wyrm-mcp 7.2.0 → 7.2.2

package/dist/render.js

@@ -1,280 +1,4 @@
-/**
- * The single dual-emit renderer (v7 F3, T019 — spec FR-3).
- *
- * MCP responses ride two channels: `content[0].text` (the text wire every
- * 6.x client reads) and `structuredContent` (the machine wire, MCP
- * 2025-06-18). Before T019 each surface hand-built both and kept them in
- * sync by discipline — the WYRM_BUSY body (sqlite-busy.ts, T011) and the
- * failure_check verdict (T014) were the precedents. This module makes drift
- * IMPOSSIBLE BY CONSTRUCTION: the structured body is the ONLY input, and the
- * text is DERIVED from it by a pure template `(body, glyphs) => string` that
- * sees nothing else — there is no second source of truth to drift.
- *
- * Glyph policy (spec FR-3): plain ASCII by default — fleet subagents, CI
- * logs, and pipe consumers must never need a Nerd Font — with the Ghost
- * Protocol brand glyphs opt-in behind WYRM_FANCY=1. Toggling WYRM_FANCY
- * changes ONLY the text channel; `structuredContent` is byte-identical in
- * both modes (locked by tests/render-contract.test.ts).
- *
- * Rollout (spec FR-3, version-pinned): ToolSpec-resident domains render
- * through here from T019 on (goals first); switch-resident tools keep their
- * 6.x prose verbatim until their domain extracts (T026 hot paths, T036 full
- * drain) — the renderer is the path forward, not a big-bang rewrite.
- *
- * Article III: zero LLM, zero network, zero clock — rendering is a pure
- * function of the body and the WYRM_FANCY env read.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- */
-import { ICON } from './icons.js';
-// ── Glyph sets ──────────────────────────────────────────────────────────────
-/** True when the operator opted into brand glyphs (WYRM_FANCY=1|true). Read
- * per render call (not cached at module load) so one long-lived server obeys
- * a harness-provided env and tests can toggle it deterministically. */
-export function isFancy() {
-    const v = process.env.WYRM_FANCY;
-    return v === '1' || v === 'true';
-}
-/** Plain ASCII (the default): decoration collapses to nothing, the prose
- * carries the semantics, lists keep a '-' bullet. */
-const ASCII_GLYPHS = {
-    brand: '',
-    ok: '',
-    fail: '',
-    warn: '',
-    paused: '',
-    resumed: '',
-    bullet: '-',
-    point: '>',
-};
-/** WYRM_FANCY=1 — the curated icons.ts vocabulary (ICON.brand honours the
- * WYRM_BRAND override; the pause/resume marks predate icons.ts and are kept
- * for 6.x visual continuity). */
-const FANCY_GLYPHS = {
-    brand: ICON.brand,
-    ok: ICON.ok,
-    fail: ICON.blocked,
-    warn: ICON.failure,
-    paused: '⏸', // ⏸
-    resumed: '▶', // ▶
-    bullet: ICON.bullet,
-    point: ICON.point,
-};
-/** The active glyph set for this render call. */
-export function glyphs() {
-    return isFancy() ? FANCY_GLYPHS : ASCII_GLYPHS;
-}
-/** Prefix `text` with a glyph — or return it untouched when the glyph is
- * empty (ASCII mode), so default output never carries stray separators. */
-export function withGlyph(glyph, text) {
-    return glyph ? `${glyph} ${text}` : text;
-}
-// ── Text-wire control-char floor (F3 security pass #1) ─────────────────────
-/** C0 control chars (minus \n 0x0a and \t 0x09) + DEL. ESC (0x1b) is the ANSI
- * introducer; CR/backspace enable line-spoofing in terminal consumers. */
-const TEXT_WIRE_CONTROLS = /[\x00-\x08\x0b-\x1f\x7f]/g;
-/**
- * Strip terminal-control characters from a derived text channel (security
- * pass #1, confirmed finding): boundary strings validated only for LENGTH
- * (asString — e.g. wyrm_run's `role`/`orchestrator`, stored prime sections)
- * may legally carry ESC/CR/backspace, and templates interpolate them raw.
