dondo-donuts 0.1.0

package/src/storage/crypto.ts

@@ -0,0 +1,24 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+import { vaultKey } from './secret.ts';
+
+const VERSION_PREFIX = 'enc:v1:';
+const IV_BYTES = 12;
+const AUTH_TAG_BYTES = 16;
+
+export const seal = async (text: string) => {
+    const iv = randomBytes(IV_BYTES);
+    const cipher = createCipheriv('aes-256-gcm', await vaultKey(), iv);
+    const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
+    return `${VERSION_PREFIX}${Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64')}`;
+};
+
+export const open = async (text: string) => {
+    if (!text.startsWith(VERSION_PREFIX)) {
+        return text;
+    }
+
+    const raw = Buffer.from(text.slice(VERSION_PREFIX.length), 'base64');
+    const decipher = createDecipheriv('aes-256-gcm', await vaultKey(), raw.subarray(0, IV_BYTES));
+    decipher.setAuthTag(raw.subarray(IV_BYTES, IV_BYTES + AUTH_TAG_BYTES));
+    return Buffer.concat([decipher.update(raw.subarray(IV_BYTES + AUTH_TAG_BYTES)), decipher.final()]).toString('utf8');
+};

package/src/storage/file.ts

@@ -0,0 +1,23 @@
+import { randomUUID } from 'node:crypto';
+import { chmod, mkdir, open, rename, rm } from 'node:fs/promises';
+import { dirname } from 'node:path';
+
+export const writePrivateFile = async (path: string, text: string) => {
+    await mkdir(dirname(path), { recursive: true });
+    const tempPath = `${path}.${process.pid}.${randomUUID()}.tmp`;
+    let handle: Awaited<ReturnType<typeof open>> | undefined;
+
+    try {
+        handle = await open(tempPath, 'w', 0o600);
+        await handle.writeFile(text, 'utf8');
+        await handle.sync();
+        await handle.close();
+        handle = undefined;
+        await rename(tempPath, path);
+        await chmod(path, 0o600);
+    } catch (error) {
+        await handle?.close().catch(() => {});
+        await rm(tempPath, { force: true }).catch(() => {});
+        throw error;
+    }
+};

package/src/storage/secret.ts

@@ -0,0 +1,50 @@
+import { createHash, randomBytes } from 'node:crypto';
+import { VAULT_KEY_ACCOUNT, VAULT_KEY_SERVICE } from '../config.ts';
+import { isRunError, run } from '../shell.ts';
+
+let cachedKey: Buffer | undefined;
+
+const digestSecret = (secret: string) => createHash('sha256').update(secret).digest();
+
+const readVaultSecret = async () => {
+    return await run('security', ['find-generic-password', '-s', VAULT_KEY_SERVICE, '-a', VAULT_KEY_ACCOUNT, '-w'])
+        .then(({ stdout }) => stdout.trim())
+        .catch((error) => {
+            if (isRunError(error) && error.code === 44) {
+                return '';
+            }
+            throw error;
+        });
+};
+
+export const vaultKey = async () => {
+    if (cachedKey) {
+        return cachedKey;
+    }
+
+    const found = await readVaultSecret();
+    if (found) {
+        cachedKey = digestSecret(found);
+        return cachedKey;
+    }
+
+    const secret = randomBytes(32).toString('base64');
+    await run('security', [
+        'add-generic-password',
+        '-s',
+        VAULT_KEY_SERVICE,
+        '-a',
+        VAULT_KEY_ACCOUNT,
+        '-w',
+        secret,
+    ]).catch(async (error) => {
+        const racedSecret = await readVaultSecret();
+        if (racedSecret) {
+            return;
+        }
+        throw error;
+    });
+
+    cachedKey = digestSecret((await readVaultSecret()) || secret);
+    return cachedKey;
+};

