npm - clay-server - Versions diffs - 2.33.1 → 2.34.0-beta.1 - Mend

clay-server 2.33.1 → 2.34.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/lib/config.js +9 -13
package/lib/daemon.js +19 -17
package/lib/mate-datastore.js +337 -0
package/lib/os-users.js +57 -37
package/lib/project-http.js +3 -4
package/lib/project-image.js +3 -2
package/lib/project-mate-datastore.js +218 -0
package/lib/project.js +29 -0
package/lib/public/app.js +2 -0
package/lib/public/css/mates.css +175 -0
package/lib/public/css/messages.css +23 -0
package/lib/public/css/notifications-center.css +76 -0
package/lib/public/index.html +28 -0
package/lib/public/modules/app-messages.js +25 -0
package/lib/public/modules/mate-datastore-ui.js +270 -0
package/lib/public/modules/mate-sidebar.js +3 -0
package/lib/public/modules/tools.js +57 -5
package/lib/sdk-bridge.js +20 -13
package/lib/sdk-message-processor.js +7 -1
package/lib/updater.js +2 -2
package/lib/users.js +2 -2
package/lib/ws-schema.js +14 -0
package/lib/yoke/adapters/codex.js +1 -0
package/lib/yoke/index.js +20 -13
package/package.json +1 -1

package/lib/config.js CHANGED Viewed

@@ -2,31 +2,27 @@ var fs = require("fs");
 var path = require("path");
 var os = require("os");
 var net = require("net");
+var execFileSync = require("child_process").execFileSync;
+function isSafeSystemUserName(name) {
+  return typeof name === "string" && /^[a-z_][a-z0-9_-]*[$]?$/.test(name);
+}
 // When running under sudo, resolve the real user's home directory
 // so that ~/.clay/ points to the original user's data, not /root/.clay/
 function getRealHome() {
   var sudoUser = process.env.SUDO_USER;
-  if (sudoUser && sudoUser !== "root") {
+  if (sudoUser && sudoUser !== "root" && isSafeSystemUserName(sudoUser)) {
     // 1. Try getent passwd (works on most Linux, may fail with some NSS configs)
     try {
-      var entry = require("child_process")
-        .execSync("getent passwd " + sudoUser, { encoding: "utf8", timeout: 3000 })
-        .trim();
+      var entry = execFileSync("getent", ["passwd", sudoUser], { encoding: "utf8", timeout: 3000 }).trim();
       var home = entry.split(":")[5];
       if (home && fs.existsSync(home)) return home;
     } catch (e) {}
-    // 2. Try shell expansion of ~USER
-    try {
-      var home = require("child_process")
-        .execSync("eval echo ~" + sudoUser, { encoding: "utf8", timeout: 3000 })
-        .trim();
-      if (home && home !== "~" + sudoUser && fs.existsSync(home)) return home;
-    } catch (e2) {}
-    // 3. Direct path fallback (GCE, cloud VMs)
+    // 2. Direct path fallback (GCE, cloud VMs)
     var directHome = "/home/" + sudoUser;
     if (fs.existsSync(directHome)) return directHome;
-    // 4. SUDO_USER's original HOME (some sudo configs preserve it)
+    // 3. SUDO_USER's original HOME (some sudo configs preserve it)
     if (process.env.SUDO_HOME && fs.existsSync(process.env.SUDO_HOME)) return process.env.SUDO_HOME;
   }
   return os.homedir();

package/lib/daemon.js CHANGED Viewed

@@ -53,11 +53,11 @@ console.log("[daemon] UID: " + (typeof process.getuid === "function" ? process.g
 // --- OS users mode: check required system dependencies ---
 if (config.osUsers) {
-  var { execSync: checkExec } = require("child_process");
+  var checkExec = require("child_process").execFileSync;
   var missing = [];
