fraim 2.0.177 → 2.0.180

package/dist/src/services/oauth-helpers.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SUPPORTED_SURFACES = exports.SUPPORTED_OAUTH_PROVIDERS = void 0;
+exports.isSupportedProvider = isSupportedProvider;
+exports.generatePkceVerifier = generatePkceVerifier;
+exports.pkceChallenge = pkceChallenge;
+exports.generateStateNonce = generateStateNonce;
+exports.generateSessionId = generateSessionId;
+exports.generatePendingOAuthId = generatePendingOAuthId;
+exports.safeRedirectPath = safeRedirectPath;
+exports.isSupportedSurface = isSupportedSurface;
+exports.defaultRedirectForSurface = defaultRedirectForSurface;
+exports.pickSurfaceOrDefault = pickSurfaceOrDefault;
+exports.isLikelyValidEmail = isLikelyValidEmail;
+exports.clientIpFromReq = clientIpFromReq;
+const crypto_1 = require("crypto");
+exports.SUPPORTED_OAUTH_PROVIDERS = ['google', 'github'];
+function isSupportedProvider(value) {
+    return exports.SUPPORTED_OAUTH_PROVIDERS.includes(value);
+}
+function base64UrlEncode(buf) {
+    return buf.toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+}
+function generatePkceVerifier() {
+    return base64UrlEncode((0, crypto_1.randomBytes)(32));
+}
+function pkceChallenge(verifier) {
+    return base64UrlEncode((0, crypto_1.createHash)('sha256').update(verifier).digest());
+}
+function generateStateNonce() {
+    return (0, crypto_1.randomBytes)(32).toString('hex');
+}
+function generateSessionId() {
+    return (0, crypto_1.randomBytes)(32).toString('hex');
+}
+function generatePendingOAuthId() {
+    return (0, crypto_1.randomBytes)(16).toString('hex');
+}
+const ALLOWED_REDIRECT_PREFIXES = [
+    '/',
+    '/account',
+    '/analytics',
+    '/fraim-brain',
+    '/auth/recovery',
+    '/auth/error',
+    '/api/auth/mobile',
+    '/oauth/mcp',
+];
+function safeRedirectPath(input, fallback = '/') {
+    if (!input || typeof input !== 'string')
+        return fallback;
+    if (input.includes('\n') || input.includes('\r'))
+        return fallback;
+    if (input.startsWith('//'))
+        return fallback;
+    if (!input.startsWith('/'))
+        return fallback;
+    let decoded;
+    try {
+        decoded = decodeURIComponent(input);
+        if (decoded.startsWith('//'))
+            return fallback;
+    }
+    catch {
+        return fallback;
+    }
+    // Path-traversal guard. Caught by issue #359 bug-bash: a value like
+    // `/account/../etc/passwd` would have matched the `/account/` prefix
+    // and been forwarded by the OAuth callback's res.redirect, after which
+    // the browser normalises it to `/etc/passwd` — escaping the whitelist.
+    // Reject any segment that traverses up. Also reject backslashes which
+    // some browsers (notably old IE/Edge) treat as forward slashes.
+    if (input.includes('\\') || decoded.includes('\\'))
+        return fallback;
+    const segments = input.split('?')[0].split('#')[0].split('/');
+    if (segments.some(seg => seg === '..' || seg === '%2e%2e' || seg.toLowerCase() === '%2e%2e'))
+        return fallback;
+    const pathOnly = input.split('?')[0].split('#')[0];
+    const matchesAllow = ALLOWED_REDIRECT_PREFIXES.some(prefix => pathOnly === prefix || pathOnly.startsWith(prefix + '/') || (prefix === '/' && pathOnly === '/'));
+    return matchesAllow ? input : fallback;
+}
+exports.SUPPORTED_SURFACES = ['analytics', 'brain', 'account', 'mobile'];
+function isSupportedSurface(value) {
+    return exports.SUPPORTED_SURFACES.includes(value);
+}
+function defaultRedirectForSurface(surface) {
+    switch (surface) {
+        case 'analytics': return '/#analytics';
+        case 'brain': return '/#brain';
+        case 'account': return '/account/';
+        case 'mobile': return '/api/auth/mobile/claim';
+    }
+}
+function pickSurfaceOrDefault(input, fallback = 'analytics') {
+    if (typeof input === 'string' && isSupportedSurface(input))
+        return input;
+    return fallback;
+}
+/**
+ * Cheap email-shape check. Not RFC 5322 compliant — that's intentional. The
+ * provider verifies the email separately on the OAuth path; the email-code
+ * path doesn't reveal whether the email exists. The check exists to reject
+ * obvious junk (whitespace, missing @ / TLD) before a DB write.
