codepiper 0.1.0

package/packages/daemon/src/auth/authService.ts

@@ -0,0 +1,496 @@
+/**
+ * Single-user authentication service.
+ *
+ * Handles password hashing (Bun.password / Argon2id), session tokens,
+ * TOTP MFA with QR code generation, and recovery codes.
+ */
+
+import * as crypto from "node:crypto";
+import * as OTPAuth from "otpauth";
+import QRCode from "qrcode";
+import { decrypt, type EncryptedBlob, encrypt } from "../crypto/encryption";
+import type { AuthSessionRecord, Database } from "../db/db";
+
+const SESSION_TOKEN_BYTES = 32;
+const SESSION_EXPIRY_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+const ONBOARDING_TOKEN_BYTES = 32;
+const ONBOARDING_TOKEN_EXPIRY_MS = 24 * 60 * 60 * 1000; // 24 hours
+const TOTP_WINDOW = 1; // ±1 step (90 seconds total)
+const RECOVERY_CODE_COUNT = 8;
+const MIN_PASSWORD_LENGTH = 8;
+
+export interface LoginResult {
+  token: string;
+}
+
+export interface MfaRequiredResult {
+  mfaRequired: true;
+}
+
+export interface MfaSetupRequiredResult {
+  mfaSetupRequired: true;
+  onboardingToken: string;
+}
+
+export interface TotpSetupResult {
+  secret: string;
+  otpauthUri: string;
+  qrDataUrl: string;
+}
+
+export interface TotpVerifyResult {
+  recoveryCodes: string[];
+}
+
+export interface OnboardingTotpVerifyResult extends TotpVerifyResult {
+  token: string;
+}
+
+export class AuthService {
+  private pendingTotpSecret: string | null = null;
+
+  constructor(
+    private db: Database,
+    private encryptionKey: Buffer
+  ) {}
+
+  // ─── Setup ────────────────────────────────────────────────────────
+
+  isSetupRequired(): boolean {
+    return !this.db.hasAuthConfig();
+  }
+
+  isMfaSetupPending(): boolean {
+    const config = this.db.getAuthConfig();
+    if (!config) {
+      return false;
+    }
+    return config.mfaSetupPending;
+  }
+
+  async setupPassword(
+    password: string,
+    _ip: string | null,
+    _userAgent: string | null
+  ): Promise<MfaSetupRequiredResult> {
+    if (!this.isSetupRequired()) {
+      throw new Error("Password is already configured");
+    }
+    this.validatePassword(password);
+
+    const hash = await Bun.password.hash(password, {
+      algorithm: "argon2id",
+      memoryCost: 65536,
+      timeCost: 3,
+    });
+
+    const onboarding = this.generateOnboardingToken();
+    this.db.createAuthConfig(hash, {
+      mfaSetupPending: true,
+      onboardingTokenHash: onboarding.tokenHash,
+      onboardingTokenExpiresAt: onboarding.expiresAt,
+    });
+
+    return {
+      mfaSetupRequired: true,
+      onboardingToken: onboarding.rawToken,
+    };
+  }
+
+  // ─── Login ────────────────────────────────────────────────────────
+
+  async login(
+    password: string,
+    totpCode: string | undefined,
+    ip: string | null,
+    userAgent: string | null
+  ): Promise<LoginResult | MfaRequiredResult | MfaSetupRequiredResult> {
+    const config = this.db.getAuthConfig();
+    if (!config) {
+      throw new Error("Authentication not configured");
+    }
+
+    const validPassword = await Bun.password.verify(password, config.passwordHash);
+    if (!validPassword) {
+      throw new AuthError("Invalid password", "INVALID_CREDENTIALS");
+    }
+
+    // Setup hardening: first-run is incomplete until MFA setup is verified.
