to schedule
+  }
+  const aichatWizard = getAIChatWizard({ hubDir });
   return {
     vault,
     registry,
@@ -223,11 +255,50 @@ async function initHub() {
     emailAccountsPath,
     alipayAccountsPath,
     entityResolver,
+    aichatAccountsStore,
+    aichatWizard,
+    aichatHealthChecker,
     analysisSkillNames: ANALYSIS_SKILL_NAMES,
     async runSkill(name, options = {}) {
       return await runAnalysisSkill({ vault, llm }, name, options);
     },
     bm25: _bm25,
+    /** Phase 10.3.5 — see desktop wiring for full doc. */
+    async listAIChatAccounts() {
+      const entries = await aichatAccountsStore.list();
+      return (entries || []).map((e) => ({
+        vendor: e.vendor,
+        displayName: e.displayName || e.vendor,
+        registeredAt: e.registeredAt || null,
+        userId: e.userId || null,
+        lastSyncAt: e.lastSyncAt || null,
+        lastHealth: e.lastHealth || null,
+        cookieSpecVersion: e.cookieSpecVersion || null,
+        cookieNames: Object.keys(e.cookies || {}),
+      }));
+    },
+    async unregisterAIChatVendor(vendor) {
+      if (!vendor || typeof vendor !== "string") {
+        return { ok: false, reason: "VENDOR_REQUIRED" };
+      }
+      const before = await aichatAccountsStore.get(vendor);
+      if (!before) {
+        return { ok: false, reason: "NOT_REGISTERED", vendor };
+      }
+      await aichatAccountsStore.delete(vendor);
+      try {
+        await aichatWizard.rotateLoginPartition({ vendor });
+      } catch (_err) {
+        // best-effort
+      }
+      return { ok: true, vendor };
+    },
+    async runAIChatHealthCheckOnce() {
+      return await aichatHealthChecker.runOnce();
+    },
     registerMockAdapter(opts = {}) {
       if (registry.has(opts.name || "mock"))
         return registry.get(opts.name || "mock");
@@ -358,9 +429,122 @@ async function initHub() {
         zipPassword,
       });
     },
+    // ─── Phase 12.6.8 — WeChat env-probe + register / unregister / list ──
+    //
+    // cc ui mirror of the desktop wiring. Same JSON file layout
+    // (wechat-accounts.json under hubDir, mode 0o600) so the two shells
+    // share registrations when run side-by-side on the same machine.
+    async probeWechatEnv(opts = {}) {
+      return await probeWeChatEnv({ exec: opts.exec });
+    },
+    async registerWechatAdapter(opts = {}) {
+      if (!opts || !opts.account || !opts.account.uin) {
+        return { ok: false, reason: "UIN_REQUIRED", message: "opts.account.uin required" };
+      }
+      let r;
+      try {
+        r = await bootstrapWechatAdapter({
+          account: opts.account,
+          dbPath: opts.dbPath || null,
+          wechatDataPath: opts.wechatDataPath || null,
+          fridaOpts: opts.fridaOpts || null,
+          keyProviderOverride: opts.keyProviderOverride || null,
+          exec: opts.exec,
+          _probe: opts._probe,
+        });
+      } catch (err) {
+        return {
+          ok: false,
+          reason: "BOOTSTRAP_THREW",
+          message: err && err.message ? err.message : String(err),
+        };
+      }
+      if (!r.ok) return r;
+      if (registry.has(r.adapter.name)) registry.unregister(r.adapter.name);
+      registry.register(r.adapter);
+      const wechatAccountsPath = join(hubDir, "wechat-accounts.json");
+      const accounts = loadWechatAccounts(wechatAccountsPath);
+      const next = accounts.filter(
