git-daemon 0.1.0

package/src/process.ts

@@ -0,0 +1,55 @@
+import { execa, type Options as ExecaOptions } from "execa";
+import treeKill from "tree-kill";
+import type { JobContext } from "./jobs";
+
+const attachLineReader = (
+  stream: NodeJS.ReadableStream | null,
+  onLine: (line: string) => void,
+) => {
+  if (!stream) {
+    return;
+  }
+  let buffer = "";
+  stream.on("data", (chunk: Buffer) => {
+    buffer += chunk.toString();
+    const lines = buffer.split(/\r?\n/);
+    buffer = lines.pop() ?? "";
+    for (const line of lines) {
+      if (line.length > 0) {
+        onLine(line);
+      }
+    }
+  });
+  stream.on("end", () => {
+    if (buffer.length > 0) {
+      onLine(buffer);
+    }
+  });
+};
+
+export const runCommand = async (
+  ctx: JobContext,
+  command: string,
+  args: string[],
+  options?: ExecaOptions,
+) => {
+  const subprocess = execa(command, args, {
+    ...options,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+
+  if (subprocess.pid) {
+    ctx.setCancel(
+      () =>
+        new Promise<void>((resolve) => {
+          treeKill(subprocess.pid, "SIGTERM", () => resolve());
+        }),
+    );
+  }
+
+  attachLineReader(subprocess.stdout, ctx.logStdout);
+  attachLineReader(subprocess.stderr, ctx.logStderr);
+
+  await subprocess;
+};

package/src/security.ts

@@ -0,0 +1,80 @@
+import type { Request, Response, NextFunction } from "express";
+import { authInvalid, authRequired, originNotAllowed } from "./errors";
+import type { TokenStore } from "./tokens";
+
+const ALLOWED_HOSTS = new Set(["127.0.0.1", "localhost"]);
+
+export const getOrigin = (req: Request) => req.headers.origin || "";
+
+const isLoopbackAddress = (address: string | undefined) => {
+  if (!address) {
+    return false;
+  }
+  if (address === "127.0.0.1" || address === "::1") {
+    return true;
+  }
+  return address.startsWith("::ffff:127.0.0.1");
+};
+
+export const originGuard = (allowlist: string[]) => {
+  return (req: Request, res: Response, next: NextFunction) => {
+    const origin = getOrigin(req);
+    if (!origin || !allowlist.includes(origin)) {
+      return next(originNotAllowed());
+    }
+
+    res.setHeader("Access-Control-Allow-Origin", origin);
+    res.setHeader("Vary", "Origin");
+    res.setHeader(
+      "Access-Control-Allow-Headers",
+      "Authorization, Content-Type",
+    );
+    res.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
+    res.setHeader("Access-Control-Max-Age", "600");
+
+    if (req.method === "OPTIONS") {
+      res.status(204).end();
+      return;
+    }
+
+    next();
+  };
+};
+
+export const hostGuard = () => {
+  return (req: Request, _res: Response, next: NextFunction) => {
+    const host = req.headers.host?.split(":")[0];
+    if (!host || !ALLOWED_HOSTS.has(host)) {
+      return next(originNotAllowed());
+    }
+    next();
+  };
+};
+
+export const loopbackGuard = () => {
+  return (req: Request, _res: Response, next: NextFunction) => {
+    if (!isLoopbackAddress(req.socket.remoteAddress)) {
+      return next(originNotAllowed());
+    }
+    next();
+  };
+};
+
+export const authGuard = (tokenStore: TokenStore) => {
+  return (req: Request, _res: Response, next: NextFunction) => {
+    const origin = getOrigin(req);
+    const auth = req.headers.authorization;
+    if (!auth) {
+      return next(authRequired());
+    }
+    const match = auth.match(/^Bearer (.+)$/i);
+    if (!match) {
+      return next(authInvalid());
+    }
+    const token = match[1];
+    if (!tokenStore.verifyToken(origin, token)) {
+      return next(authInvalid());
+    }
+    next();
+  };
+};

