groove-dev 0.27.15 → 0.27.18

package/node_modules/@groove-dev/daemon/src/federation/contracts.js

@@ -0,0 +1,112 @@
+// GROOVE — Federation Diplomatic Pouch Contracts
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+const CONTRACT_SCHEMAS = {
+  'task-request': {
+    required: ['taskId', 'description', 'requesterRole'],
+    optional: ['priority', 'suggestedRole', 'context', 'deadline'],
+  },
+  'task-accepted': {
+    required: ['taskId', 'assignedAgentId', 'assignedRole'],
+    optional: ['estimatedCompletion'],
+  },
+  'task-rejected': {
+    required: ['taskId', 'reason'],
+    optional: ['suggestion'],
+  },
+  'status-update': {
+    required: ['taskId', 'status'],
+    optional: ['progress', 'details', 'blockers'],
+  },
+  'delivery': {
+    required: ['taskId', 'result'],
+    optional: ['artifacts', 'summary', 'followUp'],
+  },
+  'question': {
+    required: ['questionId', 'text'],
+    optional: ['taskId', 'context', 'urgency'],
+  },
+  'capability-query': {
+    required: [],
+    optional: ['filter'],
+  },
+  'capability-response': {
+    required: ['roles', 'providerCount', 'agentCount'],
+    optional: ['availableRoles', 'busyAgents'],
+  },
+};
+
+const VALID_TYPES = new Set(Object.keys(CONTRACT_SCHEMAS));
+
+export function validateContract(contract) {
+  if (!contract || typeof contract !== 'object') {
+    return { valid: false, error: 'Contract must be an object' };
+  }
+  if (!contract.type || !VALID_TYPES.has(contract.type)) {
+    return { valid: false, error: `Invalid contract type: ${contract.type}` };
+  }
+  if (!contract.spec || typeof contract.spec !== 'object') {
+    return { valid: false, error: 'Contract must have a spec object' };
+  }
+
+  const schema = CONTRACT_SCHEMAS[contract.type];
+  for (const field of schema.required) {
+    if (contract.spec[field] === undefined || contract.spec[field] === null) {
+      return { valid: false, error: `Missing required field: spec.${field}` };
+    }
+  }
+
+  return { valid: true };
+}
+
+export function getContractTypes() {
+  return Object.keys(CONTRACT_SCHEMAS);
+}
+
+export class ContractHandlerRegistry {
+  constructor() {
+    this.handlers = new Map();
+  }
+
+  register(type, handler) {
+    if (!VALID_TYPES.has(type)) {
+      throw new Error(`Cannot register handler for unknown type: ${type}`);
+    }
+    this.handlers.set(type, handler);
+  }
+
+  async handle(contract, context) {
+    const validation = validateContract(contract);
+    if (!validation.valid) {
+      throw new Error(validation.error);
+    }
+
+    const handler = this.handlers.get(contract.type);
+    if (!handler) {
+      throw new Error(`No handler registered for type: ${contract.type}`);
+    }
+
+    return handler(contract, context);
+  }
+
+  has(type) {
+    return this.handlers.has(type);
+  }
+}
+
+export function createCapabilityResponse(daemon) {
+  const agents = daemon.registry.getAll();
+  const roles = new Set(agents.map(a => a.role));
+  const busy = agents.filter(a => a.status === 'running');
+
+  return {
+    type: 'capability-response',
+    spec: {
+      roles: Array.from(roles),
+      providerCount: agents.reduce((s, a) => { s.add(a.provider); return s; }, new Set()).size,
+      agentCount: agents.length,
+      availableRoles: Array.from(roles),
+      busyAgents: busy.length,
+    },
+  };
+}

