opencode-bifrost 0.0.1

package/src/manager.ts

@@ -0,0 +1,471 @@
+import { homedir } from "os";
+import { readdirSync, unlinkSync } from "fs";
+import type { BifrostConfig } from "./config";
+import { parseConfig } from "./config";
+
+export type ConnectionState = 
+  | "disconnected"
+  | "connecting"
+  | "connected"
+  | "disconnecting";
+
+export type BifrostErrorCode = 
+  | "UNREACHABLE" 
+  | "AUTH_FAILED" 
+  | "SOCKET_DEAD" 
+  | "COMMAND_FAILED" 
+  | "INVALID_STATE"
+  | "TIMEOUT";
+
+export class BifrostError extends Error {
+  public override readonly name = "BifrostError" as const;
+  
+  constructor(
+    message: string,
+    public readonly code: BifrostErrorCode
+  ) {
+    super(message);
+  }
+}
+
+export interface ExecResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+export interface ExecOptions {
+  timeout?: number;
+  maxOutputBytes?: number;
+}
+
+const SOCKET_DIR = `${homedir()}/.ssh/bifrost-control`;
+const DEFAULT_TIMEOUT = 30_000;
+const DEFAULT_MAX_OUTPUT = 10 * 1024 * 1024;
+
+function withTimeout<T>(promise: Promise<T>, ms: number, operation: string): Promise<T> {
+  return Promise.race([
+    promise,
+    new Promise<T>((_, reject) => 
+      setTimeout(() => reject(new BifrostError(`${operation} timed out after ${ms}ms`, "TIMEOUT")), ms)
+    )
+  ]);
+}
+
+async function readStreamLimited(stream: ReadableStream<Uint8Array>, maxBytes: number): Promise<string> {
+  const reader = stream.getReader();
+  const chunks: Uint8Array[] = [];
+  let totalBytes = 0;
+  let truncated = false;
+
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      
+      if (totalBytes + value.length > maxBytes) {
+        const remaining = maxBytes - totalBytes;
+        if (remaining > 0) {
+          chunks.push(value.slice(0, remaining));
+        }
+        truncated = true;
+        break;
+      }
+      
+      chunks.push(value);
+      totalBytes += value.length;
+    }
+  } finally {
+    reader.releaseLock();
+  }
+
+  const combined = new Uint8Array(Math.min(totalBytes, maxBytes));
+  let offset = 0;
+  for (const chunk of chunks) {
+    combined.set(chunk, offset);
+    offset += chunk.length;
+  }
+
+  const text = new TextDecoder().decode(combined);
+  return truncated ? text + `\n... [truncated at ${maxBytes} bytes]` : text;
+}
+
+export class BifrostManager implements AsyncDisposable {
+  private _state: ConnectionState = "disconnected";
+  private _config: BifrostConfig | null = null;
+  private _controlPath: string | null = null;
+  private _mutex: Promise<void> = Promise.resolve();
+
+  /**
+   * Explicit Resource Management (ES2024)
+   * Enables: `await using manager = new BifrostManager()`
+   * Auto-disconnects when scope exits
+   */
+  async [Symbol.asyncDispose](): Promise<void> {
+    await this.disconnect();
+  }
+
+  get state(): ConnectionState {
+    return this._state;
+  }
+
+  get config(): BifrostConfig | null {
+    return this._config;
+  }
+
+  get controlPath(): string | null {
+    return this._controlPath;
+  }
+
+  get socketDir(): string {
+    return SOCKET_DIR;
+  }
+
+  private async withMutex<T>(fn: () => Promise<T>): Promise<T> {
+    const prev = this._mutex;
+    let resolve: () => void;
+    this._mutex = new Promise<void>(r => { resolve = r; });
+    
+    try {
+      await prev;
+      return await fn();
+    } finally {
+      resolve!();
+    }
+  }
+
+  loadConfig(configPath: string): void {
+    this._config = parseConfig(configPath);
+    this._controlPath = `${SOCKET_DIR}/%C`;
+  }
+
+  private async ensureSocketDir(): Promise<void> {
+    const result = Bun.spawnSync(["mkdir", "-p", SOCKET_DIR]);
+    if (result.exitCode !== 0) {
+      throw new BifrostError(
+        `Failed to create socket directory: ${result.stderr.toString()}`,
+        "COMMAND_FAILED"
+      );
+    }
+    
+    const chmodResult = Bun.spawnSync(["chmod", "700", SOCKET_DIR]);
+    if (chmodResult.exitCode !== 0) {
+      throw new BifrostError(
+        `Failed to set socket directory permissions: ${chmodResult.stderr.toString()}`,
+        "COMMAND_FAILED"
+      );
+    }
+  }
+
+  private translateSSHError(exitCode: number, stderr: string): BifrostError {
+    const stderrLower = stderr.toLowerCase();
+    
+    if (exitCode === 255) {
