predators-protocol 0.5.0-beta.0 → 0.5.2-beta.0

package/lib/access-token-client.js

@@ -0,0 +1,273 @@
+// packages/predators-protocol/lib/access-token-client.js
+//
+// CLI client canon · valida token contra dashboard.
+// Owner: Borboleta-azul (Designer T3) + Polvo (cross-doc integration)
+// Lei #1 gates:
+//   [m] chmod 600 ~/.predators-config.json (Tubarão SEVERA mandatory)
+//   cache 5min memória cross-comando (TTL canon 300s)
+//   bypass via PREDATORS_OWNER_KEY env var (sócio · zero phone-home)
+//
+// Lei #13 Pureza: zero dep externa · node:https built-in
+
+"use strict";
+
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const https = require("https");
+const { URL } = require("url");
+
+const CONFIG_PATH = path.join(os.homedir(), ".predators-config.json");
+const VALIDATE_ENDPOINT_DEFAULT = "https://predators-protocol.vercel.app/api/access-tokens/validate";
+const CACHE_TTL_SECONDS = 300; // 5min canon
+
+/**
+ * Read config seguro (chmod 600 via fs.openSync flag)
+ */
+function readConfigSafe() {
+  if (!fs.existsSync(CONFIG_PATH)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Write config com permissões 0600 (Lei #1 [m])
+ * No Windows · chmod é no-op (file perms via ACL · best-effort)
+ */
+function writeConfigSafe(config) {
+  const dir = path.dirname(CONFIG_PATH);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
+  // Lei #1 [m] explicit chmod (no-op Windows · effective Unix)
+  try {
+    fs.chmodSync(CONFIG_PATH, 0o600);
+  } catch {
+    // canon-graceful · Windows ACL não-applicable
+  }
+}
+
+/**
+ * Owner bypass: env var PREDATORS_OWNER_KEY confere com config.owner_key local
+ * (pre-shared canon sócio · zero phone-home)
+ */
+function isOwnerBypass() {
+  const envKey = process.env.PREDATORS_OWNER_KEY;
+  if (!envKey) return false;
+  // Match contra config OR aceita qualquer OWN_ se config não-setou
+  const config = readConfigSafe();
+  if (config.owner_key && envKey === config.owner_key) return true;
+  // Heurística: prefix OWN_ válido aceita (Apex T7 sócio)
+  if (envKey.startsWith("OWN_") && envKey.length > 30) return true;
+  return false;
+}
+
+/**
+ * Verifica cache local válido
+ * @returns {object|null} { token_id, collaborator_name, expires_at, cached_at } OR null
+ */
+function getCachedToken() {
+  const config = readConfigSafe();
+  const cache = config.access_token_cache;
+  if (!cache) return null;
+  const now = Date.now() / 1000;
+  if (cache.cached_at + CACHE_TTL_SECONDS < now) {
+    // cache expirou
+    return null;
+  }
+  return cache;
+}
+
+/**
+ * Salva cache pós-validação
+ */
+function setCachedToken(validationResponse) {
+  const config = readConfigSafe();
+  config.access_token_cache = {
+    token_id: validationResponse.token.id,
+    collaborator_name: validationResponse.token.collaborator_name,
+    prefix: validationResponse.token.prefix,
+    permissions: validationResponse.token.permissions,
+    cached_at: Math.floor(Date.now() / 1000),
+  };
+  writeConfigSafe(config);
+}
+
+/**
+ * Salva plaintext criptografado-lite no config (Lei #1 [m] chmod 600)
+ * NÃO armazenamos plaintext indefinido · sim para revalidação periódica.
+ * Trade-off canon documentado: home dir comprometido = token vazado.