- * `content[0].text` feeds terminals (wyrm watch, CLI, CI logs), so injected
- * ANSI could spoof those consumers. This is the ONE chokepoint every template
- * render passes through — the by-construction guarantee stays a renderer
- * property, not per-handler discipline. \n and \t survive (templates are
- * multi-line); `structuredContent` is untouched (the machine wire JSON-escapes
- * C0 on serialization, so it was never exposed).
- */
-export function stripWireControls(text) {
-    return text.replace(TEXT_WIRE_CONTROLS, '');
-}
-export function channelPolicy() {
-    const v = process.env.WYRM_CHANNEL;
-    return v === 'text' || v === 'structured' ? v : 'both';
-}
-/**
- * The READ_ONLY_TOOLS read-cache key for a resolved (name, args) call.
- *
- * The cached value is a FULLY-RENDERED response whose channel shape
- * (content[0].text vs structuredContent presence) depends on channelPolicy()
- * — read per render call by design (see the channelPolicy header). The cache
- * must therefore be partitioned by that policy: otherwise a policy change
- * mid-process serves a stale-channel cache-hit until the entry expires (up to
- * its TTL), silently overriding the renderer's per-call freshness for every
- * READ_ONLY tool (wyrm_search, wyrm_session_prime, wyrm_context_build, ...).
- * In normal production WYRM_CHANNEL is process-static so the prefix is constant
- * (zero behavior change); the partition only matters when a harness/test
- * toggles the policy at runtime — exactly what the renderer was built to honour.
- *
- * Single source of truth for the key convention documented in handlers/types.ts
- * (ResponseCache): the dispatcher read+write path and every handler-side
- * cache.set MUST build keys through this so a publish and its later hit collide.
- */
-export function cacheKeyFor(name, argsStr) {
-    return `${channelPolicy()}:${name}:${argsStr}`;
-}
-/** The pointer appended to a collapsed text channel in 'structured' mode, so a
- * text-reading consumer that DID end up on a structured-only payload is told
- * where the body went rather than seeing a bare summary line. */
-const STRUCTURED_POINTER = '\n\n_(full body in structuredContent)_';
-/** First non-empty line of a rendered text block — the implicit summary used
- * when a template declares no explicit `summary`. */
-function firstLine(text) {
-    const nl = text.indexOf('\n');
-    return nl === -1 ? text : text.slice(0, nl);
-}
-/**
- * THE dual-emit constructor for success responses: `structuredContent` is the
- * canonical body; `content[0].text` is derived from it — by the template when
- * the tool has prose, else the deterministic 2-space JSON serialization (the
- * sqlite-busy.ts precedent). Nothing else may write both channels.
- *
- * The WYRM_CHANNEL policy (see ChannelPolicy) decides which channel(s) ride
- * the wire. 'both' (default) reproduces the base @7.0.0 bytes exactly.
- */
-export function renderResult(body, template, opts) {
-    // Template path: sanitize at THE chokepoint (stripWireControls above) so no
-    // boundary string can ride ANSI/C0 controls onto the terminal-facing text
-    // wire. The JSON path needs none: JSON.stringify escapes C0 to \uXXXX.
-    const fullText = template ? stripWireControls(template(body, glyphs())) : JSON.stringify(body, null, 2);
-    const policy = channelPolicy();
-    if (policy === 'structured' && !opts?.exemptStructured) {
-        // Collapse the text channel to a summary line + pointer; the body (the
-        // canonical, information-complete payload) rides structuredContent
-        // unchanged. The summary is the marked `summary` derivation, else the
-        // template's first line, else the body JSON (no template ⇒ nothing to
-        // summarize, keep the deterministic serialization).
-        const summaryText = opts?.summary
-            ? stripWireControls(opts.summary(body, glyphs()))
-            : template
-                ? firstLine(fullText)
-                : fullText;
-        const collapsed = summaryText + STRUCTURED_POINTER;
-        // Never make the text channel LARGER: a one-line response (a join ack, a
-        // clean failure verdict) is already minimal, and summary+pointer would
-        // ADD bytes. Collapse only when it actually shrinks — so 'structured' is a
-        // monotone-no-worse text wire for every template.