+      if (stderrLower.includes("permission denied") || 
+          stderrLower.includes("authentication failed") ||
+          stderrLower.includes("publickey")) {
+        return new BifrostError(
+          `Authentication failed. Check key at ${this._config?.keyPath}`,
+          "AUTH_FAILED"
+        );
+      }
+      if (stderrLower.includes("connection refused") ||
+          stderrLower.includes("no route to host") ||
+          stderrLower.includes("connection timed out") ||
+          stderrLower.includes("could not resolve")) {
+        return new BifrostError(
+          `Server unreachable at ${this._config?.host}:${this._config?.port}`,
+          "UNREACHABLE"
+        );
+      }
+      return new BifrostError(
+        `SSH connection error: ${stderr}`,
+        "UNREACHABLE"
+      );
+    }
+    
+    return new BifrostError(
+      `Command failed with exit code ${exitCode}: ${stderr}`,
+      "COMMAND_FAILED"
+    );
+  }
+
+  private getDestination(): string {
+    if (!this._config) {
+      throw new BifrostError("No config loaded", "INVALID_STATE");
+    }
+    return `${this._config.user}@${this._config.host}`;
+  }
+
+  async connect(): Promise<void> {
+    return this.withMutex(async () => {
+      if (this._state === "connected") {
+        return;
+      }
+      
+      if (this._state === "connecting" || this._state === "disconnecting") {
+        throw new BifrostError(`Cannot connect in state: ${this._state}`, "INVALID_STATE");
+      }
+      
+      if (!this._config) {
+        throw new BifrostError("No config loaded. Call loadConfig() first", "INVALID_STATE");
+      }
+
+      this._state = "connecting";
+
+      try {
+        this.cleanup();
+        await this.ensureSocketDir();
+        await this.doConnect();
+        this._state = "connected";
+      } catch (error) {
+        this._state = "disconnected";
+        throw error;
+      }
+    });
+  }
+
+  async disconnect(): Promise<void> {
+    return this.withMutex(async () => {
+      if (this._state === "disconnected") {
+        return;
+      }
+      
+      if (this._state === "disconnecting" || this._state === "connecting") {
+        throw new BifrostError(`Cannot disconnect in state: ${this._state}`, "INVALID_STATE");
+      }
+
+      if (!this._config || !this._controlPath) {
+        this._state = "disconnected";
+        return;
+      }
+
+      this._state = "disconnecting";
+
+      try {
+        const args = [
+          "ssh",
+          "-O", "exit",
+          "-o", `ControlPath=${this._controlPath}`,
+          this.getDestination(),
+        ];
+
+        const proc = Bun.spawn(args, {
+          stdout: "pipe",
+          stderr: "pipe",
+        });
+
+        await withTimeout(proc.exited, 5000, "SSH disconnect");
+      } catch {
+      } finally {
+        this._state = "disconnected";
+      }
+    });
+  }
+
+  /**
+   * Health check via ssh -O check
+   * Returns true if connection is alive
+   */
+  async isConnected(): Promise<boolean> {
+    if (this._state !== "connected" || !this._config || !this._controlPath) {
+      return false;
+    }
+
+    const args = [
+      "ssh",
+      "-O", "check",
+      "-o", `ControlPath=${this._controlPath}`,
+      this.getDestination(),
+    ];
+
+    const proc = Bun.spawn(args, {
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+
+    const exitCode = await proc.exited;
+    return exitCode === 0;
+  }
+
+  async exec(command: string, options: ExecOptions = {}): Promise<ExecResult> {
+    const timeout = options.timeout ?? DEFAULT_TIMEOUT;
+    const maxOutput = options.maxOutputBytes ?? DEFAULT_MAX_OUTPUT;
+
+    if (this._state !== "connected") {
+      throw new BifrostError(
+        `Cannot exec in state: ${this._state}. Call connect() first`,
+        "INVALID_STATE"
+      );
+    }
+
+    if (!this._config || !this._controlPath) {
+      throw new BifrostError("No config or control path", "INVALID_STATE");
+    }
+
+    const alive = await this.isConnected();
+    if (!alive) {
+      this._state = "disconnected";
+      throw new BifrostError(
+        "Connection dead. Socket exists but connection failed",
+        "SOCKET_DEAD"
+      );
+    }
+
+    const escapedCommand = command.replace(/'/g, "'\\''");
+
