-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathipc-schemas.ts
More file actions
401 lines (380 loc) · 13.8 KB
/
Copy pathipc-schemas.ts
File metadata and controls
401 lines (380 loc) · 13.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
import { z } from 'zod'
import { AGENT_IDS, TERMINAL_APP_IDS } from '@/shared/constants'
import type { IpcInvokeChannel } from '@/shared/ipc-contract'
import {
INSTALLED_SEARCH_COUNT_DISPLAY_OPTIONS,
SettingsSchema,
WINDOW_BACKGROUND_BLUR_RADIUS_SCHEMA,
} from '@/shared/settings'
/**
* Zod schemas for runtime validation of IPC invoke arguments.
* Channels not listed here accept no args and skip validation.
* Keyed by IpcInvokeChannel to auto-match in typedHandle.
* @example
* IPC_ARG_SCHEMAS['files:read'] // z.tuple([z.string().min(1)])
*/
const nonEmptyString = z.string().min(1)
/**
* Absolute POSIX path validator for IPC channels that hand a path to
* `shell.openPath` / `spawn('open', …)`. The leading-slash refine catches
* relative paths early (a renderer bug or a tampered call) before they reach
* the OS — `shell.openPath('relative/path')` resolves against the main
* process's cwd, which is almost never what the user expects and may escape
* the agent / source dir entirely.
*
* Symlink-loop protection (ELOOP) and not-found handling live in the
* `folder.ts` handler — this is a syntactic guard only.
*
* @example
* absolutePathArg.parse('/Users/me/.agents/skills') // ok
* absolutePathArg.parse('relative/path') // throws ZodError
*/
const absolutePathArg = z
.string()
.min(1)
.refine((p) => p.startsWith('/'), {
message: 'Path must be absolute (start with /)',
})
/** Serializable lstat identity captured when a destructive row was reviewed. */
const filesystemEntryIdentitySchema = z.object({
kind: z.enum(['directory', 'symlink', 'file', 'other']),
dev: z.number().finite(),
ino: z.number().finite(),
size: z.number().finite(),
ctimeMs: z.number().finite(),
mtimeMs: z.number().finite(),
})
/**
* Skill name must not contain path separators (prevents `../` traversal) or
* null bytes (defense in depth: some libc wrappers truncate at `\0`, which
* could let `evil\0.good` pass a later string check while opening `evil`).
*/
const skillNameString = z
.string()
.min(1)
.regex(/^[^/\\]+$/, 'Skill name must not contain path separators')
.refine((s) => !s.includes('\0'), 'Skill name must not contain null bytes')
/**
* Tombstone id format: `<unix_ms>-<skillName>-<rand8hex>`.
* Regex blocks path separators in both skillName and rand8 segments so a
* crafted id cannot escape `TRASH_DIR` when joined.
* The trailing 8-hex group prevents same-ms entry collisions.
* @example "1729180800000-theme-generator-a1b2c3d4"
*/
export const tombstoneIdSchema = z
.string()
.regex(/^\d+-[^/\\]+-[a-f0-9]{8}$/, 'Invalid tombstone id format')
/** Recorded symlink entry that lived in an agent dir before delete. */
const symlinkRecordSchema = z.object({
agentId: nonEmptyString,
linkPath: nonEmptyString,
target: nonEmptyString,
})
/** Recorded local-copy entry — a real (non-symlink) skill folder under an agent dir. */
const localCopyRecordSchema = z.object({
agentId: nonEmptyString,
linkPath: nonEmptyString,
})
/**
* Legacy v1 manifest (no kind discriminator — always source-backed).
* Read-only path: never written by current code. Normalized to v2 source-backed
* via Zod transform so consumers see one shape regardless of on-disk version.
* Removable in a future major once the 24h startupCleanup TTL has flushed all
* pre-upgrade tombstones.
*/
const manifestV1Schema = z
.object({
schemaVersion: z.literal(1),
deletedAt: z.number().int().positive(),
skillName: skillNameString,
sourcePath: nonEmptyString,
symlinks: z.array(symlinkRecordSchema),
})
.transform((legacy) => ({
schemaVersion: 2 as const,
kind: 'source-backed' as const,
deletedAt: legacy.deletedAt,
skillName: legacy.skillName,
sourcePath: legacy.sourcePath,
symlinks: legacy.symlinks,
}))
/**
* v2 source-backed manifest — produced when `~/.agents/skills/<name>` is the
* authoritative source dir and agent entries are symlinks pointing at it.
