eidoncore 3.3.7 → 3.7.2

package/bin.js

@@ -1,38 +1,38 @@
-#!/usr/bin/env node
-// ============================================================================
-// Eidon — bin shim
-//
-// This file is the `bin.eidon` entry point registered with npm.
-// It locates the native binary that postinstall downloaded and
-// spawns it with all arguments forwarded. Exit code is preserved.
-//
-// No npm dependencies — only Node.js built-ins.
-// ============================================================================
-'use strict';
-
-const path     = require('path');
-const fs       = require('fs');
-const { spawnSync } = require('child_process');
-
-const BINARY_NAME = process.platform === 'win32' ? 'eidon.exe' : 'eidon';
-const BINARY_PATH = path.join(__dirname, BINARY_NAME);
-
-if (!fs.existsSync(BINARY_PATH)) {
-  console.error(
-    '\n  Eidon binary not found.\n' +
-    '  Run: npm install -g eidon   (postinstall will re-download it)\n'
-  );
-  process.exit(1);
-}
-
-const result = spawnSync(BINARY_PATH, process.argv.slice(2), {
-  stdio: 'inherit',
-  env:   process.env,
-});
-
-if (result.error) {
-  console.error(`\n  Failed to launch eidon: ${result.error.message}\n`);
-  process.exit(1);
-}
-
-process.exit(result.status ?? 0);
+#!/usr/bin/env node
+// ============================================================================
+// Eidon — bin shim
+//
+// This file is the `bin.eidon` entry point registered with npm.
+// It locates the native binary that postinstall downloaded and
+// spawns it with all arguments forwarded. Exit code is preserved.
+//
+// No npm dependencies — only Node.js built-ins.
+// ============================================================================
+'use strict';
+
+const path     = require('path');
+const fs       = require('fs');
+const { spawnSync } = require('child_process');
+
+const BINARY_NAME = process.platform === 'win32' ? 'eidon.exe' : 'eidon';
+const BINARY_PATH = path.join(__dirname, BINARY_NAME);
+
+if (!fs.existsSync(BINARY_PATH)) {
+  console.error(
+    '\n  Eidon binary not found.\n' +
+    '  Run: npm install -g eidon   (postinstall will re-download it)\n'
+  );
+  process.exit(1);
+}
+
+const result = spawnSync(BINARY_PATH, process.argv.slice(2), {
+  stdio: 'inherit',
+  env:   process.env,
+});
+
+if (result.error) {
+  console.error(`\n  Failed to launch eidon: ${result.error.message}\n`);
+  process.exit(1);
+}
+
+process.exit(result.status ?? 0);

package/install.js

@@ -1,199 +1,250 @@
-#!/usr/bin/env node
-// ============================================================================
-// Eidon — postinstall binary downloader
-//
-// Runs automatically after `npm install -g eidon`.
-// Downloads the correct pre-compiled Eidon binary for the current platform,
-// verifies its SHA-256 checksum, and saves it next to this file.
-//
-// No npm dependencies — only Node.js built-ins.
-// ============================================================================
-'use strict';
-
-const https    = require('https');
-const fs       = require('fs');
-const path     = require('path');
-const crypto   = require('crypto');
-const os       = require('os');
-const { execFileSync } = require('child_process');
-
-const RELEASES_BASE = 'https://releases.eidon.dev';
-const BINARY_NAME   = process.platform === 'win32' ? 'eidon.exe' : 'eidon';
-const BINARY_PATH   = path.join(__dirname, BINARY_NAME);
-
-// ── Platform detection ────────────────────────────────────────────────────
-function getPlatform() {
-  const p = process.platform;
-  const a = process.arch;
-  if (p === 'darwin')              return 'macos-arm64'; // ARM64 binary runs on both Apple Silicon and Intel (Rosetta 2)
-  if (p === 'linux'  && a === 'x64')    return 'linux-x64';
-  if (p === 'linux'  && a === 'arm64')  return 'linux-arm64';
