typeclaw 0.1.5 → 0.2.0

package/src/hostd/daemon.ts

@@ -11,6 +11,7 @@ import { kakaoChannelBlockSchema } from '@/secrets/schema'
 import { SecretsBackend } from '@/secrets/storage'
 
 import { isDaemonReachable } from './client'
+import type { KakaoRenewalCallbacks, KakaoRenewalLogEvent } from './kakao-renewal-manager'
 import { ensureDirs, registrationFilePath, registrationsDir, socketPath } from './paths'
 import type {
   HttpInfoResult,
@@ -54,6 +55,11 @@ export type DaemonOptions = {
   // fields trigger broker spawn alongside supervisor registration. Tests omit
   // it to keep the broker out of unrelated suites.
   portbroker?: PortbrokerCallbacks
+  // KakaoTalk credential renewal capability. When provided, the daemon
+  // starts a per-container daily renewal tick on register and stops it on
+  // deregister. Omit to disable in tests / when the agent has no kakaotalk
+  // channel configured.
+  kakaoRenewal?: KakaoRenewalCallbacks
 }
 
 export type RestartPreflight = (input: {
@@ -94,6 +100,7 @@ export type DaemonLogEvent =
   | { kind: 'shutdown-requested' }
   | { kind: 'port-forward-event'; event: PortForwardEvent }
   | { kind: 'tailscale-serve-event'; event: TailscaleServeEvent }
+  | KakaoRenewalLogEvent
 
 export type Daemon = {
   registered: () => string[]
@@ -284,6 +291,9 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
         onTailscaleServeEvent: (event) => log({ kind: 'tailscale-serve-event', event }),
       })
     }
+    if (opts.kakaoRenewal) {
+      opts.kakaoRenewal.start({ containerName: payload.containerName, cwd: payload.cwd })
+    }
   }
 
   const handleRegister = async (req: RegisterPayload): Promise<RpcResponse> => {
@@ -309,6 +319,7 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
       restartTokens.delete(req.containerName)
       gcMisses.delete(req.containerName)
       if (opts.portbroker) await opts.portbroker.stop(req.containerName, 'deregistered').catch(() => {})
+      if (opts.kakaoRenewal) await opts.kakaoRenewal.stop(req.containerName).catch(() => {})
       await removeRegistrationFile(req.containerName)
       if (hadCwd) log({ kind: 'deregister', containerName: req.containerName, reason: 'requested' })
       return { ok: true }
@@ -574,6 +585,7 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
         const hadCwd = cwds.delete(name)
         restartTokens.delete(name)
         if (opts.portbroker) await opts.portbroker.stop(name, 'deregistered').catch(() => {})
+        if (opts.kakaoRenewal) await opts.kakaoRenewal.stop(name).catch(() => {})
         await removeRegistrationFile(name)
         if (hadCwd) log({ kind: 'deregister', containerName: name, reason: 'gone' })
         return { ok: true }
@@ -601,6 +613,10 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
         const names = Array.from(cwds.keys())
         await Promise.allSettled(names.map((n) => opts.portbroker!.stop(n, 'broker-stopped')))
       }
+      if (opts.kakaoRenewal) {
+        const names = Array.from(cwds.keys())
+        await Promise.allSettled(names.map((n) => opts.kakaoRenewal!.stop(n)))
+      }
       cwds.clear()
       restartTokens.clear()
       try {