*/
const manifestV2SourceBackedSchema = z.object({
schemaVersion: z.literal(2),
kind: z.literal('source-backed'),
deletedAt: z.number().int().positive(),
skillName: skillNameString,
sourcePath: nonEmptyString,
symlinks: z.array(symlinkRecordSchema),
})
/**
* v2 local-only manifest — produced when no source dir exists but one or more
* agent dirs hold a real (non-symlink) folder for the skill. Each agent folder
* is moved to `<entryDir>/local-copies/<agentId>/` and recorded here so
* `restore()` can put each copy back exactly where it came from.
*/
const manifestV2LocalOnlySchema = z.object({
schemaVersion: z.literal(2),
kind: z.literal('local-only'),
deletedAt: z.number().int().positive(),
skillName: skillNameString,
localCopies: z.array(localCopyRecordSchema).min(1),
})
/**
* Trash manifest schema written on every moveToTrash.
* Validated via Zod before `trashService.restore()` touches the filesystem
* — bad JSON or injected fields fail at the boundary, not via `JSON.parse` alone.
* Each `linkPath` is re-validated with `validatePath` against the agent's base
* directory before any fs op, so an attacker-crafted manifest still cannot point
* outside the agent's allowed base (defense in depth).
*
* Discriminated on `kind` after Zod parsing — v1 manifests are normalized to
* `{kind: 'source-backed', schemaVersion: 2}` so consumers don't branch on
* version separately from kind.
* @example
* // v2 source-backed
* {
* schemaVersion: 2,
* kind: 'source-backed',
* deletedAt: 1729180800000,
* skillName: 'theme-generator',
* sourcePath: '/Users/me/.agents/skills/theme-generator',
* symlinks: [{ agentId: 'cursor', linkPath: '/Users/me/.cursor/skills/theme-generator', target: '/Users/me/.agents/skills/theme-generator' }]
* }
* @example
* // v2 local-only
* {
* schemaVersion: 2,
* kind: 'local-only',
* deletedAt: 1729180800000,
* skillName: 'architecture-decision-records',
* localCopies: [{ agentId: 'claude', linkPath: '/Users/me/.claude/skills/architecture-decision-records' }]
* }
*/
export const manifestSchema = z.union([
manifestV2SourceBackedSchema,
manifestV2LocalOnlySchema,
manifestV1Schema,
])
export const IPC_ARG_SCHEMAS: Partial<Record<IpcInvokeChannel, z.ZodTuple>> = {
// File operations — require non-empty path strings
'files:list': z.tuple([nonEmptyString]),
'files:read': z.tuple([nonEmptyString]),
// CLI operations
'skills:cli:search': z.tuple([z.string()]),
'skills:cli:install': z.tuple([
z.object({
repo: nonEmptyString,
global: z.boolean(),
agents: z.array(z.string()),
skills: z.array(z.string()).optional(),
}),
]),
// Skills operations
'skills:unlinkFromAgent': z.tuple([
z.union([
z.object({
skillName: skillNameString,
agentId: nonEmptyString,
linkPath: absolutePathArg,
targetPath: absolutePathArg,
confirmedLocalDirectoryDelete: z.literal(false).optional(),
reviewedDirectoryIdentity: z.undefined().optional(),
}),
z.object({
skillName: skillNameString,
agentId: nonEmptyString,
linkPath: absolutePathArg,
confirmedLocalDirectoryDelete: z.literal(true),
reviewedDirectoryIdentity: filesystemEntryIdentitySchema,
targetPath: z.undefined().optional(),
}),
]),
]),
'skills:removeAllFromAgent': z.tuple([
z.object({
agentId: nonEmptyString,
agentPath: absolutePathArg,
filesystemIdentity: filesystemEntryIdentitySchema,
}),
]),
'skills:deleteSkill': z.tuple([
z.object({
skillName: skillNameString,
skillPath: absolutePathArg,
filesystemIdentity: filesystemEntryIdentitySchema,
}),
]),
'skills:createSymlinks': z.tuple([
z.object({
skillName: skillNameString,
skillPath: nonEmptyString,
agentIds: z.array(nonEmptyString).min(1),
}),
]),
'skills:copyToAgents': z.tuple([
z.object({
skillName: skillNameString,
sourcePath: nonEmptyString,
targetAgentIds: z.array(nonEmptyString).min(1),
}),
]),
// Bulk delete + undo
'skills:deleteSkills': z.tuple([
z.object({
items: z
.array(
z.object({
skillName: skillNameString,
skillPath: absolutePathArg,
filesystemIdentity: filesystemEntryIdentitySchema,
}),
)
.min(1, 'At least one skill required for batch delete'),
}),
]),
'skills:clearOrphanSymlinks': z.tuple([
z.object({
items: z
.array(
z.object({
skillName: skillNameString,
agents: z
.array(
z.object({
agentId: nonEmptyString,
linkPath: absolutePathArg,
targetPath: absolutePathArg,
}),
)
.min(1, 'At least one orphan symlink required'),
}),
)
.min(1, 'At least one orphan record required'),
}),
]),
'skills:clearBrokenSymlinkSlots': z.tuple([
z.object({
items: z
.array(
z.object({
agentId: nonEmptyString,
linkName: skillNameString,
linkPath: absolutePathArg,
targetPath: absolutePathArg,
}),
)
.min(1, 'At least one broken symlink slot required'),
}),
]),
'skills:unlinkManyFromAgent': z.tuple([
z.object({
agentId: nonEmptyString,
items: z
.array(
z.object({
skillName: skillNameString,
linkPath: absolutePathArg,
targetPath: absolutePathArg,
}),
)
.min(1, 'At least one skill required for batch unlink'),
}),
]),
'skills:restoreDeletedSkill': z.tuple([
z.object({
tombstoneId: tombstoneIdSchema,
}),
]),
// Marketplace Leaderboard
'marketplace:leaderboard': z.tuple([
z.object({
filter: z.enum(['all-time', 'trending', 'hot']),
}),
]),
// Sync operations
// Optional `agentId` scopes preview/execute to a single agent — used by
// the per-agent Cleanup flow surfaced from AgentItem's context menu.
