import crypto from "node:crypto"; import fs from "node:fs"; import path from "node:path"; import url from "node:url"; import { spawn } from "node:child_process"; import MarkdownIt from "markdown-it"; import express from "express"; import multer from "multer"; const __filename = url.fileURLToPath(import.meta.url); const __dirname = path.dirname(__filename); const projectRoot = path.resolve(__dirname, ".."); const distDir = path.join(projectRoot, "dist"); const indexHtmlPath = path.join(distDir, "index.html"); const privateUploadToken = process.env.PRIVATE_UPLOAD_TOKEN || ""; const privateUploadMaxBytes = Number(process.env.PRIVATE_UPLOAD_MAX_BYTES || 25 * 1024 * 1024); const privateUploadStyle = process.env.PRIVATE_UPLOAD_STYLE || "if.dave.v1.2"; const privateUploadActionPack = String(process.env.PRIVATE_UPLOAD_ACTION_PACK || "") .trim() .toLowerCase(); const revoiceRepoRoot = path.resolve(projectRoot, "..", ".."); function normalizeBaseUrl(value) { return String(value || "") .trim() .replace(/\/+$/g, ""); } function uniqBaseUrls(values) { const out = []; const seen = new Set(); for (const v of values || []) { const base = normalizeBaseUrl(v); if (!base) continue; if (seen.has(base)) continue; seen.add(base); out.push(base); } return out; } function staticMirrorBaseUrls(primaryBaseUrl, publicBaseUrl) { const env = String(process.env.STATIC_MIRROR_PUBLIC_BASE_URLS || "").trim(); const defaults = ["https://git.infrafabric.io"]; const configured = env ? env.split(",") : defaults; return uniqBaseUrls([primaryBaseUrl, ...configured, publicBaseUrl]); } function escapeHtml(value) { return String(value || "") .replaceAll("&", "&") .replaceAll("<", "<") .replaceAll(">", ">") .replaceAll('"', """) .replaceAll("'", "'"); } function ensureDir(dirPath) { fs.mkdirSync(dirPath, { recursive: true }); } const markdown = new MarkdownIt({ html: false, linkify: true, breaks: false, }); const defaultFence = markdown.renderer.rules.fence; markdown.renderer.rules.fence = (tokens, idx, options, env, self) => { const token = tokens[idx]; const info = String(token.info || "") .trim() .split(/\s+/g)[0] .toLowerCase(); if (info === "mermaid") { return `
${escapeHtml(token.content)}
\n`; } if (typeof defaultFence === "function") return defaultFence(tokens, idx, options, env, self); return self.renderToken(tokens, idx, options); }; function renderMarkdownPage({ title, html, topLinksHtml }) { return [ "", "", "", "", "", `${escapeHtml(title || "Shadow Dossier")}`, "", "", topLinksHtml ? `
${topLinksHtml}
` : "", `
${html}
`, "", "", ].join(""); } function renderVerificationBadgeHtml(verification) { const status = String(verification?.status || "").toLowerCase(); const label = String(verification?.label || "").trim(); const detail = String(verification?.detail || "").trim(); if (!status) return ""; const cls = status === "verified" ? "ok" : status === "warning" ? "warn" : "fail"; const safeLabel = escapeHtml(label || status.toUpperCase()); const safeDetail = escapeHtml(detail); return `${safeLabel}${safeDetail ? ` ${safeDetail}` : ""}`; } async function computeVerificationStatus({ job, projectRoot, outputsDir, uploadsDir }) { const expectedOutput = String(job?.outputSha256 || "").trim(); const expectedSource = String(job?.sourceSha256 || "").trim(); const warningsPresent = Boolean(job?.warnings && String(job.warnings).trim()); const status = String(job?.status || "").trim(); const outputPathRel = String(job?.outputPath || "").trim(); const outputAbs = outputPathRel ? path.resolve(projectRoot, outputPathRel) : ""; let outputOk = false; if (expectedOutput && outputAbs && outputAbs.startsWith(outputsDir + path.sep) && fs.existsSync(outputAbs)) { try { const actual = await sha256File(outputAbs); outputOk = actual === expectedOutput; } catch { outputOk = false; } } const sourcePathRel = String(job?.sourcePath || "").trim(); const sourceAbs = sourcePathRel ? path.resolve(projectRoot, sourcePathRel) : ""; let sourceOk = false; let sourceCheckKnown = false; if (expectedSource && sourceAbs && sourceAbs.startsWith(uploadsDir + path.sep) && fs.existsSync(sourceAbs)) { sourceCheckKnown = true; try { const actual = await sha256File(sourceAbs); sourceOk = actual === expectedSource; } catch { sourceOk = false; } } else if (expectedSource) { sourceCheckKnown = false; } if (!outputOk) { return { status: "fail", label: "FAIL", detail: "hash mismatch", checks: { outputOk, sourceOk: sourceCheckKnown ? sourceOk : null, warningsPresent, jobStatus: status }, }; } if (sourceCheckKnown && !sourceOk) { return { status: "fail", label: "FAIL", detail: "source mismatch", checks: { outputOk, sourceOk, warningsPresent, jobStatus: status }, }; } if (warningsPresent || status === "done_with_warnings" || !sourceCheckKnown) { const detail = warningsPresent ? "warnings" : !sourceCheckKnown ? "source not locally verifiable" : "check details"; return { status: "warning", label: "WARNING", detail, checks: { outputOk, sourceOk: sourceCheckKnown ? sourceOk : null, warningsPresent, jobStatus: status }, }; } return { status: "verified", label: "VERIFIED", detail: "all checks passed", checks: { outputOk, sourceOk, warningsPresent, jobStatus: status }, }; } function renderTraceMarkdown({ shareId, job, publicBaseUrl, staticPublicBaseUrl }) { const primaryBase = normalizeBaseUrl(staticPublicBaseUrl || publicBaseUrl); const bases = staticMirrorBaseUrls(primaryBase, publicBaseUrl); const mirrorBase = bases.find((b) => b !== primaryBase) || ""; const verificationStatus = String(job?._verification?.status || "").toUpperCase() || "UNKNOWN"; const verificationDetail = String(job?._verification?.detail || "").trim(); const verificationChecks = job?._verification?.checks || {}; const createdAt = job?.createdAt ? String(job.createdAt) : ""; const status = job?.status ? String(job.status) : ""; const warningsPresent = Boolean(job?.warnings && String(job.warnings).trim()); const dossierUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}`; const traceUrl = `${primaryBase}/static/trace/${encodeURIComponent(shareId)}`; const downloadUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}/download`; const packUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}.md`; const sourceUrl = job?.sourceSha256 ? `${primaryBase}/static/source/${job.sourceSha256}${path.extname(job.sourcePath || "").toLowerCase()}` : ""; const directBase = primaryBase; // Caddy exposes /r/* on infrafabric.io and git.infrafabric.io too. const directDossierUrl = `${directBase}/r/${encodeURIComponent(shareId)}`; const directTraceUrl = `${directBase}/r/${encodeURIComponent(shareId)}/trace`; const directDownloadUrl = `${directBase}/r/${encodeURIComponent(shareId)}/download`; const directPackUrl = `${directBase}/r/${encodeURIComponent(shareId)}/pack.md`; const lastResortBase = normalizeBaseUrl(publicBaseUrl); const lastResortDossierUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}` : ""; const lastResortTraceUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/trace` : ""; const lastResortDownloadUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/download` : ""; const lines = [ "# IF.TTT trace (public evidence view)", "", "## Trace verification status", "", `**${verificationStatus}**${verificationDetail ? ` — ${verificationDetail}` : ""}`, "", "- Output hash check: " + (verificationChecks.outputOk ? "**PASS**" : "**FAIL**"), "- Source hash check: " + (verificationChecks.sourceOk === true ? "**PASS**" : verificationChecks.sourceOk === false ? "**FAIL**" : "**UNKNOWN**"), "- Quality warnings: " + (warningsPresent ? "**present**" : "none recorded"), "", "IF.TTT (Traceable, Transparent, Trustworthy) is InfraFabric’s chain-of-custody protocol: it binds the **source fingerprint** to the **generated output fingerprint**, so a skeptical reader can verify what was produced and from which input, without needing access to internal systems.", "This page is intentionally scoped to **one dossier only** (no index, no directory listing).", "", "## What this trace proves", "", "- You can independently verify the downloaded dossier Markdown by hashing it and comparing to `Output sha256` below.", "- You can independently verify the hosted source file (if present) by hashing it and comparing to `Source sha256` below.", "- This page binds those two fingerprints together as a single public evidence record.", "", "## What this trace does not prove", "", "- It does not validate the truth of the source’s claims.", "- It does not attest to correctness of any commentary or recommendations in the dossier.", "- It does not expose internal prompts, intermediate steps, or private systems.", "", "## Links", "", `- Dossier (rendered): ${dossierUrl}`, `- Dossier (download Markdown): ${downloadUrl}`, `- Single-file pack (review + dossier + trace): ${packUrl}`, sourceUrl ? `- Source (PDF): ${sourceUrl}` : null, `- This trace page: ${traceUrl}`, mirrorBase ? "" : null, mirrorBase ? "## Mirror host (same paths)" : null, mirrorBase ? "" : null, mirrorBase ? `- Dossier: ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null, mirrorBase ? `- Pack: ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null, mirrorBase ? `- Trace: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null, mirrorBase && sourceUrl ? `- Source: ${mirrorBase}/static/source/${job.sourceSha256}${path.extname(job.sourcePath || "").toLowerCase()}` : null, "", "## Fallback links (direct)", "", `- Dossier: ${directDossierUrl}`, `- Download: ${directDownloadUrl}`, `- Pack: ${directPackUrl}`, `- Trace: ${directTraceUrl}`, lastResortBase && lastResortBase !