-  try { checkExec("which setfacl", { stdio: "ignore" }); } catch (e) { missing.push("acl (setfacl)"); }
-  try { checkExec("which git", { stdio: "ignore" }); } catch (e) { missing.push("git"); }
-  try { checkExec("which useradd", { stdio: "ignore" }); } catch (e) { missing.push("useradd"); }
+  try { checkExec("which", ["setfacl"], { stdio: "ignore" }); } catch (e) { missing.push("acl (setfacl)"); }
+  try { checkExec("which", ["git"], { stdio: "ignore" }); } catch (e) { missing.push("git"); }
+  try { checkExec("which", ["useradd"], { stdio: "ignore" }); } catch (e) { missing.push("useradd"); }
   if (missing.length > 0) {
     console.error("[daemon] OS users mode requires missing system packages: " + missing.join(", "));
     console.error("[daemon] Install with:  sudo apt install " + missing.map(function (m) { return m.split(" ")[0]; }).join(" "));
@@ -179,7 +179,7 @@ var relay = createServer({
   onCreateProject: function (projectName, wsUser) {
     console.log("[daemon] onCreateProject wsUser:", JSON.stringify(wsUser ? { id: wsUser.id, role: wsUser.role, username: wsUser.username, linuxUser: wsUser.linuxUser } : null));
     var os = require("os");
-    var { execSync } = require("child_process");
+    var execFileSync = require("child_process").execFileSync;
     var baseDir;
     if (config.osUsers) {
       baseDir = "/var/clay/projects";
@@ -199,21 +199,23 @@ var relay = createServer({
         if (linuxUser) {
           var uidGid = null;
           try {
-            var passwdLine = execSync("id -u " + linuxUser + " && id -g " + linuxUser, { encoding: "utf8" }).trim().split("\n");
-            uidGid = { uid: parseInt(passwdLine[0], 10), gid: parseInt(passwdLine[1], 10) };
+            uidGid = {
+              uid: parseInt(execFileSync("id", ["-u", linuxUser], { encoding: "utf8", stdio: "pipe" }).trim(), 10),
+              gid: parseInt(execFileSync("id", ["-g", linuxUser], { encoding: "utf8", stdio: "pipe" }).trim(), 10),
+            };
           } catch (e) {}
           if (uidGid) {
             fs.chmodSync(targetDir, 0o700);
-            execSync("chown -R " + linuxUser + ":" + linuxUser + " " + JSON.stringify(targetDir));
-            execSync("git init", { cwd: targetDir, uid: uidGid.uid, gid: uidGid.gid, env: { PATH: "/usr/local/bin:/usr/bin:/bin" } });
+            execFileSync("chown", ["-R", linuxUser + ":" + linuxUser, targetDir]);
+            execFileSync("git", ["init"], { cwd: targetDir, uid: uidGid.uid, gid: uidGid.gid, env: { PATH: "/usr/local/bin:/usr/bin:/bin" } });
           } else {
-            execSync("git init", { cwd: targetDir });
+            execFileSync("git", ["init"], { cwd: targetDir });
           }
         } else {
-          execSync("git init", { cwd: targetDir });
+          execFileSync("git", ["init"], { cwd: targetDir });
         }
       } else {
-        execSync("git init", { cwd: targetDir });
+        execFileSync("git", ["init"], { cwd: targetDir });
       }
     } catch (e) {
       try { fs.rmSync(targetDir, { recursive: true, force: true }); } catch (ce) {}
@@ -245,7 +247,8 @@ var relay = createServer({
   },
   onCloneProject: function (cloneUrl, wsUser, callback) {
     var os = require("os");
-    var { spawn, execSync } = require("child_process");
+    var spawn = require("child_process").spawn;