+ */
+function isLikelyValidEmail(value) {
+    if (typeof value !== 'string')
+        return false;
+    if (value.length > 254)
+        return false;
+    return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
+}
+/**
+ * Best-effort client IP extraction. Honours `X-Forwarded-For` (first hop) when
+ * present — Express is configured with `trust proxy` 1 hop in the FRAIM server.
+ */
+function clientIpFromReq(req) {
+    const fwd = req.headers['x-forwarded-for'];
+    if (typeof fwd === 'string') {
+        const first = fwd.split(',')[0];
+        if (first && first.trim())
+            return first.trim();
+    }
+    return req.ip || 'unknown';
+}

package/dist/src/services/org-service.js

@@ -0,0 +1,89 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrgService = void 0;
+class OrgService {
+    constructor(dbService) {
+        this.dbService = dbService;
+    }
+    async getPack(auth) {
+        const artifacts = await this.dbService.getOrgArtifacts(auth.orgId);
+        const version = artifacts.reduce((max, a) => Math.max(max, a.revision || 0), 0);
+        return {
+            files: artifacts.map(a => ({ relativePath: a.relativePath, content: a.content })),
+            version: String(version)
+        };
+    }
+    async publishArtifacts(auth, artifacts, approval) {
+        const existing = await this.dbService.getOrgArtifacts(auth.orgId);
+        const nextRevision = existing.reduce((max, a) => Math.max(max, a.revision || 0), 0) + 1;
+        const now = new Date();
+        for (const artifact of artifacts) {
+            const record = {
+                orgId: auth.orgId,
+                relativePath: artifact.relativePath,
+                content: artifact.content,
+                revision: nextRevision,
+                updatedAt: now,
+                proposedBy: approval.proposedBy,
+                approvedBy: approval.approvedBy
+            };
+            await this.dbService.upsertOrgArtifact(record);
+        }
+        const auditEntry = {
+            orgId: auth.orgId,
+            action: 'publish',
+            relativePaths: artifacts.map(a => a.relativePath),
+            proposedBy: approval.proposedBy,
+            approvedBy: approval.approvedBy,
+            at: now
+        };
+        await this.dbService.appendOrgAuditEntry(auditEntry);
+        return { version: String(nextRevision) };
+    }
+    /** Complete artifact set for export (R6.4, AC10). */
+    async exportPack(auth) {
+        return this.getPack(auth);
+    }
+    /**
+     * Redact every occurrence of a named identifier from the org's artifacts
+     * (GDPR erasure, AC10). Leaves an explicit [redacted] placeholder so the
+     * surrounding learning stays readable.
