sliccy 2.27.2 → 2.28.1

package/README.md

@@ -58,6 +58,7 @@ SLICC is for you if:
 - **Delegate parallel work to scoops.** Split tasks into isolated sub-agents with their own sandboxes and context, then let the main agent coordinate the results.
 - **Turn one-off wins into reusable workflows.** Package behavior as skills, build interactive sprinkles, and react to external events with webhooks and cron-driven licks.
 - **Mount your local file system.** By default, SLICC is confined to your browser. But you can ask it to mount folders from your local file system, so it can read and write from there. Mount into an empty path such as `/mnt/myproject` so you do not hide existing skills or scripts.
+- **Mount remote storage as if it were local.** Beyond local folders, `mount --source` bridges S3 buckets, S3-compatible services like Cloudflare R2 and MinIO, and Adobe da.live repositories into the same VFS surface. Reads use TTL+ETag caching with conditional revalidation; writes use ETag-conditional PUTs that surface concurrent-edit conflicts as `EBUSY`. Credentials live server-side (`~/.slicc/secrets.env` in CLI, `chrome.storage.local` in the extension via the **Extension options** page) and never reach the agent. After setup: `mount --source s3://my-bucket --profile r2 /mnt/r2` or `mount --source da://my-org/my-repo /mnt/da`. See [docs/mounts.md](docs/mounts.md) for the full guide.
 
 ## Getting started
 
@@ -184,5 +185,6 @@ If you want to go deeper, the detailed docs live here:
 - [Testing](docs/testing.md)
 - [Shell reference](docs/shell-reference.md)
 - [Secrets](docs/secrets.md)
+- [Mounts (local + S3 / R2 / DA)](docs/mounts.md)
 - [Adding features](docs/adding-features.md)
 - [Electron notes](docs/electron.md)

package/dist/node-server/fetch-proxy-headers.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Headers the `/api/fetch-proxy` route does NOT forward upstream.
+ *
+ * Includes hop-by-hop headers (`host`, `connection`, `transfer-encoding`,
+ * `content-length`), proxy-internal markers (`x-target-url`,
+ * `x-slicc-raw-body`), and forbidden-header transports the client uses
+ * to smuggle reserved names through `fetch()` (`x-proxy-cookie`,
+ * `x-proxy-origin`, `x-proxy-referer`).
+ *
+ * Lives in its own module (rather than `index.ts`) so tests can import
+ * it without triggering the server bootstrap that runs at `index.ts`
+ * module load.
+ */
+export declare const FETCH_PROXY_SKIP_HEADERS: ReadonlySet<string>;

package/dist/node-server/fetch-proxy-headers.js

@@ -0,0 +1,24 @@
+/**
+ * Headers the `/api/fetch-proxy` route does NOT forward upstream.
+ *
+ * Includes hop-by-hop headers (`host`, `connection`, `transfer-encoding`,
+ * `content-length`), proxy-internal markers (`x-target-url`,
+ * `x-slicc-raw-body`), and forbidden-header transports the client uses
+ * to smuggle reserved names through `fetch()` (`x-proxy-cookie`,
+ * `x-proxy-origin`, `x-proxy-referer`).
+ *
+ * Lives in its own module (rather than `index.ts`) so tests can import
+ * it without triggering the server bootstrap that runs at `index.ts`
+ * module load.
+ */
+export const FETCH_PROXY_SKIP_HEADERS = new Set([
+    'host',
+    'connection',
+    'x-target-url',
+    'x-slicc-raw-body',
+    'content-length',
+    'transfer-encoding',
+    'x-proxy-cookie',
+    'x-proxy-origin',
+    'x-proxy-referer',
+]);