package/src/hostd/kakao-renewal-manager.ts

@@ -0,0 +1,223 @@
+import { renewCurrentAccount, type AttemptLoginFn } from '@/secrets/kakao-renewal'
+import { createKeyStore, type KeyStore } from '@/secrets/keys'
+
+import { keysDir } from './paths'
+
+const DEFAULT_TICK_INTERVAL_MS = 24 * 60 * 60 * 1000
+
+export type KakaoRenewalCallbacks = {
+  start: (input: KakaoRenewalStartInput) => void
+  stop: (containerName: string) => Promise<void>
+  drain: () => Promise<void>
+}
+
+export type KakaoRenewalStartInput = {
+  containerName: string
+  cwd: string
+}
+
+export type KakaoRenewalLogEvent =
+  | { kind: 'kakao-renewal-tick-start'; containerName: string }
+  | { kind: 'kakao-renewal-tick-skipped'; containerName: string; reason: string; ageMs?: number }
+  | { kind: 'kakao-renewal-tick-ok'; containerName: string; accountId: string; previousUpdatedAt: string }
+  | {
+      kind: 'kakao-renewal-tick-reauth-required'
+      containerName: string
+      accountId: string
+      reason: string
+      message: string
+    }
+  | { kind: 'kakao-renewal-tick-transient-failure'; containerName: string; accountId: string; reason: string }
+  | { kind: 'kakao-renewal-tick-error'; containerName: string; error: string }
+  | { kind: 'kakao-renewal-restart-scheduled'; containerName: string; accountId: string }
+  | { kind: 'kakao-renewal-restart-failed'; containerName: string; accountId: string; reason: string }
+
+export type KakaoRenewalManagerOptions = {
+  onLog?: (event: KakaoRenewalLogEvent) => void
+  tickIntervalMs?: number
+  keyStoreFactory?: () => KeyStore
+  attemptLogin?: AttemptLoginFn
+  schedule?: (fn: () => void, intervalMs: number) => { stop: () => void }
+  // Invoked after a successful renewal so the host can restart the container
+  // and the in-memory adapter picks up the fresh tokens. Without this, the
+  // cron writes new tokens to secrets.json but the live LOCO client keeps the
+  // old token in its closure and still hits 401 at the ~7-day wall. Production
+  // wires this to the same restart path the `restart` RPC uses; tests can
+  // observe it via a fake.
+  onRenewalOk?: (input: { containerName: string; cwd: string; accountId: string }) => Promise<void>
+  // Optional predicate: only start the renewal cron for containers whose
+  // `typeclaw.json` actually has a `channels.kakaotalk` block. Without this,
+  // every typeclaw agent on the host emits daily `no_account` skip logs.
+  shouldRenew?: (input: KakaoRenewalStartInput) => boolean
+}
+
+// Per-container daily renewal tick. Mirrors portbroker-manager.ts: hostd calls
+// start() on register and stop() on deregister, and the manager owns timer
+// lifecycle plus the actual renewal work. The keystore lives on the host
+// (~/.typeclaw/keys/<name>.key), unreachable from inside the container —
+// that's load-bearing for encryption.ts's threat model.
+export function createKakaoRenewalManager(opts: KakaoRenewalManagerOptions = {}): KakaoRenewalCallbacks {
+  const intervalMs = opts.tickIntervalMs ?? DEFAULT_TICK_INTERVAL_MS
+  const keyStore = (opts.keyStoreFactory ?? (() => createKeyStore({ keysDir: keysDir() })))()
+  const log = opts.onLog ?? (() => {})
+  const schedule =
+    opts.schedule ??
+    ((fn: () => void, ms: number) => {
+      const handle = setInterval(fn, ms)
+      return { stop: () => clearInterval(handle) }
+    })
+
+  const timers = new Map<string, { stop: () => void }>()
+  // Track the latest registration input per container so a re-register
+  // arriving during an in-flight tick can both (a) prevent the in-flight tick
+  // from acting on stale cwd, and (b) trigger a fresh tick once the in-flight
+  // one finishes. The Map's value is the most recent input.
+  const latestInput = new Map<string, KakaoRenewalStartInput>()
+  // Track in-flight tick promises per container so stop()/drain() can await
+  // them. Without this, daemon shutdown abandons an in-flight attemptLogin
+  // HTTPS request mid-write.
+  const inFlight = new Map<string, Promise<void>>()
+  // Pending immediate-tick request: set when start() is called while a tick
+  // is in flight, so we re-fire one tick after the in-flight settles.
+  const pendingRerun = new Set<string>()
+
+  const runTick = async (input: KakaoRenewalStartInput): Promise<void> => {
+    log({ kind: 'kakao-renewal-tick-start', containerName: input.containerName })
+    try {
+      const result = await renewCurrentAccount({
+        containerName: input.containerName,
+        agentDir: input.cwd,
+        keyStore,
+        ...(opts.attemptLogin ? { attemptLogin: opts.attemptLogin } : {}),
+      })
+      if (result.kind === 'skipped') {
+        log({
+          kind: 'kakao-renewal-tick-skipped',