+    if (config.mfaSetupPending) {
+      const onboarding = this.generateOnboardingToken();
+      this.db.updateAuthOnboardingState(true, onboarding.tokenHash, onboarding.expiresAt);
+      return {
+        mfaSetupRequired: true,
+        onboardingToken: onboarding.rawToken,
+      };
+    }
+
+    // Check MFA
+    if (config.totpEnabled) {
+      if (!totpCode) {
+        return { mfaRequired: true };
+      }
+
+      const totpValid = this.verifyTotpCode(config, totpCode);
+      if (!totpValid) {
+        // Try recovery code
+        const recoveryValid = this.tryRecoveryCode(config, totpCode);
+        if (!recoveryValid) {
+          throw new AuthError("Invalid TOTP code", "INVALID_TOTP");
+        }
+      }
+    }
+
+    return this.createSession(ip, userAgent);
+  }
+
+  validateOnboardingToken(tokenHash: string): boolean {
+    const config = this.db.getAuthConfig();
+    if (!config) {
+      return false;
+    }
+    if (!config.mfaSetupPending) {
+      return false;
+    }
+    if (!(config.onboardingTokenHash && config.onboardingTokenExpiresAt)) {
+      return false;
+    }
+    if (Date.now() > config.onboardingTokenExpiresAt) {
+      this.db.updateAuthOnboardingState(true, null, null);
+      return false;
+    }
+
+    try {
+      if (tokenHash.length !== config.onboardingTokenHash.length) {
+        return false;
+      }
+      return crypto.timingSafeEqual(
+        Buffer.from(tokenHash, "hex"),
+        Buffer.from(config.onboardingTokenHash, "hex")
+      );
+    } catch {
+      return false;
+    }
+  }
+
+  // ─── Session Management ───────────────────────────────────────────
+
+  validateSession(tokenHash: string): boolean {
+    const session = this.db.getAuthSession(tokenHash);
+    if (!session) return false;
+    if (Date.now() > session.expiresAt) {
+      this.db.deleteAuthSession(tokenHash);
+      return false;
+    }
+    return true;
+  }
+
+  touchSession(tokenHash: string): void {
+    const newExpiry = Date.now() + SESSION_EXPIRY_MS;
+    this.db.touchAuthSession(tokenHash, newExpiry);
+  }
+
+  revokeSession(tokenHash: string): void {
+    this.db.deleteAuthSession(tokenHash);
+  }
+
+  revokeAllSessions(exceptTokenHash?: string): void {
+    if (exceptTokenHash) {
+      const sessions = this.db.listAuthSessions();
+      for (const session of sessions) {
+        if (session.tokenHash !== exceptTokenHash) {
+          this.db.deleteAuthSession(session.tokenHash);
+        }
+      }
+    } else {
+      this.db.deleteAllAuthSessions();
+    }
+  }
+
+  listSessions(): AuthSessionRecord[] {
+    return this.db.listAuthSessions();
+  }
+
+  cleanupExpiredSessions(): number {
+    return this.db.cleanupExpiredAuthSessions();
+  }
+
+  // ─── Password ─────────────────────────────────────────────────────
+
+  async changePassword(currentPassword: string, newPassword: string): Promise<void> {
+    const config = this.db.getAuthConfig();
+    if (!config) throw new Error("Authentication not configured");
+
+    const valid = await Bun.password.verify(currentPassword, config.passwordHash);
+    if (!valid) {
+      throw new AuthError("Current password is incorrect", "INVALID_CREDENTIALS");
+    }
+
+    this.validatePassword(newPassword);
+    const hash = await Bun.password.hash(newPassword, {
+      algorithm: "argon2id",
+      memoryCost: 65536,
+      timeCost: 3,
+    });
+
+    this.db.updateAuthPassword(hash);
+    // Revoke all sessions to force re-login
+    this.db.deleteAllAuthSessions();
+  }
+
+  async resetPassword(newPassword: string): Promise<void> {
+    this.validatePassword(newPassword);
+    const hash = await Bun.password.hash(newPassword, {
+      algorithm: "argon2id",
+      memoryCost: 65536,
+      timeCost: 3,
+    });
+
+    if (this.isSetupRequired()) {
+      this.db.createAuthConfig(hash);
+    } else {
