seabox 0.1.0-beta.1

package/lib/fetch-node.js

@@ -0,0 +1,177 @@
+/**
+ * fetch-node.js
+ * Download target Node.js binary for SEA injection.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+const { pipeline } = require('stream');
+const { promisify } = require('util');
+
+const pipelineAsync = promisify(pipeline);
+
+/**
+ * Construct the Node.js download URL for a given target.
+ * @param {string} nodeVersion - e.g., "24.11.0"
+ * @param {string} platform - e.g., "win", "linux", "darwin"
+ * @param {string} arch - e.g., "x64", "arm64"
+ * @returns {string}
+ */
+function getNodeDownloadUrl(nodeVersion, platform, arch) {
+  const baseUrl = 'https://nodejs.org/dist';
+  
+  // Map platform names to Node.js naming
+  const platformMap = {
+    win32: 'win',
+    linux: 'linux',
+    darwin: 'darwin'
+  };
+  
+  const mappedPlatform = platformMap[platform] || platform;
+  
+  // Construct filename
+  let filename;
+  if (mappedPlatform === 'win') {
+    filename = `node-v${nodeVersion}-${mappedPlatform}-${arch}.zip`;
+  } else {
+    filename = `node-v${nodeVersion}-${mappedPlatform}-${arch}.tar.gz`;
+  }
+  
+  return `${baseUrl}/v${nodeVersion}/${filename}`;
+}
+
+/**
+ * Download a file from a URL to a local path.
+ * @param {string} url
+ * @param {string} outputPath
+ * @returns {Promise<void>}
+ */
+async function downloadFile(url, outputPath) {
+  return new Promise((resolve, reject) => {
+    https.get(url, response => {
+      if (response.statusCode === 302 || response.statusCode === 301) {
+        // Follow redirect
+        return downloadFile(response.headers.location, outputPath)
+          .then(resolve)
+          .catch(reject);
+      }
+      
+      if (response.statusCode !== 200) {
+        reject(new Error(`HTTP ${response.statusCode}: ${url}`));
+        return;
+      }
+
+      const file = fs.createWriteStream(outputPath);
+      pipelineAsync(response, file)
+        .then(resolve)
+        .catch(reject);
+    }).on('error', reject);
+  });
+}
+
+/**
+ * Extract node.exe or node binary from downloaded archive.
+ * @param {string} archivePath - Path to .zip or .tar.gz
+ * @param {string} outputDir - Directory to extract to
+ * @param {string} platform - Platform identifier
+ * @returns {Promise<string>} - Path to extracted node binary
+ */
+async function extractNodeBinary(archivePath, outputDir, platform) {
+  const AdmZip = require('adm-zip');
+  const tar = require('tar');
+
+  if (platform === 'win32') {
+    // Extract from ZIP
+    const zip = new AdmZip(archivePath);
+    zip.extractAllTo(outputDir, true);
+    
+    // Find node.exe in the extracted directory structure
+    const extracted = fs.readdirSync(outputDir);
+    for (const item of extracted) {
+      const itemPath = path.join(outputDir, item);
+      if (fs.statSync(itemPath).isDirectory()) {
+        const nodeExePath = path.join(itemPath, 'node.exe');
+        if (fs.existsSync(nodeExePath)) {
+          const finalPath = path.join(outputDir, 'node.exe');
+          fs.renameSync(nodeExePath, finalPath);
+          // Clean up extracted directory
+          fs.rmSync(itemPath, { recursive: true, force: true });
+          return finalPath;
+        }
+      }
+    }
+    
+    throw new Error('node.exe not found in archive');
+  } else {
+    // Extract from tar.gz
+    await tar.extract({
+      file: archivePath,
+      cwd: outputDir,
+      filter: (p) => p.endsWith('/bin/node')
+    });
+
+    // Find the extracted node binary
+    const extracted = fs.readdirSync(outputDir);
+    for (const dir of extracted) {
+      const nodePath = path.join(outputDir, dir, 'bin', 'node');
+      if (fs.existsSync(nodePath)) {
+        const finalPath = path.join(outputDir, 'node');
+        fs.renameSync(nodePath, finalPath);
+        fs.chmodSync(finalPath, 0o755);
+        return finalPath;
+      }
+    }
+
+    throw new Error('node binary not found in archive');
+  }
+}
+
+/**
+ * Fetch and prepare a Node.js binary for SEA injection.
+ * @param {string} nodeVersion
+ * @param {string} platform
+ * @param {string} arch
+ * @param {string} cacheDir - Directory to cache downloads
+ * @returns {Promise<string>} - Path to the node binary
+ */
+async function fetchNodeBinary(nodeVersion, platform, arch, cacheDir) {
+  if (!fs.existsSync(cacheDir)) {
+    fs.mkdirSync(cacheDir, { recursive: true });
+  }
+
+  const binaryName = platform === 'win32' ? 'node.exe' : 'node';
+  const cachedBinary = path.join(cacheDir, `${nodeVersion}-${platform}-${arch}`, binaryName);
+
+  // Check cache
+  if (fs.existsSync(cachedBinary)) {
+    console.log(`✓ Using cached Node binary: ${cachedBinary}`);
+    return cachedBinary;
+  }
+
+  console.log(`Downloading Node.js v${nodeVersion} for ${platform}-${arch}...`);
+  const url = getNodeDownloadUrl(nodeVersion, platform, arch);
+  const archiveName = path.basename(url);
+  const archivePath = path.join(cacheDir, archiveName);
+
+  await downloadFile(url, archivePath);
+  console.log(`✓ Downloaded: ${archivePath}`);
+
+  const extractDir = path.join(cacheDir, `${nodeVersion}-${platform}-${arch}`);
+  fs.mkdirSync(extractDir, { recursive: true });
+
+  const binaryPath = await extractNodeBinary(archivePath, extractDir, platform);
+  console.log(`✓ Extracted Node binary: ${binaryPath}`);
+
+  // Clean up archive
+  fs.unlinkSync(archivePath);
+
+  return binaryPath;
+}
+
+module.exports = {
+  getNodeDownloadUrl,
+  downloadFile,
+  extractNodeBinary,
+  fetchNodeBinary
+};