package/dist/node-server/index.js

@@ -18,6 +18,8 @@ import { FileLogger } from './file-logger.js';
 import { CliLogDedup } from './cli-log-dedup.js';
 import { EnvSecretStore } from './secrets/env-secret-store.js';
 import { SecretProxyManager } from './secrets/proxy-manager.js';
+import { handleDaSignAndForward, handleS3SignAndForward } from './secrets/sign-and-forward.js';
+import { FETCH_PROXY_SKIP_HEADERS } from './fetch-proxy-headers.js';
 const __dirname = fileURLToPath(new URL('.', import.meta.url));
 const PROJECT_ROOT = resolve(__dirname, '..', '..');
 const RUNTIME_FLAGS = parseCliRuntimeFlags(process.argv.slice(2));
@@ -630,7 +632,15 @@ async function main() {
             res.status(204).end();
         }
     });
-    app.use(express.json({ limit: '50mb' }));
+    // Global JSON body parser. Skipped when the request carries
+    // `X-Slicc-Raw-Body: 1`, so SigV4-signed bodies survive into the
+    // /api/fetch-proxy handler byte-for-byte (the parser would otherwise
+    // re-serialize them via JSON.stringify, breaking the signature).
+    app.use(express.json({
+        limit: '50mb',
+        type: (req) => req.headers['x-slicc-raw-body'] !== '1' &&
+            (req.headers['content-type'] ?? '').includes('application/json'),
+    }));
     app.get('/api/runtime-config', (_req, res) => {
         res.json({
             trayWorkerBaseUrl: RUNTIME_FLAGS.leadWorkerBaseUrl ??
@@ -795,6 +805,60 @@ async function main() {
                 .json({ error: err instanceof Error ? err.message : 'Failed to list secrets' });
         }
     });
+    // S3 sign-and-forward — browser-side mount backend posts envelopes here;
+    // server resolves the s3.<profile>.* secrets, signs SigV4 v4, forwards to
+    // the upstream, returns the response as a JSON envelope. The browser
+    // never sees access_key_id / secret_access_key. See sign-and-forward.ts
+    // for the envelope contract.
+    app.post('/api/s3-sign-and-forward', async (req, res) => {
+        try {
+            await handleS3SignAndForward(req, res, secretStore);
+        }
+        catch (err) {
+            // Generic log line + trace id only. Avoid logging the err.message
+            // because TypeError stack frames or signing errors can include
+            // profile names, bucket names, or partial URLs — operational secrets
+            // we don't want in shared log aggregators (Sentry, Datadog, etc.).
+            // The trace id lets users correlate a server-side log with the
+            // 500 the client got; the detailed message goes only to the local
+            // file logger above DEBUG, where it's bounded to the operator.
+            const traceId = (globalThis.crypto?.randomUUID?.() ?? Math.random().toString(36).slice(2, 10)).slice(0, 8);
+            console.error(`S3 sign-and-forward error [trace=${traceId}]`);
+            if (DEV_MODE) {
+                console.error(err);
+            }
+            if (!res.headersSent) {
+                res.status(500).json({
+                    ok: false,
+                    error: `internal sign-and-forward error [trace=${traceId}]`,
+                    errorCode: 'internal',
+                });
+            }
+        }
+    });
+    // DA sign-and-forward — same pattern as S3, but for Adobe da.live. The
+    // IMS bearer token is passed transiently in the envelope (browser holds
+    // it via the existing Adobe LLM provider). v2 will move OAuth server-side
+    // to remove the browser exposure entirely.
+    app.post('/api/da-sign-and-forward', async (req, res) => {
+        try {
+            await handleDaSignAndForward(req, res);
+        }
+        catch (err) {
+            const traceId = (globalThis.crypto?.randomUUID?.() ?? Math.random().toString(36).slice(2, 10)).slice(0, 8);
+            console.error(`DA sign-and-forward error [trace=${traceId}]`);
+            if (DEV_MODE) {
+                console.error(err);
+            }
+            if (!res.headersSent) {
+                res.status(500).json({
+                    ok: false,
+                    error: `internal sign-and-forward error [trace=${traceId}]`,
+                    errorCode: 'internal',
+                });
+            }
+        }
+    });
     // Masked secrets endpoint — returns name + maskedValue pairs for shell env population.
     // The browser fetches this at shell init to populate env vars with masked values.
     // Real values are never exposed; only deterministic session-scoped masks.
@@ -842,20 +906,12 @@ async function main() {
                 method: req.method,
                 redirect: 'follow', // Follow redirects for git protocol compatibility
             };
-            // Forward relevant headers (excluding hop-by-hop and proxy headers)
-            const skipHeaders = new Set([
-                'host',
-                'connection',
-                'x-target-url',
-                'content-length',
-                'transfer-encoding',
-                'x-proxy-cookie',
-                'x-proxy-origin',
-                'x-proxy-referer',
-            ]);
+            // Forward relevant headers (excluding hop-by-hop and proxy headers).
+            // Set lives at module scope as FETCH_PROXY_SKIP_HEADERS so tests can
+            // verify the contract without copying it.
             const headers = {};
             for (const [key, value] of Object.entries(req.headers)) {
-                if (!skipHeaders.has(key) && typeof value === 'string') {
+                if (!FETCH_PROXY_SKIP_HEADERS.has(key) && typeof value === 'string') {
                     headers[key] = value;
                 }
             }

