wuphf 0.34.3 → 0.35.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wuphf",
-  "version": "0.34.3",
+  "version": "0.35.1",
   "description": "Open source Slack for AI agents. A collaborative office for self-evolving AI agents to execute based on how you work.",
   "bin": {
     "wuphf": "bin/wuphf.js"

package/scripts/download-binary.js

@@ -4,14 +4,42 @@
 // from the corresponding GitHub release and extracts it into bin/.
 // GoReleaser archive name: wuphf_<version>_<os>_<arch>.tar.gz
 // where <version> is the tag without the leading 'v'.
+//
+// ---------------------------------------------------------------------------
+// Integrity verification contract
+// ---------------------------------------------------------------------------
+// Every download is verified against the `checksums.txt` file published as a
+// sibling asset on the same GitHub release. That file is produced by
+// `goreleaser release` (see `.goreleaser.yml` `checksum.name_template`) and
+// contains one line per archive in the format:
+//
+//     <sha256-hex>  <archive-filename>
+//
+// Verification flow:
+//   1. Download the per-platform archive (wuphf_<ver>_<os>_<arch>.tar.gz).
+//   2. Download checksums.txt from the same release.
+//   3. Compute SHA256 of the downloaded archive locally.
+//   4. Compare against the hash listed for that archive in checksums.txt.
+//   5. If they differ, or checksums.txt is unreachable, or the archive is not
+//      listed in it: delete the archive and abort with a non-zero exit.
+//
+// This guards against release-asset tampering: even if a compromised release
+// token replaces the tarball, the mismatch causes `npm install wuphf` to fail
+// loudly rather than silently install a backdoored binary.
+//
+// To regenerate checksums.txt, run `goreleaser release` (or `goreleaser
+// release --snapshot` for a dry run). Never hand-edit the published file.
+// ---------------------------------------------------------------------------
 
 const fs = require("node:fs");
 const fsp = require("node:fs/promises");
 const path = require("node:path");
 const os = require("node:os");
+const crypto = require("node:crypto");
 const { execFileSync } = require("node:child_process");
 
 const REPO = "nex-crm/wuphf";
+const CHECKSUMS_FILENAME = "checksums.txt";
 
 function detectPlatform() {
   const platform = process.platform;
@@ -40,10 +68,13 @@ function packageVersion() {
   return pkg.version;
 }
 
-function archiveUrl(version) {
+function archiveName(version) {
   const { os: goOs, arch: goArch } = detectPlatform();
-  const archive = `wuphf_${version}_${goOs}_${goArch}.tar.gz`;
-  return `https://github.com/${REPO}/releases/download/v${version}/${archive}`;
+  return `wuphf_${version}_${goOs}_${goArch}.tar.gz`;
+}
+
+function releaseAssetUrl(version, filename) {
+  return `https://github.com/${REPO}/releases/download/v${version}/${filename}`;
 }
 
 async function fetchToFile(url, dest) {
@@ -55,16 +86,93 @@ async function fetchToFile(url, dest) {
   await fsp.writeFile(dest, buf);
 }
 
+async function fetchText(url) {
+  const res = await fetch(url, { redirect: "follow" });
+  if (!res.ok) {
+    throw new Error(`Download failed: ${res.status} ${res.statusText} (${url})`);
+  }
+  return res.text();
+}
+
+async function sha256OfFile(filePath) {
+  const hash = crypto.createHash("sha256");
+  const stream = fs.createReadStream(filePath);
+  for await (const chunk of stream) {
+    hash.update(chunk);
+  }
+  return hash.digest("hex");
+}
+
+// Parse a GoReleaser-style checksums.txt.
+// Each non-empty line is:  <sha256hex><whitespace><filename>
+// We look up the filename (basename) and return the hex hash, or null.
+function expectedHashFor(checksumsText, filename) {
+  const lines = checksumsText.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    // Split on first whitespace run. GoReleaser uses two spaces; be lenient.
+    const match = trimmed.match(/^([0-9a-fA-F]{64})\s+(?:\*)?(.+)$/);
+    if (!match) continue;
+    const [, hex, name] = match;
+    // Match on basename to tolerate optional path prefixes.
+    if (path.basename(name) === filename) {
+      return hex.toLowerCase();
+    }
+  }
+  return null;
+}
+
+async function verifyArchive({ version, archivePath, archiveBasename, silent }) {
+  const checksumsUrl = releaseAssetUrl(version, CHECKSUMS_FILENAME);
+  if (!silent) {
+    process.stderr.write(`wuphf: verifying ${archiveBasename} against ${CHECKSUMS_FILENAME}\n`);
+  }
+
+  let checksumsText;
+  try {
+    checksumsText = await fetchText(checksumsUrl);
+  } catch (err) {
+    throw new Error(
+      `Cannot verify download integrity: failed to fetch ${CHECKSUMS_FILENAME} ` +
+        `(${err.message}). Refusing to install an unverified binary.`,
+    );
+  }
+
+  const expected = expectedHashFor(checksumsText, archiveBasename);
+  if (!expected) {
+    throw new Error(
+      `Cannot verify download integrity: ${archiveBasename} not listed in ` +
+        `${checksumsUrl}. Refusing to install an unverified binary.`,
+    );
+  }
+
+  const actual = await sha256OfFile(archivePath);
+  if (actual.toLowerCase() !== expected) {
+    // Scrub the tampered/corrupt archive before aborting.
+    await fsp.rm(archivePath, { force: true });
+    throw new Error(
+      `SHA256 mismatch for ${archiveBasename}.\n` +
+        `  expected: ${expected}\n` +
+        `  actual:   ${actual}\n` +
+        `Refusing to install. This may indicate a tampered release asset or ` +
+        `a corrupted download. Re-run the install on a clean network; if the ` +
+        `mismatch persists, file an issue at https://github.com/${REPO}/issues.`,
+    );
+  }
+}
+
 async function downloadBinary({ silent = false } = {}) {
   const version = packageVersion();
-  const url = archiveUrl(version);
+  const archiveBasename = archiveName(version);
+  const url = releaseAssetUrl(version, archiveBasename);
   const binDir = path.join(__dirname, "..", "bin");
   const binaryPath = path.join(binDir, "wuphf");
 
