log-llm-config 1.3.34 → 1.3.35

package/dist/log_config_files/auth/auth_flow.js

@@ -1,76 +1,22 @@
-import { mkdirSync, writeFileSync } from 'node:fs';
 import path from 'node:path';
 import { postStartupPayload } from '../../endpoint_client/index.js';
-import { createSignature } from '../sender/signing.js';
+import { ensureAuthentication as ensureTofuAuthentication } from 'optimus-tofu';
 import { loadEndpointBase } from '../sender/endpoint_config.js';
-import { getAuthKeyPath, readStoredAuthKey } from './auth_key_store.js';
+import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
 import { hookRunLog } from '../runtime/hook_logger.js';
-function resolveApiBase(endpoint) {
-    try {
-        return new URL(endpoint).origin;
-    }
-    catch {
-        return endpoint.replace(/\/+$/, '');
-    }
-}
-function persistAuthKey(key, keyId, hardwareUuid) {
-    const authPath = getAuthKeyPath();
-    if (!authPath)
-        return;
-    mkdirSync(path.dirname(authPath), { recursive: true, mode: 0o700 });
-    writeFileSync(authPath, JSON.stringify({ key, key_id: keyId ?? null, hardware_uuid: hardwareUuid, stored_at: new Date().toISOString() }, null, 2), { encoding: 'utf8', mode: 0o600 });
-}
-async function verifyStoredKey(hardwareUuid, storedKey, authUrl) {
-    const verifyPayload = { hardware_uuid: hardwareUuid };
-    const signature = createSignature(verifyPayload, storedKey.key);
-    const requestBody = { hardware_uuid: hardwareUuid, signature, key_id: storedKey.key_id || '' };
-    try {
-        const response = await postStartupPayload(authUrl, requestBody);
-        if (response.status === 'authenticated') {
-            console.log('Auth key verified successfully.');
-            hookRunLog(`auth: verified key_id_suffix=${(storedKey.key_id || '').slice(-8) || '(none)'}`);
-            return storedKey;
-        }
-        if (response.status === 'key_issued' && response.key) {
-            console.log('Stored key was invalid, received new key from server.');
-            hookRunLog('auth: new_key_issued (stored key was invalid)');
-            persistAuthKey(response.key, response.key_id, hardwareUuid);
-            return { key: response.key, key_id: response.key_id, hardware_uuid: hardwareUuid };
-        }
-        console.warn('Key verification failed, will request new key.');
-        return null;
-    }
-    catch (error) {
-        console.warn(`Failed to verify key: ${error instanceof Error ? error.message : String(error)}, will request new key.`);
-        return null;
-    }
-}
-async function requestNewKey(hardwareUuid, authUrl) {
-    console.log('No valid auth key found, performing authentication handshake...');
-    try {
-        const response = await postStartupPayload(authUrl, { hardware_uuid: hardwareUuid });
-        if (response.status === 'key_issued' && response.key) {
-            hookRunLog('auth: handshake_new_key');
-            persistAuthKey(response.key, response.key_id, hardwareUuid);
-            console.log(`Stored new auth key at ${getAuthKeyPath()}`);
-            return { key: response.key, key_id: response.key_id, hardware_uuid: hardwareUuid };
-        }
-        throw new Error(`Authentication failed: ${response.error || response.message || 'Unknown error'}`);
-    }
-    catch (error) {
-        throw new Error(`Failed to authenticate: ${error instanceof Error ? error.message : String(error)}`);
-    }
-}
+const AUTH_KEY_RELATIVE_PATH = path.join(OPT_AI_SEC_MANAGEMENT_REL, 'auth_key.txt');
 /** Ensure authentication — verify stored key or request new one via handshake. */
 async function ensureAuthentication(hardwareUuid) {
-    const endpoint = loadEndpointBase();
-    const authUrl = `${resolveApiBase(endpoint)}/endpoint_security/auth/`;
-    const storedKey = readStoredAuthKey();
-    if (storedKey?.key && storedKey.hardware_uuid === hardwareUuid) {
-        const verified = await verifyStoredKey(hardwareUuid, storedKey, authUrl);
-        if (verified)
-            return verified;
-    }
-    return requestNewKey(hardwareUuid, authUrl);
+    const key = await ensureTofuAuthentication({
+        hardwareUuid,
+        endpointBase: loadEndpointBase(),
+        authRelativePath: AUTH_KEY_RELATIVE_PATH,
+        postJson: (endpointUrl, body) => postStartupPayload(endpointUrl, body),
+        onLog: (message) => {
+            if (message.startsWith('auth:'))
+                hookRunLog(message);
+        },
+    });
+    return key;
 }
 export { ensureAuthentication };