package/src/storage/vault.test.ts

@@ -0,0 +1,72 @@
+import { expect, it } from 'bun:test';
+import { mkdtemp, rm, stat } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { readVault, updateVault, writeVault } from './vault.ts';
+
+const tempVault = async () => {
+    const dir = await mkdtemp(join(tmpdir(), 'dondo-vault-test-'));
+    return { dir, path: join(dir, 'vault.json') };
+};
+
+it('should read a missing vault as nested empty platform sections', async () => {
+    const { dir, path } = await tempVault();
+    try {
+        await expect(readVault(path)).resolves.toEqual({
+            antigravity: { data: {}, limits: {} },
+            codex: { data: {}, limits: {} },
+        });
+    } finally {
+        await rm(dir, { force: true, recursive: true });
+    }
+});
+
+it('should write the vault with private file permissions', async () => {
+    const { dir, path } = await tempVault();
+    try {
+        await writeVault({ antigravity: { data: {}, limits: {} }, codex: { data: {}, limits: {} } }, path);
+
+        expect((await stat(path)).mode & 0o777).toBe(0o600);
+    } finally {
+        await rm(dir, { force: true, recursive: true });
+    }
+});
+
+it('should include the vault path in corrupt JSON errors', async () => {
+    const { dir, path } = await tempVault();
+    try {
+        await Bun.write(path, '{');
+
+        await expect(readVault(path)).rejects.toThrow(`Vault file is not valid JSON: ${path}`);
+    } finally {
+        await rm(dir, { force: true, recursive: true });
+    }
+});
+
+it('should serialize queued vault updates', async () => {
+    const { dir, path } = await tempVault();
+    try {
+        await Promise.all([
+            updateVault(async (vault) => {
+                vault.antigravity.limits.a = {
+                    fetchedAt: 'a',
+                    quota: { error: 'a', ok: false },
+                };
+                return { result: undefined };
+            }, path),
+            updateVault(async (vault) => {
+                vault.codex.limits.b = {
+                    fetchedAt: 'b',
+                    quota: { error: 'b', ok: false },
+                };
+                return { result: undefined };
+            }, path),
+        ]);
+
+        const vault = await readVault(path);
+        expect(vault.antigravity.limits.a?.fetchedAt).toBe('a');
+        expect(vault.codex.limits.b?.fetchedAt).toBe('b');
+    } finally {
+        await rm(dir, { force: true, recursive: true });
+    }
+});