+      this.db.updateAuthPassword(hash);
+    }
+    this.db.updateAuthOnboardingState(false, null, null);
+    this.db.deleteAllAuthSessions();
+  }
+
+  // ─── MFA ──────────────────────────────────────────────────────────
+
+  async generateTotpSetup(): Promise<TotpSetupResult> {
+    const secret = new OTPAuth.Secret();
+    const totp = new OTPAuth.TOTP({
+      issuer: "CodePiper",
+      label: "admin",
+      algorithm: "SHA1",
+      digits: 6,
+      period: 30,
+      secret,
+    });
+
+    const otpauthUri = totp.toString();
+    const qrDataUrl = await QRCode.toDataURL(otpauthUri);
+
+    // Store pending secret (not persisted until verified)
+    this.pendingTotpSecret = secret.base32;
+
+    return {
+      secret: secret.base32,
+      otpauthUri,
+      qrDataUrl,
+    };
+  }
+
+  async verifyAndEnableTotp(totpCode: string): Promise<TotpVerifyResult> {
+    if (!this.pendingTotpSecret) {
+      throw new AuthError(
+        "No pending TOTP setup. Please start MFA setup again.",
+        "NO_PENDING_TOTP"
+      );
+    }
+
+    const totp = new OTPAuth.TOTP({
+      issuer: "CodePiper",
+      label: "admin",
+      algorithm: "SHA1",
+      digits: 6,
+      period: 30,
+      secret: OTPAuth.Secret.fromBase32(this.pendingTotpSecret),
+    });
+
+    const delta = totp.validate({ token: totpCode, window: TOTP_WINDOW });
+    if (delta === null) {
+      throw new AuthError("Invalid TOTP code", "INVALID_TOTP");
+    }
+
+    // Encrypt and persist
+    const blob = encrypt(this.pendingTotpSecret, this.encryptionKey);
+    const encryptedSecret = JSON.stringify(blob);
+
+    // Generate recovery codes
+    const recoveryCodes = this.generateRecoveryCodes();
+    const hashedCodes = recoveryCodes.map((code) =>
+      this.hashRecoveryCode(code.replace(/-/g, "").toLowerCase())
+    );
+    const recoveryBlob = encrypt(JSON.stringify(hashedCodes), this.encryptionKey);
+    const encryptedRecovery = JSON.stringify(recoveryBlob);
+
+    this.db.updateAuthTotp(encryptedSecret, true, encryptedRecovery);
+    this.db.updateAuthOnboardingState(false, null, null);
+    this.pendingTotpSecret = null;
+
+    return { recoveryCodes };
+  }
+
+  async completeOnboardingMfa(
+    totpCode: string,
+    ip: string | null,
+    userAgent: string | null
+  ): Promise<OnboardingTotpVerifyResult> {
+    const config = this.db.getAuthConfig();
+    if (!config?.mfaSetupPending) {
+      throw new AuthError("MFA onboarding is not pending", "MFA_SETUP_NOT_PENDING");
+    }
+
+    const result = await this.verifyAndEnableTotp(totpCode);
+    const session = this.createSession(ip, userAgent);
+    return {
+      recoveryCodes: result.recoveryCodes,
+      token: session.token,
+    };
+  }
+
+  resetMfa(): void {
+    this.db.updateAuthTotp(null, false, null);
+    this.db.updateAuthOnboardingState(false, null, null);
+    this.db.deleteAllAuthSessions();
+  }
+
+  // ─── Private Helpers ──────────────────────────────────────────────
+
+  private createSession(ip: string | null, userAgent: string | null): LoginResult {
+    const rawToken = crypto.randomBytes(SESSION_TOKEN_BYTES).toString("hex");
+    const tokenHash = hashToken(rawToken);
+    const expiresAt = Date.now() + SESSION_EXPIRY_MS;
+
+    this.db.createAuthSession(tokenHash, ip, userAgent, expiresAt);
+
+    return { token: rawToken };
+  }
+
+  private validatePassword(password: string): void {
+    if (!password || password.length < MIN_PASSWORD_LENGTH) {
+      throw new AuthError(
+        `Password must be at least ${MIN_PASSWORD_LENGTH} characters`,
+        "WEAK_PASSWORD"
+      );
+    }
+  }
+
+  private verifyTotpCode(
+    config: { totpSecretEncrypted: string | null; totpEnabled: boolean },
+    code: string
+  ): boolean {
+    if (!config.totpSecretEncrypted) return false;
+
+    let secret: string;
