chainlesschain 0.37.9 → 0.37.11

package/src/lib/cowork-adapter.js

@@ -0,0 +1,106 @@
+/**
+ * Cowork Adapter — bridges CLI's LLM infrastructure to cowork modules.
+ *
+ * Provides:
+ *  - Unified LLM chat function (works with any configured provider)
+ *  - Logger shim compatible with desktop modules
+ *  - Module initialization helper
+ */
+
+import { LLMProviderRegistry, BUILT_IN_PROVIDERS } from "./llm-providers.js";
+
+/**
+ * Create a chat completion function that routes through the active LLM provider.
+ *
+ * @param {object} [options]
+ * @param {string} [options.provider] - Provider name override
+ * @param {string} [options.model] - Model name override
+ * @param {string} [options.baseUrl] - Base URL override
+ * @param {string} [options.apiKey] - API key override
+ * @returns {(messages: object[], opts?: object) => Promise<string>}
+ */
+export function createChatFn(options = {}) {
+  const provider = options.provider || process.env.LLM_PROVIDER || "ollama";
+  const providerDef = BUILT_IN_PROVIDERS[provider] || BUILT_IN_PROVIDERS.ollama;
+  const model = options.model || process.env.LLM_MODEL || providerDef.models[0];
+  const baseUrl = options.baseUrl || providerDef.baseUrl;
+
+  return async function chat(messages, opts = {}) {
+    const currentModel = opts.model || model;
+    const maxTokens = opts.maxTokens || 2048;
+
+    if (provider === "ollama") {
+      const res = await fetch(`${baseUrl}/api/chat`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          model: currentModel,
+          messages,
+          stream: false,
+          options: { num_predict: maxTokens },
+        }),
+      });
+      if (!res.ok) throw new Error(`Ollama error: ${res.status}`);
+      const data = await res.json();
+      return data.message?.content || "";
+    }
+
+    if (provider === "anthropic") {
+      const key = options.apiKey || process.env[providerDef.apiKeyEnv];
+      if (!key) throw new Error("ANTHROPIC_API_KEY not set");
+      // Extract system message if present
+      const systemMsgs = messages.filter((m) => m.role === "system");
+      const otherMsgs = messages.filter((m) => m.role !== "system");
+      const body = {
+        model: currentModel,
+        max_tokens: maxTokens,
+        messages: otherMsgs,
+      };
+      if (systemMsgs.length > 0) {
+        body.system = systemMsgs.map((m) => m.content).join("\n");
+      }
+      const res = await fetch(`${baseUrl}/messages`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "x-api-key": key,
+          "anthropic-version": "2023-06-01",
+        },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) throw new Error(`Anthropic error: ${res.status}`);
+      const data = await res.json();
+      return data.content?.[0]?.text || "";
+    }
+
+    // OpenAI-compatible (openai, deepseek, dashscope, mistral, gemini)
+    const key = options.apiKey || process.env[providerDef.apiKeyEnv];
+    if (!key) throw new Error(`${providerDef.apiKeyEnv} not set`);
+
+    const res = await fetch(`${baseUrl}/chat/completions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${key}`,
+      },
+      body: JSON.stringify({
+        model: currentModel,
+        messages,
+        max_tokens: maxTokens,
+      }),
+    });
+    if (!res.ok) throw new Error(`API error: ${res.status}`);
+    const data = await res.json();
+    return data.choices?.[0]?.message?.content || "";
+  };
+}
+
+/**
+ * Logger shim — compatible with desktop module expectations
+ */
+export const coworkLogger = {
+  info: (...args) => console.log("[cowork]", ...args),
+  warn: (...args) => console.warn("[cowork]", ...args),
+  error: (...args) => console.error("[cowork]", ...args),
+  debug: () => {},
+};

package/src/lib/crypto-manager.js

@@ -0,0 +1,246 @@
+/**
+ * Crypto Manager — file encryption/decryption using AES-256-GCM.
+ * Uses Node.js built-in crypto module, no external dependencies.
+ */
+
+import crypto from "crypto";
+import fs from "fs";
+import path from "path";
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 12; // 96 bits for GCM
+const SALT_LENGTH = 32;
+const TAG_LENGTH = 16;
+const PBKDF2_ITERATIONS = 100000;
+const MAGIC_HEADER = Buffer.from("CCLC01"); // ChainLessChain v01
+
+/**
+ * Derive a key from a password using PBKDF2.