package/lib/index.js

@@ -0,0 +1,27 @@
+/**
+ * index.js
+ * Main entry point for seabox
+ */
+
+const { build } = require('./build');
+const { loadConfig, parseTarget } = require('./config');
+const { scanAssets, groupAssets } = require('./scanner');
+const { generateManifest, serializeManifest } = require('./manifest');
+const { createSeaConfig, writeSeaConfigJson, generateBlob } = require('./blob');
+const { fetchNodeBinary } = require('./fetch-node');
+const { injectBlob } = require('./inject');
+
+module.exports = {
+  build,
+  loadConfig,
+  parseTarget,
+  scanAssets,
+  groupAssets,
+  generateManifest,
+  serializeManifest,
+  createSeaConfig,
+  writeSeaConfigJson,
+  generateBlob,
+  fetchNodeBinary,
+  injectBlob
+};

package/lib/inject.js

@@ -0,0 +1,81 @@
+/**
+ * inject.js
+ * Inject SEA blob into Node binary using postject.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execFile } = require('child_process');
+const { promisify } = require('util');
+const { removeSignature } = require('./unsign');
+
+const execFileAsync = promisify(execFile);
+
+/**
+ * Inject a SEA blob into a Node.js binary using postject.
+ * @param {string} nodeBinaryPath - Path to the source Node binary
+ * @param {string} blobPath - Path to the SEA blob file
+ * @param {string} outputPath - Path for the output executable
+ * @param {string} platform - Target platform (win32, linux, darwin)
+ * @returns {Promise<void>}
+ */
+async function injectBlob(nodeBinaryPath, blobPath, outputPath, platform, verbose) {
+  // Copy node binary to output location
+  fs.copyFileSync(nodeBinaryPath, outputPath);
+
+  // Remove existing signature before postject injection
+  // The downloaded Node.js binary is signed, and postject will corrupt this signature
+  await removeSignature(outputPath, platform);
+
+  // Prepare postject command
+  const sentinel = 'NODE_SEA_BLOB';
+  const sentinelFuse = 'NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2';
+
+  const args = [
+    outputPath,
+    sentinel,
+    blobPath,
+    '--sentinel-fuse', sentinelFuse
+  ];
+
+  // Platform-specific postject options
+  if (platform === 'darwin') {
+    args.push('--macho-segment-name', 'NODE_SEA');
+  }
+
+  console.log(`Injecting SEA blob into: ${outputPath}`);
+  
+  // Use cmd.exe on Windows to run npx
+  const isWindows = process.platform === 'win32';
+  const command = isWindows ? 'cmd.exe' : 'npx';
+  const cmdArgs = isWindows 
+    ? ['/c', 'npx', 'postject', ...args]
+    : ['postject', ...args];
+
+  //console.log(`Command: ${command} ${cmdArgs.join(' ')}`);
+
+  try {
+    const { stdout, stderr } = await execFileAsync(command, cmdArgs);
+    if (stdout && verbose) console.log(stdout);
+    if (stderr && verbose) console.error(stderr);
+    console.log('✓ SEA blob injected successfully');
+  } catch (error) {
+    throw new Error(`Postject injection failed: ${error.message}`);
+  }
+
+  //console.log('\nNote: Executable is now ready for signing with your certificate');
+}
+
+/**
+ * Resolve the postject executable path.
+ * @returns {string}
+ */
+function resolvePostject() {