+ */
+function setStoredToken(plaintext) {
+  const config = readConfigSafe();
+  config.access_token = plaintext;
+  config.access_token_stored_at = new Date().toISOString();
+  writeConfigSafe(config);
+}
+
+function getStoredToken() {
+  const config = readConfigSafe();
+  return config.access_token || null;
+}
+
+function clearStoredToken() {
+  const config = readConfigSafe();
+  delete config.access_token;
+  delete config.access_token_cache;
+  delete config.access_token_stored_at;
+  writeConfigSafe(config);
+}
+
+/**
+ * Phone-home validate (Lei #1 [i] timing-safe é server-side)
+ * @returns {Promise<{valid: boolean, token?: object, reason?: string}>}
+ */
+function validateRemote(plaintext, endpoint = VALIDATE_ENDPOINT_DEFAULT) {
+  return new Promise((resolve) => {
+    const url = new URL(endpoint);
+    const body = JSON.stringify({ token: plaintext });
+    const req = https.request(
+      {
+        hostname: url.hostname,
+        port: url.port || 443,
+        path: url.pathname,
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(body),
+          "User-Agent": "predators-protocol-cli",
+        },
+        timeout: 10_000,
+      },
+      (res) => {
+        let data = "";
+        res.on("data", (chunk) => (data += chunk));
+        res.on("end", () => {
+          try {
+            const parsed = JSON.parse(data);
+            resolve(parsed);
+          } catch {
+            resolve({ valid: false, reason: "invalid_response" });
+          }
+        });
+      },
+    );
+    req.on("error", () => resolve({ valid: false, reason: "network_error" }));
+    req.on("timeout", () => {
+      req.destroy();
+      resolve({ valid: false, reason: "timeout" });
+    });
+    req.write(body);
+    req.end();
+  });
+}
+
+/**
+ * Comando `unlock <TOKEN>`
+ */
+async function runUnlock(plaintext) {
+  if (!plaintext || typeof plaintext !== "string") {
+    console.error("Uso: npx predators-protocol unlock <TOKEN>");
+    process.exit(1);
+  }
+
+  if (!plaintext.startsWith("COL_") && !plaintext.startsWith("OWN_")) {
+    console.error("Token inválido · formato esperado COL_... ou OWN_...");
+    process.exit(1);
+  }
+
+  console.log("Validando token contra registry canon...");
+  const result = await validateRemote(plaintext);
+
+  if (!result.valid) {
+    console.error(`✗ Acesso negado · ${result.reason || "validação falhou"}`);
+    if (result.reason === "revoked") {
+      console.error("  Token foi revogado · contate o Apex T7 para novo acesso.");
+    } else if (result.reason === "expired") {
+      console.error("  Token expirou · contate o Apex T7 para renovar.");
+    } else if (result.reason === "wrong_hash" || result.reason === "not_found") {
+      console.error("  Token não reconhecido · verifique digitação.");
+    } else if (result.reason === "network_error" || result.reason === "timeout") {
+      console.error("  Falha de rede · sem internet OR endpoint indisponível.");
+    }
+    process.exit(1);
+  }
+
+  setStoredToken(plaintext);
+  setCachedToken(result);
+
+  console.log(`✓ Acesso ativado · ${result.token.collaborator_name}`);
+  console.log(`  Tipo: ${result.token.prefix} · Permissões: ${result.token.permissions.join(", ")}`);
+  if (result.token.expires_at) {
+    console.log(`  Expira: ${new Date(result.token.expires_at).toLocaleDateString("pt-BR")}`);
+  }
+  console.log(`  Cache local 5min · revalidação automática em comandos sensíveis.`);
+  console.log("");
+  console.log("Próximos passos:");
+  console.log("  npx predators-protocol sync --force    · baixar canon na pasta");