+        (c) => !(c.account && c.account.uin === opts.account.uin),
+      );
+      next.push({
+        account: { uin: opts.account.uin },
+        dbPath: opts.dbPath || null,
+        wechatDataPath: opts.wechatDataPath || null,
+        chosenKeyProvider: r.keyProvider && r.keyProvider.name ? r.keyProvider.name : null,
+        registeredAt: Date.now(),
+        lastSyncAt: null,
+      });
+      saveWechatAccounts(wechatAccountsPath, next);
+      return {
+        ok: true,
+        name: r.adapter.name,
+        version: r.adapter.version,
+        capabilities: r.adapter.capabilities,
+        sensitivity: r.adapter.dataDisclosure.sensitivity,
+        chosenKeyProvider: r.keyProvider && r.keyProvider.name,
+        probe: r.probe,
+        registeredAt: next[next.length - 1].registeredAt,
+      };
+    },
+    async unregisterWechatAdapter(uin) {
+      if (!uin || typeof uin !== "string") {
+        return { ok: false, reason: "UIN_REQUIRED" };
+      }
+      const wechatAccountsPath = join(hubDir, "wechat-accounts.json");
+      const accounts = loadWechatAccounts(wechatAccountsPath);
+      const target = accounts.find(
+        (c) => c.account && c.account.uin === uin,
+      );
+      const next = accounts.filter(
+        (c) => !(c.account && c.account.uin === uin),
+      );
+      saveWechatAccounts(wechatAccountsPath, next);
+      if (target && registry.has("wechat")) registry.unregister("wechat");
+      return { ok: true, removed: !!target, uin };
+    },
+    listWechatAccounts() {
+      const wechatAccountsPath = join(hubDir, "wechat-accounts.json");
+      return loadWechatAccounts(wechatAccountsPath).map((row) => ({
+        uin: row.account ? row.account.uin : null,
+        dbPath: row.dbPath || null,
+        hasWechatDataPath: !!row.wechatDataPath,
+        chosenKeyProvider: row.chosenKeyProvider || null,
+        registeredAt: row.registeredAt || null,
+        lastSyncAt: row.lastSyncAt || null,
+      }));
+    },
   };
 }
+// ─── Phase 12.6.8 — WeChat account persistence helpers (cli mirror) ──────
+function loadWechatAccounts(filePath) {
+  try {
+    if (!existsSync(filePath)) return [];
+    const raw = readFileSync(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed) ? parsed : [];
+  } catch (_err) {
+    return [];
+  }
+}
+function saveWechatAccounts(filePath, accounts) {
+  writeFileSync(filePath, JSON.stringify(accounts, null, 2), {
+    encoding: "utf-8",
+    mode: 0o600,
+  });
+}
 // ─── Email account persistence (Phase 5.6) ───────────────────────────────
 function loadEmailAccounts(filePath) {
@@ -418,6 +602,11 @@ export async function getHub() {
 }
 export function close() {
+  if (_hub && _hub.aichatHealthChecker) {
+    try {
+      _hub.aichatHealthChecker.stop();
+    } catch (_e) {}
+  }
   if (_hub && _hub.vault) {
     try {
       _hub.vault.close();

package/src/lib/sync-cli-db.js ADDED Viewed

@@ -0,0 +1,194 @@
+/**
+ * CLI sync vault — better-sqlite3 wrapper exposing dbManager.run/all/get
+ * interface matching desktop's engine deps signature.
+ *
+ * Phase 3c follow-up Phase 2: cc sync run requires SQLite store for cursors,
+ * tombstones, and knowledge_items. CLI vault lives at
+ * `~/.chainlesschain/cli-vault.db` and is plain SQLite (no SQLCipher) —
+ * encryption is at the OS file-permission layer; users wanting strong
+ * crypto should use desktop with hardware U-Key.