package/node_modules/@groove-dev/daemon/src/federation/whitelist.js

@@ -0,0 +1,190 @@
+// GROOVE — Federation IP Whitelist Manager
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { resolve } from 'path';
+import { EventEmitter } from 'events';
+
+const PROBE_INTERVAL = 15_000;
+const PROBE_TIMEOUT = 5_000;
+
+const PRIVATE_PATTERNS = [
+  /^127\./, /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./,
+  /^0\./, /^169\.254\./, /^localhost$/i, /^::1$/, /^\[::1\]$/,
+  /^fc/i, /^fd/i, /^fe80/i,
+];
+
+function isPrivateIp(host) {
+  return PRIVATE_PATTERNS.some(p => p.test(host));
+}
+
+function validateIp(ip) {
+  if (!ip || typeof ip !== 'string') throw new Error('IP is required');
+  const trimmed = ip.trim();
+  if (trimmed.length > 253) throw new Error('IP too long');
+  if (isPrivateIp(trimmed)) throw new Error('Cannot whitelist private/local addresses');
+  if (/[;&|`$(){}]/.test(trimmed)) throw new Error('Invalid characters in IP');
+  return trimmed;
+}
+
+export class WhitelistManager extends EventEmitter {
+  constructor(federation) {
+    super();
+    this.federation = federation;
+    this.daemon = federation.daemon;
+    this.filePath = resolve(federation.fedDir, 'whitelist.json');
+    this.entries = this._load();
+    this._probeTimer = null;
+  }
+
+  _load() {
+    if (!existsSync(this.filePath)) return new Map();
+    try {
+      const data = JSON.parse(readFileSync(this.filePath, 'utf8'));
+      const map = new Map();
+      for (const entry of data) {
+        map.set(entry.ip, entry);
+      }
+      return map;
+    } catch {
+      return new Map();
+    }
+  }
+
+  _save() {
+    const dir = resolve(this.federation.fedDir);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+    writeFileSync(this.filePath, JSON.stringify(Array.from(this.entries.values()), null, 2), { mode: 0o600 });
+  }
+
+  add(ip, port = 31415, name = '') {
+    const validated = validateIp(ip);
+    if (this.entries.has(validated)) {
+      throw new Error(`IP already whitelisted: ${validated}`);
+    }
+
+    const entry = {
+      ip: validated,
+      port: typeof port === 'number' ? port : 31415,
+      name: typeof name === 'string' ? name.trim().slice(0, 128) : '',
+      status: 'waiting',
+      addedAt: new Date().toISOString(),
+      lastProbe: null,
+      remoteDaemonId: null,
+    };
+
+    this.entries.set(validated, entry);
+    this._save();
+    this.daemon.audit.log('federation.whitelist.add', { ip: validated, port: entry.port });
+    this.emit('added', entry);
+    return entry;
+  }
+
+  remove(ip) {
+    const trimmed = ip?.trim();
+    if (!this.entries.has(trimmed)) {
+      throw new Error(`IP not in whitelist: ${trimmed}`);
+    }
+    const entry = this.entries.get(trimmed);
+    this.entries.delete(trimmed);
+    this._save();
+    this.daemon.audit.log('federation.whitelist.remove', { ip: trimmed });
+    this.emit('removed', { ip: trimmed, previousStatus: entry.status });
+    return true;
+  }
+
+  list() {
+    return Array.from(this.entries.values());
+  }
+
+  isWhitelisted(ip) {
+    return this.entries.has(ip?.trim());
+  }
+
+  getEntry(ip) {
+    return this.entries.get(ip?.trim()) || null;
+  }
+
+  startProbing() {
+    if (this._probeTimer) return;
+    this._probeTimer = setInterval(() => this._probeAll(), PROBE_INTERVAL);
+    this._probeAll();
+  }
+
+  stopProbing() {
+    if (this._probeTimer) {
+      clearInterval(this._probeTimer);
+      this._probeTimer = null;
+    }
+  }
+
+  async _probeAll() {
+    for (const entry of this.entries.values()) {
+      if (entry.status === 'connected') continue;
+      try {
+        await this._probePeer(entry);
+      } catch {
+        // Individual probe failures are expected
+      }
+    }
+  }
+
+  async _probePeer(entry) {
+    const url = `http://${entry.ip}:${entry.port}/api/federation/whitelist-check`;
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), PROBE_TIMEOUT);
+
+    try {
+      const res = await fetch(url, {
+        signal: controller.signal,
+        headers: { 'X-Groove-DaemonId': this.federation._daemonId() },
+      });
+      clearTimeout(timeout);
+
+      if (!res.ok) {
+        this._updateStatus(entry, 'waiting');
+        return;
+      }
+
+      const data = await res.json();
+      entry.lastProbe = new Date().toISOString();
+      entry.remoteDaemonId = data.daemonId || null;
+
+      if (data.whitelisted) {
+        this._updateStatus(entry, 'mutual');
+      } else {
+        this._updateStatus(entry, 'waiting');
+      }
+    } catch {
+      clearTimeout(timeout);
+      entry.lastProbe = new Date().toISOString();
+    }
+  }
+
+  _updateStatus(entry, newStatus) {
+    const oldStatus = entry.status;
+    if (oldStatus === newStatus) return;
+    entry.status = newStatus;
+    this._save();
+    this.emit('status-change', { ip: entry.ip, oldStatus, newStatus, entry });
+  }
+
+  setConnected(ip) {
+    const entry = this.entries.get(ip?.trim());
+    if (entry) {
+      this._updateStatus(entry, 'connected');
+    }
+  }
+
+  setDisconnected(ip) {
+    const entry = this.entries.get(ip?.trim());
+    if (entry && entry.status === 'connected') {
+      this._updateStatus(entry, 'mutual');
+    }
+  }
+
+  destroy() {
+    this.stopProbing();
+    this.removeAllListeners();
+  }
+}

package/node_modules/@groove-dev/daemon/src/federation.js

@@ -1,9 +1,13 @@
-// GROOVE — Federation (Ed25519 key exchange + contract signing)
+// GROOVE — Federation (Ed25519 key exchange + contract signing + v1 protocol)
 // FSL-1.1-Apache-2.0 — see LICENSE
 