-        const text = collapsed.length < fullText.length ? collapsed : fullText;
-        return {
-            content: [{ type: 'text', text }],
-            structuredContent: body,
-        };
-    }
-    if (policy === 'text') {
-        // Single text channel: the human-complete derivation. structuredContent is
-        // dropped — the consumer reads prose only. (No body channel means nothing
-        // to shrink, and no information is lost: the text already carried it all.)
-        return { content: [{ type: 'text', text: fullText }] };
-    }
-    // 'both' (default) — byte-identical to the base @7.0.0 wire.
-    return {
-        content: [{ type: 'text', text: fullText }],
-        structuredContent: body,
-    };
-}
-/**
- * Dual-emit constructor for `isError:true` responses: `content[0].text` is
- * the JSON serialization of the SAME body riding `structuredContent` —
- * text-parsing and structured clients see one truth. (Error bodies are JSON
- * on the text channel by design: their consumers are programs, and the 6.x
- * busy path already shipped these bytes.)
- */
-export function renderErrorResponse(body) {
-    // Error bodies are JSON on the text channel BY DESIGN (their consumers are
-    // programs; the 6.x busy path shipped these bytes), so 'structured' shrink
-    // does not apply — the text already IS the body and collapsing it would drop
-    // the machine-actionable {error,expected} contract. The only policy branch
-    // that touches errors is 'text', which drops the redundant structuredContent
-    // copy (the text channel carries the identical SEP-1303 envelope). 'both'
-    // (default) and 'structured' keep the base @7.0.0 dual-emit bytes.
-    if (channelPolicy() === 'text') {
-        return { content: [{ type: 'text', text: JSON.stringify(body, null, 2) }], isError: true };
-    }
-    return {
-        content: [{ type: 'text', text: JSON.stringify(body, null, 2) }],
-        isError: true,
-        structuredContent: body,
-    };
-}
-// ── SEP-1303 boundary-validation errors (v7 F3, T020) ──────────────────────
-/** Machine-readable code for boundary-validation rejections. Deliberately
- * distinct from WYRM_BUSY: a busy write is retryable AS-IS; a validation
- * failure is only "retryable" after the caller CORRECTS the named argument. */
-export const WYRM_VALIDATION_CODE = 'WYRM_VALIDATION';
-/**
- * Build the validation body. `detail` is ValidationError.message — already
- * `'<field>' <reason>` (validate.ts), so the message reads
- * `wyrm_x: 'field' must be one of: …`. Deterministic (Article III/VIII: no
- * clock, no model — same inputs, same bytes).
- */
-export function validationErrorBody(tool, field, detail) {
-    return {
-        error: {
-            code: WYRM_VALIDATION_CODE,
-            message: `${tool}: ${detail}`,
-            retryable: false,
-            field,
-        },
-        expected: `Correct the '${field}' argument — it ${detail.replace(`'${field}' `, '')} — and call ${tool} again. ` +
-            `This rejection is deterministic: the SAME arguments will fail the SAME way, so do not retry unchanged ` +
-            `(unlike WYRM_BUSY, which is retryable as-is). Validators run at the argument-binding seam ` +
-            `(validate.ts) before the handler's write path, so re-calling with corrected arguments is safe. ` +
-            `The tool's inputSchema documents the accepted values.`,
-    };
-}
-/** The full dual-emit MCP response for a boundary-validation rejection —
- * `isError:true`, text = JSON of the SAME body riding structuredContent. */
-export function validationErrorResponse(tool, field, detail) {
-    return renderErrorResponse(validationErrorBody(tool, field, detail));
-}
-// ── outputSchema contract checking ──────────────────────────────────────────
-/**
- * Minimal hand-rolled JSON-Schema subset validator (the repo deliberately
- * carries no ajv/zod for core ops — Article III keeps the core dependency-
- * light). Covers exactly the constructs our outputSchemas use: `type` (incl.
