habi-agent 0.1.0

package/src/server.ts

@@ -0,0 +1,255 @@
+/**
+ * HABI Local Identity Server
+ * Runs on localhost:7432 exclusively — never binds to 0.0.0.0
+ *
+ * Pure Node.js http — zero external dependencies.
+ * Security: localhost-only binding is the enforced hardware boundary.
+ */
+
+import * as http from 'http';
+import * as crypto from 'crypto';
+import { readHardwareIdentity, generateSessionFingerprint, sha256, HardwareIdentity } from './hardware';
+import { findContextFile, loadContext, assertOperation, assertMachineAuthorized, LoadedContext } from './context';
+
+const PORT = 7432;
+const BIND_HOST = '127.0.0.1'; // NEVER 0.0.0.0
+
+interface SessionState {
+  fingerprint: string;
+  hardwareId: string;
+  contextHash: string;
+  boundAt: number;
+  expiresAt: number;
+}
+
+function json(res: http.ServerResponse, status: number, body: unknown): void {
+  const payload = JSON.stringify(body);
+  res.writeHead(status, { 'Content-Type': 'application/json' });
+  res.end(payload);
+}
+
+function readBody(req: http.IncomingMessage): Promise<Record<string, unknown>> {
+  return new Promise((resolve, reject) => {
+    let raw = '';
+    req.on('data', (chunk: Buffer) => raw += chunk.toString());
+    req.on('end', () => {
+      try { resolve(raw ? JSON.parse(raw) : {}); }
+      catch { reject(new Error('Invalid JSON body')); }
+    });
+    req.on('error', reject);
+  });
+}
+
+export class HabiLocalServer {
+  private hardware: HardwareIdentity | null = null;
+  private context: LoadedContext | null = null;
+  private session: SessionState | null = null;
+  private server: http.Server | null = null;
+
+  // ── Security: reject anything not from localhost ────────────────────────
+  private isLocalhost(req: http.IncomingMessage): boolean {
+    const ip = req.socket.remoteAddress;
+    return ip === '127.0.0.1' || ip === '::1' || ip === '::ffff:127.0.0.1';
+  }
+
+  // ── Route handlers ──────────────────────────────────────────────────────
+  private handleHealth(res: http.ServerResponse): void {
+    json(res, 200, { ok: true, agent: 'habi-agent', version: '0.1.0', port: PORT });
+  }
+
+  private handleIdentity(res: http.ServerResponse): void {
+    try {
+      const hw = this.getHardware();
+      const sess = this.getOrCreateSession();
+      json(res, 200, {
+        ok: true,
+        hardware: {
+          fingerprint: hw.fingerprint,
+          type: hw.type,
+          iface: hw.iface,
+          platform: hw.platform,
+          hostname: hw.hostname,
+        },
+        session: {
+          fingerprint: sess.fingerprint,
+          boundAt: sess.boundAt,
+          expiresAt: sess.expiresAt,
+          active: Date.now() < sess.expiresAt,
+        },
+        agent: { version: '0.1.0', port: PORT },
+      });
+    } catch (err) {
+      json(res, 500, { ok: false, error: String(err) });
+    }
+  }
+
+  private handleVerify(res: http.ServerResponse): void {
+    try {
+      const hw = this.getHardware();
+      const sess = this.getOrCreateSession();
+      const now = Date.now();
+      if (now >= sess.expiresAt) {
+        this.session = null;
+        json(res, 200, { ok: false, verified: false, reason: 'Session expired — rebind required' });
+        return;
+      }
+      json(res, 200, {
+        ok: true,
+        verified: true,
+        fingerprint: sess.fingerprint,
+        hardwareId: hw.fingerprint,
+        hardwareType: hw.type,
+        expiresAt: sess.expiresAt,
+        expiresIn: Math.floor((sess.expiresAt - now) / 1000),
+      });
+    } catch (err) {
+      json(res, 500, { ok: false, verified: false, error: String(err) });
+    }
+  }
+
+  private async handleAssertContext(req: http.IncomingMessage, res: http.ServerResponse): Promise<void> {
+    try {
+      const body = await readBody(req);
+      const operation = body.operation as string | undefined;
+      if (!operation) { json(res, 400, { ok: false, error: 'operation field required' }); return; }
+
+      const ctx = this.getContext();
+      if (!ctx) {
+        json(res, 200, { ok: true, allowed: true, warning: 'No Project Context File — permissive mode. Run: habi-agent init' });
+        return;
+      }
+
+      const hw = this.getHardware();
+      const machineCheck = assertMachineAuthorized(hw.fingerprint, ctx.context);
+      if (!machineCheck.allowed) {
+        json(res, 200, { ok: true, allowed: false, reason: machineCheck.reason, hardwareId: hw.fingerprint });
+        return;
+      }
+
+      const opCheck = assertOperation(operation, ctx.context);
+      json(res, 200, {
+        ok: true,
+        allowed: opCheck.allowed,