+    var execFileSync = require("child_process").execFileSync;
     var baseDir;
     if (config.osUsers) {
       baseDir = "/var/clay/projects";
@@ -262,9 +265,8 @@ var relay = createServer({
     var spawnOpts = { cwd: baseDir };
     if (config.osUsers && wsUser && wsUser.linuxUser) {
       try {
-        var passwdLine = execSync("id -u " + wsUser.linuxUser + " && id -g " + wsUser.linuxUser, { encoding: "utf8" }).trim().split("\n");
-        spawnOpts.uid = parseInt(passwdLine[0], 10);
-        spawnOpts.gid = parseInt(passwdLine[1], 10);
+        spawnOpts.uid = parseInt(execFileSync("id", ["-u", wsUser.linuxUser], { encoding: "utf8", stdio: "pipe" }).trim(), 10);
+        spawnOpts.gid = parseInt(execFileSync("id", ["-g", wsUser.linuxUser], { encoding: "utf8", stdio: "pipe" }).trim(), 10);
         spawnOpts.env = Object.assign({}, process.env, {
           HOME: "/home/" + wsUser.linuxUser,
           USER: wsUser.linuxUser
@@ -304,7 +306,7 @@ var relay = createServer({
       if (config.osUsers && wsUser && wsUser.linuxUser) {
         try {
           fs.chmodSync(targetDir, 0o700);
-          execSync("chown -R " + wsUser.linuxUser + ":" + wsUser.linuxUser + " " + JSON.stringify(targetDir));
+          execFileSync("chown", ["-R", wsUser.linuxUser + ":" + wsUser.linuxUser, targetDir]);
         } catch (e) {}
       }
       // Register project - creator always becomes owner

package/lib/mate-datastore.js ADDED Viewed

@@ -0,0 +1,337 @@
+var fs = require("fs");
+var path = require("path");
+var config = require("./config");
+var sqlite;
+try {
+  sqlite = require("node:sqlite");
+} catch (e) {
+  throw new Error("Mate datastores require Node 22.13.0 or newer with node:sqlite available.");
+}
+function parseNodeVersion(version) {
+  var parts = String(version || "").split(".");
+  return {
+    major: parseInt(parts[0] || "0", 10) || 0,
+    minor: parseInt(parts[1] || "0", 10) || 0,
+    patch: parseInt(parts[2] || "0", 10) || 0,
+  };
+}
+function assertNodeVersion() {
+  var v = parseNodeVersion(process.versions.node);
+  if (v.major < 22 || (v.major === 22 && v.minor < 13)) {
+    throw new Error("Mate datastores require Node 22.13.0 or newer.");
+  }
+}
+assertNodeVersion();
+var DatabaseSync = sqlite.DatabaseSync;
+var MAX_ROWS = 200;
+var MAX_RESULT_BYTES = 1024 * 1024;
+var DB_SIZE_WARNING_BYTES = 100 * 1024 * 1024;
+var PRAGMA_BUSY_TIMEOUT = 5000;
+var CLAY_META_VERSION = "1";
+var _dbCache = {};
+function getMateDbPath(opts) {
+  if (opts && opts.dbPath) return String(opts.dbPath);
+  if (opts && opts.mateDir) return path.join(String(opts.mateDir), "store.db");
+  var userId = opts && opts.userId ? String(opts.userId) : "default";
+  var mateId = opts && opts.mateId ? String(opts.mateId) : null;
+  if (!mateId) throw new Error("Mate datastore requires a mateId.");
+  return path.join(config.CONFIG_DIR, "mates", userId, mateId, "store.db");
+}
+function ensureParentDir(filePath) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+}
+function getDbSizeBytes(dbPath) {
+  try {
+    return fs.statSync(dbPath).size;
+  } catch (e) {
+    return 0;
+  }
+}
+function openDatabase(dbPath) {
+  var db = new DatabaseSync(dbPath);
+  try { db.exec("PRAGMA journal_mode = WAL"); } catch (e) {}
+  try { db.exec("PRAGMA foreign_keys = ON"); } catch (e2) {}