+ */
+export function deriveKey(password, salt) {
+  return crypto.pbkdf2Sync(
+    password,
+    salt,
+    PBKDF2_ITERATIONS,
+    KEY_LENGTH,
+    "sha512",
+  );
+}
+
+/**
+ * Encrypt a buffer with AES-256-GCM.
+ * Returns: MAGIC(6) + SALT(32) + IV(12) + TAG(16) + CIPHERTEXT
+ */
+export function encryptBuffer(plaintext, password) {
+  const salt = crypto.randomBytes(SALT_LENGTH);
+  const key = deriveKey(password, salt);
+  const iv = crypto.randomBytes(IV_LENGTH);
+
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+
+  return Buffer.concat([MAGIC_HEADER, salt, iv, tag, encrypted]);
+}
+
+/**
+ * Decrypt a buffer encrypted with encryptBuffer.
+ */
+export function decryptBuffer(data, password) {
+  // Validate magic header
+  if (
+    data.length <
+    MAGIC_HEADER.length + SALT_LENGTH + IV_LENGTH + TAG_LENGTH
+  ) {
+    throw new Error("Invalid encrypted data: too short");
+  }
+
+  const magic = data.subarray(0, MAGIC_HEADER.length);
+  if (!magic.equals(MAGIC_HEADER)) {
+    throw new Error(
+      "Invalid encrypted data: bad header (not a ChainlessChain encrypted file)",
+    );
+  }
+
+  let offset = MAGIC_HEADER.length;
+  const salt = data.subarray(offset, offset + SALT_LENGTH);
+  offset += SALT_LENGTH;
+  const iv = data.subarray(offset, offset + IV_LENGTH);
+  offset += IV_LENGTH;
+  const tag = data.subarray(offset, offset + TAG_LENGTH);
+  offset += TAG_LENGTH;
+  const ciphertext = data.subarray(offset);
+
+  const key = deriveKey(password, salt);
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+
+  try {
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  } catch (_err) {
+    throw new Error("Decryption failed: wrong password or corrupted data");
+  }
+}
+
+/**
+ * Encrypt a file to a .enc output file.
+ */
+export function encryptFile(inputPath, password, outputPath) {
+  if (!fs.existsSync(inputPath)) {
+    throw new Error(`File not found: ${inputPath}`);
+  }
+
+  const plaintext = fs.readFileSync(inputPath);
+  const encrypted = encryptBuffer(plaintext, password);
+
+  const outPath = outputPath || `${inputPath}.enc`;
+  fs.writeFileSync(outPath, encrypted);
+
+  return {
+    inputPath,
+    outputPath: outPath,
+    originalSize: plaintext.length,
+    encryptedSize: encrypted.length,
+  };
+}
+
+/**
+ * Decrypt a .enc file.
+ */
+export function decryptFile(inputPath, password, outputPath) {
+  if (!fs.existsSync(inputPath)) {
+    throw new Error(`File not found: ${inputPath}`);
+  }
+
+  const data = fs.readFileSync(inputPath);
+  const plaintext = decryptBuffer(data, password);
+
+  // Default output: remove .enc extension, or add .dec
+  const outPath =
+    outputPath ||
+    (inputPath.endsWith(".enc") ? inputPath.slice(0, -4) : `${inputPath}.dec`);
+
+  fs.writeFileSync(outPath, plaintext);
+
+  return {
+    inputPath,
+    outputPath: outPath,
+    encryptedSize: data.length,
+    decryptedSize: plaintext.length,
+  };
+}
+
+/**
+ * Check if a file is encrypted with our format.
+ */
+export function isEncryptedFile(filePath) {
+  try {
+    const fd = fs.openSync(filePath, "r");
+    const buf = Buffer.alloc(MAGIC_HEADER.length);
+    fs.readSync(fd, buf, 0, MAGIC_HEADER.length, 0);
+    fs.closeSync(fd);
+    return buf.equals(MAGIC_HEADER);
+  } catch (_err) {
+    return false;
+  }
+}
+
+/**
+ * Generate a random encryption key (hex string).
