pal-explorer-cli 0.4.0

package/lib/protocol/sync.js

@@ -0,0 +1,122 @@
+import crypto from 'crypto';
+import fs from 'fs';
+import { syncManifest, syncDiff, syncRequest, syncConflict } from './messages.js';
+import { isPro } from '../core/pro.js';
+
+const DEFAULT_BLOCK_SIZE = 4096;
+
+export function buildProtocolManifest(entries, syncPairId, generation) {
+  const sorted = [...entries].sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+  const checksumInput = sorted.map(e => `${e.relativePath}:${e.hash}:${e.size}`).join('\n');
+  const checksum = crypto.createHash('sha256').update(checksumInput).digest('hex');
+
+  return {
+    syncPairId,
+    generation,
+    entries: sorted.map(e => ({
+      path: e.relativePath,
+      size: e.size,
+      hash: e.hash,
+      mtime: e.mtime,
+      deleted: false,
+    })),
+    checksum,
+  };
+}
+
+export function createManifestEnvelope(keyPair, peerPK, manifest) {
+  return syncManifest(keyPair, peerPK, manifest);
+}
+
+export function computeDelta(localEntries, remoteEntries) {
+  const remoteMap = new Map(remoteEntries.map(e => [e.path, e]));
+  const localMap = new Map(localEntries.map(e => [e.path, e]));
+
+  const added = [];
+  const modified = [];
+  const deleted = [];
+  const unchanged = [];
+
+  for (const entry of remoteEntries) {
+    const local = localMap.get(entry.path);
+    if (!local) {
+      added.push(entry);
+    } else if (local.hash !== entry.hash) {
+      modified.push({ path: entry.path, local, remote: entry });
+    } else {
+      unchanged.push(entry);
+    }
+  }
+
+  for (const entry of localEntries) {
+    if (!remoteMap.has(entry.path)) {
+      deleted.push(entry);
+    }
+  }
+
+  return { added, modified, deleted, unchanged };
+}
+
+// Delta sync — block-level (Pro only)
+export function computeBlockHashes(filePath, blockSize = DEFAULT_BLOCK_SIZE) {
+  if (!isPro()) throw new Error('Delta sync requires Pro.');
+
+  const fd = fs.openSync(filePath, 'r');
+  const stat = fs.fstatSync(fd);
+  const hashes = [];
+  const buf = Buffer.alloc(blockSize);
+
+  let offset = 0;
+  while (offset < stat.size) {
+    const bytesRead = fs.readSync(fd, buf, 0, blockSize, offset);
+    const hash = crypto.createHash('sha256').update(buf.subarray(0, bytesRead)).digest('hex');
+    hashes.push(hash);
+    offset += bytesRead;
+  }
+
+  fs.closeSync(fd);
+  return { hashes, blockSize, totalSize: stat.size };
+}
+
+export function findChangedBlocks(localHashes, remoteHashes) {
+  const changed = [];
+  const maxLen = Math.max(localHashes.length, remoteHashes.length);
+  for (let i = 0; i < maxLen; i++) {
+    if (localHashes[i] !== remoteHashes[i]) {
+      changed.push(i);
+    }
+  }
+  return changed;
+}
+
+export function createSyncRequest(keyPair, peerPK, syncPairId, files) {
+  const requestFiles = files.map(f => {
+    if (isPro() && f.mode === 'delta') {
+      return {
+        path: f.path,
+        mode: 'delta',
+        blockSize: f.blockSize || DEFAULT_BLOCK_SIZE,
+        localBlockHashes: f.localBlockHashes,
+        localSize: f.localSize,
+      };
+    }
+    return { path: f.path, mode: 'full' };
+  });
+
+  return syncRequest(keyPair, peerPK, { syncPairId, files: requestFiles });
+}
+
+export function createConflictNotification(keyPair, peerPK, syncPairId, conflicts) {
+  return syncConflict(keyPair, peerPK, {
+    syncPairId,
+    conflicts: conflicts.map(c => ({
+      path: c.path,
+      localHash: c.localHash,
+      remoteHash: c.remoteHash,
+      baseHash: c.baseHash || null,
+      localMtime: c.localMtime,
+      remoteMtime: c.remoteMtime,
+      resolution: c.resolution || 'keep_both',
+    })),
+  });
+}