+  try { db.exec("PRAGMA busy_timeout = " + PRAGMA_BUSY_TIMEOUT); } catch (e3) {}
+  return db;
+}
+function initClayMeta(db) {
+  var now = new Date().toISOString();
+  db.exec("CREATE TABLE IF NOT EXISTS clay_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)");
+  var stmt = db.prepare("INSERT OR IGNORE INTO clay_meta (key, value) VALUES (?, ?)");
+  stmt.run("clay_meta_version", CLAY_META_VERSION);
+  stmt.run("created_at", now);
+  stmt.run("last_opened_at", now);
+  db.prepare("UPDATE clay_meta SET value = ? WHERE key = ?").run(now, "last_opened_at");
+}
+function ensureMateDatastore(opts) {
+  var dbPath = getMateDbPath(opts);
+  if (_dbCache[dbPath] && _dbCache[dbPath].db) return _dbCache[dbPath];
+  ensureParentDir(dbPath);
+  var db = openDatabase(dbPath);
+  initClayMeta(db);
+  var wrapper = {
+    db: db,
+    dbPath: dbPath,
+    sizeBytes: getDbSizeBytes(dbPath),
+    warning: getDbSizeBytes(dbPath) > DB_SIZE_WARNING_BYTES ? "Mate datastore exceeds 100 MB soft warning threshold." : null,
+  };
+  _dbCache[dbPath] = wrapper;
+  return wrapper;
+}
+function openMateDatastore(opts) {
+  return ensureMateDatastore(opts);
+}
+function closeMateDatastore(handle) {
+  var wrapper = unwrapHandle(handle);
+  if (!wrapper || !wrapper.db) return;
+  try {
+    wrapper.db.close();
+  } catch (e) {}
+  if (wrapper.dbPath && _dbCache[wrapper.dbPath]) delete _dbCache[wrapper.dbPath];
+}
+function closeAllMateDatastores() {
+  var keys = Object.keys(_dbCache);
+  for (var i = 0; i < keys.length; i++) {
+    closeMateDatastore(_dbCache[keys[i]]);
+  }
+}
+function unwrapHandle(handle) {
+  if (!handle) return null;
+  if (handle.db && handle.dbPath) return handle;
+  return { db: handle, dbPath: null, sizeBytes: 0, warning: null };
+}
+function normalizeSql(sql) {
+  var text = String(sql || "");
+  text = text.replace(/^\s*(?:--[^\n]*\n|\/\*[\s\S]*?\*\/\s*)*/g, "");
+  return text.trim();
+}
+function getFirstKeyword(sql) {
+  var text = normalizeSql(sql);
+  var match = text.match(/^([A-Za-z]+)/);
+  return match ? match[1].toUpperCase() : "";
+}
+function hasMultipleStatements(sql) {
+  var text = normalizeSql(sql);
+  if (text.indexOf(";") === -1) return false;
+  return !/;\s*$/.test(text) || text.slice(0, -1).indexOf(";") !== -1;
+}
+function isForbiddenSql(sql) {
+  var text = normalizeSql(sql).toUpperCase();
+  var banned = [
+    "ATTACH DATABASE",
+    "DETACH DATABASE",
+    "LOAD_EXTENSION",
+    "LOAD EXTENSION",
+  ];
+  for (var i = 0; i < banned.length; i++) {
+    if (text.indexOf(banned[i]) !== -1) return banned[i];
+  }
+  if (/PRAGMA\s+(?!table_info|table_xinfo|index_list|index_info|foreign_key_list)/i.test(text)) {
+    return "PRAGMA";
+  }
+  return "";
+}
+function isReadOnlyQuery(sql) {
+  var kw = getFirstKeyword(sql);
+  if (kw === "SELECT" || kw === "WITH") return true;
+  return false;
+}
+function isAllowedExec(sql) {
+  var kw = getFirstKeyword(sql);
+  return kw === "CREATE" || kw === "ALTER" || kw === "DROP" || kw === "INSERT" || kw === "UPDATE" || kw === "DELETE";
+}
+function bindParams(stmt, params) {
+  if (!params) return stmt;
+  if (!Array.isArray(params)) return stmt;
+  return stmt.run.apply(stmt, params);
+}
+function runQuery(handle, sql, params, limits) {
+  var wrapper = unwrapHandle(handle);