package/dist/log_config_files/auth/auth_key_store.js

@@ -1,29 +1,14 @@
-import { existsSync, readFileSync } from 'node:fs';
 import path from 'node:path';
+import { getAuthKeyPath as getSharedAuthKeyPath, readStoredAuthKey as readSharedStoredAuthKey, } from 'optimus-tofu';
 import { OPT_AI_SEC_MANAGEMENT_REL } from '../../bootstrap_constants.js';
 const AUTH_KEY_RELATIVE_PATH = path.join(OPT_AI_SEC_MANAGEMENT_REL, 'auth_key.txt');
+const AUTH_KEY_OPTIONS = { authRelativePath: AUTH_KEY_RELATIVE_PATH };
 /** Return absolute path to auth_key.txt, or null if home dir is unavailable. */
 function getAuthKeyPath() {
-    const homeDir = process.env.HOME || process.env.USERPROFILE;
-    if (!homeDir)
-        return null;
-    return path.join(homeDir, AUTH_KEY_RELATIVE_PATH);
+    return getSharedAuthKeyPath(AUTH_KEY_OPTIONS);
 }
 /** Read and parse the stored auth key, or return null if absent/unreadable. */
 function readStoredAuthKey() {
-    const authPath = getAuthKeyPath();
-    if (!authPath || !existsSync(authPath))
-        return null;
-    try {
-        const raw = readFileSync(authPath, 'utf8');
-        const parsed = JSON.parse(raw);
-        if (parsed?.key && parsed?.hardware_uuid) {
-            return parsed;
-        }
-    }
-    catch (error) {
-        console.warn(`Unable to read stored auth key: ${error instanceof Error ? error.message : String(error)}`);
-    }
-    return null;
+    return readSharedStoredAuthKey(AUTH_KEY_OPTIONS);
 }
 export { getAuthKeyPath, readStoredAuthKey };