== directBase ? "" : null, lastResortBase && lastResortBase !== directBase ? "## Last resort (alternate host)" : null, lastResortBase && lastResortBase !== directBase ? "" : null, lastResortBase && lastResortBase !== directBase ? `- Dossier: ${lastResortDossierUrl}` : null, lastResortBase && lastResortBase !== directBase ? `- Download: ${lastResortDownloadUrl}` : null, lastResortBase && lastResortBase !== directBase ? `- Trace: ${lastResortTraceUrl}` : null, "", "## Generation context", "", createdAt ? `- Generated at (UTC): \`${createdAt}\`` : null, status ? `- Status: \`${status}\`` : null, `- Quality warnings: ${warningsPresent ? "present (see pack trace JSON)" : "none recorded"}`, "", "## Verifiability", "", `- Trace ID: \`${job.id || ""}\``, `- Dossier: \`${job.originalFilename || ""}\``, `- Output sha256: \`${job.outputSha256 || ""}\``, `- Source sha256: \`${job.sourceSha256 || ""}\``, `- Style: \`${job.style || ""}\``, `- Source bytes: \`${String(job.sourceBytes ?? "")}\``, "", "## How to verify (locally)", "", "1) Download the dossier Markdown.", "2) Compute its hash and compare to `Output sha256` above:", "", "```bash", "sha256sum .md", "```", "", sourceUrl ? "3) Optionally, download the source and verify its hash matches `Source sha256` above:" : null, sourceUrl ? "" : null, sourceUrl ? "```bash\nsha256sum \n```" : null, ]; return lines.filter(Boolean).join("\n"); } function renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewUrl, staticSourceUrl, staticPublicBaseUrl }) { const primaryBase = normalizeBaseUrl(staticPublicBaseUrl || publicBaseUrl); const bases = staticMirrorBaseUrls(primaryBase, publicBaseUrl); const mirrorBase = bases.find((b) => b !== primaryBase) || ""; const dossierUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}`; const traceUrl = `${primaryBase}/static/trace/${encodeURIComponent(shareId)}`; const downloadUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}/download`; const packUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}.md`; const directBase = primaryBase; // Caddy exposes /r/* on infrafabric.io and git.infrafabric.io too. const directDossierUrl = `${directBase}/r/${encodeURIComponent(shareId)}`; const directTraceUrl = `${directBase}/r/${encodeURIComponent(shareId)}/trace`; const directDownloadUrl = `${directBase}/r/${encodeURIComponent(shareId)}/download`; const directPackUrl = `${directBase}/r/${encodeURIComponent(shareId)}/pack.md`; const lastResortBase = normalizeBaseUrl(publicBaseUrl); const lastResortDossierUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}` : ""; const lastResortTraceUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/trace` : ""; const lastResortDownloadUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/download` : ""; const lastResortPackUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/pack.md` : ""; const lines = [ "# InfraFabric External Review Pack — Shadow Dossier + IF.TTT trace", "", "Please review the dossier and the IF.TTT trace page. Provide constructive criticism and patch-style suggestions.", "", "## Assets", "", `- Dossier (rendered): ${dossierUrl}`, `- Dossier (download Markdown): ${downloadUrl}`, `- Single-file pack (review + dossier + trace): ${packUrl}`, staticSourceUrl ? `- Source (download): ${staticSourceUrl}` : null, `- IF.TTT trace page: ${traceUrl}`, externalReviewUrl ? `- Feedback intake (login): ${externalReviewUrl}` : null, mirrorBase ? "" : null, mirrorBase ? "## Alternate host mirror (same paths)" : null, mirrorBase ? "" : null, mirrorBase ? `- Dossier (rendered): ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null, mirrorBase ? `- Dossier (download Markdown): ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}/download` : null, mirrorBase ? `- Single-file pack: ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null, mirrorBase ? `- IF.TTT trace page: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null, "", "## Fallback links (direct)", "", "- These may be blocked by some scanners/LLM sandboxes; use only if the `infrafabric.io/static/*` links fail.", "", `- Dossier (rendered): ${directDossierUrl}`, `- Dossier (download Markdown): ${directDownloadUrl}`, `- Single-file pack (review + dossier + trace): ${directPackUrl}`, `- IF.TTT trace page: ${directTraceUrl}`, lastResortBase && lastResortBase !