'sync:preview': z.tuple([
z
.object({
agentId: nonEmptyString.optional(),
})
.optional(),
]),
'sync:execute': z.tuple([
z.object({
replaceConflicts: z.array(z.string()),
agentId: nonEmptyString.optional(),
}),
]),
// Shell — restrict to http/https to prevent opening arbitrary URI schemes
'shell:openExternal': z.tuple([
z
.string()
.url()
.refine((u) => /^https?:\/\//i.test(u), {
message: 'Only http(s) URLs are allowed',
}),
]),
// Settings — partial<Settings> with explicit allowed keys/values.
// Matches src/shared/settings.ts; widening that schema must widen
// this one too. Defense-in-depth so a compromised renderer cannot write
// arbitrary JSON into settings.json.
'settings:set': z.tuple([
z
.object({
defaultSkillTab: z.enum(['files', 'info']).optional(),
preferredTerminal: z.enum(TERMINAL_APP_IDS).optional(),
// Direct re-export from SettingsSchema — drift between the two
// constraint sets is mechanically impossible. `.shape` access yields
// the field's ZodOptional<ZodString> exactly as defined in settings.ts.
customTerminalAppName: SettingsSchema.shape.customTerminalAppName,
// Same source-of-truth pattern: re-use the schema's own field so
// the {min,int} constraints can never drift. `undefined` is how
// the Settings UI clears the persisted size back to "use default".
windowSize: SettingsSchema.shape.windowSize,
// Electron 42 blur radius. Use the shared non-defaulting schema so
// unrelated partial settings writes do not reset blur to zero.
windowBackgroundBlurRadius:
WINDOW_BACKGROUND_BLUR_RADIUS_SCHEMA.optional(),
// Search-count display preference. Keep this as a non-defaulting enum
// so unrelated partial settings writes do not reset the user's choice.
installedSearchCountDisplay: z
.enum(INSTALLED_SEARCH_COUNT_DISPLAY_OPTIONS)
.optional(),
// Strict z.enum here — renderers should only ever emit valid ids.
// Intentionally NOT chained off `SettingsSchema.shape.hiddenAgentIds`:
// that field carries a `.default([])` for forgiving disk reads, and
// wrapping it with `.optional()` materializes the default whenever
// the key is omitted from a partial update — which then clobbers
// the persisted hidden-agent set on every unrelated `settings:set`
// call. Independent declaration keeps the IPC and disk concerns
// separate; both still reference the same `AGENT_IDS` constant so
// the enum cannot drift. `.max(AGENT_IDS.length)` caps payload size
// so a misbehaving renderer cannot send an arbitrarily long list
// (every entry past `AGENT_IDS.length` would have to be a duplicate
// anyway, since the enum constrains values).
hiddenAgentIds: z
.array(z.enum(AGENT_IDS))
.max(AGENT_IDS.length)
.optional(),
// Auto-download preference. Declared as plain `z.boolean().optional()`
// rather than chaining `.optional()` off `SettingsSchema.shape.*`
// (which carries `.default(false)`): the same default-materialization
// footgun as hiddenAgentIds above — an omitted key would parse to
// `false` and clobber the persisted value on every unrelated
// settings:set. A bare boolean has no constraint that can drift, so
// there's nothing to keep in lockstep beyond the type itself.
autoDownloadUpdates: z.boolean().optional(),
})
.strict(),
]),
// Folder actions — `open -a` / `shell.openPath`. Path must be absolute;
// see `absolutePathArg` for rationale.
'folder:revealInFinder': z.tuple([absolutePathArg]),
'folder:openInTerminal': z.tuple([absolutePathArg]),
}