+     */
+    async redactIdentifier(auth, identifier, approvedBy) {
+        const needle = identifier.trim();
+        if (!needle)
+            return { filesChanged: 0 };
+        const artifacts = await this.dbService.getOrgArtifacts(auth.orgId);
+        const changed = [];
+        const now = new Date();
+        for (const artifact of artifacts) {
+            if (!artifact.content.includes(needle))
+                continue;
+            changed.push({
+                ...artifact,
+                content: artifact.content.split(needle).join('[redacted]'),
+                updatedAt: now,
+                proposedBy: approvedBy,
+                approvedBy
+            });
+        }
+        for (const record of changed) {
+            await this.dbService.upsertOrgArtifact(record);
+        }
+        if (changed.length > 0) {
+            await this.dbService.appendOrgAuditEntry({
+                orgId: auth.orgId,
+                action: 'redact',
+                relativePaths: changed.map(c => c.relativePath),
+                proposedBy: approvedBy,
+                approvedBy,
+                at: now
+            });
+        }
+        return { filesChanged: changed.length };
+    }
+    async getAudit(auth) {
+        return this.dbService.getOrgAuditEntries(auth.orgId);
+    }
+}
+exports.OrgService = OrgService;

package/dist/src/services/persona-entitlement-service.js

@@ -0,0 +1,288 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildPersonaHireUrl = buildPersonaHireUrl;
+exports.syncPersonaEntitlementPurchase = syncPersonaEntitlementPurchase;
+exports.syncPersonaEntitlementFromCheckoutSession = syncPersonaEntitlementFromCheckoutSession;
+exports.getWorkspacePersonaState = getWorkspacePersonaState;
+exports.evaluatePersonaAccess = evaluatePersonaAccess;
+const persona_hiring_1 = require("../config/persona-hiring");
+const persona_capability_bundles_1 = require("../config/persona-capability-bundles");
+const workspace_identity_1 = require("./workspace-identity");
+const DEFAULT_JOB_CREDITS = 1;
+function normalizeEmail(email) {
+    return email.trim().toLowerCase();
+}
+function mergeMetadata(existingMetadata, nextMetadata) {
+    if (!existingMetadata && !nextMetadata) {
+        return undefined;
+    }
+    return {
+        ...(existingMetadata || {}),
+        ...(nextMetadata || {})
+    };
+}
+function buildPersonaHireUrl(personaKey, hireMode = 'job', returnTo) {
+    const params = new URLSearchParams({
+        persona: personaKey,
+        mode: hireMode
+    });
+    if (returnTo) {
+        params.set('returnTo', returnTo);
+    }
+    return `/pricing?${params.toString()}`;
+}
+async function resolveWorkspaceContext(dbService, input) {
+    const normalizedUserId = normalizeEmail(input.userId);
+    let apiKey = input.workspaceId ? await dbService.getApiKeyByWorkspaceId(input.workspaceId, false) : null;
+    if (!apiKey && input.stripeCustomerId) {
+        apiKey = await dbService.getApiKeyByStripeCustomerId(input.stripeCustomerId);
+    }
+    if (!apiKey) {
+        apiKey = await dbService.getApiKeyByUserId(normalizedUserId, false);
+    }
+    const workspaceId = (0, workspace_identity_1.resolveWorkspaceId)({
+        workspaceId: apiKey?.workspaceId || input.workspaceId || undefined,
+        stripeCustomerId: input.stripeCustomerId || apiKey?.stripeCustomerId || undefined,
+        email: normalizedUserId
+    }) || `user:${normalizedUserId}`;
+    if (apiKey && apiKey.workspaceId !== workspaceId) {
+        await dbService.updateApiKey(apiKey.key, { workspaceId });
+        apiKey.workspaceId = workspaceId;
+    }
+    return {
+        workspaceId,
+        orgId: apiKey?.orgId || input.orgId || 'default',
+        apiKey
+    };
+}
+async function syncPersonaEntitlementPurchase(dbService, input) {
+    const persona = persona_hiring_1.PERSONA_HIRE_CATALOG[input.personaKey];
+    const normalizedUserId = normalizeEmail(input.userId);
+    const workspace = await resolveWorkspaceContext(dbService, {
+        userId: normalizedUserId,
+        orgId: input.orgId,
+        stripeCustomerId: input.stripeCustomerId
+    });