+  // Use npx to run postject
+  return 'npx';
+}
+
+module.exports = {
+  injectBlob,
+  resolvePostject
+};

package/lib/manifest.js

@@ -0,0 +1,98 @@
+/**
+ * manifest.js
+ * Generate runtime manifest with asset metadata and extraction rules.
+ */
+
+const path = require('path');
+
+/**
+ * @typedef {Object} BinaryManifestEntry
+ * @property {string} assetKey - Key in the SEA blob
+ * @property {string} fileName - Original filename
+ * @property {string} platform - Target platform (win32, linux, darwin, *)
+ * @property {string} arch - Target architecture (x64, arm64, *)
+ * @property {number} order - Extraction order priority (lower = earlier)
+ * @property {string} hash - SHA-256 hash for integrity check
+ */
+
+/**
+ * @typedef {Object} RuntimeManifest
+ * @property {string} appName - Application name
+ * @property {string} appVersion - Application version
+ * @property {string} platform - Target platform
+ * @property {string} arch - Target architecture
+ * @property {BinaryManifestEntry[]} binaries - Binary extraction rules
+ * @property {string[]} allAssetKeys - All embedded asset keys
+ */
+
+/**
+ * Generate a runtime manifest from scanned assets.
+ * @param {import('./scanner').AssetEntry[]} assets - All scanned assets
+ * @param {Object} config - SEA configuration
+ * @param {string} targetPlatform - Target platform (win32, linux, darwin)
+ * @param {string} targetArch - Target architecture (x64, arm64)
+ * @returns {RuntimeManifest}
+ */
+function generateManifest(assets, config, targetPlatform, targetArch) {
+  const binaries = assets
+    .filter(a => a.isBinary)
+    .map((asset, index) => {
+      const fileName = path.basename(asset.sourcePath);
+      return {
+        assetKey: asset.assetKey,
+        fileName,
+        platform: targetPlatform,
+        arch: targetArch,
+        order: inferExtractionOrder(fileName, index),
+        hash: asset.hash
+      };
+    });
+
+  return {
+    appName: config._packageName || 'app',
+    appVersion: config._packageVersion || '1.0.0',
+    platform: targetPlatform,
+    arch: targetArch,
+    binaries,
+    allAssetKeys: assets.map(a => a.assetKey)
+  };
+}
+
+/**
+ * Infer extraction order based on file type.
+ * Libraries (.dll, .so, .dylib) should extract before .node addons.
+ * @param {string} fileName
+ * @param {number} fallbackIndex - Fallback order if heuristic doesn't apply
+ * @returns {number}
+ */
+function inferExtractionOrder(fileName, fallbackIndex) {
+  const ext = path.extname(fileName).toLowerCase();
+  
+  // Extract shared libraries first
+  if (['.dll', '.so', '.dylib'].includes(ext)) {
+    return 10;
+  }
+  
+  // Then native addons
+  if (ext === '.node') {
+    return 20;
+  }
+
+  // Fallback for other binaries
+  return 100 + fallbackIndex;
+}
+
+/**
+ * Serialize manifest to JSON string for embedding.
+ * @param {RuntimeManifest} manifest
+ * @returns {string}
+ */
+function serializeManifest(manifest) {
+  return JSON.stringify(manifest, null, 2);
+}
+
+module.exports = {
+  generateManifest,
+  inferExtractionOrder,
+  serializeManifest
+};