+  if (!wrapper || !wrapper.db) {
+    return makeError("MATE_DATASTORE_UNAVAILABLE", "Mate datastore is not available.");
+  }
+  var text = normalizeSql(sql);
+  if (!text) return makeError("SQLITE_QUERY_REJECTED", "Query SQL is required.");
+  if (hasMultipleStatements(text)) return makeError("SQLITE_QUERY_REJECTED", "Multiple statements are not allowed in query mode.");
+  var forbidden = isForbiddenSql(text);
+  if (forbidden) return makeError("SQLITE_FORBIDDEN", forbidden + " is not allowed in Mate datastores.");
+  if (!isReadOnlyQuery(text)) return makeError("SQLITE_QUERY_REJECTED", "Only SELECT and WITH queries are allowed.");
+  try {
+    var stmt = wrapper.db.prepare(text);
+    var rows = Array.isArray(params) ? stmt.all.apply(stmt, params) : stmt.all();
+    rows = sanitizeValue(rows);
+    var rowCount = rows.length;
+    var maxRows = limits && typeof limits.maxRows === "number" ? limits.maxRows : MAX_ROWS;
+    var truncated = false;
+    if (rows.length > maxRows) {
+      rows = rows.slice(0, maxRows);
+      truncated = true;
+    }
+    var result = {
+      ok: true,
+      rows: rows,
+      rowCount: rowCount,
+      truncated: truncated,
+    };
+    if (wrapper.warning) result.warning = wrapper.warning;
+    if (limits && limits.includeSizeInfo) {
+      result.sizeBytes = wrapper.sizeBytes;
+    }
+    if (Buffer.byteLength(JSON.stringify(result), "utf8") > (limits && limits.maxBytes ? limits.maxBytes : MAX_RESULT_BYTES)) {
+      return makeError("SQLITE_RESULT_TOO_LARGE", "Query result exceeds the 1 MB response limit.");
+    }
+    return result;
+  } catch (e) {
+    return normalizeSqliteError(e, "SQLITE_EXEC_FAILED", "Query failed.");
+  }
+}
+function runExec(handle, sql, params, limits) {
+  var wrapper = unwrapHandle(handle);
+  if (!wrapper || !wrapper.db) {
+    return makeError("MATE_DATASTORE_UNAVAILABLE", "Mate datastore is not available.");
+  }
+  var text = normalizeSql(sql);
+  if (!text) return makeError("MATE_DATASTORE_BAD_INPUT", "SQL is required.");
+  if (hasMultipleStatements(text)) return makeError("SQLITE_EXEC_FAILED", "Multiple statements are not allowed in exec mode.");
+  var forbidden = isForbiddenSql(text);
+  if (forbidden) return makeError("SQLITE_FORBIDDEN", forbidden + " is not allowed in Mate datastores.");
+  if (!isAllowedExec(text)) return makeError("SQLITE_EXEC_FAILED", "Only CREATE, ALTER, DROP, INSERT, UPDATE, and DELETE are allowed in exec mode.");
+  try {
+    var stmt = wrapper.db.prepare(text);
+    var runResult = Array.isArray(params) ? stmt.run.apply(stmt, params) : stmt.run();
+    var result = {
+      ok: true,
+      changes: typeof runResult.changes === "number" ? runResult.changes : 0,
+      lastInsertRowid: typeof runResult.lastInsertRowid !== "undefined" ? sanitizeValue(runResult.lastInsertRowid) : null,
+    };
+    if (wrapper.warning) result.warning = wrapper.warning;
+    if (limits && limits.includeSizeInfo) {
+      result.sizeBytes = getDbSizeBytes(wrapper.dbPath);
+    }
+    if (Buffer.byteLength(JSON.stringify(result), "utf8") > (limits && limits.maxBytes ? limits.maxBytes : MAX_RESULT_BYTES)) {
+      return makeError("SQLITE_RESULT_TOO_LARGE", "Execution result exceeds the 1 MB response limit.");
+    }
+    wrapper.sizeBytes = getDbSizeBytes(wrapper.dbPath);