+ */
+export function generateKey() {
+  return crypto.randomBytes(KEY_LENGTH).toString("hex");
+}
+
+/**
+ * Hash a password for storage (SHA-256 + salt).
+ * Returns { hash, salt } as hex strings.
+ */
+export function hashPassword(password) {
+  const salt = crypto.randomBytes(16).toString("hex");
+  const hash = crypto
+    .createHash("sha256")
+    .update(password + salt)
+    .digest("hex");
+  return { hash, salt };
+}
+
+/**
+ * Verify a password against a stored hash+salt.
+ */
+export function verifyPassword(password, hash, salt) {
+  const computed = crypto
+    .createHash("sha256")
+    .update(password + salt)
+    .digest("hex");
+  return crypto.timingSafeEqual(
+    Buffer.from(computed, "hex"),
+    Buffer.from(hash, "hex"),
+  );
+}
+
+/**
+ * Ensure crypto metadata table exists.
+ */
+export function ensureCryptoTable(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS crypto_metadata (
+      key TEXT PRIMARY KEY,
+      value TEXT NOT NULL,
+      created_at TEXT DEFAULT (datetime('now'))
+    )
+  `);
+}
+
+/**
+ * Set database encryption status.
+ */
+export function setDbEncryptionStatus(
+  db,
+  encrypted,
+  passwordHash,
+  passwordSalt,
+) {
+  ensureCryptoTable(db);
+  const stmt = db.prepare(
+    "INSERT OR REPLACE INTO crypto_metadata (key, value) VALUES (?, ?)",
+  );
+  stmt.run("db_encrypted", encrypted ? "true" : "false");
+  if (passwordHash) {
+    stmt.run("db_password_hash", passwordHash);
+    stmt.run("db_password_salt", passwordSalt);
+  }
+}
+
+/**
+ * Get database encryption status.
+ */
+export function getDbEncryptionStatus(db) {
+  ensureCryptoTable(db);
+  const row = db
+    .prepare("SELECT value FROM crypto_metadata WHERE key = ?")
+    .get("db_encrypted");
+  return row?.value === "true";
+}
+
+/**
+ * Get file info for encrypted file.
+ */
+export function getEncryptedFileInfo(filePath) {
+  if (!fs.existsSync(filePath)) {
+    throw new Error(`File not found: ${filePath}`);
+  }
+
+  const stats = fs.statSync(filePath);
+  const encrypted = isEncryptedFile(filePath);
+
+  return {
+    path: path.resolve(filePath),
+    size: stats.size,
+    encrypted,
+    extension: path.extname(filePath),
+    modified: stats.mtime.toISOString(),
+  };
+}

package/src/lib/did-manager.js

@@ -0,0 +1,270 @@
+/**
+ * DID Manager — Decentralized Identity management for CLI.
+ * Ed25519 key generation, DID document creation, signing, and verification.
+ * Uses Node.js built-in crypto module (no external dependencies).
+ */
+
+import crypto from "crypto";
+
+/**
+ * Ensure DID tables exist.
+ */
+export function ensureDIDTables(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS did_identities (
+      did TEXT PRIMARY KEY,
+      display_name TEXT,
+      public_key TEXT NOT NULL,
+      secret_key TEXT NOT NULL,
+      did_document TEXT,
+      is_default INTEGER DEFAULT 0,
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now'))
+    )
+  `);
+}
+
+/**
+ * Generate an Ed25519 keypair.
+ * Returns { publicKey, secretKey } as hex strings.
+ */
+export function generateKeyPair() {
+  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519", {
+    publicKeyEncoding: { type: "spki", format: "der" },
+    privateKeyEncoding: { type: "pkcs8", format: "der" },
+  });
+  return {
+    publicKey: publicKey.toString("hex"),
+    secretKey: privateKey.toString("hex"),
+  };
+}
+
+/**
+ * Generate a DID from a public key.
+ * Format: did:chainless:<base64url-of-sha256-of-pubkey>
+ */
+export function generateDID(publicKeyHex) {
+  const hash = crypto
+    .createHash("sha256")
+    .update(Buffer.from(publicKeyHex, "hex"))
+    .digest();
+  const id = hash.toString("base64url").slice(0, 32);
+  return `did:chainless:${id}`;
+}
+
+/**
+ * Create a DID Document (W3C DID Core spec subset).