   await fsp.mkdir(binDir, { recursive: true });
 
   const tmpDir = await fsp.mkdtemp(path.join(os.tmpdir(), "wuphf-"));
-  const archivePath = path.join(tmpDir, "wuphf.tar.gz");
+  const archivePath = path.join(tmpDir, archiveBasename);
 
   try {
     if (!silent) {
@@ -72,6 +180,9 @@ async function downloadBinary({ silent = false } = {}) {
     }
     await fetchToFile(url, archivePath);
 
+    // Integrity check BEFORE we extract or execute anything.
+    await verifyArchive({ version, archivePath, archiveBasename, silent });
+
     // Extract using system tar (available on darwin + linux).
     execFileSync("tar", ["-xzf", archivePath, "-C", tmpDir], {
       stdio: silent ? "ignore" : "inherit",
@@ -99,4 +210,10 @@ async function downloadBinary({ silent = false } = {}) {
   }
 }
 
-module.exports = { downloadBinary, packageVersion };
+module.exports = {
+  downloadBinary,
+  packageVersion,
+  // Exported for tests.
+  expectedHashFor,
+  sha256OfFile,
+};

package/scripts/postinstall.js

@@ -1,19 +1,62 @@
 "use strict";
 
-// Best-effort: fetch the binary at install time. Failures are non-fatal —
-// the bin/wuphf.js shim will retry on first invocation. This keeps
-// `npm install` from failing behind flaky networks or corporate proxies.
+// Postinstall: fetch and cryptographically verify the wuphf binary.
+//
+// Security model: the download is verified against the SHA256 listed in the
+// release's checksums.txt. If the archive is tampered with, or the hash file
+// is unreachable, the install MUST fail — silently continuing would allow a
+// compromised release token to plant a backdoored binary on every machine
+// that runs `npm install wuphf`.
+//
+// Escape hatches (opt-in only):
+//   WUPHF_SKIP_POSTINSTALL=1
+//     Skip the download entirely. The bin/wuphf.js shim will attempt an
+//     (also-verified) download on first invocation. Use this for packaging
+//     builds, offline mirrors, or CI images that restore a prebuilt bin/.
+//
+//   WUPHF_POSTINSTALL_SOFT_FAIL=1
+//     Downgrade a *network* failure (e.g., GitHub unreachable behind a
+//     corporate proxy) from fatal to a warning. SHA256 mismatches are ALWAYS
+//     fatal and cannot be soft-failed — that path exists to catch tampering.
 
 const { downloadBinary } = require("./download-binary");
 
 if (process.env.WUPHF_SKIP_POSTINSTALL === "1") {
+  process.stderr.write(
+    "wuphf: postinstall skipped via WUPHF_SKIP_POSTINSTALL=1\n",
+  );
   process.exit(0);
 }
 
 downloadBinary().catch((err) => {
+  const message = err && err.message ? err.message : String(err);
+  const isIntegrityFailure =
+    message.includes("SHA256 mismatch") ||
+    message.includes("Cannot verify download integrity");
+
+  // Integrity failures are ALWAYS fatal. No soft-fail, no retry-on-first-run.
+  if (isIntegrityFailure) {
+    process.stderr.write(
+      `\nwuphf: SECURITY: ${message}\n` +
+        `wuphf: aborting install. No binary has been placed in bin/.\n\n`,
+    );
+    process.exit(1);
+  }
+
+  // Non-integrity failures (network, DNS, disk, unsupported platform).
+  if (process.env.WUPHF_POSTINSTALL_SOFT_FAIL === "1") {
+    process.stderr.write(
+      `wuphf: postinstall download failed (${message}).\n` +
+        `wuphf: continuing because WUPHF_POSTINSTALL_SOFT_FAIL=1 is set. ` +
+        `The binary will be fetched (and verified) on first run.\n`,
+    );
+    process.exit(0);
+  }
+
   process.stderr.write(
-    `wuphf: postinstall download failed (${err.message}). ` +
-      `The binary will be fetched on first run.\n`,
+    `\nwuphf: postinstall download failed: ${message}\n` +
+      `wuphf: set WUPHF_POSTINSTALL_SOFT_FAIL=1 to downgrade this to a ` +
+      `warning, or WUPHF_SKIP_POSTINSTALL=1 to skip the download entirely.\n\n`,
   );
-  process.exit(0);
+  process.exit(1);
 });