+    const existing = await dbService.getPersonaEntitlement(workspace.workspaceId, input.personaKey, input.hireMode);
+    const currentPurchaseCount = existing?.purchasedCount || 0;
+    const isNewPurchase = !existing || (input.stripeCheckoutSessionId &&
+        existing.stripeCheckoutSessionId !== input.stripeCheckoutSessionId) || (input.stripeSubscriptionId &&
+        existing.stripeSubscriptionId !== input.stripeSubscriptionId);
+    const jobCreditsIncluded = input.hireMode === 'job'
+        ? (existing?.jobCreditsIncluded || 0) + (isNewPurchase ? DEFAULT_JOB_CREDITS : 0)
+        : 0;
+    const jobCreditsRemaining = input.hireMode === 'job'
+        ? (existing?.jobCreditsRemaining || 0) + (isNewPurchase ? DEFAULT_JOB_CREDITS : 0)
+        : null;
+    const entitlement = await dbService.upsertPersonaEntitlement({
+        workspaceId: workspace.workspaceId,
+        userId: normalizedUserId,
+        orgId: workspace.orgId,
+        personaKey: input.personaKey,
+        personaName: persona.displayName,
+        personaRole: persona.role,
+        hireMode: input.hireMode,
+        status: input.status || 'active',
+        stripeCustomerId: input.stripeCustomerId || existing?.stripeCustomerId || null,
+        stripeSubscriptionId: input.stripeSubscriptionId || existing?.stripeSubscriptionId || null,
+        stripeCheckoutSessionId: input.stripeCheckoutSessionId || existing?.stripeCheckoutSessionId || null,
+        purchaseSource: input.purchaseSource,
+        purchasedCount: currentPurchaseCount + (isNewPurchase ? 1 : 0),
+        jobCreditsIncluded,
+        jobCreditsRemaining,
+        activatedAt: existing?.activatedAt || new Date(),
+        expiresAt: input.expiresAt ?? existing?.expiresAt ?? null,
+        canceledAt: input.status === 'expired' ? new Date() : null,
+        metadata: mergeMetadata(existing?.metadata, input.metadata)
+    });
+    // Transition a legacy workspace into the persona system on first purchase.
+    if (workspace.apiKey?.key && !workspace.apiKey.personaSystemActive) {
+        await dbService.updateApiKey(workspace.apiKey.key, { personaSystemActive: true }).catch(() => { });
+    }
+    return entitlement;
+}
+async function syncPersonaEntitlementFromCheckoutSession(dbService, session, purchaseSource) {
+    const personaKey = session.metadata?.personaKey;
+    const rawHireMode = session.metadata?.hireMode;
+    const email = session.customer_details?.email || session.customer_email;
+    if (!personaKey || !(0, persona_hiring_1.isPersonaHireKey)(personaKey) || !email || !rawHireMode || (rawHireMode !== 'job' && rawHireMode !== 'fulltime')) {
+        return null;
+    }
+    const customerId = !session.customer
+        ? null
+        : (typeof session.customer === 'string' ? session.customer : session.customer.id);
+    const subscriptionId = !session.subscription
+        ? null
+        : (typeof session.subscription === 'string' ? session.subscription : session.subscription.id);
+    return await syncPersonaEntitlementPurchase(dbService, {
+        userId: email,
+        stripeCustomerId: customerId,
+        stripeSubscriptionId: subscriptionId,
+        stripeCheckoutSessionId: session.id,
+        personaKey,
+        hireMode: rawHireMode,
+        purchaseSource,
+        metadata: session.metadata || {}
+    });
+}
+async function getWorkspacePersonaState(dbService, userId, apiKey) {
+    const normalizedUserId = normalizeEmail(userId);
+    let apiKeyData = null;
+    if (apiKey) {
+        apiKeyData = await dbService.getApiKeyByKey(apiKey);
+    }
+    if (!apiKeyData) {
+        apiKeyData = await dbService.getApiKeyByUserId(normalizedUserId, false);
+    }
+    const workspace = await resolveWorkspaceContext(dbService, {
+        userId: normalizedUserId,
+        orgId: apiKeyData?.orgId,
+        stripeCustomerId: apiKeyData?.stripeCustomerId,
+        workspaceId: apiKeyData?.workspaceId
+    });
+    let entitlements = await dbService.getPersonaEntitlementsByWorkspaceId(workspace.workspaceId, false);
+    // Fallback: when the local dev workspace has no API key the workspaceId may not
+    // match the cust: prefix written by the Stripe checkout sync. Look up by userId.