+          containerName: input.containerName,
+          reason: result.reason,
+          ...(result.ageMs !== undefined ? { ageMs: result.ageMs } : {}),
+        })
+      } else if (result.kind === 'ok') {
+        log({
+          kind: 'kakao-renewal-tick-ok',
+          containerName: input.containerName,
+          accountId: result.account_id,
+          previousUpdatedAt: result.previousUpdatedAt,
+        })
+        if (opts.onRenewalOk) {
+          log({
+            kind: 'kakao-renewal-restart-scheduled',
+            containerName: input.containerName,
+            accountId: result.account_id,
+          })
+          try {
+            await opts.onRenewalOk({
+              containerName: input.containerName,
+              cwd: input.cwd,
+              accountId: result.account_id,
+            })
+          } catch (err) {
+            log({
+              kind: 'kakao-renewal-restart-failed',
+              containerName: input.containerName,
+              accountId: result.account_id,
+              reason: err instanceof Error ? err.message : String(err),
+            })
+          }
+        }
+      } else if (result.kind === 'reauth_required') {
+        log({
+          kind: 'kakao-renewal-tick-reauth-required',
+          containerName: input.containerName,
+          accountId: result.account_id,
+          reason: result.reason,
+          message: result.message,
+        })
+      } else {
+        log({
+          kind: 'kakao-renewal-tick-transient-failure',
+          containerName: input.containerName,
+          accountId: result.account_id,
+          reason: result.reason,
+        })
+      }
+    } catch (err) {
+      // Defensive: renewCurrentAccount's contract is to return a structured
+      // result, but a malformed secrets.json or a disk error could surface
+      // here. Log and move on — the next tick retries.
+      log({
+        kind: 'kakao-renewal-tick-error',
+        containerName: input.containerName,
+        error: err instanceof Error ? err.message : String(err),
+      })
+    }
+  }
+
+  // Single-flight per container: dedupe overlapping ticks, but if a new
+  // tick request arrives while one is in flight, queue ONE rerun so the new
+  // registration's cwd (or a manual nudge) gets a chance after the in-flight
+  // settles. The Promise stored in inFlight resolves only after any queued
+  // rerun also completes, so stop()/drain() awaiting inFlight is enough to
+  // observe a quiescent manager.
+  const scheduleTick = (containerName: string): Promise<void> => {
+    const existing = inFlight.get(containerName)
+    if (existing) {
+      pendingRerun.add(containerName)
+      return existing
+    }
+    const promise = (async () => {
+      // Loop until no rerun was queued during this tick, so the LAST input
+      // recorded for the container is the one we end on. This handles the
+      // re-register-while-in-flight + cwd-change case described in the
+      // pendingRerun comment above.
+      while (true) {
+        const input = latestInput.get(containerName)
+        if (!input) return
+        await runTick(input)
+        if (!pendingRerun.has(containerName)) return
+        pendingRerun.delete(containerName)
+      }
+    })().finally(() => {
+      inFlight.delete(containerName)
+      pendingRerun.delete(containerName)
+    })
+    inFlight.set(containerName, promise)
+    return promise
+  }
+
+  return {
+    start(input: KakaoRenewalStartInput): void {
+      if (opts.shouldRenew && !opts.shouldRenew(input)) return
+      const existing = timers.get(input.containerName)
+      if (existing) existing.stop()
+      latestInput.set(input.containerName, input)
+      const handle = schedule(() => {
+        void scheduleTick(input.containerName)
+      }, intervalMs)
+      timers.set(input.containerName, handle)
+      void scheduleTick(input.containerName)
+    },
+
+    async stop(containerName: string): Promise<void> {
+      const handle = timers.get(containerName)
+      if (handle) {
+        timers.delete(containerName)
+        handle.stop()
+      }
+      latestInput.delete(containerName)
+      // Await any in-flight tick before resolving so the caller can rely on
+      // "stop returned → no work outstanding". Daemon shutdown depends on
+      // this; without it, a mid-tick `attemptLogin` HTTPS call is abandoned.
+      const promise = inFlight.get(containerName)
+      if (promise) await promise.catch(() => {})
+    },
+
+    async drain(): Promise<void> {
+      for (const [, handle] of timers) handle.stop()
+      timers.clear()
+      latestInput.clear()
+      const promises = Array.from(inFlight.values())
+      await Promise.allSettled(promises)
+    },
+  }
+}