- * `["x","null"]` unions), `properties`, `required`, `items`, `enum`,
- * `minimum`/`maximum`. Returns a list of human-readable violations (empty =
- * conforms). Used by the T019 contract tests to validate every ToolSpec-
- * routed response against its declared outputSchema; lifted here from
- * tests/toolspec-registry.test.ts so there is ONE validator to keep honest.
- */
-export function validateAgainstSchema(value, schema, path = '$') {
-    const errors = [];
-    const types = Array.isArray(schema.type) ? schema.type : schema.type ? [schema.type] : [];
-    const jsType = (v) => v === null ? 'null'
-        : Array.isArray(v) ? 'array'
-            : typeof v === 'number' ? (Number.isInteger(v) ? 'integer' : 'number')
-                : typeof v;
-    if (types.length > 0) {
-        const actual = jsType(value);
-        const ok = types.some((t) => t === actual || (t === 'number' && actual === 'integer'));
-        if (!ok)
-            errors.push(`${path}: expected ${types.join('|')}, got ${actual}`);
-    }
-    if (schema.enum && !schema.enum.includes(value)) {
-        errors.push(`${path}: ${JSON.stringify(value)} not in enum`);
-    }
-    if (typeof value === 'number') {
-        if (typeof schema.minimum === 'number' && value < schema.minimum)
-            errors.push(`${path}: < minimum`);
-        if (typeof schema.maximum === 'number' && value > schema.maximum)
-            errors.push(`${path}: > maximum`);
-    }
-    if (value && typeof value === 'object' && !Array.isArray(value) && schema.properties) {
-        const props = schema.properties;
-        for (const req of schema.required ?? []) {
-            if (!(req in value))
-                errors.push(`${path}: missing required '${req}'`);
-        }
-        for (const [k, v] of Object.entries(value)) {
-            if (props[k])
-                errors.push(...validateAgainstSchema(v, props[k], `${path}.${k}`));
-        }
-    }
-    if (Array.isArray(value) && schema.items) {
-        value.forEach((v, i) => errors.push(...validateAgainstSchema(v, schema.items, `${path}[${i}]`)));
-    }
-    return errors;
-}
-//# sourceMappingURL=render.js.map
+import{ICON as u}from"./icons.js";function a(){const t=process.env.WYRM_FANCY;return t==="1"||t==="true"}const x={brand:"",ok:"",fail:"",warn:"",paused:"",resumed:"",bullet:"-",point:">"},d={brand:u.brand,ok:u.ok,fail:u.blocked,warn:u.failure,paused:"\u23F8",resumed:"\u25B6",bullet:u.bullet,point:u.point};function l(){return a()?d:x}function N(t,r){return t?`${t} ${r}`:r}const $=/[\x00-\x08\x0b-\x1f\x7f]/g;function m(t){return t.replace($,"")}function p(){const t=process.env.WYRM_CHANNEL;return t==="text"||t==="structured"?t:"both"}function T(t,r){return`${p()}:${t}:${r}`}const g=`
+
+_(full body in structuredContent)_`;function A(t){const r=t.indexOf(`