+    try {
+      const blob: EncryptedBlob = JSON.parse(config.totpSecretEncrypted);
+      secret = decrypt(blob, this.encryptionKey);
+    } catch (err) {
+      console.error("[auth] Failed to decrypt TOTP secret — encryption key may have changed:", err);
+      throw new AuthError(
+        "Unable to verify TOTP: encrypted data is corrupt or the encryption key has changed. Use CLI 'codepiper auth reset-mfa' to reset MFA.",
+        "TOTP_DECRYPT_FAILED"
+      );
+    }
+
+    const totp = new OTPAuth.TOTP({
+      issuer: "CodePiper",
+      label: "admin",
+      algorithm: "SHA1",
+      digits: 6,
+      period: 30,
+      secret: OTPAuth.Secret.fromBase32(secret),
+    });
+
+    const delta = totp.validate({ token: code, window: TOTP_WINDOW });
+    return delta !== null;
+  }
+
+  private tryRecoveryCode(
+    config: { recoveryCodesEncrypted: string | null },
+    code: string
+  ): boolean {
+    if (!config.recoveryCodesEncrypted) return false;
+
+    let hashedCodes: string[];
+    try {
+      const blob: EncryptedBlob = JSON.parse(config.recoveryCodesEncrypted);
+      const hashedCodesJson = decrypt(blob, this.encryptionKey);
+      hashedCodes = JSON.parse(hashedCodesJson);
+    } catch (err) {
+      console.error("[auth] Failed to decrypt recovery codes:", err);
+      throw new AuthError(
+        "Unable to verify recovery code: encrypted data is corrupt. Use CLI 'codepiper auth reset-mfa' to reset MFA.",
+        "RECOVERY_DECRYPT_FAILED"
+      );
+    }
+
+    const inputHash = this.hashRecoveryCode(code.replace(/-/g, "").toLowerCase());
+
+    // Constant-time comparison over fixed iteration count to prevent timing leaks
+    let matchIndex = -1;
+    for (let i = 0; i < RECOVERY_CODE_COUNT; i++) {
+      const storedHash = hashedCodes[i];
+      if (storedHash !== undefined) {
+        if (crypto.timingSafeEqual(Buffer.from(storedHash, "hex"), Buffer.from(inputHash, "hex"))) {
+          matchIndex = i;
+        }
+      }
+    }
+
+    if (matchIndex === -1) return false;
+
+    // Remove used recovery code and log usage
+    console.warn(`[auth] Recovery code used (${hashedCodes.length - 1} remaining)`);
+    hashedCodes.splice(matchIndex, 1);
+    const newBlob = encrypt(JSON.stringify(hashedCodes), this.encryptionKey);
+    const config2 = this.db.getAuthConfig();
+    if (config2) {
+      this.db.updateAuthTotp(
+        config2.totpSecretEncrypted,
+        config2.totpEnabled,
+        JSON.stringify(newBlob)
+      );
+    }
+
+    return true;
+  }
+
+  private generateRecoveryCodes(): string[] {
+    const codes: string[] = [];
+    for (let i = 0; i < RECOVERY_CODE_COUNT; i++) {
+      const raw = crypto.randomBytes(4).toString("hex"); // 8 hex chars
+      codes.push(`${raw.slice(0, 4)}-${raw.slice(4, 8)}`);
+    }
+    return codes;
+  }
+
+  private hashRecoveryCode(code: string): string {
+    return crypto.createHash("sha256").update(code).digest("hex");
+  }
+
+  private generateOnboardingToken(): {
+    rawToken: string;
+    tokenHash: string;
+    expiresAt: number;
+  } {
+    const rawToken = crypto.randomBytes(ONBOARDING_TOKEN_BYTES).toString("hex");
+    return {
+      rawToken,
+      tokenHash: hashToken(rawToken),
+      expiresAt: Date.now() + ONBOARDING_TOKEN_EXPIRY_MS,
+    };
+  }
+}
+
+/**
+ * Hash a raw session token for storage.
+ */
+export function hashToken(rawToken: string): string {
+  return crypto.createHash("sha256").update(rawToken).digest("hex");
+}
+
+/**
+ * Auth-specific error with error code.
+ */
+export class AuthError extends Error {
+  constructor(
+    message: string,
+    public code: string
+  ) {
+    super(message);
+    this.name = "AuthError";
+  }
+}

package/packages/daemon/src/auth/rateLimiter.ts

@@ -0,0 +1,137 @@
+/**
+ * In-memory sliding window rate limiter with escalating lockout.