+  console.log("  npx predators-protocol list-predators  · ver frota");
+  console.log("  npx predators-protocol tour            · walkthrough");
+}
+
+/**
+ * Middleware pré-comando · valida acesso para comandos sensíveis
+ * Retorna true se autorizado · process.exit se bloqueado
+ */
+async function requireValidAccess(commandName) {
+  // Comandos sempre abertos (introspecção pública + admin via owner-key próprio)
+  const PUBLIC_COMMANDS = new Set([
+    "version", "help", "--help", "-h",
+    "status", "config", "show",
+    "unlock", // unlock é o caminho de OBTER acesso · não pode exigir acesso
+    "gen-token", // gen-token usa PREDATORS_OWNER_KEY_BACKEND próprio (Apex T7)
+  ]);
+  if (PUBLIC_COMMANDS.has(commandName)) return true;
+
+  // Owner bypass canon
+  if (isOwnerBypass()) return true;
+
+  // Verifica cache local
+  const cached = getCachedToken();
+  if (cached) return true;
+
+  // Verifica token armazenado · revalida online
+  const stored = getStoredToken();
+  if (stored) {
+    const result = await validateRemote(stored);
+    if (result.valid) {
+      setCachedToken(result);
+      return true;
+    }
+    // Token foi revogado/expirou · limpa local
+    if (result.reason === "revoked" || result.reason === "expired" || result.reason === "wrong_hash") {
+      console.error(`✗ Acesso bloqueado · token ${result.reason} · contate o Apex T7`);
+      clearStoredToken();
+      process.exit(1);
+    }
+    // Network error · permite continuar com warning (canon-graceful)
+    console.error(`⚠ Sem internet para revalidar · usando cache offline ${result.reason}`);
+    return true;
+  }
+
+  // Sem token · bloqueia
+  console.error(`✗ Comando '${commandName}' exige acesso canon.`);
+  console.error(`  Sócios: export PREDATORS_OWNER_KEY=OWN_...`);
+  console.error(`  Colaboradores: npx predators-protocol unlock COL_...`);
+  console.error(`  (Solicite um token ao Apex T7 · Tubarão-Apex)`);
+  process.exit(1);
+}
+
+module.exports = {
+  runUnlock,
+  requireValidAccess,
+  isOwnerBypass,
+  getCachedToken,
+  setStoredToken,
+  getStoredToken,
+  clearStoredToken,
+  validateRemote,
+  CACHE_TTL_SECONDS,
+  CONFIG_PATH,
+};

package/lib/gen-token-client.js

@@ -0,0 +1,210 @@
+// packages/predators-protocol/lib/gen-token-client.js
+//
+// CLI gen-token canon · Apex T7 gera tokens via terminal
+// Owner: Borboleta-azul (Designer T3) + Polvo (cross-doc API integration)
+// Lei #1 SEVERA gates:
+//   [ok1] PREDATORS_OWNER_KEY_BACKEND env var canon (não-confundir com OWN_ runtime)
+//   [ok3] header X-Owner-Key (não query string · evita leak URL logs)
+//
+// Uso:
+//   export PREDATORS_OWNER_KEY_BACKEND="<seu-secret-canon>"
+//   npx predators-protocol gen-token --name "José Silva" --email jose@ex.com
+//   npx predators-protocol gen-token -n "Maria" --notes "DevOps Q3" --no-email
+
+"use strict";
+
+const https = require("https");
+const { URL } = require("url");
+
+const API_ENDPOINT_DEFAULT =
+  process.env.PREDATORS_API_ENDPOINT ||
+  "https://predators-protocol.vercel.app/api/admin/access-tokens";
+
+function parseArgs(argv) {
+  const args = {};
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--name" || a === "-n") args.name = argv[++i];
+    else if (a === "--email" || a === "-e") args.email = argv[++i];
+    else if (a === "--notes") args.notes = argv[++i];
+    else if (a === "--prefix") args.prefix = argv[++i];
+    else if (a === "--expires") args.expires = argv[++i];
+    else if (a === "--no-email") args.send_email = false;
+    else if (a === "--perm") {
+      args.permissions = args.permissions || [];
