quadwork 1.19.2 → 2.0.0

package/server/__tests__/v1110-security-qa.test.js

@@ -1,312 +0,0 @@
-/**
- * #549: QA verification for v1.11.0 security hardening.
- *
- * Covers PRs #543, #546, #547, #548:
- *  - #543: execFileSync refactor (no shell interpolation)
- *  - #546: Next.js upgrade to 16.2.4
- *  - #547: File/directory permission hardening (0o700/0o600)
- *  - #548: WebSocket resize input validation
- *
- * Integration-level items (wizard flow, browser open, AC start,
- * multi-tab WS) require a live server and are verified by code-path
- * analysis in the PR description.
- */
-
-const assert = require("assert");
-const fs = require("fs");
-const path = require("path");
-
-let passed = 0;
-let failed = 0;
-
-function test(name, fn) {
-  try {
-    fn();
-    passed++;
-    console.log(`  PASS  ${name}`);
-  } catch (e) {
-    failed++;
-    console.error(`  FAIL  ${name}`);
-    console.error(`        ${e.message}`);
-  }
-}
-
-const ROOT = path.resolve(__dirname, "../..");
-const SERVER_DIR = path.resolve(__dirname, "..");
-
-console.log("\n#549 QA — v1.11.0 security hardening\n");
-
-// ============================================================================
-// PR #543 — execFileSync refactor
-// ============================================================================
-
-console.log("--- PR #543: execFileSync refactor ---\n");
-
-test("bin/quadwork.js has no execSync import", () => {
-  const src = fs.readFileSync(path.join(ROOT, "bin/quadwork.js"), "utf-8");
-  // execFileSync is OK, execSync is not
-  const lines = src.split("\n");
-  const badLines = lines.filter(
-    (l) => /\bexecSync\b/.test(l) && !/execFileSync/.test(l)
-  );
-  assert.strictEqual(badLines.length, 0, `Found execSync: ${badLines[0]}`);
-});
-
-test("server/index.js has no execSync import", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  const lines = src.split("\n");
-  const badLines = lines.filter(
-    (l) => /\bexecSync\b/.test(l) && !/execFileSync/.test(l)
-  );
-  assert.strictEqual(badLines.length, 0, `Found execSync: ${badLines[0]}`);
-});
-
-test("server/install-agentchattr.js has no execSync import", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "install-agentchattr.js"), "utf-8");
-  const lines = src.split("\n");
-  const badLines = lines.filter(
-    (l) => /\bexecSync\b/.test(l) && !/execFileSync/.test(l)
-  );
-  assert.strictEqual(badLines.length, 0, `Found execSync: ${badLines[0]}`);
-});
-
-test("scripts/e2e-per-project.js has no execSync import", () => {
-  const src = fs.readFileSync(path.join(ROOT, "scripts/e2e-per-project.js"), "utf-8");
-  const lines = src.split("\n");
-  const badLines = lines.filter(
-    (l) => /\bexecSync\b/.test(l) && !/execFileSync/.test(l)
-  );
-  assert.strictEqual(badLines.length, 0, `Found execSync: ${badLines[0]}`);
-});
-
-test("bin/quadwork.js run() uses execFileSync with array args", () => {
-  const src = fs.readFileSync(path.join(ROOT, "bin/quadwork.js"), "utf-8");
-  assert(src.includes("function run(cmd, args = [], opts = {})"), "run() signature should accept array args");
-  assert(src.includes("execFileSync(cmd, args,"), "run() should call execFileSync with cmd, args");
-});
-
-test("bin/quadwork.js which() uses run() with array args", () => {
-  const src = fs.readFileSync(path.join(ROOT, "bin/quadwork.js"), "utf-8");
-  assert(src.includes('run("which", [cmd])'), "which() should use array args");
-});
-
-test("bin/quadwork.js browser-open uses execFileSync (no shell)", () => {
-  const src = fs.readFileSync(path.join(ROOT, "bin/quadwork.js"), "utf-8");
-  // Windows path: cmd /c start
-  assert(src.includes('execFileSync("cmd", ["/c", "start"'), "Windows browser open should use execFileSync");