+    const args = [
+      "ssh",
+      "-o", `ControlPath=${this._controlPath}`,
+      this.getDestination(),
+      `bash -l -c '${escapedCommand}'`,
+    ];
+
+    const proc = Bun.spawn(args, {
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+
+    try {
+      const exitCode = await withTimeout(proc.exited, timeout, "Command execution");
+      const [stdout, stderr] = await Promise.all([
+        readStreamLimited(proc.stdout, maxOutput),
+        readStreamLimited(proc.stderr, maxOutput),
+      ]);
+
+      return { stdout, stderr, exitCode };
+    } catch (error) {
+      proc.kill();
+      throw error;
+    }
+  }
+
+  private async runSftp(sftpCommand: string, timeout: number = 60000): Promise<void> {
+    if (this._state !== "connected") {
+      throw new BifrostError(
+        `Cannot run SFTP in state: ${this._state}. Call connect() first`,
+        "INVALID_STATE"
+      );
+    }
+
+    if (!this._config || !this._controlPath) {
+      throw new BifrostError("No config or control path", "INVALID_STATE");
+    }
+
+    const args = [
+      "sftp",
+      "-o", `ControlPath=${this._controlPath}`,
+      "-b", "-",
+      this.getDestination(),
+    ];
+    
+    const proc = Bun.spawn(args, {
+      stdin: new Response(sftpCommand).body,
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+
+    try {
+      const exitCode = await withTimeout(proc.exited, timeout, "SFTP operation");
+      const stderr = await new Response(proc.stderr).text();
+
+      if (exitCode !== 0) {
+        throw this.translateSSHError(exitCode, stderr);
+      }
+    } catch (error) {
+      proc.kill();
+      throw error;
+    }
+  }
+
+  async upload(localPath: string, remotePath: string): Promise<void> {
+    await this.runSftp(`put -r "${localPath}" "${remotePath}"`);
+  }
+
+  async download(remotePath: string, localPath: string): Promise<void> {
+    await this.runSftp(`get -r "${remotePath}" "${localPath}"`);
+  }
+
+  async ensureConnected(): Promise<void> {
+    return this.withMutex(async () => {
+      if (this._state === "disconnected") {
+        this._state = "connecting";
+        try {
+          this.cleanup();
+          await this.ensureSocketDir();
+          await this.doConnect();
+          this._state = "connected";
+        } catch (error) {
+          this._state = "disconnected";
+          throw error;
+        }
+        return;
+      }
+
+      if (this._state === "connecting" || this._state === "disconnecting") {
+        throw new BifrostError(
+          `Cannot ensure connection in state: ${this._state}`,
+          "INVALID_STATE"
+        );
+      }
+
+      const alive = await this.isConnected();
+      if (!alive) {
+        this._state = "connecting";
+        try {
+          await this.doConnect();
+          this._state = "connected";
+        } catch (error) {
+          this._state = "disconnected";
+          throw error;
+        }
+      }
+    });
+  }
+
+  private async doConnect(): Promise<void> {
+    if (!this._config) {
+      throw new BifrostError("No config loaded", "INVALID_STATE");
+    }
+
+    const args = [
+      "ssh",
+      "-fN",
+      "-o", "ControlMaster=auto",
+      "-o", `ControlPath=${this._controlPath}`,
+      "-o", `ControlPersist=${this._config.controlPersist}`,
+      "-o", `ServerAliveInterval=${this._config.serverAliveInterval}`,
+      "-o", `ConnectTimeout=${this._config.connectTimeout}`,
+      "-o", "StrictHostKeyChecking=accept-new",
+      "-i", this._config.keyPath,
+      "-p", String(this._config.port),
+      this.getDestination(),
+    ];
+
+    const proc = Bun.spawn(args, {
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+
+    const timeoutMs = (this._config.connectTimeout + 5) * 1000;
+    const exitCode = await withTimeout(proc.exited, timeoutMs, "SSH connect");
+    const stderr = await new Response(proc.stderr).text();
+
+    if (exitCode !== 0) {
+      throw this.translateSSHError(exitCode, stderr);
+    }
+  }
+
+  cleanup(): void {
+    try {
+      const files = readdirSync(SOCKET_DIR);
+      for (const file of files) {
+        try {
+          unlinkSync(`${SOCKET_DIR}/${file}`);
+        } catch {}
+      }
+    } catch {}
+  }
+}
+
+export const bifrostManager = new BifrostManager();