package/lib/obfuscate.js

@@ -0,0 +1,73 @@
+/**
+ * @file Obfuscate bootstrap code to protect encryption keys and decryption logic
+ */
+
+const JavaScriptObfuscator = require('javascript-obfuscator');
+
+/**
+ * Obfuscate bootstrap code with maximum protection settings
+ * 
+ * @param {string} bootstrapCode - The bootstrap JavaScript code to obfuscate
+ * @returns {string} Obfuscated JavaScript code
+ */
+function obfuscateBootstrap(bootstrapCode) {
+  const obfuscationResult = JavaScriptObfuscator.obfuscate(bootstrapCode, {
+    // Maximum protection settings for encryption key and decryption logic
+    
+    // String encoding
+    stringArray: true,
+    stringArrayThreshold: 1,
+    stringArrayEncoding: ['rc4'],
+    stringArrayIndexShift: true,
+    stringArrayRotate: true,
+    stringArrayShuffle: true,
+    stringArrayWrappersCount: 5,
+    stringArrayWrappersChainedCalls: true,
+    stringArrayWrappersParametersMaxCount: 5,
+    stringArrayWrappersType: 'function',
+    
+    // Control flow
+    controlFlowFlattening: true,
+    controlFlowFlatteningThreshold: 1,
+    deadCodeInjection: true,
+    deadCodeInjectionThreshold: 0.4,
+    
+    // Code transformations
+    transformObjectKeys: true,
+    splitStrings: true,
+    splitStringsChunkLength: 10,
+    
+    // Identifiers
+    identifierNamesGenerator: 'hexadecimal',
+    identifiersPrefix: '',
+    renameGlobals: false, // Keep false - we need to preserve global scope
+    renameProperties: false, // Keep false - breaks sea.getAsset patching
+    
+    // Self-defending
+    selfDefending: true,
+    
+    // Compact output
+    compact: true,
+    
+    // Additional obfuscation
+    numbersToExpressions: true,
+    simplify: true,
+    
+    // Disable source maps (we don't want them)
+    sourceMap: false,
+    
+    // Performance vs protection tradeoff
+    // (these settings prioritize protection over performance)
+    target: 'node',
+    ignoreImports: true,
+    
+    // Comments removal
+    // (handled automatically by compact: true)
+  });
+
+  return obfuscationResult.getObfuscatedCode();
+}
+
+module.exports = {
+  obfuscateBootstrap
+};