-  if (p === 'win32'  && a === 'x64')    return 'windows-x64';
-  throw new Error(
-    `Eidon: unsupported platform ${p}/${a}.\n` +
-    `Please download manually from ${RELEASES_BASE}`
-  );
-}
-
-// ── HTTPS helpers (no external deps) ────────────────────────────────────
-function fetchJson(url) {
-  return new Promise((resolve, reject) => {
-    const req = https.get(url, { timeout: 15000 }, res => {
-      if (res.statusCode === 301 || res.statusCode === 302) {
-        return fetchJson(res.headers.location).then(resolve, reject);
-      }
-      if (res.statusCode !== 200) {
-        return reject(new Error(`HTTP ${res.statusCode} fetching ${url}`));
-      }
-      let body = '';
-      res.on('data', chunk => { body += chunk; });
-      res.on('end', () => {
-        try { resolve(JSON.parse(body)); }
-        catch (e) { reject(new Error(`Failed to parse manifest JSON: ${e.message}`)); }
-      });
-    });
-    req.on('error', reject);
-    req.on('timeout', () => { req.destroy(); reject(new Error('Request timed out')); });
-  });
-}
-
-function downloadFile(url, dest) {
-  return new Promise((resolve, reject) => {
-    const file = fs.createWriteStream(dest);
-    function follow(href) {
-      const req = https.get(href, { timeout: 120000 }, res => {
-        if (res.statusCode === 301 || res.statusCode === 302) {
-          file.destroy();
-          return follow(res.headers.location);
-        }
-        if (res.statusCode !== 200) {
-          file.destroy();
-          fs.unlink(dest, () => {});
-          return reject(new Error(`HTTP ${res.statusCode} downloading binary`));
-        }
-        const total = parseInt(res.headers['content-length'] || '0', 10);
-        let received = 0;
-        let lastPct  = -1;
-        res.on('data', chunk => {
-          received += chunk.length;
-          if (total > 0) {
-            const pct = Math.floor((received / total) * 20); // 20-char bar
-            if (pct !== lastPct) {
-              lastPct = pct;
-              const bar = '█'.repeat(pct) + '░'.repeat(20 - pct);
-              process.stdout.write(`\r  [${bar}] ${Math.floor(received / 1024)}KB`);
-            }
-          }
-        });
-        res.pipe(file);
-        res.on('end', () => { process.stdout.write('\n'); });
-        file.on('finish', () => file.close(resolve));
-        file.on('error', err => { fs.unlink(dest, () => {}); reject(err); });
-      });
-      req.on('error', err => { fs.unlink(dest, () => {}); reject(err); });
-      req.on('timeout', () => { req.destroy(); reject(new Error('Download timed out')); });
-    }
-    follow(url);
-  });
-}
-
-// ── SHA-256 verification ─────────────────────────────────────────────────
-function sha256File(filePath) {
-  return new Promise((resolve, reject) => {
-    const hash = crypto.createHash('sha256');
-    const stream = fs.createReadStream(filePath);
-    stream.on('data', chunk => hash.update(chunk));
-    stream.on('end', () => resolve(hash.digest('hex')));
-    stream.on('error', reject);
-  });
-}
-
-// ── Main ─────────────────────────────────────────────────────────────────
-async function main() {
-  // Skip if binary already exists and matches (e.g. re-running postinstall)
-  if (fs.existsSync(BINARY_PATH)) {
-    try {
-      execFileSync(BINARY_PATH, ['--version'], { stdio: 'ignore' });
-      console.log('  Eidon binary already installed and working.');
-      return;
-    } catch {
-      // Binary exists but broken — re-download
-      fs.unlinkSync(BINARY_PATH);
-    }
-  }
-
-  console.log('\n  Installing Eidon...');
-
-  const platform = getPlatform();
-  console.log(`  Platform  : ${platform}`);
-
-  // Allow pinning: EIDON_VERSION=3.2.0 npm install -g eidon
-  const requestedVersion = process.env.EIDON_VERSION || '';
-  const manifestUrl = requestedVersion