-  // macOS/Linux: open or xdg-open
-  assert(src.includes('execFileSync(process.platform === "darwin" ? "open" : "xdg-open"'), "macOS/Linux browser open should use execFileSync");
-});
-
-test("server/index.js isCliInstalled uses execFileSync", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  assert(src.includes('execFileSync("which", [cmd]'), "isCliInstalled should use execFileSync");
-});
-
-test("server/index.js killProcessOnPort uses execFileSync", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  assert(src.includes('execFileSync("lsof", ["-ti"'), "killProcessOnPort should use execFileSync");
-});
-
-// ============================================================================
-// PR #546 — Next.js upgrade
-// ============================================================================
-
-console.log("\n--- PR #546: Next.js upgrade ---\n");
-
-test("package.json specifies Next.js >= 16.2.4 (not vulnerable 16.2.1-16.2.3)", () => {
-  const pkg = JSON.parse(fs.readFileSync(path.join(ROOT, "package.json"), "utf-8"));
-  const nextVersion = pkg.dependencies?.next || "";
-  // Strip leading ^ or ~ for comparison
-  const bare = nextVersion.replace(/^[~^]+/, "");
-  const [major, minor, patch] = bare.split(".").map(Number);
-  assert(
-    major > 16 || (major === 16 && minor > 2) || (major === 16 && minor === 2 && patch >= 4),
-    `Expected next >= 16.2.4, got ${nextVersion}`
-  );
-});
-
-test("package-lock.json has Next.js 16.2.4+ (resolved version)", () => {
-  const lock = JSON.parse(fs.readFileSync(path.join(ROOT, "package-lock.json"), "utf-8"));
-  const nextPkg = lock.packages?.["node_modules/next"];
-  assert(nextPkg, "next should be in package-lock.json");
-  const version = nextPkg.version;
-  const [major, minor, patch] = version.split(".").map(Number);
-  assert(
-    major > 16 || (major === 16 && minor > 2) || (major === 16 && minor === 2 && patch >= 4),
-    `Expected >= 16.2.4, got ${version}`
-  );
-});
-
-test("next build succeeds (runs build from scratch)", () => {
-  // Actually run the build to verify Next.js 16.2.4 works.
-  const { execFileSync } = require("child_process");
-  try {
-    execFileSync("npx", ["next", "build"], {
-      cwd: ROOT,
-      stdio: "pipe",
-      timeout: 120000,
-    });
-  } catch (e) {
-    assert.fail(`next build failed: ${e.stderr?.toString().slice(-500) || e.message}`);
-  }
-  const outIndex = path.join(ROOT, "out", "index.html");
-  assert(fs.existsSync(outIndex), "out/index.html should exist after build");
-});
-
-// ============================================================================
-// PR #547 — File/directory permission hardening
-// ============================================================================
-
-console.log("\n--- PR #547: File/directory permission hardening ---\n");
-
-test("server/config.js exports ensureSecureDir", () => {
-  const config = require(path.join(SERVER_DIR, "config.js"));
-  assert(typeof config.ensureSecureDir === "function", "ensureSecureDir should be exported");
-});
-
-test("server/config.js exports writeSecureFile", () => {
-  const config = require(path.join(SERVER_DIR, "config.js"));
-  assert(typeof config.writeSecureFile === "function", "writeSecureFile should be exported");
-});
-
-test("server/config.js exports writeConfig", () => {
-  const config = require(path.join(SERVER_DIR, "config.js"));
-  assert(typeof config.writeConfig === "function", "writeConfig should be exported");
-});
-
-test("ensureSecureDir creates dir with 0o700", () => {
-  const { ensureSecureDir } = require(path.join(SERVER_DIR, "config.js"));
-  const tmpDir = path.join(require("os").tmpdir(), `qw-qa-test-${Date.now()}`);
-  try {
-    ensureSecureDir(tmpDir);