package/src/tokens.ts

@@ -0,0 +1,95 @@
+import { promises as fs } from "fs";
+import crypto from "crypto";
+import { getTokensPath } from "./config";
+import type { TokenEntry, TokenStoreData } from "./types";
+
+const TOKEN_BYTES = 32;
+const HASH_BYTES = 32;
+
+export class TokenStore {
+  private entries: TokenEntry[] = [];
+  private readonly tokensPath: string;
+
+  constructor(configDir: string) {
+    this.tokensPath = getTokensPath(configDir);
+  }
+
+  async load() {
+    try {
+      const raw = await fs.readFile(this.tokensPath, "utf8");
+      const data = JSON.parse(raw) as TokenStoreData;
+      this.entries = Array.isArray(data.entries) ? data.entries : [];
+    } catch (err) {
+      if ((err as NodeJS.ErrnoException).code !== "ENOENT") {
+        throw err;
+      }
+      this.entries = [];
+      await this.save();
+    }
+    this.pruneExpired();
+  }
+
+  private async save() {
+    const payload: TokenStoreData = { entries: this.entries };
+    await fs.writeFile(this.tokensPath, JSON.stringify(payload, null, 2));
+  }
+
+  private pruneExpired() {
+    const now = Date.now();
+    this.entries = this.entries.filter((entry) => {
+      const expiresAt = Date.parse(entry.expiresAt);
+      return Number.isNaN(expiresAt) || expiresAt > now;
+    });
+  }
+
+  getActiveToken(origin: string): TokenEntry | undefined {
+    this.pruneExpired();
+    return this.entries.find((entry) => entry.origin === origin);
+  }
+
+  async issueToken(origin: string, ttlDays: number) {
+    const token = crypto.randomBytes(TOKEN_BYTES).toString("base64url");
+    const salt = crypto.randomBytes(16).toString("base64url");
+    const tokenHash = crypto
+      .scryptSync(token, salt, HASH_BYTES)
+      .toString("base64url");
+    const now = new Date();
+    const expiresAt = new Date(now.getTime() + ttlDays * 24 * 60 * 60 * 1000);
+
+    const entry: TokenEntry = {
+      origin,
+      tokenHash,
+      salt,
+      createdAt: now.toISOString(),
+      expiresAt: expiresAt.toISOString(),
+    };
+
+    this.entries = this.entries.filter((item) => item.origin !== origin);
+    this.entries.push(entry);
+    await this.save();
+
+    return {
+      token,
+      expiresAt: entry.expiresAt,
+    };
+  }
+
+  async revokeToken(origin: string) {
+    this.entries = this.entries.filter((item) => item.origin !== origin);
+    await this.save();
+  }
+
+  verifyToken(origin: string, token: string): boolean {
+    this.pruneExpired();
+    const entry = this.entries.find((item) => item.origin === origin);
+    if (!entry) {
+      return false;
+    }
+    const derived = crypto.scryptSync(token, entry.salt, HASH_BYTES);
+    const stored = Buffer.from(entry.tokenHash, "base64url");
+    if (stored.length !== derived.length) {
+      return false;
+    }
+    return crypto.timingSafeEqual(stored, derived);
+  }
+}

package/src/tools.ts

@@ -0,0 +1,45 @@
+import { execa } from "execa";
+import type { ToolInfo, Capabilities } from "./types";
+
+const detect = async (
+  command: string,
+  args: string[] = ["--version"],
+): Promise<ToolInfo> => {
+  try {
+    const result = await execa(command, args);
+    const version = result.stdout.trim();
+    return { installed: true, version };
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === "ENOENT") {
+      return { installed: false };
+    }
+    return { installed: false };
+  }
+};
+
+export const detectCapabilities = async (): Promise<Capabilities> => {
+  const [git, node, npm, pnpm, yarn, code] = await Promise.all([
+    detect("git", ["--version"]),
+    detect("node", ["--version"]),
+    detect("npm", ["--version"]),
+    detect("pnpm", ["--version"]),
+    detect("yarn", ["--version"]),
+    detect("code", ["--version"]),
+  ]);
+
+  return {
+    tools: {
+      git,
+      node,
+      npm,
+      pnpm,
+      yarn,
+      code,
+    },
+  };
+};
+
+export const isToolInstalled = async (command: string) => {
+  const info = await detect(command, ["--version"]);
+  return info.installed;
+};