-    ? `${RELEASES_BASE}/${requestedVersion}.json`
-    : `${RELEASES_BASE}/latest.json`;
-
-  console.log('  Fetching release manifest...');
-  const manifest = await fetchJson(manifestUrl);
-  const version  = manifest.version;
-  const asset    = manifest.assets && manifest.assets[platform];
-
-  if (!asset || !asset.url || !asset.sha256) {
-    throw new Error(
-      `No release asset found for platform "${platform}" in manifest.\n` +
-      `Please download manually from ${RELEASES_BASE}`
-    );
-  }
-
-  console.log(`  Version   : v${version}`);
-  console.log(`  Downloading binary...`);
-
-  const tmpPath = BINARY_PATH + '.download';
-  try {
-    await downloadFile(asset.url, tmpPath);
-  } catch (err) {
-    fs.unlink(tmpPath, () => {});
-    throw err;
-  }
-
-  // Verify SHA-256
-  console.log('  Verifying SHA-256...');
-  const actual   = await sha256File(tmpPath);
-  const expected = asset.sha256.toLowerCase();
-  if (actual !== expected) {
-    fs.unlinkSync(tmpPath);
-    throw new Error(
-      `SHA-256 mismatch — aborting (possible tampered binary)\n` +
-      `  Expected: ${expected}\n` +
-      `  Got     : ${actual}`
-    );
-  }
-  console.log('  SHA-256 verified.');
-
-  // Move into place and make executable
-  fs.renameSync(tmpPath, BINARY_PATH);
-  if (process.platform !== 'win32') fs.chmodSync(BINARY_PATH, 0o755);
-
-  // Smoke test
-  try {
-    const ver = execFileSync(BINARY_PATH, ['--version'], { encoding: 'utf8' }).trim();
-    console.log(`  Verified  : ${ver}`);
-  } catch {
-    console.warn('  WARNING: Binary installed but smoke test failed. Try running: eidon --version');
-  }
-
-  console.log(`\n  Eidon v${version} ready.\n`);
-  console.log('  Quick start:');
-  console.log('    eidon init          # configure your LLM (one-time wizard)');
-  console.log('    eidon analyze       # index your repo — run once');
-  console.log('    eidon install-mcp   # connect Cursor, VS Code, Claude Code...');
-  console.log('    eidon doctor        # health check before every session\n');
-}
-
-main().catch(err => {
-  console.error(`\n  Eidon install failed: ${err.message}\n`);
-  console.error(`  Download manually: ${RELEASES_BASE}`);
-  // Exit 0 — don't block npm install for users who don't need the binary yet
-  // (e.g. CI installs that only need the package metadata)
-  process.exit(0);
-});
+#!/usr/bin/env node
+// ============================================================================
+// Eidon — postinstall binary downloader
+//
+// Runs automatically after `npm install -g eidon`.
+// Downloads the correct pre-compiled Eidon binary for the current platform,
+// verifies its SHA-256 checksum, and saves it next to this file.
+//
+// No npm dependencies — only Node.js built-ins.
+// ============================================================================
+'use strict';
+
+const https    = require('https');
+const fs       = require('fs');
+const path     = require('path');
+const crypto   = require('crypto');
+const os       = require('os');
+const { execFileSync } = require('child_process');
+
+const RELEASES_BASE = 'https://releases.eidon.dev';
+const BINARY_NAME   = process.platform === 'win32' ? 'eidon.exe' : 'eidon';
+const BINARY_PATH   = path.join(__dirname, BINARY_NAME);
+
+// Ed25519 public key (DER/SPKI, hex-encoded) — matches the private key stored in
+// GitHub Actions secret MANIFEST_SIGNING_KEY. Together they ensure that even if
+// releases.eidon.dev is fully compromised, an attacker cannot serve a fake manifest
+// because they cannot forge a valid Ed25519 signature for the private key.
+// To rotate: run scripts/gen-manifest-keypair.js, update this constant, and update
+// the matching constant in src/cli/update.ts. Then set the new private key in
+// GitHub Actions secrets before your next release.
