mixdog 0.7.1

package/src/shared/user-cwd.mjs

@@ -0,0 +1,213 @@
+/**
+ * IMPORTANT — cwd model role:
+ * pwd() resolves the user's working directory for RELATIVE PATH RESOLUTION only.
+ * It is NOT a sandbox boundary. Sandbox decisions are governed by Claude Code's
+ * settings.json permissions govern sandbox decisions.
+ */
+
+/**
+ * user-cwd.mjs — shared helper to resolve the user's working directory
+ * from the persisted user-cwd.txt sentinel file, with an optional
+ * session-cwd override (process.env.MIXDOG_SESSION_CWD) that takes
+ * precedence when set.
+ *
+ * Single-source-of-truth model:
+ *   - captureOriginalUserCwd() reads MIXDOG_SESSION_CWD first (if set
+ *     to a valid directory), otherwise user-cwd.txt fresh on every
+ *     call. No in-memory freeze.
+ *   - rawUserCwd() reads ONLY user-cwd.txt (no env consult) — exposed
+ *     for the cwd-tool auto-init path so the env-var fallback cannot
+ *     become self-referential.
+ *   - AsyncLocalStorage override (runWithCwdOverride) isolates concurrent worker cwds.
+ *   - pwd() = override ?? originalCwd. Hot lookups short-circuit on the
+ *     override, so the no-override fallback path is cold and per-call
+ *     disk reads of user-cwd.txt are negligible.
+ */
+
+import { AsyncLocalStorage } from 'async_hooks'
+import { readFileSync, statSync, writeFileSync } from 'fs'
+import { join, resolve } from 'path'
+import { homedir } from 'os'
+
+const _cwdOverride = new AsyncLocalStorage()
+
+// process.cwd() is the server's LAUNCH directory. In daemon mode that IS
+// CLAUDE_PLUGIN_ROOT (the plugin install/cache root), so using it as a
+// relative-path base silently resolves into the DEPLOYED plugin copy instead
+// of the user's working tree — the exact cause of stale reads in a worker that
+// inherited no explicit cwd. Treat that one case as "no usable cwd" and fall
+// back to the home dir: a missing session signal then surfaces as ENOENT
+// (absolute paths required) rather than a silent stale read. Invariant check
+// (exact path equality with the known root), not a path-substring heuristic.
+export function _safeProcessCwd() {
+  const cwd = process.cwd()
+  const pluginRoot = process.env.CLAUDE_PLUGIN_ROOT
+  if (pluginRoot) {
+    try { if (resolve(cwd) === resolve(pluginRoot)) return homedir() } catch { /* fall through to cwd */ }
+  }
+  return cwd
+}
+
+// Hook payloads can deliver POSIX paths on Windows (e.g. `/c/Project`); Node's
+// path.resolve does not map MSYS-style drive prefixes, so the value must be
+// rewritten to the platform-native shape before path resolution.
+function _normalizePlatformCwd(p) {
+  if (!p || typeof p !== 'string') return p
+  if (process.platform !== 'win32') return resolve(p)
+  const m = p.match(/^[\/\\]([a-zA-Z])[\/\\](.*)$/)
+  const native = m ? `${m[1].toUpperCase()}:\\${m[2].replace(/\//g, '\\')}` : p
+  return resolve(native)
+}
+
+/**
+ * Resolve the session cwd from EXPLICIT signals only:
+ *   1. process.env.MIXDOG_SESSION_CWD — session-level override set via
+ *      the `cwd` MCP tool. Honoured only when non-empty AND the resolved
+ *      directory actually exists.
+ *   2. user-cwd.txt — single source of truth maintained by claude-code
+ *      (rewritten at every session start).
+ * Returns null when neither is available.