package/src/types.ts

@@ -0,0 +1,111 @@
+export type Capability = "open-terminal" | "open-vscode" | "deps/install";
+
+export type ApprovalEntry = {
+  origin: string;
+  repoPath: string;
+  capabilities: Capability[];
+  approvedAt: string;
+};
+
+export type AppConfig = {
+  configVersion: number;
+  server: {
+    host: string;
+    port: number;
+  };
+  originAllowlist: string[];
+  workspaceRoot: string | null;
+  pairing: {
+    tokenTtlDays: number;
+  };
+  jobs: {
+    maxConcurrent: number;
+    timeoutSeconds: number;
+  };
+  deps: {
+    defaultSafer: boolean;
+  };
+  logging: {
+    directory: string;
+    maxFiles: number;
+    maxBytes: number;
+  };
+  approvals: {
+    entries: ApprovalEntry[];
+  };
+};
+
+export type ToolInfo = {
+  installed: boolean;
+  version?: string;
+};
+
+export type Capabilities = {
+  tools: {
+    git?: ToolInfo;
+    node?: ToolInfo;
+    npm?: ToolInfo;
+    pnpm?: ToolInfo;
+    yarn?: ToolInfo;
+    code?: ToolInfo;
+  };
+};
+
+export type TokenEntry = {
+  origin: string;
+  tokenHash: string;
+  salt: string;
+  createdAt: string;
+  expiresAt: string;
+};
+
+export type TokenStoreData = {
+  entries: TokenEntry[];
+};
+
+export type JobState = "queued" | "running" | "done" | "error" | "cancelled";
+
+export type JobEvent =
+  | {
+      type: "log";
+      stream: "stdout" | "stderr";
+      line: string;
+    }
+  | {
+      type: "progress";
+      kind: "git" | "deps";
+      percent?: number;
+      detail?: string;
+    }
+  | {
+      type: "state";
+      state: JobState;
+      message?: string;
+    };
+
+export type JobStatus = {
+  id: string;
+  state: JobState;
+  createdAt: string;
+  startedAt?: string;
+  finishedAt?: string;
+  error?: ApiErrorBody;
+};
+
+export type ApiErrorBody = {
+  errorCode:
+    | "auth_required"
+    | "auth_invalid"
+    | "origin_not_allowed"
+    | "rate_limited"
+    | "request_too_large"
+    | "workspace_required"
+    | "path_outside_workspace"
+    | "invalid_repo_url"
+    | "capability_not_granted"
+    | "job_not_found"
+    | "timeout"
+    | "internal_error";
+  message: string;
+  details?: Record<string, unknown>;
+};

package/src/typings/tree-kill.d.ts

@@ -0,0 +1,9 @@
+declare module "tree-kill" {
+  type Signal = NodeJS.Signals | number;
+  function treeKill(
+    pid: number,
+    signal?: Signal,
+    callback?: (err?: Error) => void,
+  ): void;
+  export default treeKill;
+}

package/src/validation.ts

@@ -0,0 +1,69 @@
+import { z } from "zod";
+
+const MAX_PATH_LENGTH = 4096;
+
+const isValidRepoUrl = (value: string) => {
+  if (value.startsWith("file://")) {
+    return false;
+  }
+  if (
+    value.startsWith("/") ||
+    value.startsWith("./") ||
+    value.startsWith("../")
+  ) {
+    return false;
+  }
+  if (/^git@[^:]+:.+/.test(value)) {
+    return true;
+  }
+  if (/^https:\/\/[^/]+\/.+/.test(value)) {
+    return true;
+  }
+  if (/^ssh:\/\/[^/]+\/.+/.test(value)) {
+    return true;
+  }
+  return false;
+};
+
+export const pairRequestSchema = z.discriminatedUnion("step", [
+  z.object({
+    step: z.literal("start"),
+  }),
+  z.object({
+    step: z.literal("confirm"),
+    code: z.string().min(1),
+  }),
+]);
+
+export const gitCloneRequestSchema = z.object({
+  repoUrl: z.string().min(1).refine(isValidRepoUrl),
+  destRelative: z.string().min(1).max(MAX_PATH_LENGTH),
+  options: z
+    .object({
+      branch: z.string().min(1).optional(),
+      depth: z.number().int().min(1).optional(),
+    })
+    .optional(),
+});
+
+export const gitFetchRequestSchema = z.object({
+  repoPath: z.string().min(1).max(MAX_PATH_LENGTH),
+  remote: z.string().min(1).optional(),
+  prune: z.boolean().optional(),
+});
+
+export const gitStatusQuerySchema = z.object({
+  repoPath: z.string().min(1).max(MAX_PATH_LENGTH),
+});
+
+export const osOpenRequestSchema = z.object({
+  target: z.enum(["folder", "terminal", "vscode"]),
+  path: z.string().min(1).max(MAX_PATH_LENGTH),
+});
+
+export const depsInstallRequestSchema = z.object({
+  repoPath: z.string().min(1).max(MAX_PATH_LENGTH),
+  manager: z.enum(["auto", "npm", "pnpm", "yarn"]).optional(),
+  mode: z.enum(["auto", "ci", "install"]).optional(),
+  safer: z.boolean().optional(),
+});