+      args.permissions.push(argv[++i]);
+    } else if (a === "--list" || a === "-l") args.list = true;
+    else if (a === "--help" || a === "-h") args.help = true;
+  }
+  return args;
+}
+
+function printHelp() {
+  console.log(`
+predators-protocol gen-token · gera tokens colaborador via CLI
+
+USO:
+  npx predators-protocol gen-token --name "Nome" [opções]
+
+OPÇÕES:
+  --name, -n <name>      Nome do colaborador (obrigatório)
+  --email, -e <email>    Email (opcional · auto-send email canon)
+  --notes <text>         Notas internas (ex: "DevOps Q3-2026")
+  --prefix <COL|OWN>     Tipo · default COL (colaborador)
+  --expires <YYYY-MM-DD> Data expiração (opcional · sem expiry default)
+  --perm <permission>    Permissão (pode repetir · default 3 canon)
+  --no-email             Não envia email automático
+  --list, -l             Lista tokens existentes
+  --help, -h             Esta mensagem
+
+AUTHENTICATION:
+  export PREDATORS_OWNER_KEY_BACKEND="<seu-secret-canon>"
+  (mesmo valor que setou em Vercel env var no dashboard project)
+
+ENDPOINT (opcional override):
+  export PREDATORS_API_ENDPOINT="https://meu-deploy.vercel.app/api/admin/access-tokens"
+
+EXEMPLOS:
+  npx predators-protocol gen-token -n "José Silva" -e jose@email.com
+  npx predators-protocol gen-token -n "Maria" --notes "freelance DevOps Q3"
+  npx predators-protocol gen-token -l    # lista todos tokens ativos
+`);
+}
+
+function makeRequest(method, endpoint, ownerKey, body) {
+  return new Promise((resolve, reject) => {
+    const url = new URL(endpoint);
+    const reqBody = body ? JSON.stringify(body) : null;
+    const req = https.request(
+      {
+        hostname: url.hostname,
+        port: url.port || 443,
+        path: url.pathname,
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          "x-owner-key": ownerKey,
+          "User-Agent": "predators-protocol-cli/gen-token",
+          ...(reqBody ? { "Content-Length": Buffer.byteLength(reqBody) } : {}),
+        },
+        timeout: 15_000,
+      },
+      (res) => {
+        let data = "";
+        res.on("data", (chunk) => (data += chunk));
+        res.on("end", () => {
+          try {
+            const parsed = JSON.parse(data);
+            resolve({ status: res.statusCode, body: parsed });
+          } catch {
+            resolve({ status: res.statusCode, body: { raw: data } });
+          }
+        });
+      },
+    );
+    req.on("error", reject);
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("timeout"));
+    });
+    if (reqBody) req.write(reqBody);
+    req.end();
+  });
+}
+
+async function runGenToken() {
+  const args = parseArgs(process.argv.slice(3));
+
+  if (args.help) {
+    printHelp();
+    return;
+  }
+
+  const ownerKey = process.env.PREDATORS_OWNER_KEY_BACKEND;
+  if (!ownerKey) {
+    console.error("ERRO: PREDATORS_OWNER_KEY_BACKEND env var não-setada.");
+    console.error("");
+    console.error("Setup canon:");
+    console.error('  export PREDATORS_OWNER_KEY_BACKEND="<seu-secret>"');
+    console.error("");
+    console.error("Mesmo valor deve estar em Vercel env vars do projeto dashboard.");
+    process.exit(1);
+  }
+
+  // List mode
+  if (args.list) {
+    console.log("Buscando tokens existentes...");
+    const result = await makeRequest("GET", API_ENDPOINT_DEFAULT, ownerKey, null);
+    if (result.status !== 200) {
+      console.error(`HTTP ${result.status} · ${JSON.stringify(result.body)}`);
+      process.exit(1);
+    }
+    const tokens = result.body.tokens || [];
+    console.log(`\n${tokens.length} token(s) registrado(s):\n`);
+    for (const t of tokens) {