package/lib/scanner.js

@@ -0,0 +1,153 @@
+/**
+ * scanner.js
+ * Resolve glob patterns, collect assets, and identify binary artifacts.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { glob } = require('glob');
+const crypto = require('crypto');
+
+/**
+ * @typedef {Object} AssetEntry
+ * @property {string} sourcePath - Absolute path to the asset on disk
+ * @property {string} assetKey - Logical key in the SEA blob
+ * @property {boolean} isBinary - True if this is a binary artifact requiring extraction
+ * @property {string} [hash] - SHA-256 hash of the file
+ */
+
+/**
+ * Scan and resolve all assets from configuration.
+ * Supports negative glob patterns (prefixed with '!') for exclusions.
+ * @param {string[]} assetPatterns - Glob patterns from config (supports '!' prefix for exclusions)
+ * @param {string[]} [binaryPatterns] - Patterns identifying binaries to extract
+ * @param {string[]} [excludePatterns] - Legacy: Additional patterns to exclude (optional)
+ * @param {string} projectRoot - Project root directory
+ * @returns {Promise<AssetEntry[]>}
+ */
+async function scanAssets(assetPatterns, binaryPatterns = [], excludePatterns = [], projectRoot = process.cwd()) {
+  const assets = [];
+  const seenKeys = new Set();
+
+  // Separate positive and negative patterns
+  const includePatterns = [];
+  const negativePatterns = [];
+  
+  for (const pattern of assetPatterns) {
+    if (pattern.startsWith('!')) {
+      // Negative pattern - add to exclusions (remove the '!' prefix)
+      negativePatterns.push(pattern.slice(1));
+    } else {
+      includePatterns.push(pattern);
+    }
+  }
+
+  // Combine negative patterns with legacy excludePatterns
+  const allExclusions = [...negativePatterns, ...excludePatterns];
+
+  // Process each include pattern
+  for (const pattern of includePatterns) {
+    const matches = await glob(pattern, {
+      cwd: projectRoot,
+      nodir: true,
+      absolute: false,
+      ignore: allExclusions
+    });
+
+    for (const match of matches) {
+      const sourcePath = path.resolve(projectRoot, match);
+      const assetKey = normalizeAssetKey(match);
+
+      // Skip duplicates
+      if (seenKeys.has(assetKey)) {
+        continue;
+      }
+      seenKeys.add(assetKey);
+
+      const isBinary = isBinaryAsset(match, binaryPatterns);
+      const hash = isBinary ? await computeHash(sourcePath) : undefined;
+
+      assets.push({
+        sourcePath,
+        assetKey,
+        isBinary,
+        hash
+      });
+    }
+  }
+
+  return assets;
+}
+
+/**
+ * Normalize a file path to a forward-slash asset key.
+ * @param {string} filePath
+ * @returns {string}
+ */
+function normalizeAssetKey(filePath) {
+  return filePath.replace(/\\/g, '/');
+}
+
+/**
+ * Check if an asset matches binary patterns.
+ * @param {string} filePath
+ * @param {string[]} binaryPatterns
+ * @returns {boolean}
+ */
+function isBinaryAsset(filePath, binaryPatterns) {
+  const ext = path.extname(filePath).toLowerCase();
+  const binaryExtensions = ['.node', '.dll', '.so', '.dylib'];
+
+  // Check explicit patterns first
+  for (const pattern of binaryPatterns) {
+    if (filePath.includes(pattern) || filePath.endsWith(pattern)) {
+      return true;
+    }
+  }
+
+  // Fall back to extension check
+  return binaryExtensions.includes(ext);
+}
+
+/**
+ * Compute SHA-256 hash of a file.
+ * @param {string} filePath
+ * @returns {Promise<string>}
+ */
+function computeHash(filePath) {
+  return new Promise((resolve, reject) => {
+    const hash = crypto.createHash('sha256');
+    const stream = fs.createReadStream(filePath);
+    stream.on('data', chunk => hash.update(chunk));
+    stream.on('end', () => resolve(hash.digest('hex')));
+    stream.on('error', reject);
+  });
+}
+
+/**
+ * Group assets by binary vs non-binary.
+ * @param {AssetEntry[]} assets
+ * @returns {{binaries: AssetEntry[], nonBinaries: AssetEntry[]}}
+ */
+function groupAssets(assets) {
+  const binaries = [];
+  const nonBinaries = [];
+
+  for (const asset of assets) {
+    if (asset.isBinary) {
+      binaries.push(asset);
+    } else {
+      nonBinaries.push(asset);
+    }
+  }
+
+  return { binaries, nonBinaries };
+}
+
+module.exports = {
+  scanAssets,
+  normalizeAssetKey,
+  isBinaryAsset,
+  computeHash,
+  groupAssets
+};