+`);return r===-1?t:t.slice(0,r)}function O(t,r,n){const o=r?m(r(t,l())):JSON.stringify(t,null,2),s=p();if(s==="structured"&&!n?.exemptStructured){const e=(n?.summary?m(n.summary(t,l())):r?A(o):o)+g;return{content:[{type:"text",text:e.length<o.length?e:o}],structuredContent:t}}return s==="text"?{content:[{type:"text",text:o}]}:{content:[{type:"text",text:o}],structuredContent:t}}function b(t){return p()==="text"?{content:[{type:"text",text:JSON.stringify(t,null,2)}],isError:!0}:{content:[{type:"text",text:JSON.stringify(t,null,2)}],isError:!0,structuredContent:t}}const S="WYRM_VALIDATION";function C(t,r,n){return{error:{code:S,message:`${t}: ${n}`,retryable:!1,field:r},expected:`Correct the '${r}' argument \u2014 it ${n.replace(`'${r}' `,"")} \u2014 and call ${t} again. This rejection is deterministic: the SAME arguments will fail the SAME way, so do not retry unchanged (unlike WYRM_BUSY, which is retryable as-is). Validators run at the argument-binding seam (validate.ts) before the handler's write path, so re-calling with corrected arguments is safe. The tool's inputSchema documents the accepted values.`}}function R(t,r,n){return b(C(t,r,n))}function y(t,r,n="$"){const o=[],s=Array.isArray(r.type)?r.type:r.type?[r.type]:[],f=e=>e===null?"null":Array.isArray(e)?"array":typeof e=="number"?Number.isInteger(e)?"integer":"number":typeof e;if(s.length>0){const e=f(t);s.some(c=>c===e||c==="number"&&e==="integer")||o.push(`${n}: expected ${s.join("|")}, got ${e}`)}if(r.enum&&!r.enum.includes(t)&&o.push(`${n}: ${JSON.stringify(t)} not in enum`),typeof t=="number"&&(typeof r.minimum=="number"&&t<r.minimum&&o.push(`${n}: < minimum`),typeof r.maximum=="number"&&t>r.maximum&&o.push(`${n}: > maximum`)),t&&typeof t=="object"&&!Array.isArray(t)&&r.properties){const e=r.properties;for(const i of r.required??[])i in t||o.push(`${n}: missing required '${i}'`);for(const[i,c]of Object.entries(t))e[i]&&o.push(...y(c,e[i],`${n}.${i}`))}return Array.isArray(t)&&r.items&&t.forEach((e,i)=>o.push(...y(e,r.items,`${n}[${i}]`))),o}export{S as WYRM_VALIDATION_CODE,T as cacheKeyFor,p as channelPolicy,l as glyphs,a as isFancy,b as renderErrorResponse,O as renderResult,m as stripWireControls,y as validateAgainstSchema,C as validationErrorBody,R as validationErrorResponse,N as withGlyph};

package/dist/repl-guard.js

@@ -1,173 +1 @@
-/**
- * Live Memory v6.4 — replication egress guard.
- *
- * The replication client makes OUTBOUND HTTP requests to a caller/registry-supplied
- * peer URL, with a bearer token attached. Left unguarded that's an SSRF + credential
- * exfiltration primitive (point it at cloud metadata / localhost / an attacker host).
- * This module is the chokepoint every outbound replication request goes through:
- *
- *  - scheme allowlist (http/https only),
- *  - block loopback / link-local / private / metadata hosts (unless
- *    WYRM_REPL_ALLOW_PRIVATE=1, which is needed for same-host two-node testing),
- *  - `redirect: 'manual'` so a peer can't 3xx the token to another origin,
- *  - a hard request timeout (a hung peer must not wedge the daemon),
- *  - a byte-bounded body read (a hostile peer can't OOM us with a huge response).