package/lib/utils/cli.js

@@ -0,0 +1,15 @@
+import chalk from 'chalk';
+
+export function printJson(data) {
+  console.log(JSON.stringify(data, null, 2));
+}
+
+export function parseCommaList(str) {
+  if (!str) return [];
+  return str.split(',').map(s => s.trim()).filter(Boolean);
+}
+
+export function exitError(message) {
+  console.error(chalk.red(message));
+  process.exitCode = 1;
+}

package/lib/utils/config.js

@@ -0,0 +1,123 @@
+import Conf from 'conf';
+import keytar from 'keytar';
+import crypto from 'crypto';
+import fs from 'fs';
+import path from 'path';
+
+const KEYTAR_SERVICE = 'pal-explorer-config';
+const KEYTAR_ACCOUNT = 'encryption-key';
+
+let encryptionKey;
+try {
+  if (process.platform === 'win32' || process.platform === 'darwin') {
+    encryptionKey = await keytar.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT);
+    if (!encryptionKey) {
+      encryptionKey = crypto.randomBytes(32).toString('hex');
+      await keytar.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT, encryptionKey);
+    }
+  } else {
+    // LOW-1 fix: on Linux, attempt libsecret via secret-tool
+    try {
+      const { execSync } = await import('child_process');
+      encryptionKey = execSync(
+        'secret-tool lookup service pal-explorer-config key encryption-key 2>/dev/null',
+        { encoding: 'utf8', timeout: 3000 }
+      ).trim();
+      if (!encryptionKey) {
+        encryptionKey = crypto.randomBytes(32).toString('hex');
+        execSync(
+          `echo -n "${encryptionKey}" | secret-tool store --label="palexplorer config key" service pal-explorer-config key encryption-key`,
+          { timeout: 3000 }
+        );
+      }
+    } catch {
+      encryptionKey = null;
+    }
+  }
+} catch {
+  encryptionKey = null;
+}
+const isHeadlessLinux = process.platform === 'linux' && !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY;
+if (!encryptionKey && !isHeadlessLinux) {
+  console.warn('\x1b[33m[SECURITY WARNING] keytar unavailable — config will NOT be encrypted at rest.\x1b[0m');
+  console.warn('\x1b[33mPrivate keys are still protected via OS credential store.\x1b[0m');
+}
+
+const defaults = {
+  identity: null,
+  device: null,
+  friends: [],
+  shares: [],
+  settings: {
+    downloadDir: '',
+    port: 0,
+    dht: true,
+    maxConnections: 55,
+    discovery_servers: [],
+    bootstrapNodes: [],
+    stunServers: ['stun:stun.l.google.com:19302'],
+    turn_server: 'turn.palexplorer.com',
+    logLevel: 'info',
+    streamTransport: 'p2p',
+    customStunServers: [],
+    customTurnServers: [],
+    tunnelUrl: ''
+  }
+};
+
+// Migrate plain JSON config → encrypted if needed
+if (encryptionKey) {
+  try {
+    const tmpConf = new Conf({ projectName: 'pal-explorer-cli', defaults });
+    const configPath = tmpConf.path;
+    if (fs.existsSync(configPath)) {
+      const raw = fs.readFileSync(configPath, 'utf8');
+      // If file starts with '{', it's plain JSON — needs migration
+      if (raw.trimStart().startsWith('{')) {
+        const plainData = JSON.parse(raw);
+        // Create encrypted store (overwrites same file)
+        const encConf = new Conf({ projectName: 'pal-explorer-cli', defaults, encryptionKey });
+        for (const [key, value] of Object.entries(plainData)) {
+          encConf.set(key, value);
+        }
+      }
+    }
+  } catch {
+    // Migration failed — encrypted store will start fresh
+  }
+}
+
+let config;
+try {
+  config = new Conf({
+    projectName: 'pal-explorer-cli',
+    defaults,
+    ...(encryptionKey ? { encryptionKey } : {}),
+  });
+  // Trigger a read to surface decrypt/parse errors early
+  config.store;
+} catch (err) {
+  // Config file is encrypted with a different/missing key, or corrupt.
+  // Delete the unreadable file and start fresh.
+  try {
+    const tmpConf = new Conf({ projectName: 'pal-explorer-cli', defaults });
+    const configPath = tmpConf.path;
+    if (fs.existsSync(configPath)) {
+      fs.unlinkSync(configPath);
+    }
+  } catch {}
+  config = new Conf({
+    projectName: 'pal-explorer-cli',
+    defaults,
+    ...(encryptionKey ? { encryptionKey } : {}),
+  });
+}
+
+// LOW-1 fix: set restrictive permissions on config file (Linux/macOS)
+if (process.platform !== 'win32') {
+  try {
+    fs.chmodSync(config.path, 0o600);
+  } catch {}
+}
+
+export default config;