+ *
+ * Schema mirrors desktop `database-schema.js` for the 3 sync-relevant
+ * tables (auto-initialized on first open):
+ *   - knowledge_items                  user notes (source of truth for sync)
+ *   - sync_external_provider_cursor    per-provider state
+ *   - sync_external_tombstones         per-provider delete queue
+ *   - trg_sync_ext_tombstone_on_delete trigger (auto-fan tombstone on delete)
+ */
+"use strict";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+function _ccDir() {
+  return (
+    process.env.CHAINLESSCHAIN_HOME ||
+    path.join(os.homedir(), ".chainlesschain")
+  );
+}
+function _vaultPath() {
+  return path.join(_ccDir(), "cli-vault.db");
+}
+const CLI_VAULT_SCHEMA = `
+CREATE TABLE IF NOT EXISTS knowledge_items (
+  id TEXT PRIMARY KEY,
+  title TEXT NOT NULL,
+  type TEXT NOT NULL DEFAULT 'note',
+  content TEXT,
+  tags TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+CREATE TABLE IF NOT EXISTS sync_external_provider_cursor (
+  provider_id TEXT NOT NULL,
+  account_key TEXT NOT NULL DEFAULT '',
+  last_sync_at INTEGER NOT NULL DEFAULT 0,
+  last_item_id TEXT,
+  remote_etag_map TEXT NOT NULL DEFAULT '{}',
+  remote_filename_map TEXT NOT NULL DEFAULT '{}',
+  last_run_status TEXT,
+  last_run_error TEXT,
+  last_run_duration_ms INTEGER,
+  items_pushed INTEGER NOT NULL DEFAULT 0,
+  items_skipped INTEGER NOT NULL DEFAULT 0,
+  items_deleted INTEGER NOT NULL DEFAULT 0,
+  created_at INTEGER NOT NULL DEFAULT (strftime('%s','now') * 1000),
+  updated_at INTEGER NOT NULL DEFAULT (strftime('%s','now') * 1000),
+  PRIMARY KEY (provider_id, account_key)
+);
+CREATE TABLE IF NOT EXISTS sync_external_tombstones (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  provider_id TEXT NOT NULL,
+  account_key TEXT NOT NULL DEFAULT '',
+  item_id TEXT NOT NULL,
+  resource_type TEXT,
+  deleted_at INTEGER NOT NULL,
+  retry_count INTEGER NOT NULL DEFAULT 0,
+  last_error TEXT,
+  UNIQUE(provider_id, account_key, item_id)
+);
+CREATE TRIGGER IF NOT EXISTS trg_sync_ext_tombstone_on_delete
+AFTER DELETE ON knowledge_items
+FOR EACH ROW
+BEGIN
+  INSERT OR IGNORE INTO sync_external_tombstones
+    (provider_id, account_key, item_id, resource_type, deleted_at)
+  SELECT c.provider_id, c.account_key, OLD.id, 'KNOWLEDGE_ITEM',
+         (strftime('%s','now') * 1000)
+  FROM sync_external_provider_cursor c;
+END;
+`;
+/**
+ * Wraps better-sqlite3 Database with the {run, all, get} surface that
+ * the desktop sync engine's deps.dbManager expects.
+ */
+class CliVaultDbManager {
+  constructor(db) {
+    this.db = db;
+  }
+  /** Match desktop dbManager.run(sql, params=[]) */
+  run(sql, params = []) {
+    this.db.prepare(sql).run(...params);
+  }
+  /** Match desktop dbManager.get(sql, params=[]) → row or undefined */
+  get(sql, params = []) {
+    const row = this.db.prepare(sql).get(...params);
+    return row ?? undefined;
+  }
+  /** Match desktop dbManager.all(sql, params=[]) → rows */
+  all(sql, params = []) {
+    return this.db.prepare(sql).all(...params);
+  }
+  close() {
+    if (this.db && this.db.open) this.db.close();
+  }
+}
+/**
+ * Open (or create) the CLI vault. Auto-initializes schema on first open.
+ *
+ * @returns {Promise<{dbManager: CliVaultDbManager, vaultPath: string}>}
+ */
+async function openCliVault() {
+  const dir = _ccDir();
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  // Lazy-import better-sqlite3 — heavy native dep, defer until run-time
+  // (so the CLI doesn't even pay the require cost for non-sync commands).