+ *
+ * Lockout tiers:
+ *   - 5 failures in 15 min  → locked 15 min
+ *   - 10 failures in 1 hour → locked 1 hour
+ *   - 20+ failures in 24 h  → locked 24 hours
+ */
+
+interface AttemptRecord {
+  count: number;
+  firstAt: number;
+  lockedUntil: number | null;
+}
+
+export interface RateLimitResult {
+  allowed: boolean;
+  retryAfterMs?: number;
+}
+
+const TIERS = [
+  { maxAttempts: 5, windowMs: 15 * 60 * 1000, lockMs: 15 * 60 * 1000 },
+  { maxAttempts: 10, windowMs: 60 * 60 * 1000, lockMs: 60 * 60 * 1000 },
+  { maxAttempts: 20, windowMs: 24 * 60 * 60 * 1000, lockMs: 24 * 60 * 60 * 1000 },
+];
+
+const CLEANUP_INTERVAL_MS = 15 * 60 * 1000;
+const SMALLEST_TIER = TIERS[0];
+const LARGEST_TIER = TIERS[TIERS.length - 1];
+
+export class RateLimiter {
+  private attempts = new Map<string, AttemptRecord>();
+  private cleanupTimer: ReturnType<typeof setInterval> | null = null;
+
+  constructor() {
+    this.cleanupTimer = setInterval(() => this.cleanup(), CLEANUP_INTERVAL_MS);
+    // Don't keep the process alive just for cleanup
+    if (this.cleanupTimer.unref) {
+      this.cleanupTimer.unref();
+    }
+  }
+
+  check(key: string): RateLimitResult {
+    const now = Date.now();
+    const record = this.attempts.get(key);
+
+    if (!record) {
+      return { allowed: true };
+    }
+
+    // If currently locked, check if lock has expired
+    if (record.lockedUntil !== null) {
+      if (now < record.lockedUntil) {
+        return { allowed: false, retryAfterMs: record.lockedUntil - now };
+      }
+      // Lock expired — reset record
+      this.attempts.delete(key);
+      return { allowed: true };
+    }
+
+    // Check each tier (highest first — most restrictive)
+    for (let i = TIERS.length - 1; i >= 0; i--) {
+      const tier = TIERS[i];
+      if (!tier) {
+        continue;
+      }
+      if (now - record.firstAt <= tier.windowMs && record.count >= tier.maxAttempts) {
+        // Lock the account
+        record.lockedUntil = now + tier.lockMs;
+        return { allowed: false, retryAfterMs: tier.lockMs };
+      }
+    }
+
+    // If the smallest window has expired, reset the counter
+    if (!SMALLEST_TIER || now - record.firstAt > SMALLEST_TIER.windowMs) {
+      this.attempts.delete(key);
+      return { allowed: true };
+    }
+
+    return { allowed: true };
+  }
+
+  recordFailure(key: string): void {
+    const now = Date.now();
+    const record = this.attempts.get(key);
+
+    if (!record) {
+      this.attempts.set(key, { count: 1, firstAt: now, lockedUntil: null });
+      return;
+    }
+
+    // If outside the largest window, start fresh
+    if (!LARGEST_TIER) {
+      this.attempts.set(key, { count: 1, firstAt: now, lockedUntil: null });
+      return;
+    }
+    const largestWindow = LARGEST_TIER.windowMs;
+    if (now - record.firstAt > largestWindow) {
+      this.attempts.set(key, { count: 1, firstAt: now, lockedUntil: null });
+      return;
+    }
+
+    record.count++;
+  }
+
+  recordSuccess(key: string): void {
+    this.attempts.delete(key);
+  }
+
+  private cleanup(): void {
+    const now = Date.now();
+    const largestWindow = LARGEST_TIER?.windowMs;
+    if (largestWindow === undefined) {
+      this.attempts.clear();
+      return;
+    }
+
+    for (const [key, record] of this.attempts) {
+      // Remove entries whose largest window has expired and are not locked
+      if (now - record.firstAt > largestWindow && record.lockedUntil === null) {
+        this.attempts.delete(key);
+      }
+      // Remove entries whose lock has expired
+      if (record.lockedUntil !== null && now > record.lockedUntil) {
+        this.attempts.delete(key);
+      }
+    }
+  }
+
+  destroy(): void {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = null;
+    }
+    this.attempts.clear();
+  }
+}

package/packages/daemon/src/config/pricing.ts

@@ -0,0 +1,79 @@
+/**
+ * Anthropic API pricing configuration.