- *
- * Residual: DNS-rebinding (host resolves to a public IP at check time, a private one
- * at connect time) is NOT fully closed — fetch doesn't expose connect-time IP. The
- * literal-host checks below cover the realistic SSRF targets for an operator-driven
- * tool; treat cross-trust peers accordingly.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- */
-import { isIP } from 'node:net';
-export const PEER_FETCH_TIMEOUT_MS = 15_000;
-export const MAX_PEER_RESPONSE_BYTES = 4 * 1024 * 1024; // 4 MB — matches the 500-event push batch
-/** Is this hostname/IP literal a loopback / link-local / private / metadata target? */
-export function isBlockedHost(hostname) {
-    // strip IPv6 brackets + a trailing FQDN-root dot ("localhost." resolves to loopback)
-    const h = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
-    if (!h || h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.local') || h.endsWith('.internal'))
-        return true;
-    const kind = isIP(h);
-    if (kind === 4) {
-        const o = h.split('.').map(Number);
-        if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255))
-            return true; // malformed → block
-        if (o[0] === 127)
-            return true; // 127.0.0.0/8 loopback
-        if (o[0] === 10)
-            return true; // 10.0.0.0/8
-        if (o[0] === 0)
-            return true; // 0.0.0.0/8
-        if (o[0] === 169 && o[1] === 254)
-            return true; // 169.254.0.0/16 link-local + metadata
-        if (o[0] === 172 && o[1] >= 16 && o[1] <= 31)
-            return true; // 172.16.0.0/12
-        if (o[0] === 192 && o[1] === 168)
-            return true; // 192.168.0.0/16
-        if (o[0] === 100 && o[1] >= 64 && o[1] <= 127)
-            return true; // 100.64.0.0/10 CGNAT
-        return false;
-    }
-    if (kind === 6) {
-        if (h === '::1' || h === '::')
-            return true; // loopback / unspecified
-        if (h.startsWith('fe80') || h.startsWith('fe9') || h.startsWith('fea') || h.startsWith('feb'))
-            return true; // fe80::/10 link-local
-        if (h.startsWith('fc') || h.startsWith('fd'))
-            return true; // fc00::/7 ULA
-        // IPv4-mapped (::ffff:a.b.c.d). WHATWG URL normalizes this to the HEX form
-        // (::ffff:7f00:1), so handle BOTH the dotted tail and the two-hex-group tail —
-        // otherwise http://[::ffff:127.0.0.1]/ slips through to loopback.
-        if (h.startsWith('::ffff:')) {
-            const tail = h.slice('::ffff:'.length);
-            if (isIP(tail) === 4)
-                return isBlockedHost(tail);
-            const m = tail.match(/^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
-            if (m) {
-                const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
-                return isBlockedHost(`${(hi >> 8) & 255}.${hi & 255}.${(lo >> 8) & 255}.${lo & 255}`);
-            }
-            return true; // unrecognized ::ffff: form → block to be safe
-        }
-        if (h.startsWith('64:ff9b:'))
-            return true; // NAT64 well-known prefix (can embed private IPv4)
-        return false;
-    }
-    return false; // a non-IP hostname (public DNS name) — allowed
-}
-/** Validate a peer base URL for outbound replication. Returns the parsed URL or a reason. */
-export function checkPeerUrl(baseUrl) {
-    let url;
-    try {
-        url = new URL(baseUrl);
-    }
-    catch {
-        return { ok: false, reason: 'invalid URL' };
-    }
-    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
-        return { ok: false, reason: `scheme ${url.protocol} not allowed (http/https only)` };
-    }
-    const allowPrivate = process.env.WYRM_REPL_ALLOW_PRIVATE === '1';
-    if (!allowPrivate && isBlockedHost(url.hostname)) {
-        return { ok: false, reason: `host ${url.hostname} is loopback/private/link-local (set WYRM_REPL_ALLOW_PRIVATE=1 for same-host/LAN peers)` };
-    }
-    return { ok: true, url };
-}
-/**
- * Is a peer token env-var name allowed? Must be `WYRM_`-prefixed — this stops a
- * (possibly attacker-supplied) registry entry from pointing `tokenEnv` at an
- * arbitrary process secret like `OPENAI_API_KEY` / `AWS_SECRET_ACCESS_KEY` and
- * exfiltrating it to a peer. Set WYRM_REPL_ALLOW_ANY_TOKEN_ENV=1 to override.
- */
-export function isValidTokenEnvName(name) {
-    if (process.env.WYRM_REPL_ALLOW_ANY_TOKEN_ENV === '1')
-        return /^[A-Z][A-Z0-9_]{0,63}$/.test(name);
-    return /^WYRM_[A-Z0-9_]{1,58}$/.test(name);
-}
-/**
- * Fetch a peer endpoint with the egress guard applied: validated URL, hard timeout,
- * no redirect following, and a byte-bounded body. Returns the parsed JSON (object).
- * Throws on any violation — callers are failure-isolated and treat throw as "skip".