-    const stat = fs.statSync(tmpDir);
-    assert(stat.isDirectory(), "should be a directory");
-    assert.strictEqual(stat.mode & 0o777, 0o700, `expected 0o700, got ${(stat.mode & 0o777).toString(8)}`);
-  } finally {
-    try { fs.rmdirSync(tmpDir); } catch {}
-  }
-});
-
-test("writeSecureFile creates file with 0o600", () => {
-  const { writeSecureFile } = require(path.join(SERVER_DIR, "config.js"));
-  const tmpFile = path.join(require("os").tmpdir(), `qw-qa-test-${Date.now()}.txt`);
-  try {
-    writeSecureFile(tmpFile, "test content");
-    const stat = fs.statSync(tmpFile);
-    assert(stat.isFile(), "should be a file");
-    assert.strictEqual(stat.mode & 0o777, 0o600, `expected 0o600, got ${(stat.mode & 0o777).toString(8)}`);
-    assert.strictEqual(fs.readFileSync(tmpFile, "utf-8"), "test content");
-  } finally {
-    try { fs.unlinkSync(tmpFile); } catch {}
-  }
-});
-
-test("server/index.js imports ensureSecureDir and writeSecureFile", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  assert(src.includes("ensureSecureDir"), "should import ensureSecureDir");
-  assert(src.includes("writeSecureFile"), "should import writeSecureFile");
-  assert(src.includes("writeConfig"), "should import writeConfig");
-});
-
-test("server/routes.js imports ensureSecureDir and writeSecureFile", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "routes.js"), "utf-8");
-  assert(src.includes("ensureSecureDir"), "should import ensureSecureDir");
-  assert(src.includes("writeSecureFile"), "should import writeSecureFile");
-  assert(src.includes("writeConfig"), "should import writeConfig");
-});
-
-test("no raw mkdirSync without mode in server files", () => {
-  const files = ["index.js", "routes.js", "config.js"];
-  for (const file of files) {
-    const src = fs.readFileSync(path.join(SERVER_DIR, file), "utf-8");
-    const lines = src.split("\n");
-    const badLines = lines.filter(
-      (l) =>
-        /fs\.mkdirSync\(/.test(l) &&
-        !l.includes("mode:") &&
-        !l.includes("ensureSecureDir") &&
-        !l.trim().startsWith("//")
-    );
-    assert.strictEqual(
-      badLines.length,
-      0,
-      `${file} has raw mkdirSync without mode: ${badLines[0]}`
-    );
-  }
-});
-
-test("bin/quadwork.js uses ensureSecureDir for directory creation", () => {
-  const src = fs.readFileSync(path.join(ROOT, "bin/quadwork.js"), "utf-8");
-  assert(src.includes("ensureSecureDir"), "bin/quadwork.js should use ensureSecureDir");
-});
-
-test("install-agentchattr.js uses mode: 0o700 for mkdirSync", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "install-agentchattr.js"), "utf-8");
-  const lines = src.split("\n");
-  const mkdirLines = lines.filter((l) => /fs\.mkdirSync\(/.test(l) && !l.trim().startsWith("//"));
-  for (const line of mkdirLines) {
-    assert(line.includes("mode: 0o700"), `Missing mode: 0o700 in: ${line.trim()}`);
-  }
-});
-
-test("install-agentchattr.js uses mode: 0o600 for writeFileSync (security-sensitive files)", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "install-agentchattr.js"), "utf-8");
-  const lines = src.split("\n");
-  const writeLines = lines.filter(
-    (l) =>
-      /fs\.writeFileSync\(/.test(l) &&
-      !l.trim().startsWith("//") &&
-      // CSS/JS patches are non-sensitive (cosmetic overrides to AC UI)
-      !l.includes("cssPath") &&
-      !l.includes("jsPath")
-  );
-  for (const line of writeLines) {
-    assert(line.includes("mode: 0o600"), `Missing mode: 0o600 in: ${line.trim()}`);
-  }
-});
-
-// ============================================================================
-// PR #548 — WebSocket resize validation
-// ============================================================================