package/dist/node-server/secrets/sign-and-forward.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Server-side request signing for S3 and Adobe da.live mounts.
+ *
+ * The browser-side mount backends never see real S3 credentials or the IMS
+ * bearer token. They post envelopes to `/api/s3-sign-and-forward` and
+ * `/api/da-sign-and-forward`, which:
+ *  1. Validate the envelope.
+ *  2. Resolve credentials server-side (S3) or accept a transient bearer (DA).
+ *  3. Reconstruct the upstream URL from profile config (S3) or the path
+ *     prefix (DA) — so the browser cannot SSRF arbitrary hosts.
+ *  4. Sign with SigV4 v4 (S3) or attach `Authorization: Bearer` (DA).
+ *  5. Forward to the upstream and return the response as a JSON envelope.
+ *
+ * Logging contract: never log envelope contents — request bodies or the
+ * `imsToken` may contain credential material.
+ */
+import type { Request, Response } from 'express';
+import type { SecretStore } from './types.js';
+/** Methods we permit through the signed proxies. */
+declare const ALLOWED_METHODS: readonly ["GET", "PUT", "POST", "DELETE", "HEAD"];
+type SignedMethod = (typeof ALLOWED_METHODS)[number];
+export interface S3SignAndForwardEnvelope {
+    profile: string;
+    method: SignedMethod;
+    bucket: string;
+    /** S3 key (the prefix is already baked in by the backend). */
+    key: string;
+    query?: Record<string, string>;
+    /** Extra headers from the backend (If-Match, Content-Type, ...). */
+    headers?: Record<string, string>;
+    /** Request body, base64-encoded. Null/absent for GET/HEAD/DELETE/listing. */
+    bodyBase64?: string | null;
+}
+export interface DaSignAndForwardEnvelope {
+    /** IMS bearer token, passed transiently. Never persisted server-side. */
+    imsToken: string;
+    method: SignedMethod;
+    /** Path including leading slash, e.g. `/source/<org>/<repo>/<key>`. */
+    path: string;
+    query?: Record<string, string>;
+    headers?: Record<string, string>;
+    bodyBase64?: string | null;
+}
+/**
+ * Handle a `POST /api/s3-sign-and-forward` request. Validates the envelope,
+ * resolves credentials, signs, forwards, returns a JSON envelope.
+ *
+ * Errors in setup return 400 with a structured `{ ok: false, error, errorCode }`.
+ * Network errors against the upstream return 502.
+ */
+export declare function handleS3SignAndForward(req: Request, res: Response, secretStore: SecretStore): Promise<void>;
+/**
+ * Handle a `POST /api/da-sign-and-forward` request. Attaches the IMS bearer
+ * token (passed transiently in the envelope), forwards to da.live, returns
+ * a JSON envelope.
+ *
+ * v1: the IMS token comes from the browser at request time. The browser
+ * already holds the token via the existing Adobe LLM provider OAuth flow;
+ * routing through the server gives architectural symmetry with S3 and a
+ * place to tighten the threat model in v2 (server-side OAuth).
+ */
+export declare function handleDaSignAndForward(req: Request, res: Response): Promise<void>;
+export {};