+    if (entitlements.length === 0) {
+        entitlements = await dbService.getPersonaEntitlementsByUserId(normalizedUserId, false);
+    }
+    const catalog = (0, persona_capability_bundles_1.listPersonaCapabilityBundles)().map((bundle) => ({
+        personaKey: bundle.personaKey,
+        personaName: bundle.catalogMetadata.displayName,
+        personaRole: bundle.catalogMetadata.role,
+        hireUrl: buildPersonaHireUrl(bundle.personaKey, bundle.defaultHireMode),
+        protectedJobs: bundle.protectedJobs
+    }));
+    const knownPersonaKeys = new Set(entitlements.map((entitlement) => entitlement.personaKey));
+    // Subscribed = explicitly opted in via flag, OR has ever had an active entitlement.
+    const subscriptionActive = apiKeyData?.personaSystemActive === true ||
+        entitlements.some((e) => e.status === 'active');
+    return {
+        featureFlagEnabled: true,
+        featureFlags: {
+            personaEntitlementsEnabled: true
+        },
+        subscriptionActive,
+        workspaceId: workspace.workspaceId,
+        userId: normalizedUserId,
+        apiKey: apiKeyData?.key || apiKey || null,
+        entitlements: entitlements.map((entitlement) => ({
+            personaKey: entitlement.personaKey,
+            personaName: entitlement.personaName,
+            personaRole: entitlement.personaRole,
+            hireMode: entitlement.hireMode,
+            status: entitlement.status,
+            jobCreditsRemaining: entitlement.jobCreditsRemaining,
+            expiresAt: entitlement.expiresAt ? entitlement.expiresAt.toISOString() : null,
+            hireUrl: buildPersonaHireUrl(entitlement.personaKey, entitlement.hireMode),
+            jobs: (0, persona_hiring_1.isPersonaHireKey)(entitlement.personaKey)
+                ? (0, persona_capability_bundles_1.getPersonaCapabilityBundle)(entitlement.personaKey).protectedJobs
+                : []
+        })),
+        catalog,
+        lockedPersonas: catalog
+            .filter((persona) => !knownPersonaKeys.has(persona.personaKey))
+            .map((persona) => ({
+            ...persona,
+            status: 'locked'
+        }))
+    };
+}
+async function evaluatePersonaAccess(dbService, userId, jobName, apiKey, returnTo) {
+    const normalizedUserId = normalizeEmail(userId);
+    let apiKeyData = null;
+    if (apiKey) {
+        apiKeyData = await dbService.getApiKeyByKey(apiKey);
+    }
+    if (!apiKeyData) {
+        apiKeyData = await dbService.getApiKeyByUserId(normalizedUserId, false);
+    }
+    const workspace = await resolveWorkspaceContext(dbService, {
+        userId: normalizedUserId,
+        orgId: apiKeyData?.orgId,
+        stripeCustomerId: apiKeyData?.stripeCustomerId,
+        workspaceId: apiKeyData?.workspaceId
+    });
+    const workspaceEntitlements = await dbService.getPersonaEntitlementsByWorkspaceId(workspace.workspaceId, false);
+    // Legacy bypass: if the workspace has never subscribed to the persona system,
+    // all jobs are freely accessible — no lock enforcement.