+ */
+export function createDIDDocument(did, publicKeyHex, displayName) {
+  return {
+    "@context": ["https://www.w3.org/ns/did/v1"],
+    id: did,
+    controller: did,
+    verificationMethod: [
+      {
+        id: `${did}#key-1`,
+        type: "Ed25519VerificationKey2020",
+        controller: did,
+        publicKeyHex: publicKeyHex,
+      },
+    ],
+    authentication: [`${did}#key-1`],
+    assertionMethod: [`${did}#key-1`],
+    service: displayName
+      ? [
+          {
+            id: `${did}#profile`,
+            type: "ProfileService",
+            serviceEndpoint: { name: displayName },
+          },
+        ]
+      : [],
+    created: new Date().toISOString(),
+  };
+}
+
+/**
+ * Create a new DID identity and store in DB.
+ */
+export function createIdentity(db, displayName) {
+  ensureDIDTables(db);
+
+  const keys = generateKeyPair();
+  const did = generateDID(keys.publicKey);
+  const doc = createDIDDocument(did, keys.publicKey, displayName);
+
+  // If no identities exist, this becomes the default
+  const count = db.prepare("SELECT COUNT(*) as c FROM did_identities").get().c;
+  const isDefault = count === 0 ? 1 : 0;
+
+  db.prepare(
+    `INSERT INTO did_identities (did, display_name, public_key, secret_key, did_document, is_default)
+     VALUES (?, ?, ?, ?, ?, ?)`,
+  ).run(
+    did,
+    displayName || null,
+    keys.publicKey,
+    keys.secretKey,
+    JSON.stringify(doc),
+    isDefault,
+  );
+
+  return {
+    did,
+    displayName,
+    publicKey: keys.publicKey,
+    document: doc,
+    isDefault: isDefault === 1,
+  };
+}
+
+/**
+ * Get identity by DID or prefix.
+ */
+export function getIdentity(db, didOrPrefix) {
+  ensureDIDTables(db);
+  return db
+    .prepare("SELECT * FROM did_identities WHERE did LIKE ?")
+    .get(`${didOrPrefix}%`);
+}
+
+/**
+ * Get all identities.
+ */
+export function getAllIdentities(db) {
+  ensureDIDTables(db);
+  return db
+    .prepare(
+      "SELECT * FROM did_identities ORDER BY is_default DESC, created_at DESC",
+    )
+    .all();
+}
+
+/**
+ * Get the default identity.
+ */
+export function getDefaultIdentity(db) {
+  ensureDIDTables(db);
+  return db.prepare("SELECT * FROM did_identities WHERE is_default = 1").get();
+}
+
+/**
+ * Set an identity as the default.
+ */
+export function setDefaultIdentity(db, did) {
+  ensureDIDTables(db);
+  const identity = getIdentity(db, did);
+  if (!identity) return false;
+
+  db.prepare("UPDATE did_identities SET is_default = ? WHERE did LIKE ?").run(
+    0,
+    "%",
+  );
+  db.prepare("UPDATE did_identities SET is_default = ? WHERE did = ?").run(
+    1,
+    identity.did,
+  );
+  return true;
+}
+
+/**
+ * Delete an identity by DID.
+ */
+export function deleteIdentity(db, did) {
+  ensureDIDTables(db);
+  const identity = getIdentity(db, did);
+  if (!identity) return false;
+
+  const result = db
+    .prepare("DELETE FROM did_identities WHERE did = ?")
+    .run(identity.did);
+  if (result.changes > 0 && identity.is_default) {
+    // Promote next identity to default
+    const next = db
+      .prepare("SELECT did FROM did_identities ORDER BY created_at ASC LIMIT 1")
+      .get();
+    if (next) {
+      db.prepare("UPDATE did_identities SET is_default = 1 WHERE did = ?").run(
+        next.did,
+      );
+    }
+  }
+  return result.changes > 0;
+}
+
+/**
+ * Sign a message using an identity's secret key.
+ * Returns the signature as hex string.