package/src/security.ts

@@ -0,0 +1,98 @@
+export interface ValidationResult {
+  valid: boolean;
+  error?: string;
+}
+
+function normalizeUnicode(input: string): string {
+  return input
+    .normalize("NFKC")
+    .replace(/[\uFF01-\uFF5E]/g, (c) => 
+      String.fromCharCode(c.charCodeAt(0) - 0xFEE0)
+    )
+    .replace(/[\u2018\u2019\u201A\u201B]/g, "'")
+    .replace(/[\u201C\u201D\u201E\u201F]/g, '"')
+    .replace(/[\u2010-\u2015\u2212\uFE58\uFE63\uFF0D]/g, "-");
+}
+
+const SAFE_PATH_CHARS = /^[a-zA-Z0-9_.\-\/\s@:]+$/;
+
+const DANGEROUS_PATTERNS: Array<{ pattern: RegExp; name: string }> = [
+  { pattern: /\.\./, name: "path traversal (..)" },
+  { pattern: /^\s*-/, name: "flag injection (starts with -)" },
+  { pattern: /[`$]/, name: "command substitution ($ or `)" },
+  { pattern: /[;&|]/, name: "command chaining (; & |)" },
+  { pattern: /[\n\r]/, name: "newline injection" },
+  { pattern: new RegExp("\\x00"), name: "null byte" },
+  { pattern: /[\t\v\f]/, name: "tab or special whitespace" },
+  { pattern: /[<>]/, name: "redirection (< or >)" },
+  { pattern: /[*?[\]]/, name: "glob pattern (* ? [ ])" },
+  { pattern: /[{}]/, name: "brace expansion ({ })" },
+  { pattern: /[\\]/, name: "backslash escape" },
+  { pattern: /[!#~^]/, name: "shell expansion (! # ~ ^)" },
+  { pattern: /\$\(/, name: "command substitution $()" },
+];
+
+export function validatePath(path: string, fieldName: string): ValidationResult {
+  if (!path || path.trim().length === 0) {
+    return { valid: false, error: `${fieldName} cannot be empty` };
+  }
+
+  const normalized = normalizeUnicode(path);
+  
+  if (normalized !== path) {
+    return { 
+      valid: false, 
+      error: `${fieldName} contains suspicious unicode characters` 
+    };
+  }
+
+  if (!SAFE_PATH_CHARS.test(path)) {
+    return { 
+      valid: false, 
+      error: `${fieldName} contains characters outside allowed set [a-zA-Z0-9_.\\-/@: ]` 
+    };
+  }
+
+  for (const { pattern, name } of DANGEROUS_PATTERNS) {
+    if (pattern.test(path)) {
+      return {
+        valid: false,
+        error: `${fieldName} contains forbidden pattern: ${name}`,
+      };
+    }
+  }
+
+  if (path.length > 4096) {
+    return { valid: false, error: `${fieldName} exceeds maximum length (4096)` };
+  }
+
+  return { valid: true };
+}
+
+export function validateCommand(command: string): ValidationResult {
+  if (!command || command.trim().length === 0) {
+    return { valid: false, error: "command cannot be empty" };
+  }
+
+  const normalized = normalizeUnicode(command);
+  if (normalized !== command) {
+    return { 
+      valid: false, 
+      error: "command contains suspicious unicode characters" 
+    };
+  }
+
+  if (command.includes("\x00")) {
+    return { valid: false, error: "command contains null byte" };
+  }
+
+  if (command.length > 65536) {
+    return { valid: false, error: "command exceeds maximum length (64KB)" };
+  }
+
+  return { valid: true };
+}
+
+export function escapeShellArg(arg: string): string {
+  return arg.replace(/'/g, "'\\''");
+}