-import { generateKeyPairSync, sign, verify, createPublicKey, createPrivateKey, createHash } from 'crypto';
+import { generateKeyPairSync, sign, verify, createPublicKey, createPrivateKey, createHash, randomBytes } from 'crypto';
 import { existsSync, mkdirSync, writeFileSync, readFileSync, unlinkSync, readdirSync } from 'fs';
 import { resolve } from 'path';
+import { WhitelistManager } from './federation/whitelist.js';
+import { ConnectionManager } from './federation/connection.js';
+import { AmbassadorManager } from './federation/ambassador.js';
+import { ContractHandlerRegistry, createCapabilityResponse } from './federation/contracts.js';
 
 // Peer IDs must be safe for filenames — hex only (from SHA-256 fingerprint)
 const PEER_ID_PATTERN = /^[a-f0-9]{1,64}$/;
@@ -66,10 +70,11 @@ export class Federation {
    * @returns {{ payload: object, signature: string }}
    */
   sign(payload) {
-    const data = Buffer.from(JSON.stringify(payload), 'utf8');
+    const enriched = { ...payload, timestamp: Date.now(), nonce: randomBytes(16).toString('hex') };
+    const data = Buffer.from(JSON.stringify(enriched), 'utf8');
     const sig = sign(null, data, this.privateKey);
     return {
-      payload,
+      payload: enriched,
       signature: sig.toString('base64'),
     };
   }
@@ -86,6 +91,12 @@ export class Federation {
     if (!peer) return false;
 
     try {
+      // Replay protection: reject messages older than 5 minutes
+      if (payload.timestamp && (Date.now() - payload.timestamp > 5 * 60 * 1000)) {
+        console.warn(`[federation] Rejected stale message from ${peerId}`);
+        return false;
+      }
+
       const data = Buffer.from(JSON.stringify(payload), 'utf8');
       const sig = Buffer.from(signature, 'base64');
       const pubKey = createPublicKey(peer.publicKey);
@@ -132,6 +143,26 @@ export class Federation {
    * @returns {object} pairing result
    */
   async initiatePairing(remoteUrl) {
+    // SSRF protection: block private/reserved IPs
+    try {
+      const parsed = new URL(remoteUrl);
+      if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+        throw new Error('Only HTTP(S) URLs allowed');
+      }
+      const host = parsed.hostname;
+      const privatePatterns = [
+        /^127\./, /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./,
+        /^0\./, /^169\.254\./, /^localhost$/i, /^::1$/, /^\[::1\]$/,
+        /^fc/i, /^fd/i, /^fe80/i,
+      ];
+      if (privatePatterns.some(p => p.test(host))) {
+        throw new Error('Cannot pair with private/local addresses');
+      }
+    } catch (err) {
+      if (err.message.includes('Cannot pair') || err.message.includes('Only HTTP')) throw err;
+      throw new Error(`Invalid remote URL: ${err.message}`);
+    }
+
     const localInfo = this._localInfo();
 
     // Send our public key to the remote daemon's pairing endpoint
@@ -189,7 +220,12 @@ export class Federation {
    * @param {object} remoteInfo — { id, name, host, port, publicKey }
    * @returns {object} our info + public key for the remote to store
    */
-  acceptPairing(remoteInfo) {
+  acceptPairing(remoteInfo, callerIp) {
+    // Gate: caller IP must be whitelisted (bi-directional requirement)
+    if (!callerIp || !this.whitelist?.isWhitelisted(callerIp)) {
+      throw new Error('Pairing rejected: caller IP not whitelisted');
+    }
+
     if (!remoteInfo.id || !remoteInfo.publicKey) {
       throw new Error('Invalid pairing request: missing id or publicKey');
     }
@@ -207,13 +243,13 @@ export class Federation {
     this._savePeer({
       id: remoteInfo.id,
       name: remoteInfo.name || remoteInfo.id,
-      host: remoteInfo.host,
+      host: callerIp,
       port: remoteInfo.port,
       publicKey: remoteInfo.publicKey,
       pairedAt: new Date().toISOString(),
     });
 
-    this.daemon.audit.log('federation.pair', { peerId: remoteInfo.id, peerHost: remoteInfo.host });
+    this.daemon.audit.log('federation.pair', { peerId: remoteInfo.id, peerHost: callerIp });
 