+ */
+export function signMessage(db, did, message) {
+  ensureDIDTables(db);
+  const identity = getIdentity(db, did);
+  if (!identity) throw new Error(`Identity not found: ${did}`);
+
+  const privateKey = crypto.createPrivateKey({
+    key: Buffer.from(identity.secret_key, "hex"),
+    format: "der",
+    type: "pkcs8",
+  });
+
+  const signature = crypto.sign(null, Buffer.from(message, "utf8"), privateKey);
+  return signature.toString("hex");
+}
+
+/**
+ * Verify a signature against a message and public key.
+ */
+export function verifySignature(publicKeyHex, message, signatureHex) {
+  try {
+    const publicKey = crypto.createPublicKey({
+      key: Buffer.from(publicKeyHex, "hex"),
+      format: "der",
+      type: "spki",
+    });
+
+    return crypto.verify(
+      null,
+      Buffer.from(message, "utf8"),
+      publicKey,
+      Buffer.from(signatureHex, "hex"),
+    );
+  } catch (_err) {
+    // Invalid key or signature format
+    return false;
+  }
+}
+
+/**
+ * Verify a signature using a DID from the database.
+ */
+export function verifyWithDID(db, did, message, signatureHex) {
+  const identity = getIdentity(db, did);
+  if (!identity) throw new Error(`Identity not found: ${did}`);
+  return verifySignature(identity.public_key, message, signatureHex);
+}
+
+/**
+ * Export identity (public data only, no secret key).
+ */
+export function exportIdentity(db, did) {
+  const identity = getIdentity(db, did);
+  if (!identity) return null;
+
+  return {
+    did: identity.did,
+    displayName: identity.display_name,
+    publicKey: identity.public_key,
+    document: JSON.parse(identity.did_document || "{}"),
+    createdAt: identity.created_at,
+  };
+}
+
+/**
+ * Resolve a DID — returns the DID document.
+ * Currently local-only resolution.
+ */
+export function resolveDID(db, did) {
+  const identity = getIdentity(db, did);
+  if (!identity) return null;
+  return JSON.parse(identity.did_document || "{}");
+}

package/src/lib/ensure-utf8.js

@@ -0,0 +1,59 @@
+/**
+ * Ensure UTF-8 encoding on Windows to prevent Chinese character garbling (乱码).
+ *
+ * Windows console defaults to the system codepage (e.g. CP936/GBK for Chinese),
+ * which causes UTF-8 output from Node.js to display as garbled text.
+ * This module sets the console codepage to 65001 (UTF-8) and configures
+ * Node.js streams to use UTF-8 encoding.
+ */
+
+import { execSync } from "child_process";
+
+/**
+ * Call this as early as possible in the process entry point.
+ */
+export function ensureUtf8() {
+  if (process.platform !== "win32") return;
+
+  // Set Windows console codepage to UTF-8
+  try {
+    execSync("chcp 65001", { stdio: "ignore" });
+  } catch (_err) {
+    // Ignore - may fail in non-interactive environments
+  }
+
+  // Ensure stdout/stderr use UTF-8 encoding
+  if (process.stdout.setDefaultEncoding) {
+    process.stdout.setDefaultEncoding("utf8");
+  }
+  if (process.stderr.setDefaultEncoding) {
+    process.stderr.setDefaultEncoding("utf8");
+  }
+
+  // Set environment variable so child processes inherit UTF-8
+  process.env.PYTHONIOENCODING = "utf-8";
+  process.env.LANG = "en_US.UTF-8";
+}
+
+/**
+ * Get spawn options that ensure UTF-8 output from child processes on Windows.
+ * Use this when spawning cmd.exe or other system processes.
+ *
+ * @param {object} [opts] - Additional spawn options to merge
+ * @returns {object} Spawn options with encoding set to utf-8
+ */
+export function getUtf8SpawnOptions(opts = {}) {
+  if (process.platform !== "win32") return { encoding: "utf-8", ...opts };
+
+  return {
+    encoding: "utf-8",
+    env: {
+      ...process.env,
+      PYTHONIOENCODING: "utf-8",
+      // Force cmd.exe to use UTF-8 codepage
+      CHCP: "65001",
+      ...opts.env,
+    },
+    ...opts,
+  };
+}