knoxis-helper 1.4.3 → 1.4.5

package/lib/knoxis-local-agent.js

@@ -28,6 +28,8 @@ const DEFAULT_PORT = parseInt(process.env.KNOXIS_AGENT_PORT || '3456', 10);
 const CERT_DIR = process.env.KNOXIS_CERT_DIR || path.join(os.homedir(), '.knoxis', 'certs');
 const CERT_FILE = process.env.KNOXIS_CERT_FILE || path.join(CERT_DIR, 'localhost.pem');
 const KEY_FILE = process.env.KNOXIS_CERT_KEY || path.join(CERT_DIR, 'localhost-key.pem');
+const PFX_FILE = process.env.KNOXIS_CERT_PFX || path.join(CERT_DIR, 'localhost.pfx');
+const PFX_PASS = 'knoxis-local'; // Not a real secret — self-signed cert for localhost only
 
 // Trusted origins for CORS (deployed frontends)
 const TRUSTED_ORIGINS = [
@@ -77,10 +79,116 @@ function generateSelfSignedCert() {
     return true;
   }
 
-  console.warn('⚠️  OpenSSL failed - running in HTTP mode');
+  console.warn('⚠️  OpenSSL not available');
   return false;
 }
 
+/**
+ * Windows fallback: generate a self-signed certificate via PowerShell.
+ * Uses New-SelfSignedCertificate (built into Windows 10+ / Server 2016+).
+ * Always produces a PFX file. Also attempts PEM export when .NET 5+ is present.
+ * Cert is created in the user's personal store (no admin required) and removed
+ * from the store after export.
+ */
+function generateSelfSignedCertWindows() {
+  console.log('🔐 Generating self-signed certificate via PowerShell...');
+
+  if (!fs.existsSync(CERT_DIR)) {
+    fs.mkdirSync(CERT_DIR, { recursive: true });
+  }
+
+  // Write a PS1 script to a temp file to avoid all shell-escaping issues.
+  const psLines = [
+    '$ErrorActionPreference = "Stop"',
+    '$cert = New-SelfSignedCertificate -Subject "CN=localhost" -DnsName "localhost","127.0.0.1" `',
+    '  -CertStoreLocation "Cert:\\CurrentUser\\My" -NotAfter (Get-Date).AddDays(365) `',
+    '  -KeyExportPolicy Exportable -KeySpec KeyExchange',
+    '$thumb = $cert.Thumbprint',
+    '',
+    '# Export PFX (works on all Windows versions with this cmdlet)',
+    '$pwd = ConvertTo-SecureString -String "' + PFX_PASS + '" -Force -AsPlainText',
+    'Export-PfxCertificate -Cert "Cert:\\CurrentUser\\My\\$thumb" -FilePath "' + PFX_FILE + '" -Password $pwd | Out-Null',
+    '',
+    '# Attempt PEM export — only works on .NET 5+ (PowerShell 7+)',
+    'try {',
+    '  $certDer = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)',
+    '  $certB64 = [Convert]::ToBase64String($certDer, "InsertLineBreaks")',
+    '  $certPem = "-----BEGIN CERTIFICATE-----`r`n$certB64`r`n-----END CERTIFICATE-----"',
+    '  [System.IO.File]::WriteAllText("' + CERT_FILE + '", $certPem)',
+    '',
+    '  $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)',
+    '  $keyBytes = $rsa.ExportPkcs8PrivateKey()',
+    '  $keyB64 = [Convert]::ToBase64String($keyBytes, "InsertLineBreaks")',
+    '  $keyPem = "-----BEGIN PRIVATE KEY-----`r`n$keyB64`r`n-----END PRIVATE KEY-----"',
+    '  [System.IO.File]::WriteAllText("' + KEY_FILE + '", $keyPem)',
+    '} catch {',
+    '  # PEM export not available on this .NET version — PFX is sufficient',
+    '}',
+    '',
+    '# Remove cert from user store (the exported files are all we need)',
+    'Remove-Item "Cert:\\CurrentUser\\My\\$thumb" -Force -ErrorAction SilentlyContinue',
+  ];
+
+  const tmpScript = path.join(os.tmpdir(), 'knoxis-cert-' + Date.now() + '.ps1');
+  fs.writeFileSync(tmpScript, psLines.join('\r\n'), 'utf8');
+
+  try {
+    const result = spawnSync('powershell', [
+      '-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass',
+      '-File', tmpScript
+    ], { stdio: 'pipe', timeout: 30000 });
+
+    if (result.status === 0 && fs.existsSync(PFX_FILE)) {
+      console.log('✅ Certificate generated via PowerShell');
+      if (fs.existsSync(CERT_FILE) && fs.existsSync(KEY_FILE)) {
+        console.log('   PEM files exported (PFX + PEM)');
+      } else {
+        console.log('   PFX exported (PEM not available on this .NET version)');
+      }
+      return true;
+    }
+
+    console.warn('⚠️  PowerShell certificate generation failed');
+    if (result.stderr) {
+      const firstLine = result.stderr.toString().trim().split('\n')[0];
+      if (firstLine) console.warn('   ' + firstLine);
+    }
+    return false;
+  } finally {
+    try { fs.unlinkSync(tmpScript); } catch (e) {}
+  }
+}
+
+/**
+ * Try to create an HTTPS server from the available cert material.
+ * Returns { opts, source } on success, null on failure.
+ * Checks PEM first (cross-platform), then PFX (Windows PowerShell fallback).
+ */
+function tryLoadCerts() {
+  // Prefer PEM files (generated by openssl or PS .NET 5+)
+  try {
+    if (fs.existsSync(KEY_FILE) && fs.existsSync(CERT_FILE)) {
+      const key = fs.readFileSync(KEY_FILE);
+      const cert = fs.readFileSync(CERT_FILE);
+      return { opts: { key, cert }, source: 'PEM' };
+    }
+  } catch (err) {
+    console.warn('⚠️  Failed to load PEM certificates:', err.message);
+  }
+
+  // Fallback: PFX file (Windows PS 5.1 where PEM export isn't available)
+  try {
+    if (fs.existsSync(PFX_FILE)) {
+      const pfx = fs.readFileSync(PFX_FILE);
+      return { opts: { pfx, passphrase: PFX_PASS }, source: 'PFX' };
+    }
+  } catch (err) {
+    console.warn('⚠️  Failed to load PFX certificate:', err.message);
+  }
+
+  return null;
+}
+
 /**
  * Get CORS headers for the given request origin
  */
@@ -132,6 +240,38 @@ function buildShellCommand(command) {
   return { cmd: 'bash', args: ['-lc', command] };
 }
 