+    if (wrapper.sizeBytes > DB_SIZE_WARNING_BYTES) {
+      wrapper.warning = "Mate datastore exceeds 100 MB soft warning threshold.";
+      result.warning = wrapper.warning;
+    }
+    return result;
+  } catch (e) {
+    return normalizeSqliteError(e, "SQLITE_EXEC_FAILED", "Execution failed.");
+  }
+}
+function listSchemaObjects(handle) {
+  var wrapper = unwrapHandle(handle);
+  if (!wrapper || !wrapper.db) {
+    return makeError("MATE_DATASTORE_UNAVAILABLE", "Mate datastore is not available.");
+  }
+  try {
+    var rows = wrapper.db.prepare(
+      "SELECT name, type, sql FROM sqlite_master WHERE type IN ('table', 'view', 'index') AND name NOT LIKE 'sqlite_%' ORDER BY type, name"
+    ).all();
+    return { ok: true, objects: rows };
+  } catch (e) {
+    return normalizeSqliteError(e, "SQLITE_EXEC_FAILED", "Failed to list schema objects.");
+  }
+}
+function describeTable(handle, tableName) {
+  var wrapper = unwrapHandle(handle);
+  if (!wrapper || !wrapper.db) {
+    return makeError("MATE_DATASTORE_UNAVAILABLE", "Mate datastore is not available.");
+  }
+  if (!isSafeIdentifier(tableName)) {
+    return makeError("MATE_DATASTORE_BAD_INPUT", "Table name is invalid.");
+  }
+  try {
+    var info = wrapper.db.prepare("SELECT name, type, sql FROM sqlite_master WHERE name = ? AND type IN ('table', 'view')").get(tableName);
+    if (!info) return makeError("SQLITE_TABLE_NOT_FOUND", "Table not found.");
+    var columns = wrapper.db.prepare("PRAGMA table_info(" + quoteIdentifier(tableName) + ")").all();
+    var indexes = wrapper.db.prepare("PRAGMA index_list(" + quoteIdentifier(tableName) + ")").all();
+    return {
+      ok: true,
+      table: tableName,
+      columns: columns,
+      indexes: indexes,
+      createSql: info.sql || null,
+    };
+  } catch (e) {
+    return normalizeSqliteError(e, "SQLITE_EXEC_FAILED", "Failed to describe table.");
+  }
+}
+function isSafeIdentifier(name) {
+  return typeof name === "string" && /^[A-Za-z_][A-Za-z0-9_]*$/.test(name);
+}
+function quoteIdentifier(name) {
+  return '"' + String(name).replace(/"/g, '""') + '"';
+}
+function makeError(code, message) {
+  return { ok: false, code: code, message: message };
+}
+function sanitizeValue(value) {
+  if (typeof value === "bigint") return value.toString();
+  if (Array.isArray(value)) return value.map(sanitizeValue);
+  if (value && typeof value === "object") {
+    var out = {};
+    var keys = Object.keys(value);
+    for (var i = 0; i < keys.length; i++) {
+      out[keys[i]] = sanitizeValue(value[keys[i]]);
+    }
+    return out;
+  }
+  return value;
+}
+function normalizeSqliteError(err, fallbackCode, fallbackMessage) {
+  var message = err && err.message ? String(err.message) : fallbackMessage;
+  var code = fallbackCode;
+  if (message.indexOf("no such table") !== -1) code = "SQLITE_TABLE_NOT_FOUND";
+  if (message.indexOf("no such column") !== -1) code = "SQLITE_QUERY_REJECTED";
+  return { ok: false, code: code, message: message };
+}
+module.exports = {
+  openMateDatastore: openMateDatastore,
+  ensureMateDatastore: ensureMateDatastore,
+  listSchemaObjects: listSchemaObjects,
+  describeTable: describeTable,
+  runQuery: runQuery,
+  runExec: runExec,
+  closeMateDatastore: closeMateDatastore,
+  closeAllMateDatastores: closeAllMateDatastores,
+  getMateDbPath: getMateDbPath,
+};