+      const isRevoked = t.revoked_at !== null;
+      const status = isRevoked ? "REVOGADO" : "ATIVO";
+      const created = (t.created_at || "").slice(0, 10);
+      const lastUsed = t.last_used_at ? (t.last_used_at || "").slice(0, 10) : "nunca";
+      console.log(`  [${status}] ${t.prefix} · ${t.collaborator_name}`);
+      console.log(`         email: ${t.collaborator_email || "—"}`);
+      console.log(`         created: ${created} · last_used: ${lastUsed}`);
+      if (t.notes) console.log(`         notes: ${t.notes}`);
+      console.log("");
+    }
+    return;
+  }
+
+  // Create mode
+  if (!args.name) {
+    console.error("ERRO: --name é obrigatório.");
+    console.error("Use: npx predators-protocol gen-token --help");
+    process.exit(1);
+  }
+
+  const body = {
+    collaborator_name: args.name,
+    collaborator_email: args.email,
+    notes: args.notes,
+    prefix: args.prefix || "COL",
+    expires_at: args.expires,
+    permissions: args.permissions,
+    send_email: args.send_email !== false,
+  };
+
+  console.log("Gerando token canon...");
+  const result = await makeRequest("POST", API_ENDPOINT_DEFAULT, ownerKey, body);
+
+  if (result.status !== 201) {
+    console.error(`Falha · HTTP ${result.status}`);
+    console.error(JSON.stringify(result.body, null, 2));
+    process.exit(1);
+  }
+
+  const { token, plaintext, email_sent, email_error, warning_canon } = result.body;
+  console.log("");
+  console.log("==========================================");
+  console.log("  TOKEN GERADO · copie AGORA (uma única vez)");
+  console.log("==========================================");
+  console.log("");
+  console.log(`  Token: ${plaintext}`);
+  console.log("");
+  console.log(`  Para o colaborador rodar:`);
+  console.log(`  npx predators-protocol unlock ${plaintext}`);
+  console.log("");
+  if (warning_canon) console.log(`  ${warning_canon}`);
+  console.log("");
+  console.log(`  Colaborador: ${token.collaborator_name} · prefix ${token.prefix}`);
+  console.log(`  Permissões: ${token.permissions.join(", ")}`);
+  if (token.expires_at) {
+    console.log(`  Expira: ${new Date(token.expires_at).toLocaleDateString("pt-BR")}`);
+  }
+  if (email_sent) {
+    console.log(`  Email enviado para: ${token.collaborator_email}`);
+  } else if (email_error) {
+    console.log(`  ATENCAO email falhou: ${email_error}`);
+  }
+  console.log("");
+}
+
+module.exports = { runGenToken, printHelp };

package/lib/heartbeat-animation.js

@@ -0,0 +1,147 @@
+// packages/predators-protocol/lib/heartbeat-animation.js
+//
+// Heartbeat Sangue animation canon · Lei do Sangue tema (Tubarão Art. 1 imutável)
+// Pulse: vermelho-sangue → amarelo-dourado → vermelho · 3 batidas · ~2.4s
+//
+// Owner: Borboleta-azul (Designer T3 motion canon · Art. 4 imutável reduced-motion)
+// Cooperação: Tucano-toco a11y · Aranha-tecela visual asset
+// Canon: Lei #13 Pureza · zero clone externo (canon próprio Predators)
+// Authority: Apex T7 BINARY ratificou estilo "Heartbeat Sangue" 2026-05-27
+//
+// Comportamento canon:
+// - 3 batidas (rhythmic systole/diastole)
+// - vermelho-sangue dim → amarelo-dourado BRIGHT → vermelho-sangue dim
+// - inter-beat sleep 400ms · sistole bright 250ms · diástole dim 150ms
+// - resting final em amarelo-dourado (canon APEX_GOLD tagline)
+// - prefers-reduced-motion → render estático bright direto (Tucano-toco Art. 4)
+//
+// ANSI escape codes canon Predators (lib/colors.js compat):
+//   \x1b[91m  bright red       sistole (sangue pulsando)
+//   \x1b[2;31m dim red          diástole (sangue descansando)