package/src/storage/vault.ts

@@ -0,0 +1,130 @@
+import { VAULT_PATH } from '../config.ts';
+import { publicError } from '../errors.ts';
+import type { AppVault, CodexSnapshot, CodexVault, PlatformVault, Snapshot, VaultSection } from '../types.ts';
+import { open, seal } from './crypto.ts';
+import { writePrivateFile } from './file.ts';
+
+type VaultUpdate<T> = {
+    result: T;
+    write?: boolean;
+};
+
+const emptySection = <T>(): VaultSection<T> => ({ data: {}, limits: {} });
+
+const isRecord = (value: unknown): value is Record<string, unknown> => {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+};
+
+let vaultQueue = Promise.resolve();
+
+const normalizeVault = (raw: unknown): AppVault => {
+    const input = isRecord(raw) ? raw : {};
+    const antigravity = isRecord(input.antigravity) ? input.antigravity : {};
+    const codex = isRecord(input.codex) ? input.codex : {};
+
+    return {
+        antigravity: {
+            data: isRecord(antigravity.data) ? (antigravity.data as Record<string, Snapshot>) : {},
+            limits: isRecord(antigravity.limits) ? (antigravity.limits as PlatformVault['limits']) : {},
+        },
+        codex: {
+            data: isRecord(codex.data) ? (codex.data as Record<string, CodexSnapshot>) : {},
+            limits: isRecord(codex.limits) ? (codex.limits as CodexVault['limits']) : {},
+        },
+    };
+};
+
+const decryptPlatform = async (platform: PlatformVault): Promise<PlatformVault> => ({
+    data: Object.fromEntries(
+        await Promise.all(
+            Object.entries(platform.data ?? {}).map(async ([key, snap]) => [
+                key,
+                { ...snap, password: await open(snap.password) },
+            ]),
+        ),
+    ),
+    limits: platform.limits ?? {},
+});
+
+const encryptPlatform = async (platform: PlatformVault): Promise<PlatformVault> => ({
+    data: Object.fromEntries(
+        await Promise.all(
+            Object.entries(platform.data ?? {}).map(async ([key, snap]) => [
+                key,
+                { ...snap, password: await seal(snap.password) },
+            ]),
+        ),
+    ),
+    limits: platform.limits ?? {},
+});
+
+const decryptCodex = async (codex: CodexVault): Promise<CodexVault> => ({
+    data: Object.fromEntries(
+        await Promise.all(
+            Object.entries(codex.data ?? {}).map(async ([key, snap]) => [
+                key,
+                { ...snap, auth: await open(snap.auth) },
+            ]),
+        ),
+    ),
+    limits: codex.limits ?? {},
+});
+
+const encryptCodex = async (codex: CodexVault): Promise<CodexVault> => ({
+    data: Object.fromEntries(
+        await Promise.all(
+            Object.entries(codex.data ?? {}).map(async ([key, snap]) => [
+                key,
+                { ...snap, auth: await seal(snap.auth) },
+            ]),
+        ),
+    ),
+    limits: codex.limits ?? {},
+});
+
+const readVaultFile = async (path: string): Promise<AppVault> => {
+    const text = await Bun.file(path).text();
+    let parsed: unknown = {};
+    try {
+        parsed = text.trim() ? JSON.parse(text) : {};
+    } catch {
+        throw publicError(500, `Vault file is not valid JSON: ${path}`);
+    }
+    const vault = normalizeVault(parsed);
+    return { antigravity: await decryptPlatform(vault.antigravity), codex: await decryptCodex(vault.codex) };
+};
+
+export const writeVault = async (vault: AppVault, path = VAULT_PATH) => {
+    await writePrivateFile(
+        path,
+        `${JSON.stringify(
+            { antigravity: await encryptPlatform(vault.antigravity), codex: await encryptCodex(vault.codex) },
+            null,
+            2,
+        )}\n`,
+    );
+};
+
+export const readVault = async (path = VAULT_PATH): Promise<AppVault> => {
+    const file = Bun.file(path);
+    if (!(await file.exists())) {
+        return { antigravity: emptySection<Snapshot>(), codex: emptySection<CodexSnapshot>() };
+    }
+    return readVaultFile(path);
+};
+
+export const updateVault = async <T>(operation: (vault: AppVault) => Promise<VaultUpdate<T>>, path = VAULT_PATH) => {
+    const queued = vaultQueue.then(async () => {
+        const vault = await readVault(path);
+        const update = await operation(vault);
+        if (update.write !== false) {
+            await writeVault(vault, path);
+        }
+        return update.result;
+    });
+    vaultQueue = queued.then(
+        () => undefined,
+        () => undefined,
+    );
+    return queued;
+};

package/src/types.ts

@@ -0,0 +1,54 @@
+export type Snapshot = {
+    service: string;
+    account: string;
+    label: string;
+    kind: string;
+    password: string;
+    createdAt: string;
+    updatedAt: string;
+};
+
+export type TokenPayload = {
+    token?: {
+        access_token?: string;
+        refresh_token?: string;
+        expiry?: string;
+        token_type?: string;
+    };
+    auth_method?: string;
+};
+
+export type ModelLimit = {
+    percentage: number;
+    resetTime: string;
+    displayName: string;
+};
+
+export type LimitResult =
+    | { ok: true; tier: string; expires: string; models: Record<string, ModelLimit> }
+    | { ok: false; error: string };
+
+export type LimitCache = {
+    fetchedAt: string;
+    quota: LimitResult;
+};
+
+export type VaultSection<T> = {
+    data: Record<string, T>;
+    limits: Record<string, LimitCache>;
+};
+
+export type PlatformVault = VaultSection<Snapshot>;
+
+export type CodexSnapshot = {
+    auth: string;
+    createdAt: string;
+    updatedAt: string;
+};
+
+export type CodexVault = VaultSection<CodexSnapshot>;
+
+export type AppVault = {
+    antigravity: PlatformVault;
+    codex: CodexVault;
+};