package/lib/utils/configIntegrity.js

@@ -0,0 +1,87 @@
+import crypto from 'crypto';
+import os from 'os';
+import keytar from 'keytar';
+import config from './config.js';
+
+const KEYTAR_SERVICE = 'pal-explorer-config';
+const KEYTAR_ACCOUNT = 'hmac-key';
+const HMAC_STORE_KEY = '_integrity';
+
+// Protected config keys that get HMAC integrity checks
+const PROTECTED_KEYS = ['shares', 'users', 'billing', 'billing_license_key'];
+
+let hmacKey = null;
+
+function deriveMachineKey() {
+  const hostname = os.hostname();
+  const username = os.userInfo().username;
+  const cpus = os.cpus();
+  const hardwareId = cpus.length > 0 ? cpus[0].model : 'unknown';
+  const seed = `pal-explorer:${hostname}:${username}:${hardwareId}`;
+  return crypto.createHash('sha256').update(seed).digest('hex');
+}
+
+async function getHmacKey() {
+  if (hmacKey) return hmacKey;
+  try {
+    hmacKey = await keytar.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT);
+    if (!hmacKey) {
+      hmacKey = crypto.randomBytes(32).toString('hex');
+      await keytar.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT, hmacKey);
+    }
+  } catch {
+    // keytar unavailable (e.g., Linux without libsecret) — derive from machine identity
+    hmacKey = deriveMachineKey();
+  }
+  return hmacKey;
+}
+
+function computeHmac(key, data, secret) {
+  const hmac = crypto.createHmac('sha256', secret);
+  hmac.update(key + ':');
+  hmac.update(JSON.stringify(data));
+  return hmac.digest('hex');
+}
+
+export async function signConfigKey(key) {
+  if (!PROTECTED_KEYS.includes(key)) return;
+  const secret = await getHmacKey();
+  if (!secret) return;
+
+  const data = config.get(key);
+  const mac = computeHmac(key, data, secret);
+  const integrity = config.get(HMAC_STORE_KEY) || {};
+  integrity[key] = mac;
+  config.set(HMAC_STORE_KEY, integrity);
+}
+
+export async function verifyConfigKey(key) {
+  if (!PROTECTED_KEYS.includes(key)) return true;
+  const secret = await getHmacKey();
+  if (!secret) return true; // keytar unavailable, can't verify
+
+  const integrity = config.get(HMAC_STORE_KEY) || {};
+  const storedMac = integrity[key];
+  if (!storedMac) {
+    // First run or migration — sign it now
+    await signConfigKey(key);
+    return true;
+  }
+
+  const data = config.get(key);
+  const expected = computeHmac(key, data, secret);
+  return crypto.timingSafeEqual(Buffer.from(storedMac, 'hex'), Buffer.from(expected, 'hex'));
+}
+
+export async function setProtected(key, value) {
+  config.set(key, value);
+  await signConfigKey(key);
+}
+
+export async function getProtected(key) {
+  const valid = await verifyConfigKey(key);
+  if (!valid) {
+    throw new Error(`Config integrity check failed for "${key}". Data may have been tampered with.`);
+  }
+  return config.get(key);
+}