+  let Database;
+  try {
+    Database = (await import("better-sqlite3")).default;
+  } catch (err) {
+    const e = new Error(
+      "CLI vault requires better-sqlite3 npm package. " +
+        "Run `npm install -g chainlesschain` to fetch the prebuilt binary, " +
+        "or `cd packages/cli && npm install` for the dev workspace. " +
+        "Underlying error: " +
+        (err?.message || String(err)),
+    );
+    e.code = "BETTER_SQLITE3_MISSING";
+    throw e;
+  }
+  const vp = _vaultPath();
+  const db = new Database(vp);
+  db.exec(CLI_VAULT_SCHEMA);
+  return { dbManager: new CliVaultDbManager(db), vaultPath: vp };
+}
+let _ccDirOverride = null;
+function _setCcDirForTest(dir) {
+  _ccDirOverride = dir;
+}
+function _resetCcDirForTest() {
+  _ccDirOverride = null;
+}
+// Re-wrap _ccDir/_vaultPath to honor override (test seam)
+const _originalCcDir = _ccDir;
+function _ccDirEffective() {
+  return _ccDirOverride ?? _originalCcDir();
+}
+function _vaultPathEffective() {
+  return path.join(_ccDirEffective(), "cli-vault.db");
+}
+async function openCliVaultT() {
+  const dir = _ccDirEffective();
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  let Database;
+  try {
+    Database = (await import("better-sqlite3")).default;
+  } catch (err) {
+    const e = new Error(
+      "CLI vault requires better-sqlite3 npm package: " + (err?.message || err),
+    );
+    e.code = "BETTER_SQLITE3_MISSING";
+    throw e;
+  }
+  const vp = _vaultPathEffective();
+  const db = new Database(vp);
+  db.exec(CLI_VAULT_SCHEMA);
+  return { dbManager: new CliVaultDbManager(db), vaultPath: vp };
+}
+export {
+  openCliVaultT as openCliVault,
+  CliVaultDbManager,
+  CLI_VAULT_SCHEMA,
+  _setCcDirForTest,
+  _resetCcDirForTest,
+  _vaultPathEffective as _vaultPath,
+};

package/src/lib/sync-credentials.js ADDED Viewed

@@ -0,0 +1,225 @@
+/**
+ * CLI sync provider credentials store — Phase 3c follow-up.
+ *
+ * Electron 的 `safeStorage` 在 CLI 没法用，所以这里搭一个 file-based equivalent:
+ *
+ *   - Master key 自动生成 (32 字节 random) 落 `~/.chainlesschain/sync-credentials.key`
+ *     文件 mode 0600 (Unix) / NTFS ACL (Win — fs.chmodSync 容错)
+ *   - 凭据 JSON 编 AES-256-GCM (iv 12B + auth tag 16B)
+ *     落 `~/.chainlesschain/sync-credentials.enc`
+ *   - SENSITIVE_FIELDS 镜像 desktop secure-config-storage.js 用于 sanitize
+ *
+ * 与 desktop sync-credentials.js 同 surface：
+ *   getCredentials / setCredentials / clearCredentials / hasCredentials /
+ *   getCredentialsSanitized / ALLOWED_PROVIDER_IDS
+ *
+ * 威胁模型：root/admin 能读 master key 文件即破，是 CLI 工具合理 baseline
+ * （同 git ~/.netrc / ~/.aws/credentials）。OS keyring 强加密留 v0.2。
+ */
+"use strict";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import crypto from "node:crypto";
+const SENSITIVE_FIELDS = ["sync.webdav.password", "sync.oss.secretAccessKey"];
+const ALLOWED_PROVIDER_IDS = ["webdav", "oss"];
+const MASK = "********";
+const AES_ALG = "aes-256-gcm";
+const IV_LEN = 12;
+const TAG_LEN = 16;
+const KEY_LEN = 32;
+let _ccDirOverride = null;
+function _ccDir() {
+  if (_ccDirOverride) return _ccDirOverride;
+  return (
+    process.env.CHAINLESSCHAIN_HOME ||
+    path.join(os.homedir(), ".chainlesschain")
+  );
+}
+function _keyPath() {
+  return path.join(_ccDir(), "sync-credentials.key");
+}
+function _vaultPath() {
+  return path.join(_ccDir(), "sync-credentials.enc");
+}
+function _ensureDir() {
+  const dir = _ccDir();
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+}
+function _loadOrCreateMasterKey() {
+  _ensureDir();
+  const kp = _keyPath();
+  if (fs.existsSync(kp)) {
+    const buf = fs.readFileSync(kp);
+    if (buf.length !== KEY_LEN) {
+      throw new Error(
+        `sync-credentials: master key file ${kp} has wrong length ` +
+          `(${buf.length} bytes, expected ${KEY_LEN}). Delete + regenerate manually if intentional.`,
+      );
+    }
+    return buf;
+  }
+  const key = crypto.randomBytes(KEY_LEN);
+  fs.writeFileSync(kp, key);
