shardstitch 0.0.6 → 0.0.8

package/README.md

@@ -28,7 +28,9 @@ The same trick fixes a bloated session in the *same* tool. Long AI chats accumul
 
 ## 22 supported AI tools
 
-Claude Code, Claude Desktop, Cursor, Codex CLI, Gemini CLI, Windsurf, Aider, Kiro, Amazon Q Developer, DeepSeek, ChatGPT, OpenCode, Trae, Factory Droid, OpenClaw, VS Code Copilot, JetBrains AI, Zed AI, Replit Agent, Cody, Continue, and Tabnine.
+Claude Code, Claude Desktop, Cursor, Codex CLI, Gemini CLI, Windsurf, Aider, Kiro, Amazon Q Developer, DeepSeek, OpenCode, Trae, Factory Droid, OpenClaw, Amp, Cline, Roo Code, Kilo Code, Crush, Kimi, Qwen Code, and Antigravity.
+
+**Coming soon:** Cody, Continue, Replit Agent, JetBrains AI, Tabnine.
 
 ## 7 surfaces
 

package/cli.js

@@ -16,6 +16,28 @@ const INSTALL_DIR = join(os.homedir(), ".shardstitch", "app");
 const ACTIVATION_FILE = join(os.homedir(), ".shardstitch", "activation.json");
 const MACHINE_SALT = "shardstitch-activation/1";
 
+// --- Supply-chain hardening -------------------------------------------------
+// The binary SHA-256 is baked into this file at release time. No external
+// checksums.json needed — Polar delivers the file, we verify the hash locally.
+// Update these after every build before publishing.
+const CHECKSUMS = {
+  windows: "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
+  linux:   "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
+  mac:     "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
+};
+const TRUSTED_DOWNLOAD_HOST_SUFFIXES = [
+  "shardstitch.com",
+  "polar.sh",
+  "polarsource.com",
+];
+
+function isTrustedHost(hostname) {
+  const h = (hostname || "").toLowerCase();
+  return TRUSTED_DOWNLOAD_HOST_SUFFIXES.some(
+    (suffix) => h === suffix || h.endsWith("." + suffix)
+  );
+}
+
 const PLATFORM = process.platform === "win32" ? "windows"
                : process.platform === "darwin" ? "mac"
                : "linux";
@@ -109,8 +131,22 @@ function downloadFile(url, dest) {
     const tmp = dest + ".tmp";
     const file = createWriteStream(tmp);
 
-    function follow(url) {
-      https.get(url, { headers: { "User-Agent": "ShardStitch-Installer/1.0" } }, (res) => {
+    function follow(rawUrl) {
+      let u;
+      try {
+        u = new URL(rawUrl);
+      } catch {
+        return reject(new Error(`Refusing to download: invalid URL`));
+      }
+      // Fail closed on protocol downgrade or untrusted host (blocks open-redirect
+      // / MITM from pointing the download at an attacker-controlled binary).
+      if (u.protocol !== "https:") {
+        return reject(new Error(`Refusing non-HTTPS download (${u.protocol})`));
+      }
+      if (!isTrustedHost(u.hostname)) {
+        return reject(new Error(`Refusing download from untrusted host: ${u.hostname}`));
+      }
+      https.get(rawUrl, { headers: { "User-Agent": "ShardStitch-Installer/1.0" } }, (res) => {
         if (res.statusCode === 301 || res.statusCode === 302) {
           return follow(res.headers.location);
         }
@@ -138,6 +174,17 @@ function downloadFile(url, dest) {
   });
 }
 
+function sha256File(path) {
+  return new Promise((resolve, reject) => {
+    const hash = createHash("sha256");
+    const stream = fs.createReadStream(path);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+    stream.on("error", reject);
+  });
+}
+
+
 async function cmdInstall(key) {
   key = key.trim();
   console.log();
@@ -191,12 +238,43 @@ async function cmdInstall(key) {
 
   try {
     await downloadFile(downloadUrl, exePath);
-    if (PLATFORM !== "windows") chmodSync(exePath, 0o755);
   } catch (e) {
     console.log(`  ✗ Download failed: ${e.message}`);
     process.exit(1);
   }
 
+  // Integrity check — verify the downloaded binary's SHA-256 against the manifest
+  // on our pinned domain BEFORE making it executable or running it. Fails closed.
+  const allowUnverified = process.argv.includes("--allow-unverified");
+  try {
+    const expected = (CHECKSUMS[PLATFORM] || "").toLowerCase();
+    const actual = (await sha256File(exePath)).toLowerCase();
+    if (!expected) {
+      throw new Error(`no published checksum for platform "${PLATFORM}"`);
+    }
+    if (actual !== expected) {
+      try { fs.unlinkSync(exePath); } catch {}
+      console.log("  ✗ Integrity check FAILED — the downloaded file does not match");
+      console.log("    the published checksum and was deleted. Do NOT run it.");
+      console.log(`    expected ${expected}`);
+      console.log(`    actual   ${actual}`);
+      console.log("    Report this to support@shardstitch.com.");
+      process.exit(1);
+    }
+    console.log("  ✓ Integrity verified (SHA-256).");
+  } catch (e) {
+    if (!allowUnverified) {
+      try { fs.unlinkSync(exePath); } catch {}
+      console.log(`  ✗ Could not verify download integrity: ${e.message}`);
+      console.log("    Aborting for safety. Re-run with --allow-unverified to override");
+      console.log("    (not recommended), or contact support@shardstitch.com.");
+      process.exit(1);
+    }
+    console.log(`  ! Skipping integrity check (--allow-unverified): ${e.message}`);
+  }
+
+  if (PLATFORM !== "windows") chmodSync(exePath, 0o755);
+
   saveActivation(key);
 
   console.log(`  ✓ Installed to ${exePath}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shardstitch",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "description": "ShardStitch — capture your AI coding session (git diff, dependency graph, intent) and stitch it into the next tool. 22 AI tools supported. 100% local, zero telemetry. https://shardstitch.com",
   "homepage": "https://shardstitch.com",
   "bugs": {