-
-console.log("\n--- PR #548: WebSocket resize validation ---\n");
-
-test("server/index.js has typeof number check for resize cols", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  assert(src.includes('typeof parsed.cols === "number"'), "should check typeof cols");
-});
-
-test("server/index.js has typeof number check for resize rows", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  assert(src.includes('typeof parsed.rows === "number"'), "should check typeof rows");
-});
-
-test("server/index.js validates Number.isFinite for resize", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  assert(src.includes("Number.isFinite(parsed.cols)"), "should validate isFinite for cols");
-  assert(src.includes("Number.isFinite(parsed.rows)"), "should validate isFinite for rows");
-});
-
-test("server/index.js bounds-checks resize to 1-500", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  assert(src.includes("parsed.cols >= 1"), "should lower-bound cols");
-  assert(src.includes("parsed.cols <= 500"), "should upper-bound cols");
-  assert(src.includes("parsed.rows >= 1"), "should lower-bound rows");
-  assert(src.includes("parsed.rows <= 500"), "should upper-bound rows");
-});
-
-test("resize validation is inside the resize handler block", () => {
-  const src = fs.readFileSync(path.join(SERVER_DIR, "index.js"), "utf-8");
-  // Verify the validation is between 'parsed.type === "resize"' and 'session.term.resize'
-  const resizeIdx = src.indexOf('parsed.type === "resize"');
-  const termResizeIdx = src.indexOf("session.term.resize(parsed.cols, parsed.rows)");
-  const typeofIdx = src.indexOf('typeof parsed.cols === "number"');
-  assert(resizeIdx > 0 && termResizeIdx > resizeIdx && typeofIdx > resizeIdx && typeofIdx < termResizeIdx,
-    "validation should be between resize type check and term.resize call");
-});
-
-// ============================================================================
-
-console.log(`\nResults: ${passed} passed, ${failed} failed, ${passed + failed} total\n`);
-process.exit(failed > 0 ? 1 : 0);

package/server/agentchattr-registry.js

@@ -1,188 +0,0 @@
-/**
- * AgentChattr registration helper (#238).
- *
- * Talks to a per-project AgentChattr instance's registration API to obtain
- * per-agent tokens for MCP auth. Each function takes serverPort explicitly
- * so the helper is project-agnostic.
- *
- * Reference: /Users/cho/Projects/agentchattr/wrapper.py _register_instance.
- */
-
-const DEFAULT_TIMEOUT_MS = 5000;
-
-// Tokens returned from registerAgent are cached per (port, name) so the
-// two-arg deregisterAgent(serverPort, name) form from the #238 contract
-// works without the caller having to thread the token through.
-const _tokenCache = new Map();
-
-function fetchWithTimeout(url, opts = {}, timeoutMs = DEFAULT_TIMEOUT_MS) {
-  const ctrl = new AbortController();
-  const t = setTimeout(() => ctrl.abort(), timeoutMs);
-  return fetch(url, { ...opts, signal: ctrl.signal }).finally(() => clearTimeout(t));
-}
-
-/**
- * Poll GET / on the AgentChattr server until it responds 200, or until
- * timeoutMs elapses. Returns true on success, false on timeout.
- */
-async function waitForAgentChattrReady(serverPort, timeoutMs = 10000) {
-  const deadline = Date.now() + timeoutMs;
-  while (Date.now() < deadline) {
-    try {
-      const r = await fetchWithTimeout(`http://127.0.0.1:${serverPort}/`, {}, 2000);
-      if (r.ok) return true;
-    } catch {
-      // not ready yet
-    }
-    await new Promise((res) => setTimeout(res, 250));
-  }
-  return false;
-}
-
-/**
- * Register an agent with AgentChattr. Returns {name, token, slot} on
- * success, null on failure (with registerAgent.lastError populated).