== directBase ? "" : null, lastResortBase && lastResortBase !== directBase ? "## Last resort (alternate host)" : null, lastResortBase && lastResortBase !== directBase ? "" : null, lastResortBase && lastResortBase !== directBase ? `- Dossier (rendered): ${lastResortDossierUrl}` : null, lastResortBase && lastResortBase !== directBase ? `- Dossier (download): ${lastResortDownloadUrl}` : null, lastResortBase && lastResortBase !== directBase ? `- Pack: ${lastResortPackUrl}` : null, lastResortBase && lastResortBase !== directBase ? `- Trace: ${lastResortTraceUrl}` : null, "", "## Response metadata (required)", "", "- `llm_name`: provider + model name/version (exact string)", "- `probable_model`: if `llm_name` is ambiguous, your best guess", "- `cutoff_date`: training data cutoff (YYYY-MM, or “unknown”)", "- `response_date_utc`: current date/time in UTC", "- `web_access_used`: `yes`/`no` (if yes, list URLs relied on)", "", "## Executive read (fast)", "", "- 5–10 bullets: what works / what doesn’t", "- 3 bullets: who this will land with vs who will reject it", "", "## Scorecard (0–5 each)", "", "- Mirror integrity (section order, headings, high-signal numbers/dates, lists/tables)", "- Layout fidelity (does it “feel” like the source?)", "- Humor discipline (sharp without being template-y)", "- Mermaid value (valid syntax; clarifies, not decorates)", "- IF.TTT demo value (understandable + credible + worth clicking)", "- Call-to-action stealth (curious about governance stack without feeling spammed)", "", "## Patch suggestions (actionable)", "", "Provide 5–15 patch suggestions. Use this format per item:", "", "- `target`: dossier / trace page / “generator rules” / site UX", "- `problem`: 1 sentence", "- `change`: proposed text or behavior (copy/pasteable if possible)", "- `why`: 1 sentence", "- `priority`: P0 / P1 / P2", "- `confidence`: high / medium / low", "", "## Plan iteration (debug our plan)", "", "Propose a revised 5–8 step plan for improving the system. Prioritize steps that:", "", "- reduce repeatable/template patterns", "- strengthen mirror fidelity (numbers/tables/caveats)", "- make Mermaid + output correct-by-construction", "- make IF.TTT feel like real chain-of-custody (not just “we printed a hash”)", "", "## Fact checking guidance (important)", "", "Default posture: don’t assume stats are true.", "", "- If you did not verify a number externally, refer to it as “the source claims …”", "- If you did verify, cite URLs and state confirmed/disputed/unclear", "- If a stat cannot be confirmed, recommend either: keep it attributed (“source claims”) or remove it from commentary", "", "## Notes", "", `- Dossier ID: \`${job.id || ""}\``, `- Style: \`${job.style || ""}\``, ] .filter((line) => line !== null) .join("\n"); return lines; } function renderSingleFilePackMarkdown({ shareId, job, publicBaseUrl, externalReviewUrl, staticSourceUrl, staticPublicBaseUrl, dossierMarkdown }) { const primaryBase = normalizeBaseUrl(staticPublicBaseUrl || publicBaseUrl); const bases = staticMirrorBaseUrls(primaryBase, publicBaseUrl); const mirrorBase = bases.find((b) => b !== primaryBase) || ""; const dossierUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}`; const traceUrl = `${primaryBase}/static/trace/${encodeURIComponent(shareId)}`; const downloadUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}/download`; const reviewUrl = `${primaryBase}/static/review/${encodeURIComponent(shareId)}.md`; const packUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}.md`; const jobSlim = { id: job?.id || "", status: job?.status || "", createdAt: job?.createdAt || "", originalFilename: job?.originalFilename || "", style: job?.style || "", sourceSha256: job?.sourceSha256 || "", outputSha256: job?.outputSha256 || "", warnings: job?.warnings || "", }; const lines = [ "# InfraFabric External Review Pack — Single File", "", "This is a single-file bundle intended for review environments that cannot reliably fetch multiple URLs.", "", "## Links", "", `- Pack (this file): ${packUrl}`, `- Review pack (links only): ${reviewUrl}`, `- Dossier (rendered): ${dossierUrl}`, `- Dossier (download Markdown): ${downloadUrl}`, `- IF.TTT trace page: ${traceUrl}`, staticSourceUrl ? `- Source (download): ${staticSourceUrl}` : null, externalReviewUrl ? `- Feedback intake (login): ${externalReviewUrl}` : null, mirrorBase ? "" : null, mirrorBase ? "## Alternate host mirror (same paths)" : null, mirrorBase ? "" : null, mirrorBase ? `- Pack (this file): ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null, mirrorBase ? `- Review pack: ${mirrorBase}/static/review/${encodeURIComponent(shareId)}.md` : null, mirrorBase ? `- Dossier: ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null, mirrorBase ? `- Trace: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null, "", "## Review instructions (portable)", "", "Hard rules:", "1) 100% factual: every non-trivial claim must be tagged [SOURCE]/[DOSSIER]/[TRACE]/[INFERENCE]. If unverified, say “unverified” and stop.", "2) Vendor-neutral: critique deployment conditions + org behaviors, not vendor intent/competence.", "3) Mirror discipline: follow the dossier’s section order; do not invent a new structure.", "", "Deliverables:", "A) 5–10 bullets: what works / what doesn’t (tag each)", "B) Scorecard (0–5): mirror integrity, layout fidelity, humor discipline, mermaid value, IF.TTT demo value, CTA stealth", "C) Section-by-section critique (mirror headings): what’s mirrored, what’s missing, what feels templated/repeated", "D) Vendor-safe conclusion rewrite: success conditions / traps / questions-to-ask-vendor", "E) Unified diff patches against `IF_DAVE_BIBLE_v1.3.md` (and patchset if needed)", "", "## IF.TTT trace (portable extract)", "", "```json", JSON.stringify(jobSlim, null, 2), "```", "", "## Shadow dossier (Markdown)", "", "```markdown", String(dossierMarkdown || "").trim(), "```", "", ]; return lines.filter((line) => line !== null && line !== undefined).join("\n"); } function extractSection(markdownText, sectionMatcher) { const text = String(markdownText || ""); if (!text.trim()) return ""; const lines = text.split("\n"); const headingRe = /^##\s+/; let start = -1; for (let i = 0; i < lines.length; i++) { if (!headingRe.test(lines[i])) continue; const title = lines[i].replace(/^##\s+/, "").trim(); if (sectionMatcher && sectionMatcher.test(title)) { start = i; break; } } if (start === -1) return ""; let end = lines.length; for (let i = start + 1; i < lines.length; i++) { if (headingRe.test(lines[i])) { end = i; break; } } return lines.slice(start, end).join("\n").trim(); } function extractFirstMermaid(markdownText) { const text = String(markdownText || ""); const m = text.match(/```mermaid\s+([\s\S]*?)```/m); return m ? String(m[1] || "").trim() : ""; } function extractHeroMermaid(dossierMarkdown) { // Prefer the section that usually produces the most "hero" marketing loop for this dossier: audits. const sec02 = extractSection(dossierMarkdown, /^02\b/); const sec02Diagram = extractFirstMermaid(sec02); if (sec02Diagram) return { label: "Audit theater loop", diagram: sec02Diagram }; const any = extractFirstMermaid(dossierMarkdown); if (any) return { label: "Incentive loop (inferred)", diagram: any }; return { label: "", diagram: "" }; } function renderMarketingPackMarkdown({ shareId, job, publicBaseUrl, staticPublicBaseUrl, staticSourceUrl, dossierMarkdown }) { const primaryBase = normalizeBaseUrl(staticPublicBaseUrl || publicBaseUrl); const bases = staticMirrorBaseUrls(primaryBase, publicBaseUrl); const mirrorBase = bases.find((b) => b !== primaryBase) || ""; const marketingUrl = `${primaryBase}/static/marketing/${encodeURIComponent(shareId)}.md`; const dossierUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}`; const traceUrl = `${primaryBase}/static/trace/${encodeURIComponent(shareId)}`; const packUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}.md`; const hero = extractHeroMermaid(dossierMarkdown); const lines = [ "# InfraFabric Red Team — Marketing-safe excerpt", "", "This is a **marketing-safe surface** for sharing a Shadow Dossier without rewriting it into “features”.", "", "## One sentence (blessed)", "", "> InfraFabric shows why AI controls fail in practice and what must be true for them to hold.", "", "## Hero asset (blessed)", "", hero.diagram ? `### ${hero.label}` : "### (No diagram available)", "", hero.diagram ? "```mermaid" : null, hero.diagram ? hero.diagram : null, hero.diagram ? "```" : null, "", "## Allowed pulls (blessed)", "", "- Section titles", "- “Dave Factor” blocks (verbatim)", "- Mermaid diagrams (unchanged)", "- Red Team Conclusion questions (verbatim)", "", "## Forbidden moves (do not do this)", "", "- Rewriting countermeasures as product capabilities", "- Adding adjectives that imply guarantees (\"proven\", \"complete\", \"bulletproof\")", "- Removing the “problem isn’t X” framing (it’s the vendor-safe contract)", "- Inventing stats, timelines, or customer claims", "", "## CTAs (safe buttons)", "", "- Run this against your own rollout", "- See the trace behind this critique", "- Ask these questions