+ *
+ * Unlike captureOriginalUserCwd()/pwd(), this NEVER falls back to
+ * process.cwd(): the server's launch directory is not a session signal,
+ * and letting it leak into PROJECT CLASSIFICATION (resolveProjectScope)
+ * would misclassify rows under the service/plugin cwd. Use this for
+ * project_id resolution; use pwd() for relative-path resolution.
+ */
+export function explicitSessionCwd() {
+  const sessionRaw = process.env.MIXDOG_SESSION_CWD
+  if (typeof sessionRaw === 'string' && sessionRaw.length > 0) {
+    const normalized = _normalizePlatformCwd(sessionRaw)
+    if (normalized) {
+      try {
+        const st = statSync(normalized)
+        if (st.isDirectory()) return normalized
+      } catch { /* fall through to user-cwd.txt */ }
+    }
+  }
+  try {
+    const txt = readFileSync(join(process.env.CLAUDE_PLUGIN_DATA || '', 'user-cwd.txt'), 'utf8').trim()
+    return (txt && _normalizePlatformCwd(txt)) || null
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Resolve the Claude Code SESSION ENTRY root from CLAUDE_PROJECT_DIR — the
+ * directory the user launched Claude Code in, injected by the host on every
+ * run. This is an explicit host-provided invariant (not a heuristic guess),
+ * so it is the correct relative-path base when no session cwd has been set
+ * yet AND user-cwd.txt is unwritten (e.g. a hook fired with an empty
+ * _event.cwd). Returns null when the var is absent or not a live directory,
+ * so callers chain it ahead of the process.cwd() last resort.
+ */
+function startRootCwd() {
+  const dir = process.env.CLAUDE_PROJECT_DIR
+  if (typeof dir === 'string' && dir.length > 0) {
+    const normalized = _normalizePlatformCwd(dir)
+    if (normalized) {
+      try {
+        if (statSync(normalized).isDirectory()) return normalized
+      } catch { /* not a live directory — fall through */ }
+    }
+  }
+  return null
+}
+
+/**
+ * Resolve the user's current working directory for RELATIVE PATH
+ * RESOLUTION. Same explicit precedence as explicitSessionCwd(), then the
+ * session-entry root (CLAUDE_PROJECT_DIR), with process.cwd() as the final
+ * fallback when no explicit session cwd exists.
+ *
+ * Read fresh on every call: hot lookups inside a worker are short-
+ * circuited by runWithCwdOverride AsyncLocalStorage long before reaching
+ * this function, so the no-override fallback path is cold and per-call
+ * disk reads are negligible.
+ */
+export function captureOriginalUserCwd() {
+  return explicitSessionCwd() ?? startRootCwd() ?? _safeProcessCwd()
+}
+
+/**
+ * Read the user-cwd.txt sentinel directly, with NO env-var consult.
+ * Used by the cwd-tool auto-init path to avoid self-reference when
+ * deciding whether to seed MIXDOG_SESSION_CWD from disk.
+ */
+export function rawUserCwd() {
+  try {
+    const txt = readFileSync(join(process.env.CLAUDE_PLUGIN_DATA || '', 'user-cwd.txt'), 'utf8').trim()
+    return _normalizePlatformCwd(txt) || startRootCwd() || _safeProcessCwd()
+  } catch {
+    return startRootCwd() ?? _safeProcessCwd()
+  }
+}
+
+/**
+ * Path of the persisted last-session-cwd sentinel, KEYED by the supervisor
+ * (run-mcp) PID injected as MIXDOG_SUPERVISOR_PID. The supervisor is one
+ * per terminal/MCP client and is preserved across a dev-sync child restart
+ * (only the child is killed + respawned), so its PID is a stable, per-
+ * terminal key that survives the restart. Keying by it makes the restore
+ * multi-terminal safe: terminal A's `cwd set` writes session-cwd-<pidA>.txt
+ * and terminal B writes session-cwd-<pidB>.txt, so a restart in one terminal
+ * can never restore the other terminal's cwd. When no supervisor PID is
+ * present (direct launch with no respawn lifecycle) a single 'solo' file is
+ * used — there is no cross-restart key in that mode, matching the absence of
+ * a respawning supervisor.