- */
-async function registerAgent(serverPort, base, label = null, { force = false } = {}) {
-  registerAgent.lastError = null;
-  try {
-    const r = await fetchWithTimeout(
-      `http://127.0.0.1:${serverPort}/api/register`,
-      {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ base, label, force }),
-      },
-    );
-    if (!r.ok) {
-      registerAgent.lastError = `register ${base}: HTTP ${r.status}`;
-      return null;
-    }
-    const data = await r.json();
-    if (!data || !data.name || !data.token) {
-      registerAgent.lastError = `register ${base}: malformed response`;
-      return null;
-    }
-    _tokenCache.set(`${serverPort}:${data.name}`, data.token);
-    return { name: data.name, token: data.token, slot: data.slot };
-  } catch (err) {
-    registerAgent.lastError = `register ${base}: ${err.message || err}`;
-    return null;
-  }
-}
-registerAgent.lastError = null;
-
-/**
- * Best-effort deregister. Failures are non-fatal (e.g. AgentChattr already
- * shut down). Returns true on a 2xx response, false otherwise.
- *
- * AgentChattr's /api/deregister/{name} requires the agent's own bearer
- * token for "family" names (head/dev/re1/re2) — see
- * app.py:2123-2135. The token is looked up automatically from the cache
- * populated by registerAgent; an explicit token may be passed as a third
- * argument to override (e.g. recovering a session).
- */
-async function deregisterAgent(serverPort, name, token) {
-  try {
-    const headers = {};
-    const tok = token || _tokenCache.get(`${serverPort}:${name}`);
-    if (tok) headers["Authorization"] = `Bearer ${tok}`;
-    const r = await fetchWithTimeout(
-      `http://127.0.0.1:${serverPort}/api/deregister/${encodeURIComponent(name)}`,
-      { method: "POST", headers },
-    );
-    if (r.ok) _tokenCache.delete(`${serverPort}:${name}`);
-    return r.ok;
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Start a per-agent heartbeat that POSTs /api/heartbeat/{name} every 5s
- * with bearer auth. AgentChattr considers an agent crashed and removes
- * it after ~120s without a heartbeat, so without this every registered
- * QuadWork agent silently disappears from the channel one minute after
- * registration.
- *
- * `getName` and `getToken` are read on every tick (either as plain
- * values or as zero-arg functions) so the sub-D 409 recovery path can
- * swap them in place after re-registration without restarting the
- * interval. Pass an `onConflict` callback to handle 409 responses
- * (AgentChattr restart wiped the in-memory registry — re-register and
- * the next tick will use the new credentials). Other errors are
- * swallowed.
- *
- * Returns an opaque handle suitable for stopHeartbeat.
- *
- * Reference: /Users/cho/Projects/agentchattr/wrapper.py lines 715-744.
- */
-function startHeartbeat(serverPort, getName, getToken, { onConflict, intervalMs = 5000 } = {}) {
-  // Sub-D guard: avoid re-entering onConflict while a previous recovery
-  // attempt is still in flight. Without this, a slow re-register would
-  // be triggered once per 5s tick and stack up duplicate registrations.
-  let recovering = false;
-  const resolve = (v) => (typeof v === "function" ? v() : v);
-  const tick = async () => {
-    const name = resolve(getName);
-    const token = resolve(getToken);
-    if (!name) return;
-    const url = `http://127.0.0.1:${serverPort}/api/heartbeat/${encodeURIComponent(name)}`;
-    try {
-      const r = await fetchWithTimeout(
-        url,
-        { method: "POST", headers: token ? { Authorization: `Bearer ${token}` } : {} },
-        DEFAULT_TIMEOUT_MS,
-      );
-      if (r.status === 409 && typeof onConflict === "function" && !recovering) {
-        recovering = true;
-        try {
-          await onConflict();
-        } catch {
-          // recovery is best-effort; next tick retries on its own
-        } finally {
-          recovering = false;
-        }
-      }
-    } catch {
-      // swallow — next tick will retry
-    }
-  };
-  // Fire one immediately so a fresh agent is held alive without waiting
-  // a full interval, then poll on the timer.
-  tick();
-  const handle = setInterval(tick, intervalMs);
-  return handle;
-}
-
-/**
- * Stop a heartbeat started by startHeartbeat. Safe to call with null.