+ *
+ * Prices are in USD per million tokens.
+ * Source: https://platform.claude.com/docs/en/about-claude/pricing
+ *
+ * Update this file when Anthropic changes pricing.
+ * Last updated: 2026-02-15
+ */
+
+export interface ModelPricing {
+  input: number;
+  output: number;
+  cacheWrite: number;
+  cacheRead: number;
+}
+
+/**
+ * Pricing table keyed by short model family name.
+ * Model IDs like "claude-opus-4-6" are matched via getPricingForModel().
+ */
+export const MODEL_PRICING: Record<string, ModelPricing> = {
+  "opus-4.6": { input: 5, output: 25, cacheWrite: 6.25, cacheRead: 0.5 },
+  "opus-4.5": { input: 5, output: 25, cacheWrite: 6.25, cacheRead: 0.5 },
+  "opus-4.1": { input: 15, output: 75, cacheWrite: 18.75, cacheRead: 1.5 },
+  "opus-4": { input: 15, output: 75, cacheWrite: 18.75, cacheRead: 1.5 },
+  "sonnet-4.5": { input: 3, output: 15, cacheWrite: 3.75, cacheRead: 0.3 },
+  "sonnet-4": { input: 3, output: 15, cacheWrite: 3.75, cacheRead: 0.3 },
+  "haiku-4.5": { input: 1, output: 5, cacheWrite: 1.25, cacheRead: 0.1 },
+  "haiku-3.5": { input: 0.8, output: 4, cacheWrite: 1, cacheRead: 0.08 },
+  "haiku-3": { input: 0.25, output: 1.25, cacheWrite: 0.3, cacheRead: 0.03 },
+};
+
+function lookupPricing(key: string): ModelPricing {
+  const pricing = MODEL_PRICING[key];
+  if (!pricing) {
+    throw new Error(`Missing pricing entry for model key: ${key}`);
+  }
+  return pricing;
+}
+
+/** Default pricing for unknown models (uses Sonnet 4.5 rates). */
+const DEFAULT_PRICING = lookupPricing("sonnet-4.5");
+
+/**
+ * Match a full model ID (e.g. "claude-opus-4-6", "claude-sonnet-4-5-20250929")
+ * to its pricing entry.
+ */
+export function getPricingForModel(model: string): ModelPricing {
+  if (model.includes("opus-4-6") || model.includes("opus-4.6")) return lookupPricing("opus-4.6");
+  if (model.includes("opus-4-5") || model.includes("opus-4.5")) return lookupPricing("opus-4.5");
+  if (model.includes("opus-4-1") || model.includes("opus-4.1")) return lookupPricing("opus-4.1");
+  if (model.includes("opus")) return lookupPricing("opus-4");
+  if (model.includes("sonnet-4-5") || model.includes("sonnet-4.5"))
+    return lookupPricing("sonnet-4.5");
+  if (model.includes("sonnet")) return lookupPricing("sonnet-4");
+  if (model.includes("haiku-4-5") || model.includes("haiku-4.5")) return lookupPricing("haiku-4.5");
+  if (model.includes("haiku-3-5") || model.includes("haiku-3.5")) return lookupPricing("haiku-3.5");
+  if (model.includes("haiku")) return lookupPricing("haiku-3");
+  return DEFAULT_PRICING;
+}
+
+/**
+ * Calculate estimated equivalent API cost from token counts.
+ */
+export function calculateCost(
+  promptTokens: number,
+  completionTokens: number,
+  cacheCreation: number,
+  cacheRead: number,
+  pricing: ModelPricing
+): number {
+  return (
+    (promptTokens / 1_000_000) * pricing.input +
+    (completionTokens / 1_000_000) * pricing.output +
+    (cacheCreation / 1_000_000) * pricing.cacheWrite +
+    (cacheRead / 1_000_000) * pricing.cacheRead
+  );
+}