+    const subscriptionActive = apiKeyData?.personaSystemActive === true ||
+        workspaceEntitlements.some((e) => e.status === 'active');
+    if (!subscriptionActive) {
+        return {
+            allowed: true,
+            personaKey: null,
+            workspaceId: workspace.workspaceId,
+            ownedPersonaKeys: []
+        };
+    }
+    const ownedPersonaKeys = Array.from(new Set(workspaceEntitlements
+        .filter((entitlement) => entitlement.status === 'active')
+        .map((entitlement) => entitlement.personaKey)
+        .filter((personaKey) => (0, persona_hiring_1.isPersonaHireKey)(personaKey))));
+    const protectedPersonaKey = (0, persona_capability_bundles_1.getProtectedPersonaForJob)(jobName);
+    if (!protectedPersonaKey) {
+        return {
+            allowed: true,
+            personaKey: null,
+            workspaceId: workspace.workspaceId,
+            ownedPersonaKeys
+        };
+    }
+    const fulltimeEntitlement = await dbService.getPersonaEntitlement(workspace.workspaceId, protectedPersonaKey, 'fulltime');
+    if (fulltimeEntitlement && fulltimeEntitlement.status === 'active') {
+        return {
+            allowed: true,
+            personaKey: protectedPersonaKey,
+            workspaceId: workspace.workspaceId,
+            ownedPersonaKeys,
+            entitlement: fulltimeEntitlement
+        };
+    }
+    const jobEntitlement = await dbService.getPersonaEntitlement(workspace.workspaceId, protectedPersonaKey, 'job');
+    if (jobEntitlement && jobEntitlement.status === 'active' && (jobEntitlement.jobCreditsRemaining || 0) > 0) {
+        return {
+            allowed: true,
+            personaKey: protectedPersonaKey,
+            workspaceId: workspace.workspaceId,
+            ownedPersonaKeys,
+            entitlement: jobEntitlement
+        };
+    }
+    const bundle = (0, persona_capability_bundles_1.getPersonaCapabilityBundle)(protectedPersonaKey);
+    const persona = persona_hiring_1.PERSONA_HIRE_CATALOG[protectedPersonaKey];
+    const priorEntitlement = fulltimeEntitlement || jobEntitlement || null;
+    const ownedOtherPersonas = ownedPersonaKeys
+        .filter((personaKey) => personaKey !== protectedPersonaKey)
+        .map((personaKey) => persona_hiring_1.PERSONA_HIRE_CATALOG[personaKey].displayName);
+    let message = bundle?.lockCopy || `This job requires ${persona.displayName}. Hire them to unlock it.`;
+    let hireUrl = buildPersonaHireUrl(protectedPersonaKey, bundle?.defaultHireMode || 'job', returnTo);
+    let ctaLabel = `Hire ${persona.displayName}`;
+    if (priorEntitlement?.status === 'suspended') {
+        message = `${persona.displayName} is currently suspended for this workspace because billing needs attention. Update billing to restore ${persona.displayName} for this request.`;
+        hireUrl = process.env.STRIPE_BILLING_PORTAL_URL || '/billing';
+        ctaLabel = `Restore ${persona.displayName}`;
+    }
+    else if (priorEntitlement?.status === 'expired') {
+        message = `${persona.displayName} was previously active in this workspace but is no longer active. Reactivate ${persona.displayName} to resume this request.`;
+        ctaLabel = `Reactivate ${persona.displayName}`;
+    }
+    else if (ownedOtherPersonas.length > 0) {
+        message = `${persona.displayName} owns this job, and your workspace has not hired ${persona.displayName} yet. You currently have ${ownedOtherPersonas.join(' and ')} active. ${ctaLabel} to unlock this request.`;
+    }
+    return {
+        allowed: false,
+        personaKey: protectedPersonaKey,
+        workspaceId: workspace.workspaceId,
+        ownedPersonaKeys,
+        entitlement: priorEntitlement,
+        lock: {
+            personaKey: protectedPersonaKey,
+            personaName: persona.displayName,
+            personaRole: persona.role,
+            message,
+            hireUrl,
+            ctaLabel
+        }
+    };
+}