Update server.mjs

Author: GsCommand

server.mjs

@@ -18,7 +18,7 @@ app.use(express.json({ limit: "2mb" }));
 // ---- basic CORS (no dependency)
 app.use((req, res, next) => {
   res.setHeader("Access-Control-Allow-Origin", "*");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Debug-Token");
   res.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
   if (req.method === "OPTIONS") return res.status(204).end();
   next();
@@ -44,10 +44,18 @@ const SIGNER_ID =
 
 const SIGNER_KID = process.env.SIGNER_KID || "v1";
 
-// NOTE: runtime-core expects PEM text, not base64.
-// We accept base64 envs and decode to PEM.
+// NOTE: runtime-core expects PEM text.
+// We accept EITHER raw PEM OR base64(PEM). (Railway envs vary.)
 const PRIV_PEM_B64 = process.env.RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64 || "";
 const PUB_PEM_B64 = process.env.RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64 || "";
+const PRIV_PEM_RAW = process.env.RECEIPT_SIGNING_PRIVATE_KEY_PEM || "";
+const PUB_PEM_RAW = process.env.RECEIPT_SIGNING_PUBLIC_KEY_PEM || "";
+
+// Optional: allow a baked-in public key fallback for /verify when env isn't set.
+// (You provided this pubkey; safe to embed since it's public.)
+const EMBEDDED_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEA7Vkkmt6R02Iltp/+i3D5mraZyvLjfuTSVB33KwfzQC8=
+-----END PUBLIC KEY-----`;
 
 // ---- service identity / discovery
 const SERVICE_NAME = process.env.SERVICE_NAME || "commandlayer-runtime";
@@ -86,15 +94,16 @@ const ALLOW_FETCH_HOSTS = (process.env.ALLOW_FETCH_HOSTS || "")
 const VERIFY_MAX_MS = Number(process.env.VERIFY_MAX_MS || 30000);
 
 // CRITICAL: edge-safe schema verify behavior
-// If true, /verify?schema=1 will NEVER compile or fetch; it will only validate if cached,
-// otherwise it returns 202 and queues warm.
 const VERIFY_SCHEMA_CACHED_ONLY = String(process.env.VERIFY_SCHEMA_CACHED_ONLY || "1") === "1";
 
 // Prewarm knobs
 const PREWARM_MAX_VERBS = Number(process.env.PREWARM_MAX_VERBS || 25);
 const PREWARM_TOTAL_BUDGET_MS = Number(process.env.PREWARM_TOTAL_BUDGET_MS || 12000);
 const PREWARM_PER_VERB_BUDGET_MS = Number(process.env.PREWARM_PER_VERB_BUDGET_MS || 5000);
 
+// Debug gating (do NOT leave debug open in prod)
+const DEBUG_TOKEN = process.env.DEBUG_TOKEN || ""; // if set, /debug/* requires header X-Debug-Token
+
 function nowIso() {
   return new Date().toISOString();
 }
@@ -105,8 +114,12 @@ function randId(prefix = "trace_") {
 
 function pemFromB64(b64) {
   if (!b64) return null;
-  const pem = Buffer.from(b64, "base64").toString("utf8");
-  return pem.includes("BEGIN") ? pem : null;
+  try {
+    const pem = Buffer.from(String(b64).trim(), "base64").toString("utf8");
+    return pem.includes("BEGIN") ? pem : null;
+  } catch {
+    return null;
+  }
 }
 
 function normalizePem(text) {
@@ -115,6 +128,19 @@ function normalizePem(text) {
   return pem.includes("BEGIN") ? pem : null;
 }
 