+ */
+function _lastSessionCwdFile(keyPid) {
+  // Explicit keyPid (a connection's leadPid in daemon mode) wins; otherwise
+  // fall back to this process's MIXDOG_SUPERVISOR_PID. Under the shared daemon
+  // a single process serves N terminals, so keying writes by the per-connection
+  // leadPid is what keeps one terminal's `cwd set` out of another's sentinel.
+  const raw = (keyPid != null && keyPid !== '') ? String(keyPid) : process.env.MIXDOG_SUPERVISOR_PID
+  const key = (typeof raw === 'string' && /^\d+$/.test(raw)) ? raw : 'solo'
+  return join(process.env.CLAUDE_PLUGIN_DATA || '', `session-cwd-${key}.txt`)
+}
+
+/**
+ * Best-effort persist the last session cwd to disk (keyed per supervisor —
+ * see _lastSessionCwdFile) so the respawned child of the SAME terminal can
+ * restore it. Errors are swallowed — a convenience signal, not a contract.
+ */
+export function writeLastSessionCwd(cwd, keyPid) {
+  try {
+    writeFileSync(_lastSessionCwdFile(keyPid), String(cwd))
+  } catch { /* best-effort */ }
+}
+
+/**
+ * Read the persisted last session cwd for THIS terminal (keyed per supervisor
+ * PID). Returns the normalized path only when the directory still exists;
+ * otherwise null. Consulted by the boot-time cwd auto-init (server-main.mjs)
+ * ahead of the user-cwd.txt seed so the last `cwd set` survives a dev-sync
+ * child restart that dropped MIXDOG_SESSION_CWD.
+ */
+export function readLastSessionCwd(keyPid) {
+  try {
+    const content = readFileSync(_lastSessionCwdFile(keyPid), 'utf8')
+    const normalized = _normalizePlatformCwd(content.trim())
+    if (normalized && statSync(normalized).isDirectory()) return normalized
+    return null
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Run fn inside an async context where pwd() returns cwd.
+ * All descendant async calls within fn see cwd as their working directory.
+ */
+export function runWithCwdOverride(cwd, fn) {
+  return _cwdOverride.run(cwd, fn)
+}
+
+/**
+ * Current effective working directory:
+ *   override set by runWithCwdOverride (innermost wins) ?? original user cwd.
+ */
+export function pwd() {
+  return _cwdOverride.getStore() ?? captureOriginalUserCwd()
+}

package/src/shared/user-data-guard.mjs

@@ -0,0 +1,238 @@
+import {
+  copyFileSync,
+  existsSync,
+  mkdirSync,
+  readdirSync,
+  readFileSync,
+  rmSync,
+  statSync,
+  writeFileSync,
+} from 'fs';
+import { dirname, join, resolve } from 'path';
+import { homedir } from 'os';
+import { createHash } from 'crypto';
+
+export function getBackupRoot() {
+  return process.env.MIXDOG_USER_DATA_BACKUP_ROOT
+    || join(homedir(), '.claude', 'backups', 'mixdog-user-data');
+}
+const RECOVERY_NOTICE = 'RECOVERY-REQUIRED.txt';
+
+const USER_DATA_FILES = [
+  'mixdog-config.json',
+  'user-workflow.json',
+  'user-workflow.md',
+  'history/user.md',
+  'history/bot.md',
+];
+
+const USER_DATA_DIRS = [
+  'schedules',
+  'webhooks',
+  'roles',
+  'workflows',
+];
+
+function stamp() {
+  return new Date().toISOString().replace(/[:.]/g, '-');
+}
+
+function safeReason(reason) {
+  return String(reason || 'snapshot').replace(/[^a-z0-9_.-]+/gi, '-').slice(0, 48) || 'snapshot';
+}
+
+function initMarkerPath(dataDir) {
+  const id = createHash('sha256').update(String(dataDir || 'unknown')).digest('hex').slice(0, 16);
+  return join(getBackupRoot(), `.initialized-${id}.json`);
+}
+
+function isPlainObject(value) {
+  return !!value && typeof value === 'object' && !Array.isArray(value);
+}
+
+export function hasUserDataInitMarker(dataDir) {
+  return existsSync(initMarkerPath(dataDir));
+}
+
+/** Skip single-section wipe remnants (e.g. `{ search: … }` only). */
+export function isStructurallyCompleteMixdogConfigBackup(parsed) {
+  if (!isPlainObject(parsed)) return false;
+  if (Object.keys(parsed).length <= 1) return false;
+  if (!parsed.agent && !parsed.channels) return false;
+  return true;
+}
+
+/**
+ * Newest backup first: return the first structurally complete mixdog-config.json
+ * (skips degenerate single-section snapshots from a prior failed RMW).