+  try {
+    fs.chmodSync(kp, 0o600);
+  } catch (_e) {
+    /* non-fatal: NTFS / older fs */
+  }
+  return key;
+}
+function _encryptBlob(plainJson) {
+  const key = _loadOrCreateMasterKey();
+  const iv = crypto.randomBytes(IV_LEN);
+  const cipher = crypto.createCipheriv(AES_ALG, key, iv);
+  const enc = Buffer.concat([
+    cipher.update(plainJson, "utf-8"),
+    cipher.final(),
+  ]);
+  const tag = cipher.getAuthTag();
+  // file layout: [iv (12)] [tag (16)] [ciphertext]
+  return Buffer.concat([iv, tag, enc]);
+}
+function _decryptBlob(buf) {
+  if (!Buffer.isBuffer(buf) || buf.length < IV_LEN + TAG_LEN + 1) {
+    throw new Error("sync-credentials: enc file too small or invalid");
+  }
+  const key = _loadOrCreateMasterKey();
+  const iv = buf.subarray(0, IV_LEN);
+  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
+  const enc = buf.subarray(IV_LEN + TAG_LEN);
+  const decipher = crypto.createDecipheriv(AES_ALG, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(enc), decipher.final()]).toString(
+    "utf-8",
+  );
+}
+function loadAll() {
+  const vp = _vaultPath();
+  if (!fs.existsSync(vp)) return {};
+  const buf = fs.readFileSync(vp);
+  try {
+    return JSON.parse(_decryptBlob(buf));
+  } catch (err) {
+    throw new Error(
+      `sync-credentials: decrypt failed (${err?.message}). ` +
+        `Vault may be corrupted or master key changed. ` +
+        `Remove ${vp} + reconfigure to recover.`,
+    );
+  }
+}
+function saveAll(all) {
+  _ensureDir();
+  fs.writeFileSync(_vaultPath(), _encryptBlob(JSON.stringify(all)));
+  return true;
+}
+function assertProviderId(providerId) {
+  if (!ALLOWED_PROVIDER_IDS.includes(providerId)) {
+    throw new Error(
+      `sync-credentials: unknown provider id '${providerId}' ` +
+        `(allowed: ${ALLOWED_PROVIDER_IDS.join(", ")})`,
+    );
+  }
+}
+function sanitize(all) {
+  if (!all || typeof all !== "object") return all;
+  const clone = JSON.parse(JSON.stringify(all));
+  for (const dotPath of SENSITIVE_FIELDS) {
+    const parts = dotPath.split(".");
+    let cur = clone;
+    for (let i = 0; i < parts.length - 1; i++) {
+      if (cur && typeof cur === "object" && parts[i] in cur) {
+        cur = cur[parts[i]];
+      } else {
+        cur = null;
+        break;
+      }
+    }
+    const last = parts[parts.length - 1];
+    if (
+      cur &&
+      typeof cur === "object" &&
+      cur[last] != null &&
+      cur[last] !== ""
+    ) {
+      cur[last] = MASK;
+    }
+  }
+  return clone;
+}
+function getCredentials(providerId) {
+  assertProviderId(providerId);
+  return loadAll()?.sync?.[providerId] ?? {};
+}
+function getCredentialsSanitized(providerId) {
+  assertProviderId(providerId);
+  return sanitize(loadAll())?.sync?.[providerId] ?? {};
+}
+function hasCredentials(providerId) {
+  return Object.values(getCredentials(providerId)).some(
+    (v) => v !== null && v !== undefined && v !== "",
+  );
+}
+function setCredentials(providerId, creds) {
+  assertProviderId(providerId);
+  if (!creds || typeof creds !== "object") {
+    throw new Error("sync-credentials: creds must be an object");
+  }
+  const all = loadAll();
+  if (!all.sync || typeof all.sync !== "object") all.sync = {};
+  all.sync[providerId] = { ...creds };
+  return saveAll(all);
+}
+function clearCredentials(providerId) {
+  assertProviderId(providerId);
+  const all = loadAll();
+  if (all?.sync?.[providerId]) {
+    delete all.sync[providerId];
+    return saveAll(all);
+  }
+  return true;
+}
+/** Test seam: override the resolved chainlesschain dir without env leak. */
+function _setCcDirForTest(dir) {
+  _ccDirOverride = dir;
+}
+function _resetCcDirForTest() {
+  _ccDirOverride = null;
+}
+export {
+  ALLOWED_PROVIDER_IDS,
+  SENSITIVE_FIELDS,
+  MASK,
+  getCredentials,
+  getCredentialsSanitized,
+  hasCredentials,
+  setCredentials,
+  clearCredentials,
+  _setCcDirForTest,
+  _resetCcDirForTest,
+  _keyPath,
+  _vaultPath,
+};