- */
-export async function guardedFetchJson(fetchImpl, baseUrl, path, init = {}, maxBytes = MAX_PEER_RESPONSE_BYTES, timeoutMs = PEER_FETCH_TIMEOUT_MS) {
-    const check = checkPeerUrl(baseUrl);
-    if (!check.ok)
-        throw new Error(`peer URL rejected: ${check.reason}`);
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), timeoutMs);
-    try {
-        const res = await fetchImpl(`${baseUrl}${path}`, {
-            ...init,
-            redirect: 'manual', // never follow a 3xx — it could leak the token cross-origin
-            signal: controller.signal,
-        });
-        if (res.status >= 300 && res.status < 400)
-            throw new Error(`peer redirected (${res.status}) — refused`);
-        if (!res.ok)
-            throw new Error(`peer HTTP ${res.status}`);
-        const declared = Number(res.headers?.get?.('content-length') ?? '');
-        if (Number.isFinite(declared) && declared > maxBytes)
-            throw new Error('peer response too large (content-length)');
-        // Real fetch: byte-bounded stream read. Test fakes / bodyless responses: fall back to json()/text().
-        if (typeof res.body?.getReader === 'function') {
-            const text = await readBounded(res, maxBytes);
-            return text ? JSON.parse(text) : {};
-        }
-        if (typeof res.json === 'function')
-            return await res.json();
-        const t = typeof res.text === 'function' ? await res.text() : '';
-        return t ? JSON.parse(t) : {};
-    }
-    finally {
-        clearTimeout(timer);
-    }
-}
-/** Read a fetch Response body, aborting if it exceeds maxBytes (defeats a no-content-length OOM). */
-async function readBounded(res, maxBytes) {
-    const reader = res.body?.getReader?.();
-    if (!reader)
-        return typeof res.text === 'function' ? res.text() : '';
-    let total = 0;
-    const chunks = [];
-    for (;;) {
-        const { done, value } = await reader.read();
-        if (done)
-            break;
-        if (value) {
-            total += value.length;
-            if (total > maxBytes) {
-                try {
-                    await reader.cancel();
-                }
-                catch { /* */ }
-                throw new Error('peer response too large');
-            }
-            chunks.push(value);
-        }
-    }
-    return Buffer.concat(chunks).toString('utf8');
-}
-//# sourceMappingURL=repl-guard.js.map
+import{isIP as p}from"node:net";const w=15e3,E=4*1024*1024;function f(o){const t=o.toLowerCase().replace(/^\[|\]$/g,"").replace(/\.$/,"");if(!t||t==="localhost"||t.endsWith(".localhost")||t.endsWith(".local")||t.endsWith(".internal"))return!0;const s=p(t);if(s===4){const e=t.split(".").map(Number);return!!(e.length!==4||e.some(r=>!Number.isInteger(r)||r<0||r>255)||e[0]===127||e[0]===10||e[0]===0||e[0]===169&&e[1]===254||e[0]===172&&e[1]>=16&&e[1]<=31||e[0]===192&&e[1]===168||e[0]===100&&e[1]>=64&&e[1]<=127)}if(s===6){if(t==="::1"||t==="::"||t.startsWith("fe80")||t.startsWith("fe9")||t.startsWith("fea")||t.startsWith("feb")||t.startsWith("fc")||t.startsWith("fd"))return!0;if(t.startsWith("::ffff:")){const e=t.slice(7);if(p(e)===4)return f(e);const r=e.match(/^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);if(r){const i=parseInt(r[1],16),a=parseInt(r[2],16);return f(`${i>>8&255}.${i&255}.${a>>8&255}.${a&255}`)}return!0}return!!t.startsWith("64:ff9b:")}return!1}function _(o){let t;try{t=new URL(o)}catch{return{ok:!1,reason:"invalid URL"}}return t.protocol!=="http:"&&t.protocol!=="https:"?