internally", "", "## Links", "", `- Marketing excerpt (this file): ${marketingUrl}`, `- Full dossier (rendered): ${dossierUrl}`, `- Single-file pack (review + dossier + trace): ${packUrl}`, `- IF.TTT trace: ${traceUrl}`, staticSourceUrl ? `- Source (PDF): ${staticSourceUrl}` : null, mirrorBase ? "" : null, mirrorBase ? "## Mirror host (same paths)" : null, mirrorBase ? "" : null, mirrorBase ? `- Marketing excerpt: ${mirrorBase}/static/marketing/${encodeURIComponent(shareId)}.md` : null, mirrorBase ? `- Full dossier: ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null, mirrorBase ? `- Pack: ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null, mirrorBase ? `- Trace: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null, ].filter((l) => l !== null); return lines.join("\n"); } function ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot }) { if (!job?.sourcePath) return null; if (!job?.sourceSha256) return null; const ext = path.extname(String(job.sourcePath || "")).slice(0, 12).toLowerCase() || ".bin"; const fileName = `${job.sourceSha256}${ext}`; const destAbs = path.join(staticSourceDir, fileName); if (fs.existsSync(destAbs)) return { fileName, destAbs, urlPath: `/static/source/${fileName}` }; const srcAbs = path.resolve(projectRoot, job.sourcePath); if (!srcAbs.startsWith(uploadsDir + path.sep)) return null; if (!fs.existsSync(srcAbs)) return null; ensureDir(staticSourceDir); fs.copyFileSync(srcAbs, destAbs); return { fileName, destAbs, urlPath: `/static/source/${fileName}` }; } function buildExternalReviewUrl(baseUrl, sheetId) { const base = String(baseUrl || "").trim(); const id = String(sheetId || "").trim(); if (!base || !id) return ""; try { const u = new URL(base); u.searchParams.set("sheet", id); return u.toString(); } catch { return base.includes("?") ? `${base}&sheet=${encodeURIComponent(id)}` : `${base}?sheet=${encodeURIComponent(id)}`; } } function publicBaseFromRequest(req, fallbackHost) { const host = req.get("host") || fallbackHost || "red-team.infrafabric.io"; const protocol = req.protocol || "https"; return `${protocol}://${host}`.replace(/\/+$/g, ""); } function staticPublicBaseUrlForRequest(req, fallbackPublicBaseUrl) { const explicit = String(process.env.STATIC_SOURCE_PUBLIC_BASE_URL || "").trim(); if (explicit) return explicit.replace(/\/+$/g, ""); return publicBaseFromRequest(req, fallbackPublicBaseUrl); } function looksLikeUuid(value) { return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(String(value || "")); } function jobJsonPath(jobsDir, jobId) { return path.join(jobsDir, `${jobId}.json`); } function readJob(jobsDir, jobId) { const p = jobJsonPath(jobsDir, jobId); if (!fs.existsSync(p)) return null; try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return null; } } function writeJob(jobsDir, job) { const p = jobJsonPath(jobsDir, job.id); fs.writeFileSync(p, JSON.stringify(job, null, 2) + "\n", "utf8"); } function shareJsonPath(sharesDir, shareId) { return path.join(sharesDir, `${shareId}.json`); } function writeShare(sharesDir, shareId, data) { const p = shareJsonPath(sharesDir, shareId); fs.writeFileSync(p, JSON.stringify(data, null, 2) + "\n", "utf8"); } function readShare(sharesDir, shareId) { const p = shareJsonPath(sharesDir, shareId); if (!fs.existsSync(p)) return null; try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return null; } } async function sha256File(filePath) { return await new Promise((resolve, reject) => { const h = crypto.createHash("sha256"); const s = fs.createReadStream(filePath); s.on("error", reject); s.on("data", (chunk) => h.update(chunk)); s.on("end", () => resolve(h.digest("hex"))); }); } function runProcess(command, args, { cwd, env }) { return new Promise((resolve) => { const child = spawn(command, args, { cwd, env, stdio: ["ignore", "pipe", "pipe"], }); let stdout = ""; let stderr = ""; child.stdout.on("data", (d) => { stdout += d.toString("utf8"); if (stdout.length > 256_000) stdout = stdout.slice(-256_000); }); child.stderr.on("data", (d) => { stderr += d.toString("utf8"); if (stderr.length > 256_000) stderr = stderr.slice(-256_000); }); child.on("error", (err) => { const msg = err?.message ? String(err.message) : String(err); resolve({ code: 127, stdout, stderr: (stderr ? `${stderr}\n` : "") + msg }); }); child.on("close", (code) => resolve({ code: code ?? 