+const MANIFEST_PUBKEY_HEX = '302a300506032b657003210009880b8bfc7ae6dcc3a9e6dd207709b25df819bd19a94e5acb5b1b0d343dc5cd';
+
+// ── Platform detection ────────────────────────────────────────────────────
+function getPlatform() {
+  const p = process.platform;
+  const a = process.arch;
+  if (p === 'darwin')              return 'macos-arm64'; // ARM64 binary runs on both Apple Silicon and Intel (Rosetta 2)
+  if (p === 'linux'  && a === 'x64')    return 'linux-x64';
+  if (p === 'linux'  && a === 'arm64')  return 'linux-arm64';
+  if (p === 'win32'  && a === 'x64')    return 'windows-x64';
+  throw new Error(
+    `Eidon: unsupported platform ${p}/${a}.\n` +
+    `Please download manually from ${RELEASES_BASE}`
+  );
+}
+
+// ── HTTPS helpers (no external deps) ────────────────────────────────────
+function fetchText(url) {
+  return new Promise((resolve, reject) => {
+    if (!url.startsWith('https://')) {
+      return reject(new Error(`Refusing non-HTTPS URL: ${url}`));
+    }
+    const req = https.get(url, { timeout: 15000 }, res => {
+      if (res.statusCode === 301 || res.statusCode === 302) {
+        const loc = res.headers.location || '';
+        if (!loc.startsWith('https://')) {
+          return reject(new Error(`Redirect to non-HTTPS blocked: ${loc}`));
+        }
+        return fetchText(loc).then(resolve, reject);
+      }
+      if (res.statusCode !== 200) {
+        res.resume();
+        return reject(new Error(`HTTP ${res.statusCode} fetching ${url}`));
+      }
+      const chunks = [];
+      res.on('data', chunk => chunks.push(chunk));
+      res.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Request timed out')); });
+  });
+}
+
+// Fetch + Ed25519 verify a manifest JSON.
+// 1. Fetch <url>       — raw manifest text (must be exactly what was signed)
+// 2. Fetch <url>.sig   — hex-encoded Ed25519 signature (soft-fail: warn if missing)
+// 3. Verify signature  — hard-fail if signature is present but invalid
+// 4. Parse + return    — JSON is only parsed after integrity is confirmed
+async function fetchAndVerifyManifest(url) {
+  const manifestText = await fetchText(url);
+
+  // Attempt to fetch the signature (non-fatal if server doesn't have it yet)
+  let sigHex = null;
+  try { sigHex = (await fetchText(url + '.sig')).trim(); } catch { /* no sig file */ }
+
+  if (sigHex) {
+    try {
+      const pubKey = { key: Buffer.from(MANIFEST_PUBKEY_HEX, 'hex'), format: 'der', type: 'spki' };
+      const sig    = Buffer.from(sigHex, 'hex');
+      const valid  = crypto.verify(null, Buffer.from(manifestText), pubKey, sig);
+      if (!valid) {
+        throw new Error(
+          'Ed25519 signature verification FAILED — manifest may be tampered.\n' +
+          'Refusing to install. Please report this at https://github.com/BAGADIR/Eidon/issues'
+        );
+      }
+      console.log('  Manifest signature verified ✓');
+    } catch (err) {
+      if (err.message.includes('signature verification FAILED')) throw err;
+      // Crypto error (bad key format, etc.) — log and continue with SHA-256 only
+      console.warn(`  Warning: could not verify manifest signature (${err.message}). Proceeding with SHA-256 only.`);
+    }
+  } else {
+    console.warn('  Warning: manifest signature not found (.sig). Proceeding with SHA-256 verification only.');
+  }
+
+  try { return JSON.parse(manifestText); }
+  catch (e) { throw new Error(`Failed to parse manifest JSON: ${e.message}`); }
+}
+
+function downloadFile(url, dest) {
+  return new Promise((resolve, reject) => {
+    const file = fs.createWriteStream(dest);
+    function follow(href) {
+      const req = https.get(href, { timeout: 120000 }, res => {
+        if (res.statusCode === 301 || res.statusCode === 302) {
+          file.destroy();
+          return follow(res.headers.location);
+        }
+        if (res.statusCode !== 200) {
+          file.destroy();
+          fs.unlink(dest, () => {});
+          return reject(new Error(`HTTP ${res.statusCode} downloading binary`));
+        }
+        const total = parseInt(res.headers['content-length'] || '0', 10);
+        let received = 0;
+        let lastPct  = -1;
+        res.on('data', chunk => {
+          received += chunk.length;
+          if (total > 0) {
+            const pct = Math.floor((received / total) * 20); // 20-char bar
+            if (pct !== lastPct) {
+              lastPct = pct;