+ */
+export function loadLatestMixdogConfigFromBackup(_dataDir) {
+  const root = getBackupRoot();
+  let entries = [];
+  try {
+    entries = readdirSync(root, { withFileTypes: true })
+      .filter((entry) => entry.isDirectory())
+      .map((entry) => entry.name)
+      .sort()
+      .reverse();
+  } catch {
+    return null;
+  }
+  for (const name of entries) {
+    const cfgPath = join(root, name, 'mixdog-config.json');
+    if (!existsSync(cfgPath)) continue;
+    try {
+      const parsed = JSON.parse(readFileSync(cfgPath, 'utf8'));
+      if (isStructurallyCompleteMixdogConfigBackup(parsed)) return parsed;
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+
+function copyTree(src, dst, copied) {
+  const st = statSync(src);
+  if (st.isDirectory()) {
+    for (const name of readdirSync(src)) {
+      copyTree(join(src, name), join(dst, name), copied);
+    }
+    return;
+  }
+  if (!st.isFile()) return;
+  mkdirSync(dirname(dst), { recursive: true });
+  copyFileSync(src, dst);
+  copied.push(dst);
+}
+
+function pruneBackups(keep = 40) {
+  let entries = [];
+  try {
+    entries = readdirSync(getBackupRoot(), { withFileTypes: true })
+      .filter((entry) => entry.isDirectory())
+      .map((entry) => entry.name)
+      .sort()
+      .reverse();
+  } catch {
+    return;
+  }
+  for (const name of entries.slice(keep)) {
+    try { rmSync(join(getBackupRoot(), name), { recursive: true, force: true }); } catch {}
+  }
+}
+
+export function markUserDataInitialized(dataDir) {
+  try {
+    mkdirSync(getBackupRoot(), { recursive: true });
+    writeFileSync(initMarkerPath(dataDir), JSON.stringify({
+      dataDir,
+      updatedAt: new Date().toISOString(),
+    }, null, 2) + '\n', 'utf8');
+  } catch {}
+}
+
+export function backupUserData(dataDir, reason = 'snapshot') {
+  if (process.env.MIXDOG_SKIP_USER_DATA_BACKUP === '1' || process.env.MIXDOG_SKIP_USER_DATA_BACKUP === 'true') {
+    return { dir: null, copied: [] };
+  }
+  if (!dataDir || !existsSync(dataDir)) return { dir: null, copied: [] };
+  const backupDir = join(getBackupRoot(), `${stamp()}-${safeReason(reason)}`);
+  const copied = [];
+  for (const rel of USER_DATA_FILES) {
+    const src = join(dataDir, rel);
+    if (existsSync(src)) copyTree(src, join(backupDir, rel), copied);
+  }
+  for (const rel of USER_DATA_DIRS) {
+    const src = join(dataDir, rel);
+    if (existsSync(src)) copyTree(src, join(backupDir, rel), copied);
+  }
+  if (copied.length > 0) {
+    markUserDataInitialized(dataDir);
+    pruneBackups();
+    process.stderr.write(`[user-data-backup] ${reason}: copied ${copied.length} file(s) to ${backupDir}\n`);
+  }
+  return { dir: copied.length > 0 ? backupDir : null, copied };
+}
+
+export function shouldSeedMissingUserData(dataDir, rel) {
+  if (!dataDir) return true;
+  if (existsSync(join(dataDir, rel))) {
+    markUserDataInitialized(dataDir);
+    return false;
+  }
+  const markerPath = initMarkerPath(dataDir);
+  if (!existsSync(markerPath)) return true;
+  try {