+function pemFromEnv({ b64, raw, fallback = null } = {}) {
+  const pemDirect = normalizePem(raw);
+  if (pemDirect) return pemDirect;
+  const pemDecoded = pemFromB64(b64);
+  if (pemDecoded) return pemDecoded;
+  const pemFallback = normalizePem(fallback);
+  return pemFallback || null;
+}
+
+const PRIV_PEM = pemFromEnv({ b64: PRIV_PEM_B64, raw: PRIV_PEM_RAW, fallback: null });
+// Prefer env pubkey; fallback to embedded (public) key
+const PUB_PEM = pemFromEnv({ b64: PUB_PEM_B64, raw: PUB_PEM_RAW, fallback: EMBEDDED_PUBLIC_KEY_PEM });
+
 function enabled(verb) {
   return ENABLED_VERBS.includes(verb);
 }
@@ -131,6 +157,15 @@ function requireBody(req, res) {
   return true;
 }
 
+function requireDebug(req, res) {
+  if (!DEBUG_TOKEN) return true; // local/dev
+  if (req.headers["x-debug-token"] !== DEBUG_TOKEN) {
+    res.status(403).json({ ok: false, error: "forbidden" });
+    return false;
+  }
+  return true;
+}
+
 // -----------------------
 // SSRF guard for fetch()
 // -----------------------
@@ -336,11 +371,7 @@ async function getValidatorForVerb(verb) {
     }
 
     const schema = await fetchJsonWithTimeout(url, SCHEMA_FETCH_TIMEOUT_MS);
-    const validate = await withTimeout(
-      ajv.compileAsync(schema),
-      SCHEMA_VALIDATE_BUDGET_MS,
-      "ajv_compile_budget_exceeded"
-    );
+    const validate = await withTimeout(ajv.compileAsync(schema), SCHEMA_VALIDATE_BUDGET_MS, "ajv_compile_budget_exceeded");
     validatorCache.set(verb, { compiledAt: Date.now(), validate });
     return validate;
   })().finally(() => inflightValidator.delete(verb));
@@ -425,14 +456,13 @@ function makeReceipt({ x402, trace, result, status = "success", error = null, de
 
   if (actor) receipt.metadata.actor = actor;
 
-  const privPem = pemFromB64(PRIV_PEM_B64);
-  if (!privPem) throw new Error("Missing RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64");
+  if (!PRIV_PEM) throw new Error("Missing signing private key (set RECEIPT_SIGNING_PRIVATE_KEY_PEM or _PEM_B64)");
 
   receipt = signReceiptEd25519Sha256(receipt, {
     signer_id: SIGNER_ID,
     kid: SIGNER_KID,
     canonical: CANONICAL_ID_SORTED_KEYS_V1,
-    privateKeyPem: privPem,
+    privateKeyPem: PRIV_PEM,
   });
 
   return receipt;
@@ -467,7 +497,6 @@ async function doFetch(body) {
       if (done) break;
       received += value.byteLength;
       if (received > FETCH_MAX_BYTES) {
-        // FIX: cancel stream once we decide to truncate
         try {
           await reader.cancel();
         } catch {}
@@ -710,8 +739,7 @@ function doExplain(body) {
 
   let explanation = "";
   if (audience === "novice") {
-    explanation =
-      `**${subject}** are like “tamper-proof receipts” for agent actions.\n\n` + core.map((s) => `- ${s}`).join("\n");
+    explanation = `**${subject}** are like “tamper-proof receipts” for agent actions.\n\n` + core.map((s) => `- ${s}`).join("\n");
   } else {
     explanation =
       `**${subject}** are cryptographically verifiable execution artifacts that bind intent (verb+version), semantics (schema), and output into a signed proof.\n\n` +
@@ -729,8 +757,10 @@ function doExplain(body) {
 }
 
 function doAnalyze(body) {
-  const input = String(body?.input ?? "");
-  if (!input.trim()) throw new Error("analyze.input required (string)");
+  // Accept both input as string OR {content:"..."} to avoid "[object Object]" failures.
+  const raw = body?.input;
+  const input = typeof raw === "string" ? raw : String(raw?.content ?? "");
+  if (!String(input).trim()) throw new Error("analyze.input required (string or {content})");
   const goal = String(body?.goal ?? "").trim();
   const hints = Array.isArray(body?.hints) ? body.hints.map(String) : [];
   const lines = input.split(/\r?\n/).filter((l) => l.trim() !== "");
@@ -832,12 +862,13 @@ async function handleVerb(verb, req, res) {
 
   const started = Date.now();
 