0, stdout, stderr })); }); } async function generateShadowDossier({ inputPath, outputPath }) { const revoiceModule = path.join(revoiceRepoRoot, "src", "revoice"); if (!fs.existsSync(revoiceModule)) { throw new Error(`Missing revoice pipeline at ${revoiceModule}`); } const baseEnv = { ...process.env, PYTHONPATH: path.join(revoiceRepoRoot, "src"), }; const genArgs = ["-m", "revoice", "generate", "--style", privateUploadStyle]; if (["1", "true", "yes", "on"].includes(privateUploadActionPack)) genArgs.push("--action-pack"); genArgs.push("--input", inputPath, "--output", outputPath); const gen = await runProcess( "python3", genArgs, { cwd: revoiceRepoRoot, env: baseEnv } ); if (gen.code !== 0) { throw new Error(`revoice generate failed (code ${gen.code}): ${gen.stderr || gen.stdout}`); } const preflight = await runProcess( "python3", ["-m", "revoice", "preflight", "--style", privateUploadStyle, "--input", outputPath, "--source", inputPath], { cwd: revoiceRepoRoot, env: baseEnv } ); const warnings = preflight.code === 0 ? "" : preflight.stderr || preflight.stdout; if (preflight.code !== 0 && preflight.code !== 2) { throw new Error(`revoice preflight failed (code ${preflight.code}): ${preflight.stderr || preflight.stdout}`); } return { warnings }; } function pickPhrases(input) { const text = String(input || "").replace(/\r\n?/g, "\n"); const lines = text .split("\n") .map((l) => l.trim()) .filter(Boolean) .slice(0, 200); const interesting = []; const needles = ["must", "should", "require", "required", "ensure", "enforce", "policy", "control", "audit", "compliance"]; for (const line of lines) { const lower = line.toLowerCase(); if (needles.some((n) => lower.includes(n))) interesting.push(line); if (interesting.length >= 4) break; } if (interesting.length) return interesting; return lines.slice(0, 3); } function generateRoastText(content) { const trimmed = String(content || "").trim(); const phrases = pickPhrases(trimmed); const bullets = phrases.map((p) => `- ${p.length > 120 ? `${p.slice(0, 117)}…` : p}`).join("\n"); return [ "We love the ambition here and are directionally aligned with the idea of \"secure rollout\" as long as we define secure as \"documented\" and rollout as \"phased.\"", "", "Key risk: this reads like a control narrative optimized for sign-off, not for the Friday-afternoon pull request that actually ships the code.", "", "Observed control theater (excerpt):", bullets ? bullets : "- (no extractable claims detected)", "", "Recommendation: convert every \"should\" into an owner, a gate (PR/CI/access), and a stop condition. Otherwise this becomes an alignment session that reproduces itself indefinitely.", ].join("\n"); } function main() { const port = Number(process.env.PORT || 8080); const app = express(); app.set("trust proxy", true); const configuredDataDir = String(process.env.RED_TEAM_DATA_DIR || "").trim(); const dataDir = configuredDataDir ? path.resolve(configuredDataDir) : path.join(projectRoot, "data"); const uploadsDir = path.join(dataDir, "uploads"); const outputsDir = path.join(dataDir, "outputs"); const jobsDir = path.join(dataDir, "jobs"); const sharesDir = path.join(dataDir, "shares"); const staticDir = path.join(dataDir, "static"); const staticSourceDir = path.join(staticDir, "source"); ensureDir(uploadsDir); ensureDir(outputsDir); ensureDir(jobsDir); ensureDir(sharesDir); ensureDir(staticDir); ensureDir(staticSourceDir); app.disable("x-powered-by"); app.use(express.json({ limit: "256kb" })); app.use("/static", express.static(staticDir, { fallthrough: false, etag: true, maxAge: "30d" })); app.get("/healthz", (_req, res) => { res.status(200).json({ ok: true }); }); app.post("/api/roast", (req, res) => { const content = String(req.body?.content ?? ""); if (!content.trim()) return res.status(400).json({ text: "Missing content" }); if (content.length > 20_000) return res.status(413).json({ text: "Content too large" }); return res.status(200).json({ text: generateRoastText(content) }); }); const privateUploadEnabled = Boolean(privateUploadToken.trim()); const privateGuard = (req, res, next) => { if (!privateUploadEnabled) return res.status(404).type("text/plain").send("Not found"); if (req.params?.token !== privateUploadToken) return res.status(404).type("text/plain").send("Not found"); return next(); }; const upload = multer({ storage: multer.diskStorage({ destination: (_req, _file, cb) => cb(null, uploadsDir), filename: (req, file, cb) => { const id = crypto.randomUUID(); req._jobId = id; const ext = path.extname(file.originalname || "").slice(0, 12).toLowerCase(); cb(null, `${id}${ext}`); }, }), limits: { fileSize: privateUploadMaxBytes, files: 1 }, }); app.get("/private/:token", privateGuard, (req, res) => { const token = req.params.token; res .status(200) .type("text/html; charset=utf-8") .send( [ "", "", "", "", "Private Upload · Shadow Dossier", "", "", "