+    mkdirSync(dataDir, { recursive: true });
+    writeFileSync(join(dataDir, RECOVERY_NOTICE), [
+      'Mixdog refused to recreate missing user data from defaults.',
+      '',
+      `Missing file: ${rel}`,
+      `Data dir: ${dataDir}`,
+      `Backup root: ${getBackupRoot()}`,
+      '',
+      'Restore the missing file from backup, or delete the backup marker',
+      markerPath,
+      'only if this is an intentional fresh reset.',
+      '',
+    ].join('\n'), 'utf8');
+  } catch {}
+  process.stderr.write(`[seed-guard] refused default seed for missing ${rel}; restore from ${getBackupRoot()} or intentionally reset marker\n`);
+  return false;
+}
+
+// Names that mark a directory as the user-data ROOT. A package-manager run
+// (bun install) or recursive delete targeting any directory that IS the data
+// root, or that contains any of these, would wipe user state — so refuse.
+const USER_DATA_SENTINELS = [
+  'mixdog-config.json',
+  'user-workflow.json',
+  'user-workflow.md',
+  'roles',
+  'schedules',
+  'webhooks',
+];
+
+// Subdir name this code OWNS and may freely create/install/delete inside.
+const OWNED_SUBDIR = '.deps';
+
+// On Windows the filesystem is case-insensitive, so path comparisons must be
+// case-folded to stop variants like '.../Data/.deps' from bypassing the
+// target===root / dirname===root equality checks.
+const CASE_INSENSITIVE = process.platform === 'win32';
+
+function normCase(p) {
+  return CASE_INSENSITIVE ? String(p).toLowerCase() : String(p);
+}
+
+/**
+ * Hard guard: throws unless `targetDir` is EXACTLY the owned subdir directly
+ * under the user-data root (`<dataDir>/<ownedSubdir>`). Every other path under
+ * the data root is refused — including the root itself, sentinel dirs, and
+ * arbitrary subdirs. Call BEFORE any `bun install` / recursive delete.
+ *
+ * @param {string} targetDir      directory a destructive op is about to touch
+ * @param {string} dataDir        the user-data root to protect
+ * @param {string} [op]           label for the error message
+ * @param {string} [ownedSubdir]  the single owned subdir name (default '.deps')
+ * @returns {string}              the resolved owned path (only on allow)
+ */
+export function assertSafeOwnedDir(targetDir, dataDir, op = 'destructive op', ownedSubdir = OWNED_SUBDIR) {
+  if (!targetDir) throw new Error(`[data-guard] ${op} refused: empty target dir`);
+  if (!dataDir) throw new Error(`[data-guard] ${op} refused: empty data dir`);
+
+  // STRICT WHITELIST: the ONLY path this code may touch is the exact owned
+  // subdir directly under the data root (`<dataDir>/<ownedSubdir>`). Every
+  // other path — under the data root OR anywhere else on disk — is refused.
+  const target = resolve(targetDir);
+  const allowed = resolve(join(dataDir, ownedSubdir));
+
+  if (normCase(target) === normCase(allowed)) {
+    return target;
+  }
+
+  throw new Error(
+    `[data-guard] ${op} refused: ${target} is not the owned dir. ` +
+    `Only the exact owned subdir (${allowed}) may be operated on.`
+  );
+}