- */
-function stopHeartbeat(handle) {
-  if (handle) clearInterval(handle);
-}
-
-/**
- * Register an agent with retries and exponential backoff.
- * Returns {name, token, slot} on success, null after all attempts fail.
- * Uses registerAgent internally so registerAgent.lastError is populated.
- */
-async function registerAgentWithRetry(serverPort, base, label = null, { force = false, attempts = 3, delayMs = 2000 } = {}) {
-  for (let i = 0; i < attempts; i++) {
-    const result = await registerAgent(serverPort, base, label, { force });
-    if (result) return result;
-    if (i < attempts - 1) {
-      await new Promise((res) => setTimeout(res, delayMs * Math.pow(2, i)));
-    }
-  }
-  return null;
-}
-
-module.exports = {
-  waitForAgentChattrReady,
-  registerAgent,
-  registerAgentWithRetry,
-  deregisterAgent,
-  startHeartbeat,
-  stopHeartbeat,
-};

package/server/install-agentchattr.patchCrashTimeout.test.js

@@ -1,71 +0,0 @@
-// #629: patchCrashTimeout tests. Plain node:assert — run with
-// `node server/install-agentchattr.patchCrashTimeout.test.js`.
-
-const assert = require("node:assert/strict");
-const fs = require("fs");
-const path = require("path");
-const os = require("os");
-const { patchCrashTimeout } = require("./install-agentchattr");
-
-const UNPATCHED_APP_PY = [
-  "import time",
-  "",
-  "# Crash timeout: if a wrapper hasn't heartbeated for 60s,",
-  "# consider it dead and deregister.",
-  "_CRASH_TIMEOUT = 15",
-  "",
-  "def check_heartbeats():",
-  "    now = time.time()",
-  "    for name, last_seen in list(_heartbeats.items()):",
-  "        if last_seen > 0 and now - last_seen > _CRASH_TIMEOUT:",
-  '            log.info(f"Crash timeout: deregistering {name} (no heartbeat for {_CRASH_TIMEOUT}s)")',
-].join("\n");
-
-const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "qw-test-629-"));
-
-function setup(content) {
-  const dir = fs.mkdtempSync(path.join(tmpDir, "ac-"));
-  if (content !== undefined) {
-    fs.writeFileSync(path.join(dir, "app.py"), content);
-  }
-  return dir;
-}
-
-// 1) Patches _CRASH_TIMEOUT from 15 to 120
-{
-  const dir = setup(UNPATCHED_APP_PY);
-  patchCrashTimeout(dir);
-  const result = fs.readFileSync(path.join(dir, "app.py"), "utf-8");
-  assert.ok(result.includes("_CRASH_TIMEOUT = 120"), "timeout patched to 120");
-  assert.ok(!result.includes("_CRASH_TIMEOUT = 15"), "old value removed");
-  assert.ok(result.includes("heartbeated for 120s"), "comment updated");
-  assert.ok(!result.includes("heartbeated for 60s"), "old comment removed");
-}
-
-// 2) Idempotent — already-patched file is untouched
-{
-  const dir = setup(UNPATCHED_APP_PY.replace("_CRASH_TIMEOUT = 15", "_CRASH_TIMEOUT = 120")
-    .replace("heartbeated for 60s", "heartbeated for 120s"));
-  const before = fs.readFileSync(path.join(dir, "app.py"), "utf-8");
-  patchCrashTimeout(dir);
-  const after = fs.readFileSync(path.join(dir, "app.py"), "utf-8");
-  assert.equal(before, after, "already-patched file unchanged");
-}
-
-// 3) No app.py — no crash
-{
-  const dir = setup();
-  patchCrashTimeout(dir);
-  assert.ok(!fs.existsSync(path.join(dir, "app.py")), "no file created");
-}
-
-// 4) Null/undefined dir — no crash
-{
-  patchCrashTimeout(null);
-  patchCrashTimeout(undefined);
-}
-
-// Cleanup
-fs.rmSync(tmpDir, { recursive: true, force: true });
-
-console.log("patchCrashTimeout: all tests passed");