-  // Schema legality: only include parent_trace_id if it's a non-empty string
+  // Trace: honor inbound trace_id if present
+  const inboundTraceId = typeof req.body?.trace?.trace_id === "string" ? req.body.trace.trace_id.trim() : "";
   const rawParent = req.body?.trace?.parent_trace_id ?? req.body?.x402?.extras?.parent_trace_id ?? null;
   const parentTraceId = typeof rawParent === "string" && rawParent.trim().length ? rawParent.trim() : null;
 
   const trace = {
-    trace_id: randId("trace_"),
+    trace_id: inboundTraceId || randId("trace_"),
     ...(parentTraceId ? { parent_trace_id: parentTraceId } : {}),
     started_at: nowIso(),
     completed_at: null,
@@ -927,13 +958,14 @@ app.get("/health", (req, res) => {
       port: PORT,
       enabled_verbs: ENABLED_VERBS,
       signer_id: SIGNER_ID,
-      signer_ok: !!pemFromB64(PRIV_PEM_B64),
+      signer_ok: !!PRIV_PEM,
       time: nowIso(),
     })
   );
 });
 
 app.get("/debug/env", (req, res) => {
+  if (!requireDebug(req, res)) return;
   res.json({
     ok: true,
     node: process.version,
@@ -942,9 +974,12 @@ app.get("/debug/env", (req, res) => {
     enabled_verbs: ENABLED_VERBS,
     signer_id: SIGNER_ID,
     signer_kid: SIGNER_KID,
-    signer_ok: !!pemFromB64(PRIV_PEM_B64),
+    signer_ok: !!PRIV_PEM,
     has_priv_b64: !!PRIV_PEM_B64,
+    has_priv_pem: !!PRIV_PEM_RAW,
     has_pub_b64: !!PUB_PEM_B64,
+    has_pub_pem: !!PUB_PEM_RAW,
+    using_embedded_pubkey_fallback: !pemFromEnv({ b64: PUB_PEM_B64, raw: PUB_PEM_RAW, fallback: null }) && !!PUB_PEM,
     verifier_ens_name: VERIFIER_ENS_NAME || null,
     ens_pubkey_text_key: ENS_PUBKEY_TEXT_KEY,
     has_rpc: hasRpc(),
@@ -977,6 +1012,7 @@ app.get("/debug/env", (req, res) => {
 });
 
 app.get("/debug/enskey", async (req, res) => {
+  if (!requireDebug(req, res)) return;
   const refresh = String(req.query.refresh || "0") === "1";
   const out = await fetchEnsPubkeyPem({ refresh });
   res.json({
@@ -991,6 +1027,7 @@ app.get("/debug/enskey", async (req, res) => {
 });
 
 app.get("/debug/schemafetch", (req, res) => {
+  if (!requireDebug(req, res)) return;
   const verb = String(req.query.verb || "").trim();
   if (!verb) return res.status(400).json({ ok: false, error: "missing verb" });
   const url = receiptSchemaUrlForVerb(verb);
@@ -1003,6 +1040,7 @@ app.get("/debug/schemafetch", (req, res) => {
 });
 
 app.get("/debug/validators", (req, res) => {
+  if (!requireDebug(req, res)) return;
   res.json({
     ok: true,
     cached: Array.from(validatorCache.keys()),
@@ -1017,14 +1055,14 @@ app.get("/debug/validators", (req, res) => {
 // EDGE-SAFE prewarm: responds immediately, warms AFTER response
 // -----------------------
 app.post("/debug/prewarm", (req, res) => {
+  if (!requireDebug(req, res)) return;
   const verbs = Array.isArray(req.body?.verbs) ? req.body.verbs : [];
   const cleaned = verbs
     .map((v) => String(v || "").trim())
     .filter(Boolean)
     .slice(0, PREWARM_MAX_VERBS);
 