package/src/workspace.ts

@@ -0,0 +1,83 @@
+import path from "path";
+import { promises as fs } from "fs";
+import { pathOutsideWorkspace, workspaceRequired } from "./errors";
+
+export class MissingPathError extends Error {}
+
+const MAX_PATH_LENGTH = 4096;
+
+export const ensureWorkspaceRoot = (root: string | null) => {
+  if (!root) {
+    throw workspaceRequired();
+  }
+  if (root.length > MAX_PATH_LENGTH) {
+    throw pathOutsideWorkspace();
+  }
+  return root;
+};
+
+const realpathSafe = async (target: string) => {
+  try {
+    return await fs.realpath(target);
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === "ENOENT") {
+      return null;
+    }
+    throw err;
+  }
+};
+
+export const resolveInsideWorkspace = async (
+  workspaceRoot: string,
+  candidate: string,
+  allowMissing = false,
+) => {
+  if (candidate.length > MAX_PATH_LENGTH) {
+    throw pathOutsideWorkspace();
+  }
+
+  const rootReal = await fs.realpath(workspaceRoot);
+  const resolved = path.resolve(rootReal, candidate);
+
+  if (!isInside(rootReal, resolved)) {
+    throw pathOutsideWorkspace();
+  }
+
+  const realResolved = await realpathSafe(resolved);
+  if (realResolved) {
+    if (!isInside(rootReal, realResolved)) {
+      throw pathOutsideWorkspace();
+    }
+    return realResolved;
+  }
+
+  if (!allowMissing) {
+    throw new MissingPathError("Path does not exist.");
+  }
+
+  const parent = path.dirname(resolved);
+  const parentReal = await realpathSafe(parent);
+  if (parentReal && !isInside(rootReal, parentReal)) {
+    throw pathOutsideWorkspace();
+  }
+  return resolved;
+};
+
+const isInside = (root: string, candidate: string) => {
+  const relative = path.relative(root, candidate);
+  if (relative === "") {
+    return true;
+  }
+  return !relative.startsWith("..") && !path.isAbsolute(relative);
+};
+
+export const ensureRelative = (target: string) => {
+  if (path.isAbsolute(target)) {
+    throw pathOutsideWorkspace();
+  }
+  const normalized = path.normalize(target);
+  if (normalized === "." || normalized.startsWith("..")) {
+    throw pathOutsideWorkspace();
+  }
+  return target;
+};

