mover-os 4.7.2 → 4.7.3

package/install.js

@@ -749,10 +749,32 @@ const POLAR_ORG_ID = process.env.POLAR_ORG_ID || "ba863394-6bca-4965-952a-06b7c0
 // ─── Payload Download ────────────────────────────────────────────────────────
 const DOWNLOAD_URL = "https://moveros.dev/api/download";
 
+// Generates or reads a stable machine ID. Hardware-derived hash so the same
+// physical machine produces the same ID even if the file is deleted (defeats
+// casual sharing where someone copies just the license key but not the file).
+function getMachineId(moverDir) {
+  const idPath = path.join(moverDir, ".machine-id");
+  // If file exists and is well-formed, reuse it
+  try {
+    const existing = fs.readFileSync(idPath, "utf8").trim();
+    if (existing && /^[a-f0-9]{32,}$/i.test(existing)) return existing;
+  } catch { /* file doesn't exist, fall through */ }
+  // Generate hardware-derived ID: hash(cpu_model + hostname + os_release + platform)
+  const crypto = require("crypto");
+  const cpuModel = (os.cpus()[0] && os.cpus()[0].model) || "unknown-cpu";
+  const fingerprint = `${cpuModel}|${os.hostname()}|${os.release()}|${os.platform()}|${os.arch()}`;
+  const id = crypto.createHash("sha256").update(fingerprint).digest("hex");
+  try {
+    fs.writeFileSync(idPath, id, { mode: 0o600 });
+  } catch { /* non-fatal — we'll just regenerate next run */ }
+  return id;
+}
+
 async function downloadPayload(key) {
   const https = require("https");
   const moverDir = path.join(os.homedir(), ".mover");
   fs.mkdirSync(moverDir, { recursive: true, mode: 0o700 });
+  const machineId = getMachineId(moverDir);
   // Clean old staged src/ before extracting fresh
   const stagedSrc = path.join(moverDir, "src");
   if (fs.existsSync(stagedSrc)) {
@@ -767,12 +789,16 @@ async function downloadPayload(key) {
       hostname: url.hostname,
       path: url.pathname,
       method: "GET",
-      headers: { "X-License-Key": key.trim() },
+      headers: { "X-License-Key": key.trim(), "X-Machine-Id": machineId },
       timeout: 60000,
     }, (res) => {
       if (res.statusCode === 301 || res.statusCode === 302) {
         // Follow redirect — only to trusted domains
         const redirectUrl = new URL(res.headers.location);
+        if (redirectUrl.protocol !== 'https:') {
+          reject(new Error('Refusing non-HTTPS redirect'));
+          return;
+        }
         const trusted = ["github.com", "objects.githubusercontent.com", "moveros.dev"];
         if (!trusted.some((d) => redirectUrl.hostname === d || redirectUrl.hostname.endsWith("." + d))) {
           reject(new Error("Untrusted redirect domain"));
@@ -802,6 +828,12 @@ async function downloadPayload(key) {
         res.on("end", () => reject(new Error("License key rejected by server")));
         return;
       }
+      if (res.statusCode === 403) {
+        let body = "";
+        res.on("data", (c) => body += c);
+        res.on("end", () => reject(new Error("License at activation cap. Email support@moveros.dev to free a slot.")));
+        return;
+      }
       if (res.statusCode !== 200) {
         reject(new Error(`Download failed (HTTP ${res.statusCode})`));
         return;
@@ -818,6 +850,15 @@ async function downloadPayload(key) {
     req.end();
   });
 
+  // Validate tar contents before extraction (zip-slip prevention)
+  const listing = execSync(`tar -tzf "${tarPath}"`, { encoding: 'utf8' });
+  const entries = listing.split('\n').filter(Boolean);
+  const badPaths = entries.filter(e => e.startsWith('/') || e.includes('..'));
+  if (badPaths.length > 0) {
+    fs.unlinkSync(tarPath);
+    throw new Error('Payload contains unsafe paths: ' + badPaths.join(', '));
+  }
+
   // Extract tarball into ~/.mover/ (produces ~/.mover/src/)
   try {
     execSync(`tar -xzf "${tarPath}" -C "${moverDir}"`, { stdio: "ignore" });
@@ -5340,8 +5381,10 @@ async function cmdUpdateComprehensive(opts, bundleDir, startTime) {
   createVaultStructure(vaultPath);
   // NOTE: templates are now handled via smart merge below (after manifest load), NOT installTemplateFiles()
 
-  // Update version marker
-  fs.writeFileSync(path.join(vaultPath, ".mover-version"), `${require("./package.json").version}\n`, "utf8");
+  // Version marker is NOT stamped here during interactive update.
+  // /update workflow stamps it after migrations complete.
+  // Stamping early would make /update see current-version == target-version
+  // and skip all migrations (the "V4→V4" bug).
 
   // ── Smart Update: hash-based change detection + auto-merge ──
   const manifest = loadUpdateManifest();
@@ -5796,6 +5839,9 @@ async function main() {
       } else if (msg.includes("401") || msg.includes("rejected")) {
         barLn(red("  License key rejected by server."));
         barLn(dim("  Has your key expired? Check polar.sh or email support@moveros.dev."));
+      } else if (msg.includes("activation cap") || msg.includes("403")) {
+        barLn(red("  License is registered to other devices."));
+        barLn(dim("  Email support@moveros.dev to deactivate one and free a slot."));
       } else if (msg.includes("500") || msg.includes("502") || msg.includes("503")) {
         barLn(red("  Server error."));
         barLn(dim("  Try again in a few minutes. If it persists, email support@moveros.dev."));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mover-os",
-  "version": "4.7.2",
+  "version": "4.7.3",
   "description": "Your AI co-founder. Remembers your goals, pushes back when you drift. Works with 15 AI agents.",
   "bin": {
     "moveros": "install.js"
@@ -8,6 +8,13 @@
   "files": [
     "install.js"
   ],
+  "scripts": {
+    "test": "node test/runner.mjs",
+    "test:smoke": "node test/smoke.mjs",
+    "test:structural": "node test/structural.mjs",
+    "test:machineid": "node test/getMachineId.test.mjs",
+    "test:full": "node test/runner.mjs --include-slow"
+  },
   "keywords": [
     "obsidian",
     "productivity",