+              const bar = '█'.repeat(pct) + '░'.repeat(20 - pct);
+              process.stdout.write(`\r  [${bar}] ${Math.floor(received / 1024)}KB`);
+            }
+          }
+        });
+        res.pipe(file);
+        res.on('end', () => { process.stdout.write('\n'); });
+        file.on('finish', () => file.close(resolve));
+        file.on('error', err => { fs.unlink(dest, () => {}); reject(err); });
+      });
+      req.on('error', err => { fs.unlink(dest, () => {}); reject(err); });
+      req.on('timeout', () => { req.destroy(); reject(new Error('Download timed out')); });
+    }
+    follow(url);
+  });
+}
+
+// ── SHA-256 verification ─────────────────────────────────────────────────
+function sha256File(filePath) {
+  return new Promise((resolve, reject) => {
+    const hash = crypto.createHash('sha256');
+    const stream = fs.createReadStream(filePath);
+    stream.on('data', chunk => hash.update(chunk));
+    stream.on('end', () => resolve(hash.digest('hex')));
+    stream.on('error', reject);
+  });
+}
+
+// ── Main ─────────────────────────────────────────────────────────────────
+async function main() {
+  // Skip if binary already exists and matches (e.g. re-running postinstall)
+  if (fs.existsSync(BINARY_PATH)) {
+    try {
+      execFileSync(BINARY_PATH, ['--version'], { stdio: 'ignore' });
+      console.log('  Eidon binary already installed and working.');
+      return;
+    } catch {
+      // Binary exists but broken — re-download
+      fs.unlinkSync(BINARY_PATH);
+    }
+  }
+
+  console.log('\n  Installing Eidon...');
+
+  const platform = getPlatform();
+  console.log(`  Platform  : ${platform}`);
+
+  // Allow pinning: EIDON_VERSION=3.2.0 npm install -g eidon
+  const requestedVersion = process.env.EIDON_VERSION || '';
+  const manifestUrl = requestedVersion
+    ? `${RELEASES_BASE}/${requestedVersion}.json`
+    : `${RELEASES_BASE}/latest.json`;
+
+  console.log('  Fetching release manifest...');
+  const manifest = await fetchAndVerifyManifest(manifestUrl);
+  const version  = manifest.version;
+  const asset    = manifest.assets && manifest.assets[platform];
+
+  if (!asset || !asset.url || !asset.sha256) {
+    throw new Error(
+      `No release asset found for platform "${platform}" in manifest.\n` +
+      `Please download manually from ${RELEASES_BASE}`
+    );
+  }
+
+  console.log(`  Version   : v${version}`);
+  console.log(`  Downloading binary...`);
+
+  const tmpPath = BINARY_PATH + '.download';
+  try {
+    await downloadFile(asset.url, tmpPath);
+  } catch (err) {
+    fs.unlink(tmpPath, () => {});
+    throw err;
+  }
+
+  // Verify SHA-256
+  console.log('  Verifying SHA-256...');
+  const actual   = await sha256File(tmpPath);
+  const expected = asset.sha256.toLowerCase();
+  if (actual !== expected) {
+    fs.unlinkSync(tmpPath);
+    throw new Error(
+      `SHA-256 mismatch — aborting (possible tampered binary)\n` +
+      `  Expected: ${expected}\n` +
+      `  Got     : ${actual}`
+    );
+  }
+  console.log('  SHA-256 verified.');
+
+  // Move into place and make executable
+  fs.renameSync(tmpPath, BINARY_PATH);
+  if (process.platform !== 'win32') fs.chmodSync(BINARY_PATH, 0o755);
+
+  // Smoke test
+  try {
+    const ver = execFileSync(BINARY_PATH, ['--version'], { encoding: 'utf8' }).trim();
+    console.log(`  Verified  : ${ver}`);
+  } catch {
+    console.warn('  WARNING: Binary installed but smoke test failed. Try running: eidon --version');
+  }
+
+  console.log(`\n  Eidon v${version} ready.\n`);
+  console.log('  Quick start:');
+  console.log('    eidon init          # configure your LLM (one-time wizard)');
+  console.log('    eidon analyze       # index your repo — run once');
+  console.log('    eidon install-mcp   # connect Cursor, VS Code, Claude Code...');
+  console.log('    eidon doctor        # health check before every session\n');
+}
+
+main().catch(err => {
+  console.error(`\n  Eidon install failed: ${err.message}\n`);
+  console.error(`  Download manually: ${RELEASES_BASE}`);
+  // Exit 0 — don't block npm install for users who don't need the binary yet
+  // (e.g. CI installs that only need the package metadata)
+  process.exit(0);
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eidoncore",
-  "version": "3.3.7",
+  "version": "3.7.2",
   "description": "Your AI finally knows your whole codebase. Structural graph intelligence for every AI tool you use.",
   "keywords": [
     "ai",