package/tests/app.test.ts

@@ -0,0 +1,122 @@
+import { describe, expect, it } from "vitest";
+import request from "supertest";
+import path from "path";
+import os from "os";
+import { promises as fs } from "fs";
+import pino from "pino";
+import { createApp, type DaemonContext } from "../src/app";
+import { TokenStore } from "../src/tokens";
+import { PairingManager } from "../src/pairing";
+import { JobManager } from "../src/jobs";
+import type { AppConfig } from "../src/types";
+
+const createTempDir = async () =>
+  fs.mkdtemp(path.join(os.tmpdir(), "git-daemon-test-"));
+
+const createConfig = (
+  workspaceRoot: string | null,
+  origin: string,
+): AppConfig => ({
+  configVersion: 1,
+  server: { host: "127.0.0.1", port: 0 },
+  originAllowlist: [origin],
+  workspaceRoot,
+  pairing: { tokenTtlDays: 30 },
+  jobs: { maxConcurrent: 1, timeoutSeconds: 60 },
+  deps: { defaultSafer: true },
+  logging: { directory: "logs", maxFiles: 1, maxBytes: 1024 },
+  approvals: { entries: [] },
+});
+
+const createContext = async (workspaceRoot: string | null, origin: string) => {
+  const configDir = await createTempDir();
+  const config = createConfig(workspaceRoot, origin);
+  const tokenStore = new TokenStore(configDir);
+  await tokenStore.load();
+  const pairingManager = new PairingManager(
+    tokenStore,
+    config.pairing.tokenTtlDays,
+  );
+  const jobManager = new JobManager(
+    config.jobs.maxConcurrent,
+    config.jobs.timeoutSeconds,
+  );
+  const logger = pino({ enabled: false });
+  const capabilities = { tools: {} };
+  const ctx: DaemonContext = {
+    config,
+    configDir,
+    tokenStore,
+    pairingManager,
+    jobManager,
+    capabilities,
+    logger,
+    version: "0.1.0",
+    build: undefined,
+  };
+  return { ctx, app: createApp(ctx) };
+};
+
+describe("Git Daemon API", () => {
+  const origin = "http://localhost:5173";
+
+  it("rejects missing Origin header", async () => {
+    const { app } = await createContext(null, origin);
+    const res = await request(app).get("/v1/meta").set("Host", "127.0.0.1");
+    expect(res.status).toBe(403);
+    expect(res.body.errorCode).toBe("origin_not_allowed");
+  });
+
+  it("returns meta for allowed origin", async () => {
+    const { app } = await createContext(null, origin);
+    const res = await request(app)
+      .get("/v1/meta")
+      .set("Origin", origin)
+      .set("Host", "127.0.0.1");
+    expect(res.status).toBe(200);
+    expect(res.body.version).toBeTypeOf("string");
+    expect(res.body.pairing).toBeTruthy();
+  });
+
+  it("requires auth for protected routes", async () => {
+    const { app } = await createContext(null, origin);
+    const res = await request(app)
+      .get("/v1/git/status")
+      .query({ repoPath: "repo" })
+      .set("Origin", origin)
+      .set("Host", "127.0.0.1");
+    expect(res.status).toBe(401);
+    expect(res.body.errorCode).toBe("auth_required");
+  });
+
+  it("returns workspace_required when not configured", async () => {
+    const { app, ctx } = await createContext(null, origin);
+    const { token } = await ctx.tokenStore.issueToken(origin, 30);
+
+    const res = await request(app)
+      .get("/v1/git/status")
+      .query({ repoPath: "repo" })
+      .set("Origin", origin)
+      .set("Host", "127.0.0.1")
+      .set("Authorization", `Bearer ${token}`);
+
+    expect(res.status).toBe(409);
+    expect(res.body.errorCode).toBe("workspace_required");
+  });
+
+  it("validates repoUrl on clone", async () => {
+    const workspaceRoot = await createTempDir();
+    const { app, ctx } = await createContext(workspaceRoot, origin);
+    const { token } = await ctx.tokenStore.issueToken(origin, 30);
+
+    const res = await request(app)
+      .post("/v1/git/clone")
+      .set("Origin", origin)
+      .set("Host", "127.0.0.1")
+      .set("Authorization", `Bearer ${token}`)
+      .send({ repoUrl: "file:///tmp/repo", destRelative: "repo" });
+
+    expect(res.status).toBe(422);
+    expect(res.body.errorCode).toBe("invalid_repo_url");
+  });
+});

package/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "rootDir": "src",
+    "outDir": "dist",
+    "strict": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "skipLibCheck": true,
+    "resolveJsonModule": true
+  },
+  "include": ["src", "tests", "vitest.config.ts"]
+}

package/vitest.config.ts

@@ -0,0 +1,8 @@
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    environment: "node",
+    include: ["tests/**/*.test.ts"],
+  },
+});