+/**
+ * Build a cross-platform command to pipe a file's contents to stdout.
+ * Uses `type` on Windows (cmd.exe) and `cat` on Unix.
+ */
+function buildCatCommand(filePath) {
+  if (os.platform() === 'win32') {
+    return `type "${filePath}"`;
+  }
+  return `cat "${filePath}"`;
+}
+
+/**
+ * Build a cross-platform command string that sets environment variables
+ * before running a child command.
+ *   Unix:    VAR="val" command
+ *   Windows: set "VAR=val" && command
+ * @param {Record<string,string>} envVars
+ * @param {string} command
+ */
+function buildEnvCommand(envVars, command) {
+  if (os.platform() === 'win32') {
+    const sets = Object.entries(envVars)
+      .map(([k, v]) => `set "${k}=${v}"`)
+      .join(' && ');
+    return `${sets} && ${command}`;
+  }
+  const prefix = Object.entries(envVars)
+    .map(([k, v]) => `${k}="${v}"`)
+    .join(' ');
+  return `${prefix} ${command}`;
+}
+
 function commandExists(cmd) {
   const detector = os.platform() === 'win32' ? 'where' : 'which';
   const result = spawnSync(detector, [cmd], { stdio: 'ignore' });
@@ -509,7 +649,7 @@ async function handleRequest(req, res) {
       if (prompt && prompt.trim().length > 0) {
         promptFile = path.join(os.tmpdir(), 'knoxis-task-' + (sessionId || Date.now()) + '.txt');
         fs.writeFileSync(promptFile, prompt, 'utf8');
-        finalCommand = 'cat "' + promptFile + '" | claude --dangerously-skip-permissions';
+        finalCommand = buildCatCommand(promptFile) + ' | claude --dangerously-skip-permissions';
         console.log('📝 Task written to ' + promptFile + ' (' + prompt.length + ' chars)');
       }
 