package/dist/node-server/secrets/sign-and-forward.js

@@ -0,0 +1,294 @@
+/**
+ * Server-side request signing for S3 and Adobe da.live mounts.
+ *
+ * The browser-side mount backends never see real S3 credentials or the IMS
+ * bearer token. They post envelopes to `/api/s3-sign-and-forward` and
+ * `/api/da-sign-and-forward`, which:
+ *  1. Validate the envelope.
+ *  2. Resolve credentials server-side (S3) or accept a transient bearer (DA).
+ *  3. Reconstruct the upstream URL from profile config (S3) or the path
+ *     prefix (DA) — so the browser cannot SSRF arbitrary hosts.
+ *  4. Sign with SigV4 v4 (S3) or attach `Authorization: Bearer` (DA).
+ *  5. Forward to the upstream and return the response as a JSON envelope.
+ *
+ * Logging contract: never log envelope contents — request bodies or the
+ * `imsToken` may contain credential material.
+ */
+import { signSigV4 } from './signing-s3.js';
+/** Allowed characters in profile names — restricts secret-key path traversal. */
+const PROFILE_NAME_REGEX = /^[a-zA-Z0-9._-]+$/;
+/** Methods we permit through the signed proxies. */
+const ALLOWED_METHODS = ['GET', 'PUT', 'POST', 'DELETE', 'HEAD'];
+/**
+ * Hop-by-hop headers — per RFC 7230 these are connection-scoped and must not
+ * be propagated upstream / downstream. Lowercase for comparison.
+ */
+const HOP_BY_HOP = new Set([
+    'connection',
+    'keep-alive',
+    'proxy-authenticate',
+    'proxy-authorization',
+    'te',
+    'trailer',
+    'transfer-encoding',
+    'upgrade',
+]);
+/** Adobe da.live API origin. Hard-coded — clients send only the path component. */
+const DA_ORIGIN = 'https://admin.da.live';
+class ProfileNotConfiguredError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ProfileNotConfiguredError';
+    }
+}
+// ----------------- helpers -----------------
+function decodeBase64(b64) {
+    return new Uint8Array(Buffer.from(b64, 'base64'));
+}
+function encodeBase64(bytes) {
+    return Buffer.from(bytes).toString('base64');
+}
+function isAllowedMethod(m) {
+    return typeof m === 'string' && ALLOWED_METHODS.includes(m);
+}
+function readSecretValue(store, key) {
+    const secret = store.get(key);
+    return secret?.value;
+}
+function resolveS3Profile(name, store) {
+    const accessKeyId = readSecretValue(store, `s3.${name}.access_key_id`);
+    const secretAccessKey = readSecretValue(store, `s3.${name}.secret_access_key`);
+    if (!accessKeyId) {
+        throw new ProfileNotConfiguredError(`profile '${name}' missing required field 'access_key_id'. ` +
+            `Set it via: secret set s3.${name}.access_key_id <value>`);
+    }
+    if (!secretAccessKey) {
+        throw new ProfileNotConfiguredError(`profile '${name}' missing required field 'secret_access_key'. ` +
+            `Set it via: secret set s3.${name}.secret_access_key <value>`);
+    }
+    return {
+        accessKeyId,
+        secretAccessKey,
+        sessionToken: readSecretValue(store, `s3.${name}.session_token`),
+        region: readSecretValue(store, `s3.${name}.region`) ?? 'us-east-1',
+        endpoint: readSecretValue(store, `s3.${name}.endpoint`),
+        pathStyle: readSecretValue(store, `s3.${name}.path_style`) === 'true',
+    };
+}
+/** Build the S3 URL based on profile addressing style. */
+function buildS3Url(profile, bucket, key, query) {
+    // Determine host from explicit endpoint (R2/MinIO) or AWS region default.
+    let host;
+    if (profile.endpoint) {
+        try {
+            host = new URL(profile.endpoint).host;
+        }
+        catch {
+            throw new Error(`profile endpoint is not a valid URL: ${profile.endpoint}`);
+        }
+    }
+    else {
+        host = `s3.${profile.region}.amazonaws.com`;
+    }
+    // Encode key segment-by-segment so '/' is preserved.
+    const encodedKey = key.split('/').map(encodeURIComponent).join('/');
+    const encodedBucket = encodeURIComponent(bucket);
+    const pathPart = profile.pathStyle ? `${encodedBucket}/${encodedKey}` : encodedKey;
+    const hostPart = profile.pathStyle ? host : `${encodedBucket}.${host}`;
+    const url = new URL(`https://${hostPart}/${pathPart}`);
+    if (query) {
+        for (const [k, v] of Object.entries(query)) {
+            url.searchParams.set(k, v);
+        }
+    }
+    return url;
+}
+/** Copy upstream response headers, dropping hop-by-hop entries. */
+function passthroughHeaders(upstream) {
+    const out = {};
+    upstream.headers.forEach((value, key) => {
+        if (!HOP_BY_HOP.has(key.toLowerCase())) {
+            out[key] = value;
+        }
+    });
+    return out;
+}
+// ----------------- handlers -----------------
+/**
+ * Handle a `POST /api/s3-sign-and-forward` request. Validates the envelope,
+ * resolves credentials, signs, forwards, returns a JSON envelope.
+ *
+ * Errors in setup return 400 with a structured `{ ok: false, error, errorCode }`.
+ * Network errors against the upstream return 502.
+ */
+export async function handleS3SignAndForward(req, res, secretStore) {
+    const env = req.body;
+    if (typeof env?.profile !== 'string' ||
+        env.profile.length === 0 ||
+        !PROFILE_NAME_REGEX.test(env.profile)) {
+        res.status(400).json({
+            ok: false,
+            error: 'invalid profile name (allowed: alphanumeric, dot, underscore, hyphen)',
+            errorCode: 'invalid_profile',
+        });
+        return;
+    }