{ok:!1,reason:`scheme ${t.protocol} not allowed (http/https only)`}:!(process.env.WYRM_REPL_ALLOW_PRIVATE==="1")&&f(t.hostname)?{ok:!1,reason:`host ${t.hostname} is loopback/private/link-local (set WYRM_REPL_ALLOW_PRIVATE=1 for same-host/LAN peers)`}:{ok:!0,url:t}}function R(o){return process.env.WYRM_REPL_ALLOW_ANY_TOKEN_ENV==="1"?/^[A-Z][A-Z0-9_]{0,63}$/.test(o):/^WYRM_[A-Z0-9_]{1,58}$/.test(o)}async function g(o,t,s,e={},r=E,i=w){const a=_(t);if(!a.ok)throw new Error(`peer URL rejected: ${a.reason}`);const u=new AbortController,d=setTimeout(()=>u.abort(),i);try{const n=await o(`${t}${s}`,{...e,redirect:"manual",signal:u.signal});if(n.status>=300&&n.status<400)throw new Error(`peer redirected (${n.status}) \u2014 refused`);if(!n.ok)throw new Error(`peer HTTP ${n.status}`);const c=Number(n.headers?.get?.("content-length")??"");if(Number.isFinite(c)&&c>r)throw new Error("peer response too large (content-length)");if(typeof n.body?.getReader=="function"){const h=await W(n,r);return h?JSON.parse(h):{}}if(typeof n.json=="function")return await n.json();const l=typeof n.text=="function"?await n.text():"";return l?JSON.parse(l):{}}finally{clearTimeout(d)}}async function W(o,t){const s=o.body?.getReader?.();if(!s)return typeof o.text=="function"?o.text():"";let e=0;const r=[];for(;;){const{done:i,value:a}=await s.read();if(i)break;if(a){if(e+=a.length,e>t){try{await s.cancel()}catch{}throw new Error("peer response too large")}r.push(a)}}return Buffer.concat(r).toString("utf8")}export{E as MAX_PEER_RESPONSE_BYTES,w as PEER_FETCH_TIMEOUT_MS,_ as checkPeerUrl,g as guardedFetchJson,f as isBlockedHost,R as isValidTokenEnvName};

package/dist/replication-daemon-entrypoint.js

@@ -1,31 +1 @@
-/**
- * Wyrm Live Memory — replication daemon entrypoint.
- *
- * Spawned detached by `ReplicationManager.start()`. Opens the same DB the MCP
- * server uses (`WYRM_DB_PATH` or `~/.wyrm/wyrm.db`) and runs the sync loop until
- * SIGTERM/SIGINT. Not meant to be invoked directly — go through the
- * `wyrm_replication` MCP tool, which manages the PID file.
- *
- * argv[2] = interval_ms
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- */
-import { WyrmDB } from './database.js';
-import { ReplicationDaemon, DEFAULT_INTERVAL_MS } from './replication-daemon.js';
-async function main() {
-    const intervalMs = Number(process.argv[2]) || DEFAULT_INTERVAL_MS;
-    const db = new WyrmDB(process.env.WYRM_DB_PATH);
-    if (!db.liveMemoryEnabled()) {
-        console.error('[replication-entrypoint] WYRM_LIVE_MEMORY is off — refusing to start');
-        process.exit(2);
-    }
-    const daemon = new ReplicationDaemon(db, intervalMs);
-    console.log(`[replication] started · interval=${intervalMs}ms · db=${process.env.WYRM_DB_PATH || '~/.wyrm/wyrm.db'}`);
-    await daemon.run();
-}
-main().catch((e) => {
-    console.error('[replication-entrypoint] fatal:', e);
-    process.exit(1);
-});
-//# sourceMappingURL=replication-daemon-entrypoint.js.map
+import{WyrmDB as n}from"./database.js";import{ReplicationDaemon as t,DEFAULT_INTERVAL_MS as i}from"./replication-daemon.js";async function s(){const o=Number(process.argv[2])||i,e=new n(process.env.WYRM_DB_PATH);e.liveMemoryEnabled()||(console.error("[replication-entrypoint] WYRM_LIVE_MEMORY is off \u2014 refusing to start"),process.exit(2));const r=new t(e,o);console.log(`[replication] started \xB7 interval=${o}ms \xB7 db=${process.env.WYRM_DB_PATH||"~/.wyrm/wyrm.db"}`),await r.run()}s().catch(o=>{console.error("[replication-entrypoint] fatal:",o),process.exit(1)});