     // Return our info so the remote can store us
     const localInfo = this._localInfo();
@@ -341,12 +377,135 @@ export class Federation {
     }));
   }
 
+  // --- v1 Protocol ---
+
+  initialize() {
+    this.whitelist = new WhitelistManager(this);
+    this.connections = new ConnectionManager(this);
+    this.ambassadors = new AmbassadorManager(this);
+    this.contractHandlers = new ContractHandlerRegistry();
+
+    this.contractHandlers.register('capability-query', (_contract, _ctx) => {
+      return createCapabilityResponse(this.daemon);
+    });
+
+    this.whitelist.on('status-change', ({ ip, newStatus, entry }) => {
+      this.daemon.broadcast({ type: 'federation:whitelist', data: this.whitelist.list() });
+      if (newStatus === 'mutual') {
+        this.connections.onMutual(ip, entry.port, entry.remoteDaemonId);
+      }
+    });
+
+    this.connections.on('message', ({ message, peerId, daemonId, inbound }) => {
+      const senderId = inbound ? daemonId : peerId;
+      if (message.type === 'pouch' && message.senderId && message.payload && message.signature) {
+        try {
+          this.ambassadors.receivePouch(message.senderId, message.payload, message.signature);
+        } catch (err) {
+          console.warn(`[federation] Pouch error from ${senderId}: ${err.message}`);
+        }
+      }
+    });
+
+    this.whitelist.startProbing();
+    console.log(`[federation] v1 initialized — daemon ${this._daemonId()}`);
+  }
+
+  handleKnock(senderId, publicKey, payload, signature, callerIp) {
+    if (!senderId || !publicKey || !payload || !signature) {
+      throw new Error('Missing knock fields');
+    }
+
+    // Gate: caller IP must be in our whitelist (bi-directional requirement)
+    if (!callerIp || !this.whitelist?.isWhitelisted(callerIp)) {
+      throw new Error('Knock rejected: caller IP not whitelisted');
+    }
+
+    validatePeerId(senderId);
+
+    try {
+      createPublicKey(publicKey);
+    } catch {
+      throw new Error('Invalid public key in knock');
+    }
+
+    // Register peer key only after whitelist gate passes
+    if (!this.peers.has(senderId)) {
+      this._savePeer({
+        id: senderId,
+        name: senderId,
+        host: callerIp,
+        port: null,
+        publicKey,
+        pairedAt: new Date().toISOString(),
+      });
+    }
+
+    if (!this.verify(senderId, payload, signature)) {
+      throw new Error('Knock signature verification failed');
+    }
+
+    this.daemon.audit.log('federation.knock', { senderId, callerIp });
+
+    return {
+      accepted: true,
+      peerId: this._daemonId(),
+      peerName: this._daemonId(),
+      publicKey: this.getPublicKeyPem(),
+    };
+  }
+
+  handleWsUpgrade(ws, daemonId, callerIp, signatureHeader) {
+    // Gate: caller IP must be whitelisted (bi-directional requirement)
+    if (!callerIp || !this.whitelist?.isWhitelisted(callerIp)) {
+      ws.close(4001, 'IP not whitelisted');
+      return;
+    }
+
+    if (!daemonId || !this.peers.has(daemonId)) {
+      ws.close(4001, 'Unknown daemon');
+      return;
+    }
+
+    // Verify the cryptographic signature header
+    if (!signatureHeader) {
+      ws.close(4003, 'Missing signature');
+      return;
+    }
+    try {
+      const decoded = JSON.parse(Buffer.from(signatureHeader, 'base64').toString());
+      if (!decoded.payload || !decoded.signature || !this.verify(daemonId, decoded.payload, decoded.signature)) {
+        ws.close(4003, 'Signature verification failed');
+        return;
+      }
+    } catch {
+      ws.close(4003, 'Malformed signature header');
+      return;
+    }
+
+    this.connections.handleInboundConnection(ws, daemonId);
+    this.daemon.broadcast({ type: 'federation:whitelist', data: this.whitelist?.list() || [] });
+  }
+
+  isWhitelisted(ip) {
+    return this.whitelist?.isWhitelisted(ip) || false;
+  }
+
   getStatus() {
     return {
       id: this._daemonId(),
       peers: this.getPeers(),
       peerCount: this.peers.size,
       hasKeypair: existsSync(this.keyPath),
+      whitelist: this.whitelist?.list() || [],
+      connections: this.connections?.getStatus() || [],
+      ambassadors: this.ambassadors?.getStatus() || { ambassadors: [], totalQueued: 0 },
     };
   }
+
+  destroy() {
+    this.whitelist?.destroy();
+    this.connections?.destroy();
+    this.ambassadors?.destroy();
+  }
 }