package/src/tools/connect.ts

@@ -0,0 +1,35 @@
+import { homedir } from "os";
+import { tool, type ToolDefinition } from "@opencode-ai/plugin/tool";
+import { bifrostManager } from "../manager";
+
+export const bifrost_connect: ToolDefinition = tool({
+  description:
+    "Establish a persistent SSH connection to the configured remote server. Uses SSH ControlMaster multiplexing. Once connected, use bifrost_exec to run commands.",
+  args: {
+    configPath: tool.schema
+      .string()
+      .optional()
+      .describe("Path to bifrost config file (defaults to ~/.config/opencode/bifrost.json)"),
+  },
+  execute: async (args) => {
+    try {
+      const configPath = args.configPath || `${homedir()}/.config/opencode/bifrost.json`;
+      bifrostManager.loadConfig(configPath);
+
+      if (bifrostManager.state === "connected") {
+        const config = bifrostManager.config;
+        return `Already connected to ${config?.user}@${config?.host}`;
+      }
+
+      await bifrostManager.connect();
+
+      const config = bifrostManager.config;
+      return `🌈 Bifrost bridge established to ${config?.user}@${config?.host}:${config?.port}\nConnection persistent. Use bifrost_exec to run commands.`;
+    } catch (error) {
+      if (error instanceof Error) {
+        return `Error: ${error.message}`;
+      }
+      return "Error: Unknown error occurred while connecting";
+    }
+  },
+});

package/src/tools/disconnect.ts

@@ -0,0 +1,30 @@
+import { tool, type ToolDefinition } from "@opencode-ai/plugin/tool";
+import { bifrostManager } from "../manager";
+
+export const bifrost_disconnect: ToolDefinition = tool({
+  description:
+    "Disconnect the Bifrost SSH connection and clean up the control socket.",
+  args: {},
+  execute: async () => {
+    try {
+      // Check if connected
+      if (bifrostManager.state === "disconnected") {
+        return "Not connected. Nothing to disconnect.";
+      }
+
+      // Disconnect
+      await bifrostManager.disconnect();
+
+      // Get user and host for message
+      const config = bifrostManager.config;
+      const userHost = config ? `${config.user}@${config.host}` : "remote server";
+
+      return `🌈 Bifrost bridge closed. Connection to ${userHost} terminated.`;
+    } catch (error) {
+      if (error instanceof Error) {
+        return `Error: ${error.message}`;
+      }
+      return "Error: Unknown error occurred during disconnect";
+    }
+  },
+});

package/src/tools/download.ts

@@ -0,0 +1,51 @@
+import { statSync } from "fs";
+import { tool, type ToolDefinition } from "@opencode-ai/plugin/tool";
+import { bifrostManager } from "../manager";
+import { validatePath } from "../security";
+
+export const bifrost_download: ToolDefinition = tool({
+  description:
+    "Download a file from the remote server to the local machine via the persistent Bifrost connection.",
+  args: {
+    remotePath: tool.schema
+      .string()
+      .describe("Remote file path to download"),
+    localPath: tool.schema
+      .string()
+      .describe("Local file path destination"),
+  },
+  execute: async (args) => {
+    try {
+      const remoteValidation = validatePath(args.remotePath, "remotePath");
+      if (!remoteValidation.valid) {
+        return `Error: ${remoteValidation.error}`;
+      }
+
+      const localValidation = validatePath(args.localPath, "localPath");
+      if (!localValidation.valid) {
+        return `Error: ${localValidation.error}`;
+      }
+
+      await bifrostManager.ensureConnected();
+
+      await bifrostManager.download(args.remotePath, args.localPath);
+
+      // Get file size after download
+      const stat = statSync(args.localPath);
+      const fileSize = stat.size;
+
+      // Get config for display
+      const config = bifrostManager.config;
+      if (!config) {
+        return "Error: No config loaded";
+      }
+
+      return `📥 Downloaded ${config.user}@${config.host}:${args.remotePath} → ${args.localPath} (${fileSize} bytes)`;
+    } catch (error) {
+      if (error instanceof Error) {
+        return `Error: ${error.message}`;
+      }
+      return "Error: Unknown error occurred during download";
+    }
+  },
+});