package/dist/log_config_files/sender/endpoint_config.js

@@ -1,65 +1,11 @@
-import { existsSync, readFileSync } from 'node:fs';
-import path from 'node:path';
-const DEFAULT_ENDPOINT = 'https://demo.optimuslabs.io/';
-/**
- * Walk up from `dir` looking for `optimus_dev.env`, stopping at the filesystem
- * root. Returns the first path found, or null. Mirrors how git finds .git.
- */
-function findEnvFileUpward(dir) {
-    let current = dir;
-    while (true) {
-        const candidate = path.join(current, 'optimus_dev.env');
-        if (existsSync(candidate))
-            return candidate;
-        const parent = path.dirname(current);
-        if (parent === current)
-            return null; // filesystem root
-        current = parent;
-    }
-}
-function parseEndpointFromFile(filePath) {
-    try {
-        const envContent = readFileSync(filePath, 'utf8');
-        for (const line of envContent.split(/\r?\n/)) {
-            const trimmed = line.trim();
-            if (!trimmed || trimmed.startsWith('#'))
-                continue;
-            const [key, ...rest] = trimmed.split('=');
-            if (key === 'OPTIMUS_ENDPOINT') {
-                const value = rest.join('=').trim();
-                if (value)
-                    return value.replace(/\/+$/, '') + '/';
-            }
-        }
-    }
-    catch {
-        // ignore
-    }
-    return null;
-}
+import { getEndpointSource as getSharedEndpointSource, loadEndpointBase, } from "optimus-tofu";
 /** Where endpoint came from (for logging). */
 function getEndpointSource() {
-    if (process.env.OPTIMUS_ENDPOINT?.trim())
-        return 'env';
-    const found = findEnvFileUpward(process.cwd());
-    if (found && parseEndpointFromFile(found))
-        return 'file';
-    return 'default';
-}
-/**
- * Load OPTIMUS_ENDPOINT: env var wins, then walk up from cwd looking for
- * optimus_dev.env, then default (https://demo.optimuslabs.io/).
- */
-function loadEndpointBase() {
-    const fromEnv = process.env.OPTIMUS_ENDPOINT?.trim();
-    if (fromEnv)
-        return fromEnv.replace(/\/+$/, '') + '/';
-    const found = findEnvFileUpward(process.cwd());
-    if (found) {
-        const value = parseEndpointFromFile(found);
-        if (value)
-            return value;
-    }
-    return DEFAULT_ENDPOINT;
+    const source = getSharedEndpointSource();
+    if (source === "file")
+        return "file";
+    if (source === "default")
+        return "default";
+    return "env";
 }
 export { loadEndpointBase, getEndpointSource };

package/dist/log_config_files/sender/signing.js

@@ -1,15 +1 @@
-import crypto from 'node:crypto';
-import { createRequire } from 'node:module';
-const canonicalize = createRequire(import.meta.url)('canonicalize');
-/** RFC 8785 canonical JSON — must match server's rfc8785.dumps() exactly. */
-function canonicalizePayload(payload) {
-    const out = canonicalize(payload);
-    return out ?? '{}';
-}
-/** Create HMAC-SHA256 signature for a payload (canonicalize then sign). */
-function createSignature(payload, keyHex) {
-    const canonicalPayload = canonicalizePayload(payload);
-    const keyBuffer = Buffer.from(keyHex, 'hex');
-    return crypto.createHmac('sha256', keyBuffer).update(canonicalPayload).digest('hex');
-}
-export { canonicalizePayload, createSignature };
+export { canonicalizePayload, createSignature } from 'optimus-tofu';

package/dist/log_uuid/startup_sender.js

@@ -1,4 +1,4 @@
-import crypto from 'node:crypto';
+import { createSignature as createSharedSignature } from 'optimus-tofu';
 import { classifyEndpointResponse, postStartupPayload } from '../endpoint_client/index.js';
 import { resolveHardwareUuid } from './hardware_uuid.js';
 import { writeAuthKey, readStoredAuthKey, loadEndpointBase, buildStartupEndpointUrl } from './auth_key_store.js';
@@ -16,8 +16,8 @@ const canonicalizeValue = (value) => {
 };
 const canonicalStringify = (value) => JSON.stringify(canonicalizeValue(value));
 const createSignature = (payloadSummary, keyHex) => {
-    const keyBuffer = Buffer.from(keyHex, 'hex');
-    return crypto.createHmac('sha256', keyBuffer).update(canonicalStringify(payloadSummary)).digest('hex');
+    // Keep this adapter for backward compatibility of public exports in log_uuid.
+    return createSharedSignature(payloadSummary, keyHex);
 };
 const getMetadata = () => ({
     github_username: process.env.GITHUB_USER || process.env.GH_USER || '',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "log-llm-config",
-  "version": "1.3.34",
+  "version": "1.3.35",
   "description": "CLI helpers for logging hardware UUIDs and posting startup payloads to Optimus Security.",
   "type": "module",
   "bin": {
@@ -56,6 +56,7 @@
   },
   "dependencies": {
     "axios": "^1.15.0",
-    "canonicalize": "^2.1.0"
+    "canonicalize": "^2.1.0",
+    "optimus-tofu": "^0.1.0"
   }
 }