package/src/hostd/paths.ts

@@ -9,6 +9,7 @@ import { join } from 'node:path'
 const CONTAINER_HOST_RUN_DIR = '/run/typeclaw-host'
 const SOCKET_FILE = 'hostd.sock'
 const REGISTRATIONS_DIR = 'registrations'
+const KEYS_DIR = 'keys'
 
 // Defense-in-depth: containerName arrives from RPC payloads (some of which
 // originate inside the container). Docker already forbids slashes and most
@@ -51,6 +52,10 @@ export function registrationsDir(): string {
   return join(runDir(), REGISTRATIONS_DIR)
 }
 
+export function keysDir(): string {
+  return join(homeRoot(), KEYS_DIR)
+}
+
 // Throws on any name that could traverse out of registrationsDir() or
 // confuse the filesystem. Caller's responsibility to handle the error;
 // don't catch-and-ignore — an invalid name is a protocol violation.
@@ -76,7 +81,9 @@ export async function ensureDirs(): Promise<void> {
   await mkdir(runDir(), { recursive: true })
   await mkdir(logDir(), { recursive: true })
   await mkdir(registrationsDir(), { recursive: true })
+  await mkdir(keysDir(), { recursive: true })
   await chmod(runDir(), 0o700).catch(() => {})
   await chmod(logDir(), 0o700).catch(() => {})
   await chmod(registrationsDir(), 0o700).catch(() => {})
+  await chmod(keysDir(), 0o700).catch(() => {})
 }

package/src/init/dockerfile.ts

@@ -136,14 +136,38 @@ export const NETWORK_BLOCK_IPV6_NETS = ['fc00::/7', 'fe80::/10', 'ff00::/8', '::
 // Carve-out ordering is load-bearing. iptables OUTPUT is first-match-wins,
 // and we use -A (append). So the order written into the shim is the order
 // rules will be evaluated:
-//   1. loopback ACCEPT
-//   2. hostd port ACCEPT (narrow: tcp + single dport on the host gateway)
-//   3. resolver ACCEPT (narrow: udp/tcp dport 53 to each /etc/resolv.conf
+//   1. ESTABLISHED,RELATED ACCEPT (return path for any connection initiated
+//      from outside the container — see comment block below)
+//   2. loopback ACCEPT
+//   3. hostd port ACCEPT (narrow: tcp + single dport on the host gateway)
+//   4. resolver ACCEPT (narrow: udp/tcp dport 53 to each /etc/resolv.conf
 //      nameserver) — gated on TYPECLAW_NETWORK_AUTO_ALLOW_RESOLVERS=1
-//   4. user-supplied allowlist ACCEPT (wholesale: -d <cidr>) — driven by
+//   5. user-supplied allowlist ACCEPT (wholesale: -d <cidr>) — driven by
 //      TYPECLAW_NETWORK_ALLOW comma-separated env
-//   5. RFC1918 + link-local + CGNAT + multicast + reserved REJECTs
-// A resolver at 10.0.0.2 hits (3) and ACCEPTs before (5) DROPs it.
+//   6. RFC1918 + link-local + CGNAT + multicast + reserved REJECTs
+// A resolver at 10.0.0.2 hits (4) and ACCEPTs before (6) DROPs it.
+//
+// Rule 1 (conntrack ESTABLISHED,RELATED) is what makes Docker port-forward
+// reply traffic survive the RFC1918 REJECT. On Docker Desktop and OrbStack
+// the bridge gateway is in 192.168.0.0/16 (OrbStack: 192.168.215.1 or
+// 192.168.139.1; Docker Desktop: 192.168.65.1). A host -> container request
+// via `docker run -p 127.0.0.1:HOST:CONTAINER` arrives at the container
+// from the bridge gateway IP. Without rule 1, the reply packets would
+// match rule 6 (192.168.0.0/16 REJECT) and never reach the host — TCP
+// handshake completes (kernel SYN/ACK is in INPUT, not OUTPUT), the
+// request body is delivered, but the agent's HTTP response is dropped at
+// OUTPUT. Symptom: `curl http://127.0.0.1:HOST` connects but receives
+// zero bytes and times out. Stateful inversion via conntrack is the
+// canonical fix: ESTABLISHED matches packets belonging to a connection
+// the kernel already tracks (including the inbound port-forward), and
+// RELATED covers ICMP error packets for those connections. No new
+// outbound capability is granted — a compromised agent still cannot
+// initiate connections to RFC1918, only respond to inbound ones.
+//
+// Requires the `xt_conntrack` kernel module (universal on Linux 2.6.20+
+// and on every Docker/OrbStack VM kernel) and the userspace iptables
+// `conntrack` match (shipped in the `iptables` Debian package on trixie
+// alongside the binary itself; no extra apt install needed).
 //
 // The resolver carve-out reads /etc/resolv.conf inside the container, NOT
 // on the host. Docker propagates the host's resolver into the container by
@@ -186,6 +210,7 @@ if [ "\${TYPECLAW_NETWORK_BLOCK_INTERNAL:-0}" != "1" ]; then
   exec bun run typeclaw "$@"
 fi
 
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
 # Hostd HTTP control carve-out: narrow ACCEPT, scoped to one TCP port on
@@ -222,6 +247,7 @@ if [ -n "\${TYPECLAW_NETWORK_ALLOW:-}" ]; then
 fi
 ${ipv4Rules.join('\n')}
 
+ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT
 ${ipv6Rules.join('\n')}