+    if (!isAllowedMethod(env.method)) {
+        res.status(400).json({ ok: false, error: 'invalid method', errorCode: 'invalid_request' });
+        return;
+    }
+    if (typeof env.bucket !== 'string' || env.bucket.length === 0) {
+        res.status(400).json({ ok: false, error: 'invalid bucket', errorCode: 'invalid_request' });
+        return;
+    }
+    if (typeof env.key !== 'string') {
+        res.status(400).json({ ok: false, error: 'invalid key', errorCode: 'invalid_request' });
+        return;
+    }
+    let profile;
+    try {
+        profile = resolveS3Profile(env.profile, secretStore);
+    }
+    catch (err) {
+        if (err instanceof ProfileNotConfiguredError) {
+            res.status(400).json({
+                ok: false,
+                error: err.message,
+                errorCode: 'profile_not_configured',
+            });
+            return;
+        }
+        throw err;
+    }
+    let url;
+    try {
+        url = buildS3Url(profile, env.bucket, env.key, env.query);
+    }
+    catch (err) {
+        res.status(400).json({
+            ok: false,
+            error: err instanceof Error ? err.message : 'failed to build URL',
+            errorCode: 'invalid_request',
+        });
+        return;
+    }
+    const body = typeof env.bodyBase64 === 'string' && env.bodyBase64.length > 0
+        ? decodeBase64(env.bodyBase64)
+        : undefined;
+    const signed = await signSigV4({
+        method: env.method,
+        url,
+        headers: { ...(env.headers ?? {}), Host: url.host },
+        body,
+    }, {
+        accessKeyId: profile.accessKeyId,
+        secretAccessKey: profile.secretAccessKey,
+        sessionToken: profile.sessionToken,
+    }, profile.region, 's3');
+    let upstream;
+    try {
+        upstream = await fetch(url.toString(), {
+            method: signed.method,
+            headers: signed.headers,
+            // Cast: TS 6 narrows Uint8Array<ArrayBufferLike> too aggressively for
+            // BodyInit; runtime accepts the bytes fine.
+            body: signed.body,
+        });
+    }
+    catch (err) {
+        res.status(502).json({
+            ok: false,
+            error: `S3 fetch failed: ${err instanceof Error ? err.message : String(err)}`,
+            errorCode: 'fetch_failed',
+        });
+        return;
+    }
+    const upstreamBody = new Uint8Array(await upstream.arrayBuffer());
+    res.json({
+        ok: true,
+        status: upstream.status,
+        headers: passthroughHeaders(upstream),
+        bodyBase64: encodeBase64(upstreamBody),
+    });
+}
+/**
+ * Handle a `POST /api/da-sign-and-forward` request. Attaches the IMS bearer
+ * token (passed transiently in the envelope), forwards to da.live, returns
+ * a JSON envelope.
+ *
+ * v1: the IMS token comes from the browser at request time. The browser
+ * already holds the token via the existing Adobe LLM provider OAuth flow;
+ * routing through the server gives architectural symmetry with S3 and a
+ * place to tighten the threat model in v2 (server-side OAuth).
+ */
+export async function handleDaSignAndForward(req, res) {
+    const env = req.body;
+    if (typeof env?.imsToken !== 'string' || env.imsToken.length === 0) {
+        res.status(400).json({
+            ok: false,
+            error: 'imsToken is required',
+            errorCode: 'invalid_request',
+        });
+        return;
+    }
+    if (!isAllowedMethod(env.method)) {
+        res.status(400).json({ ok: false, error: 'invalid method', errorCode: 'invalid_request' });
+        return;
+    }
+    if (typeof env.path !== 'string' || !env.path.startsWith('/')) {
+        res.status(400).json({
+            ok: false,
+            error: 'path must be a string starting with /',
+            errorCode: 'invalid_request',
+        });
+        return;
+    }
+    let url;
+    try {
+        url = new URL(DA_ORIGIN + env.path);
+        if (env.query) {
+            for (const [k, v] of Object.entries(env.query)) {
+                url.searchParams.set(k, v);
+            }
+        }
+    }
+    catch (err) {
+        res.status(400).json({
+            ok: false,
+            error: err instanceof Error ? err.message : 'failed to build URL',
+            errorCode: 'invalid_request',
+        });
+        return;
+    }
+    const body = typeof env.bodyBase64 === 'string' && env.bodyBase64.length > 0
+        ? decodeBase64(env.bodyBase64)
+        : undefined;
+    let upstream;
+    try {
+        upstream = await fetch(url.toString(), {
+            method: env.method,
+            headers: {
+                ...(env.headers ?? {}),
+                Authorization: `Bearer ${env.imsToken}`,
+            },
+            // Cast: TS 6 narrows Uint8Array<ArrayBufferLike> too aggressively for
+            // BodyInit; runtime accepts the bytes fine.
+            body: body,
+        });
+    }
+    catch (err) {
+        res.status(502).json({
+            ok: false,
+            error: `DA fetch failed: ${err instanceof Error ? err.message : String(err)}`,
+            errorCode: 'fetch_failed',
+        });
+        return;
+    }
+    const upstreamBody = new Uint8Array(await upstream.arrayBuffer());
+    res.json({
+        ok: true,
+        status: upstream.status,
+        headers: passthroughHeaders(upstream),
+        bodyBase64: encodeBase64(upstreamBody),
+    });
+}