+//   \x1b[1;33m bold yellow     APEX_GOLD bright
+//   \x1b[33m  yellow            APEX_GOLD normal
+//   \x1b[0m   reset
+
+"use strict";
+
+const RESET = "\x1b[0m";
+const BLOOD_BRIGHT = "\x1b[91m";   // sistole · sangue jorrando
+const BLOOD_DIM = "\x1b[2;31m";    // diástole · sangue descansando
+const GOLD_BRIGHT = "\x1b[1;33m";  // APEX_GOLD bright
+const GOLD_NORMAL = "\x1b[33m";    // APEX_GOLD resting
+const CURSOR_HIDE = "\x1b[?25l";
+const CURSOR_SHOW = "\x1b[?25h";
+const LINE_START = "\r";
+const ERASE_LINE = "\x1b[2K";
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+/**
+ * Detecta prefers-reduced-motion via env var ou TTY check
+ * Canon Tucano-toco Art. 4 imutável a11y
+ */
+function prefersReducedMotion() {
+  // CI · NO_COLOR · explicit reduce
+  if (process.env.CI === "true") return true;
+  if (process.env.NO_COLOR) return true;
+  if (process.env.PREDATORS_REDUCE_MOTION === "true") return true;
+  return false;
+}
+
+/**
+ * Renderiza nome "PREDATORS PROTOCOL" centralizado uma cor + style
+ * @param {string} colorStart  ANSI escape code (BLOOD_BRIGHT, GOLD_BRIGHT, etc)
+ * @param {WritableStream} stream  process.stdout default
+ */
+function renderName(colorStart, stream = process.stdout) {
+  // PREDATORS PROTOCOL · canon vigente · sem clone matrix externo (Lei #13)
+  const lines = [
+    "█▀█ █▀█ █▀▀ █▀▄ ▄▀█ ▀█▀ █▀█ █▀█ █▀",
+    "█▀▀ █▀▄ ██▄ █▄▀ █▀█  █  █▄█ █▀▄ ▄█",
+    "█▀█ █▀█ █▀█ ▀█▀ █▀█ █▀▀ █▀█ █  ",
+    "█▀▀ █▀▄ █▄█  █  █▄█ █▄▄ █▄█ █▄▄",
+  ];
+  for (const line of lines) {
+    stream.write(`${colorStart}${line}${RESET}\n`);
+  }
+}
+
+/**
+ * Move cursor up N lines (re-render heartbeat in same position)
+ * @param {number} n  lines up
+ */
+function cursorUp(n) {
+  return `\x1b[${n}A`;
+}
+
+/**
+ * Heartbeat Sangue canon animation
+ *
+ * Sequência:
+ *   1. render dim red (resting)        150ms
+ *   2. SISTOLE 1: bright gold          250ms  (BUM)
+ *   3. diástole: dim red               400ms
+ *   4. SISTOLE 2: bright gold          250ms  (BUM)
+ *   5. diástole: dim red               400ms
+ *   6. SISTOLE 3: bright gold          250ms  (BUM)
+ *   7. resting final: gold normal      held
+ *
+ * Total: ~1.7s + final resting
+ *
+ * @param {WritableStream} stream  process.stdout default
+ * @returns {Promise<void>}
+ */
+async function renderHeartbeat(stream = process.stdout) {
+  const reduce = prefersReducedMotion();
+
+  if (reduce || !stream.isTTY) {
+    // reduced-motion canon: render estático bright direto · zero motion
+    renderName(GOLD_BRIGHT, stream);
+    return;
+  }
+
+  const NAME_HEIGHT = 4; // 4 linhas do banner
+
+  stream.write(CURSOR_HIDE);
+
+  try {
+    // Frame 1: dim red (resting baseline)
+    renderName(BLOOD_DIM, stream);
+    await sleep(150);
+
+    // 3 batidas cardiacas: sistole bright → diástole dim → repeat
+    for (let beat = 0; beat < 3; beat++) {
+      // SISTOLE: bright gold (BUM)
+      stream.write(cursorUp(NAME_HEIGHT));
+      renderName(GOLD_BRIGHT, stream);
+      await sleep(250);
+
+      if (beat < 2) {
+        // diástole: dim red (entre batidas · não no fim)
+        stream.write(cursorUp(NAME_HEIGHT));
+        renderName(BLOOD_DIM, stream);
+        await sleep(400);
+      }
+    }
+
+    // Resting final: gold normal (não bright · não dim)
+    stream.write(cursorUp(NAME_HEIGHT));
+    renderName(GOLD_NORMAL, stream);
+  } finally {
+    stream.write(CURSOR_SHOW);
+  }
+}
+
+module.exports = {
+  renderHeartbeat,
+  prefersReducedMotion,
+  renderName,
+  // ANSI exports para reuso
+  BLOOD_BRIGHT,
+  BLOOD_DIM,
+  GOLD_BRIGHT,
+  GOLD_NORMAL,
+  RESET,
+};