package/lib/utils/downloadDir.js

@@ -0,0 +1,9 @@
+import path from 'path';
+import config from './config.js';
+
+export function getDownloadDir() {
+  const settings = config.get('settings') || {};
+  if (settings.downloadDir) return settings.downloadDir;
+  const home = process.env.HOME || process.env.USERPROFILE || '';
+  return path.join(home, 'Downloads', 'Palexplorer');
+}

package/lib/utils/explorer.js

@@ -0,0 +1,83 @@
+import regedit from 'regedit';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import fs from 'fs';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+// Note: regedit requires vbs scripts which it bundle, but sometimes we need to set the path
+// regedit.setExternalVBSLocation(path.join(__dirname, 'vbs'));
+
+export async function installExplorerContextMenu() {
+  if (process.platform !== 'win32') {
+    console.log('Explorer integration is only available on Windows.');
+    return;
+  }
+
+  const exePath = process.execPath;
+  const scriptPath = path.resolve(__dirname, '../../bin/pal.js');
+  // Command to run: pe share "filepath"
+  // For the GUI, we might want a specific handler that opens the GUI
+  const command = `"${exePath}" "${scriptPath}" gui-share "%1"`;
+
+  const keys = {
+    'HKCU\Software\Classes\*\shell\PalExplorer': {
+      'MUIVerb': {
+        value: 'Share with Pal...',
+        type: 'REG_SZ'
+      },
+      'Icon': {
+        value: exePath,
+        type: 'REG_SZ'
+      }
+    },
+    'HKCU\Software\Classes\*\shell\PalExplorer\command': {
+      'default': {
+        value: command,
+        type: 'REG_SZ'
+      }
+    },
+    'HKCU\Software\Classes\Directory\shell\PalExplorer': {
+      'MUIVerb': {
+        value: 'Share with Pal...',
+        type: 'REG_SZ'
+      },
+      'Icon': {
+        value: exePath,
+        type: 'REG_SZ'
+      }
+    },
+    'HKCU\Software\Classes\Directory\shell\PalExplorer\command': {
+      'default': {
+        value: command,
+        type: 'REG_SZ'
+      }
+    }
+  };
+
+  return new Promise((resolve, reject) => {
+    regedit.createKey(Object.keys(keys), (err) => {
+      if (err) return reject(err);
+      regedit.putValue(keys, (err) => {
+        if (err) return reject(err);
+        resolve();
+      });
+    });
+  });
+}
+
+export async function uninstallExplorerContextMenu() {
+  if (process.platform !== 'win32') return;
+
+  const keys = [
+    'HKCU\Software\Classes\*\shell\PalExplorer',
+    'HKCU\Software\Classes\Directory\shell\PalExplorer'
+  ];
+
+  return new Promise((resolve, reject) => {
+    regedit.deleteKey(keys, (err) => {
+      if (err) return reject(err);
+      resolve();
+    });
+  });
+}

package/lib/utils/format.js

@@ -0,0 +1,12 @@
+export function formatSize(bytes) {
+  if (bytes == null) return '';
+  if (bytes === 0) return '0 B';
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+  return `${(bytes / (1024 * 1024 * 1024)).toFixed(1)} GB`;
+}
+
+export function formatSpeed(bytesPerSec) {
+  return formatSize(bytesPerSec) + '/s';
+}