+        reason: opCheck.reason,
+        hardwareId: hw.fingerprint,
+        contextHash: ctx.contextHash,
+        project: ctx.context.project,
+      });
+    } catch (err) {
+      json(res, 500, { ok: false, error: String(err) });
+    }
+  }
+
+  private async handleAudit(req: http.IncomingMessage, res: http.ServerResponse): Promise<void> {
+    try {
+      const body = await readBody(req);
+      const hw = this.getHardware();
+      const entry = {
+        ts: Date.now(),
+        hardwareId: hw.fingerprint,
+        sessionFingerprint: this.session?.fingerprint ?? 'UNBOUND',
+        ...body,
+      };
+      const entryHash = sha256(JSON.stringify(entry));
+      console.log(`[HABI AUDIT] ${new Date().toISOString()} ${body.eventType ?? 'EVENT'} ${entryHash.slice(0, 12)}`);
+      json(res, 200, { ok: true, entryHash });
+    } catch (err) {
+      json(res, 500, { ok: false, error: String(err) });
+    }
+  }
+
+  // ── Internal helpers ────────────────────────────────────────────────────
+  private getHardware(): HardwareIdentity {
+    if (!this.hardware) {
+      this.hardware = readHardwareIdentity();
+      console.log(`[HABI] Hardware: ${this.hardware.fingerprint} (${this.hardware.type}) on ${this.hardware.iface}`);
+    }
+    return this.hardware;
+  }
+
+  private getContext(): LoadedContext | null {
+    if (!this.context) {
+      const p = findContextFile();
+      if (p) {
+        this.context = loadContext(p);
+        console.log(`[HABI] Context: ${this.context.context.project} (${this.context.contextHash.slice(0, 12)}...)`);
+      }
+    }
+    return this.context;
+  }
+
+  private getOrCreateSession(): SessionState {
+    const now = Date.now();
+    if (this.session && now < this.session.expiresAt) return this.session;
+
+    const hw = this.getHardware();
+    const ctx = this.getContext();
+    const contextHash = ctx?.contextHash ?? sha256('no-context');
+    const fingerprint = generateSessionFingerprint(hw.fingerprint, contextHash, now);
+
+    this.session = {
+      fingerprint,
+      hardwareId: hw.fingerprint,
+      contextHash,
+      boundAt: now,
+      expiresAt: now + 15 * 60 * 1000,
+    };
+    console.log(`[HABI] Session: ${fingerprint.slice(0, 16)}... expires ${new Date(this.session.expiresAt).toISOString()}`);
+    return this.session;
+  }
+
+  // ── Start / stop ────────────────────────────────────────────────────────
+  start(): Promise<void> {
+    return new Promise((resolve, reject) => {
+      try {
+        this.getHardware();
+        this.getContext();
+        this.getOrCreateSession();
+
+        this.server = http.createServer(async (req, res) => {
+          // Localhost enforcement
+          if (!this.isLocalhost(req)) {
+            json(res, 403, { error: 'HABI agent is localhost-only' });
+            return;
+          }
+
+          const url = req.url ?? '/';
+          const method = req.method ?? 'GET';
+
+          if (url === '/health' && method === 'GET')         return this.handleHealth(res);
+          if (url === '/identity' && method === 'GET')       return this.handleIdentity(res);
+          if (url === '/verify' && method === 'POST')        return this.handleVerify(res);
+          if (url === '/assert-context' && method === 'POST') return this.handleAssertContext(req, res);
+          if (url === '/audit' && method === 'POST')         return this.handleAudit(req, res);
+
+          json(res, 404, { error: `Unknown route: ${method} ${url}` });
+        });
+
+        this.server.listen(PORT, BIND_HOST, () => {
+          const hw = this.hardware!;
+          console.log(`\n╔══════════════════════════════════════════════════╗`);
+          console.log(`║  HABI Agent running on ${BIND_HOST}:${PORT}         ║`);
+          console.log(`║  Hardware: ${hw.fingerprint.padEnd(34)} ║`);
+          console.log(`║  Type:     ${hw.type.padEnd(34)} ║`);
+          console.log(`╚══════════════════════════════════════════════════╝\n`);
+          resolve();
+        });
+
+        this.server.on('error', (err: NodeJS.ErrnoException) => {
+          if (err.code === 'EADDRINUSE') {
+            reject(new Error(`HABI: Port ${PORT} already in use. Another instance may be running.`));
+          } else {
+            reject(err);
+          }
+        });
+      } catch (err) {
+        reject(err);
+      }
+    });
+  }
+
+  stop(): void {
+    this.server?.close();
+    console.log('[HABI] Agent stopped.');
+  }
+}

package/tsconfig.json

@@ -0,0 +1,10 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src",
+    "lib": ["ES2022"],
+    "types": ["node"]
+  },
+  "include": ["src"]
+}