@@ -768,17 +908,17 @@ async function handleRequest(req, res) {
         const scriptPath = resolveInteractiveScript();
         if (scriptPath) {
           // Interactive mode: multi-turn with Groq pair programmer
-          command = `KNOXIS_TASK_FILE="${promptFile}" node "${scriptPath}"`;
+          command = buildEnvCommand({ KNOXIS_TASK_FILE: promptFile }, `node "${scriptPath}"`);
           mode = 'interactive';
           console.log(`🤝 Interactive mode: ${scriptPath}`);
         } else {
           // Interactive requested but script not found - fall back to single-shot
           console.warn('⚠️ Interactive script not found, falling back to single-shot');
-          command = `cat "${promptFile}" | claude --dangerously-skip-permissions`;
+          command = buildCatCommand(promptFile) + ' | claude --dangerously-skip-permissions';
         }
       } else {
         // Standard single-shot mode: pipe task to Claude
-        command = `cat "${promptFile}" | claude --dangerously-skip-permissions`;
+        command = buildCatCommand(promptFile) + ' | claude --dangerously-skip-permissions';
       }
 
       if (headless) {
@@ -876,7 +1016,15 @@ end tell
 }
 
 /**
- * Open terminal on Windows
+ * Open terminal on Windows.
+ *
+ * If the agent is running elevated (admin), Windows won't let us spawn an
+ * unelevated child directly — `start cmd` inherits the parent's integrity
+ * level. We detect that case and route through a one-shot scheduled task
+ * at /rl LIMITED, which runs as the interactive user at medium integrity.
+ * That matters because claude's credentials live under the user's real
+ * %USERPROFILE%\.claude\, not the admin profile, so an elevated cmd can't
+ * find them and hangs on launch.
  */
 function openWindowsTerminal(workspaceDir, command) {
   return new Promise((resolve, reject) => {
@@ -884,16 +1032,57 @@ function openWindowsTerminal(workspaceDir, command) {
       fs.mkdirSync(workspaceDir, { recursive: true });
     }
 
-    const fullCommand = `start cmd /K "cd /d "${workspaceDir}" && ${command}"`;
+    // `net session` exits 0 only when elevated.
+    exec('net session >nul 2>&1', (elevErr) => {
+      const isElevated = !elevErr;
 
-    exec(fullCommand, (error) => {
-      if (error) {
-        console.error('❌ Windows terminal error:', error);
-        reject(error);
-      } else {
-        console.log('✅ Terminal opened on Windows');
-        resolve();
+      if (!isElevated) {
+        const fullCommand = `start cmd /K "cd /d "${workspaceDir}" && ${command}"`;
+        exec(fullCommand, (error) => {
+          if (error) {
+            console.error('❌ Windows terminal error:', error);
+            reject(error);
+          } else {
+            console.log('✅ Terminal opened on Windows');
+            resolve();
+          }
+        });
+        return;
       }
+
+      const tempBat = path.join(
+        os.tmpdir(),
+        `knoxis-launch-${process.pid}-${Date.now()}.bat`
+      );
+      const batContent = `@echo off\r\ncd /d "${workspaceDir}"\r\n${command}\r\ncmd /K\r\n`;
+      fs.writeFileSync(tempBat, batContent);
+
+      const taskName = `KnoxisSpawn_${process.pid}_${Date.now()}`;
+      const createCmd = `schtasks /create /tn "${taskName}" /tr "${tempBat}" /sc once /st 00:00 /it /rl LIMITED /f`;
+
+      exec(createCmd, (cErr) => {
+        if (cErr) {
+          try { fs.unlinkSync(tempBat); } catch (_) {}
+          console.error('❌ Windows terminal error (schtasks create):', cErr);
+          return reject(cErr);
+        }
+
+        exec(`schtasks /run /tn "${taskName}"`, (rErr) => {
+          // Task registration cleanup. Leave the .bat in %TEMP% — cmd may
+          // still have an open handle to it, and the OS cleans %TEMP%.
+          setTimeout(() => {
+            exec(`schtasks /delete /tn "${taskName}" /f`, () => {});
+          }, 5000);
+
+          if (rErr) {
+            console.error('❌ Windows terminal error (schtasks run):', rErr);
+            reject(rErr);
+          } else {
+            console.log('✅ Terminal opened on Windows (de-elevated via scheduled task)');
+            resolve();
+          }
+        });
+      });
     });
   });
 }
@@ -930,34 +1119,38 @@ function openLinuxTerminal(workspaceDir, command) {
 }
 
 function createServer() {
-  // Try to load existing certs
-  try {
-    if (fs.existsSync(KEY_FILE) && fs.existsSync(CERT_FILE)) {
-      const key = fs.readFileSync(KEY_FILE);
-      const cert = fs.readFileSync(CERT_FILE);
+  // 1. Try to load existing certs (PEM or PFX)
+  const existing = tryLoadCerts();
+  if (existing) {
+    try {
       serverMeta.secure = true;
-      return https.createServer({ key, cert }, handleRequest);
+      console.log('🔒 Loaded existing ' + existing.source + ' certificate');
+      return https.createServer(existing.opts, handleRequest);
+    } catch (err) {
+      console.warn('⚠️  Failed to create HTTPS server from existing certs:', err.message);
     }
-  } catch (err) {
-    console.warn('⚠️  Failed to load TLS certificates:', err.message);
   }
 