   const supported = cleaned.filter((v) => handlers[v]);
-
   for (const v of supported) warmQueue.add(v);
 
   res.json({
@@ -1047,9 +1085,8 @@ for (const v of Object.keys(handlers)) {
 
 // -----------------------
 // verify endpoint (schema validation + ENS pubkey)
-// - schema=1 (default off) is EDGE-SAFE:
-//     if VERIFY_SCHEMA_CACHED_ONLY=1, it only validates if cached; otherwise returns 202 and queues warm.
-// - ens=1 resolves pubkey from ENS (still bounded by VERIFY_MAX_MS)
+// - schema=1 is EDGE-SAFE when VERIFY_SCHEMA_CACHED_ONLY=1
+// - ens=1 resolves pubkey from ENS (bounded)
 // -----------------------
 app.post("/verify", async (req, res) => {
   const work = (async () => {
@@ -1083,17 +1120,15 @@ app.post("/verify", async (req, res) => {
         return fail(400, "missing metadata.proof.signature_b64 or hash_sha256");
       }
 
-      // 1) pick pubkey (env -> optional ENS)
-      let pubPem = pemFromB64(PUB_PEM_B64);
-      let pubSrc = pubPem ? "env-b64" : null;
+      // 1) pick pubkey: env/raw -> env/b64 -> embedded -> optional ENS override
+      let pubPem = PUB_PEM;
+      let pubSrc = pubPem ? (PUB_PEM_RAW ? "env-pem" : PUB_PEM_B64 ? "env-b64" : "embedded") : null;
 
       if (wantEns) {
         const ensOut = await fetchEnsPubkeyPem({ refresh });
         if (ensOut.ok && ensOut.pem) {
           pubPem = ensOut.pem;
           pubSrc = "ens";
-        } else if (!pubPem) {
-          pubSrc = null;
         }
       }
 
@@ -1108,20 +1143,19 @@ app.post("/verify", async (req, res) => {
 
       const sigOk = !!v.ok;
 
-      // FIX: tighten ternary formatting to avoid parsing weirdness
       const sigErr = pubPem
         ? sigOk
           ? null
           : (v.reason || "verify failed")
-        : "no public key available (set RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64 or pass ens=1 with ETH_RPC_URL)";
+        : "no public key available (set RECEIPT_SIGNING_PUBLIC_KEY_PEM/_PEM_B64 or pass ens=1 with ETH_RPC_URL)";
 
-      // FIX: Hash match truthfulness
-      // - If signature is valid, hash match is implicitly true (it verified).
-      // - If signature is invalid and reason is "hash_mismatch", it's false.
+      // Truthful hash reporting:
+      // - If signature verifies, hash match is true.
+      // - If verifier says hash_mismatch, it's false.
       // - Otherwise unknown (null).
       const hashMatches = sigOk ? true : (v.reason === "hash_mismatch" ? false : null);
 
-      // FIX: We are NOT recomputing hash here; keep null unless you add an explicit helper.
+      // We are not recomputing hash here (keep null unless runtime-core exposes a helper)
       const recomputed = null;
 
       // 3) schema validation (edge-safe)
@@ -1156,9 +1190,7 @@ app.post("/verify", async (req, res) => {
           });
         } else {
           try {
-            const validate = VERIFY_SCHEMA_CACHED_ONLY
-              ? validatorCache.get(verb)?.validate
-              : await getValidatorForVerb(verb);
+            const validate = VERIFY_SCHEMA_CACHED_ONLY ? validatorCache.get(verb)?.validate : await getValidatorForVerb(verb);
 
             if (!validate) {
               schemaOk = false;
@@ -1176,7 +1208,7 @@ app.post("/verify", async (req, res) => {
       }
 
       return res.json({
-        ok: hashMatches === true && sigOk === true && schemaOk === true,
+        ok: (hashMatches === true) && (sigOk === true) && (schemaOk === true),
         checks: { schema_valid: schemaOk, hash_matches: hashMatches, signature_valid: sigOk },
         values: {
           verb: receipt?.x402?.verb ?? null,