package/dist/node-server/secrets/signing-s3.d.ts

@@ -0,0 +1,34 @@
+/**
+ * AWS SigV4 v4 signing — node-server copy.
+ *
+ * **Mirrored from `packages/webapp/src/fs/mount/signing-s3.ts`.** Both files
+ * are byte-for-byte equivalent in behavior and must stay in sync. The reason
+ * for two copies is that `tsconfig.cli.json` pins `rootDir` to
+ * `packages/node-server/src`, so cross-importing the webapp source under
+ * NodeNext resolution is rejected by the compiler. Sharing via a workspace
+ * package is a larger change than this PR's scope.
+ *
+ * Drift between the two copies is caught by both test suites running the
+ * same canonical AWS test vectors:
+ *  - `packages/webapp/tests/fs/mount/signing-s3.test.ts`
+ *  - `packages/node-server/tests/secrets/signing-s3.test.ts`
+ *
+ * If you change one, change the other and verify both test suites pass.
+ *
+ * Pure function — given a request + credentials + region + service + clock,
+ * produces the same request with an `Authorization` header attached. Uses
+ * Web Crypto (`crypto.subtle`) which works in browsers, extension service
+ * workers, and Node 22+ (where it lives on `globalThis.crypto`).
+ */
+export interface SigV4Request {
+    method: 'GET' | 'PUT' | 'POST' | 'DELETE' | 'HEAD';
+    url: URL;
+    headers: Record<string, string>;
+    body?: Uint8Array;
+}
+export interface SigV4Credentials {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+}
+export declare function signSigV4(req: SigV4Request, creds: SigV4Credentials, region: string, service?: string, now?: Date): Promise<SigV4Request>;