-  // No certs exist - try to generate them
-  if (!fs.existsSync(CERT_FILE) || !fs.existsSync(KEY_FILE)) {
-    const generated = generateSelfSignedCert();
-    if (generated && fs.existsSync(KEY_FILE) && fs.existsSync(CERT_FILE)) {
+  // 2. Generate new certs — try openssl first, then Windows PowerShell
+  let generated = generateSelfSignedCert();
+  if (!generated && os.platform() === 'win32') {
+    generated = generateSelfSignedCertWindows();
+  }
+
+  if (generated) {
+    const fresh = tryLoadCerts();
+    if (fresh) {
       try {
-        const key = fs.readFileSync(KEY_FILE);
-        const cert = fs.readFileSync(CERT_FILE);
         serverMeta.secure = true;
-        return https.createServer({ key, cert }, handleRequest);
+        console.log('🔒 Using freshly generated ' + fresh.source + ' certificate');
+        return https.createServer(fresh.opts, handleRequest);
       } catch (err) {
-        console.warn('⚠️  Failed to load generated certificates:', err.message);
+        console.warn('⚠️  Failed to create HTTPS server from generated certs:', err.message);
       }
     }
   }
 
-  // Fallback to HTTP (will cause mixed content issues from HTTPS frontends)
+  // 3. Fallback to HTTP (will cause mixed content issues from HTTPS frontends)
   serverMeta.secure = false;
   console.warn('');
   console.warn('⚠️  RUNNING IN HTTP MODE - This will cause 405/CORS errors from HTTPS frontends!');
@@ -1154,14 +1347,14 @@ function connectRelayWebSocket() {
             // Interactive mode: use multi-turn pair programming script
             const scriptPath = resolveInteractiveScript();
             if (scriptPath) {
-              command = `KNOXIS_TASK_FILE="${promptFile}" node "${scriptPath}"`;
+              command = buildEnvCommand({ KNOXIS_TASK_FILE: promptFile }, `node "${scriptPath}"`);
               console.log(`   🤝 Interactive mode: ${scriptPath}`);
             } else {
-              command = `cat "${promptFile}" | claude --dangerously-skip-permissions`;
+              command = buildCatCommand(promptFile) + ' | claude --dangerously-skip-permissions';
               console.warn(`   ⚠️ Interactive script not found, falling back to single-shot`);
             }
           } else {
-            command = `cat "${promptFile}" | claude --dangerously-skip-permissions`;
+            command = buildCatCommand(promptFile) + ' | claude --dangerously-skip-permissions';
           }
           console.log(`   📝 Task written to ${promptFile} (${taskPrompt.length} chars)`);
         } else {
@@ -1380,9 +1573,17 @@ server.listen(serverMeta.port, () => {
     console.warn('║  Browsers will block requests from HTTPS sites (like qig.ai) ║');
     console.warn('╚══════════════════════════════════════════════════════════════╝');
     console.warn('');
-    console.warn('To fix this, either:');
-    console.warn(`  1. Install OpenSSL and restart (auto-generates certs)`);
-    console.warn(`  2. Manually place certs in: ${CERT_DIR}`);
+    if (os.platform() === 'win32') {
+      console.warn('To fix this on Windows, try one of:');
+      console.warn('  1. winget install ShiningLight.OpenSSL.Light   (then restart)');
+      console.warn('  2. choco install openssl                      (then restart)');
+      console.warn('  3. Install Git for Windows (ships with OpenSSL)');
+      console.warn(`  4. Manually place PEM or PFX certs in: ${CERT_DIR}`);
+    } else {
+      console.warn('To fix this, either:');
+      console.warn('  1. Install OpenSSL and restart (auto-generates certs)');
+      console.warn(`  2. Manually place certs in: ${CERT_DIR}`);
+    }
     console.warn('');
   } else {
     console.log('✅ HTTPS enabled - ready for secure connections from deployed frontends');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "knoxis-helper",
-  "version": "1.4.3",
+  "version": "1.4.5",
   "description": "Local helper for Knoxis pair programming - connects your machine to Knoxis on qig.ai",
   "bin": {
     "knoxis-helper": "./bin/knoxis-helper.js"