Private dossier upload

", `

Style: ${escapeHtml(privateUploadStyle)} · Max: ${escapeHtml( String(privateUploadMaxBytes) )} bytes

`, "
", "
", "

", "

", "

Supported: PDF/MD/TXT. Output: Markdown shadow dossier.

", "
", "
", "", ].join("") ); }); app.get("/private/:token/job/:jobId", privateGuard, (req, res) => { const jobId = String(req.params.jobId || ""); if (!looksLikeUuid(jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, jobId); if (!job) return res.status(404).type("text/plain").send("Not found"); const status = String(job.status || "unknown"); const isDone = status === "done" || status === "done_with_warnings"; const isError = status === "error"; const token = req.params.token; const refresh = isDone || isError ? "" : ""; const downloadLink = isDone ? `

Download Markdown

` : ""; const viewLink = isDone ? `

View rendered dossier

` : ""; const shareLinks = isDone && job.shareId ? [ "

Share links (no repo):

", `

Public view · Public download

`, ].join("") : ""; const sourceLink = job.sourcePath ? `

Download source

` : ""; const warnings = job.warnings ? `
${escapeHtml(job.warnings)}
` : ""; const error = job.error ? `
${escapeHtml(job.error)}
` : ""; res .status(200) .type("text/html; charset=utf-8") .send( [ "", "", "", "", refresh, "Job · Shadow Dossier", "", "", "

Shadow dossier job

", `

Status: ${escapeHtml(status)}

`, `

Job ID: ${escapeHtml(jobId)}

`, job.originalFilename ? `

Source: ${escapeHtml(job.originalFilename)}

` : "", job.sourceSha256 ? `

Source sha256: ${escapeHtml(job.sourceSha256)}

` : "", job.outputSha256 ? `

Output sha256: ${escapeHtml(job.outputSha256)}

` : "", job.shareId ? `

Share ID: ${escapeHtml(job.shareId)}

` : "", downloadLink, viewLink, sourceLink, shareLinks, warnings ? "

Warnings

" + warnings : "", isError ? "

Error

" + error : "", `

Back to upload

`, "", ].join("") ); }); app.get("/private/:token/view/:jobId", privateGuard, (req, res) => { const jobId = String(req.params.jobId || ""); if (!looksLikeUuid(jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, jobId); if (!job) return res.status(404).type("text/plain").send("Not found"); if (!job.outputPath) return res.status(409).type("text/plain").send("Not ready"); const abs = path.resolve(projectRoot, job.outputPath); if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path"); if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found"); const mdText = fs.readFileSync(abs, "utf8"); const html = markdown.render(mdText); const token = req.params.token; const topLinks = [ `Download Markdown`, job.sourcePath ? `Download source` : "", job.shareId ? `Share view` : "", ] .filter(Boolean) .join(" · "); res.status(200).type("text/html; charset=utf-8").send(renderMarkdownPage({ title: job.originalFilename || "Shadow dossier", html, topLinksHtml: topLinks })); }); app.get("/r/:shareId/trace", async (req, res) => { const shareId = String(req.params.shareId || "").trim(); if (!shareId) return res.status(404).type("text/plain").send("Not found"); const share = readShare(sharesDir, shareId); if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, share.jobId); if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found"); const verification = await computeVerificationStatus({ job, projectRoot, outputsDir, uploadsDir }); const jobForRender = { ...job, _verification: verification }; const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io"); const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl); const md = renderTraceMarkdown({ shareId, job: jobForRender, publicBaseUrl, staticPublicBaseUrl }); const html = markdown.render(md); const badge = renderVerificationBadgeHtml(verification); const topLinks = [ badge, `Back to dossier`, `Download Markdown`, job.sourcePath ? `Download source` : "", `Review pack (MD)`, ] .filter(Boolean) .join(" · "); res .status(200) .type("text/html; charset=utf-8") .send(renderMarkdownPage({ title: "IF.TTT trace", html, topLinksHtml: topLinks })); }); app.get("/r/:shareId/source", (req, res) => { const shareId = String(req.params.shareId || "").trim(); if (!shareId) return res.status(404).type("text/plain").send("Not found"); const share = readShare(sharesDir, shareId); if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, share.jobId); if (!job?.sourcePath) return res.status(404).type("text/plain").send("Not found"); const staticFile = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot }); if (!staticFile) return res.status(404).type("text/plain").send("Not found"); res.redirect(302, staticFile.urlPath); }); app.get("/r/:shareId/review-pack.md", (req, res) => { const shareId = String(req.params.shareId || "").trim(); if (!shareId) return res.status(404).type("text/plain").send("Not found"); const share = readShare(sharesDir, shareId); if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, share.jobId); if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found"); const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot }); const externalReviewBaseUrl = String(process.env.EXTERNAL_REVIEW_BASE_URL || "https://emo-social.infrafabric.io/external-review.html"); const externalReviewUrl = buildExternalReviewUrl(externalReviewBaseUrl, share.reviewSheetId); const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io"); const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl); const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : ""; const md = renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewUrl, staticSourceUrl, staticPublicBaseUrl }); const baseName = (job.originalFilename || "dossier").replace(/[^A-Za-z0-9._-]+/g, "-").slice(0, 60); res .status(200) .type("text/markdown; charset=utf-8") .send(md); }); app.get("/r/:shareId/pack.md", (req, res) => { const shareId = String(req.params.shareId || "").trim(); if (!shareId) return res.status(404).type("text/plain").send("Not found"); const share = readShare(sharesDir, shareId); if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, share.jobId); if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found"); const abs = path.resolve(projectRoot, job.outputPath); if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path"); if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found"); const dossierMarkdown = fs.readFileSync(abs, "utf8"); const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot }); const externalReviewBaseUrl = String(process.env.EXTERNAL_REVIEW_BASE_URL || "https://emo-social.infrafabric.io/external-review.html"); const externalReviewUrl = buildExternalReviewUrl(externalReviewBaseUrl, share.reviewSheetId); const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io"); const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl); const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : ""; const md = renderSingleFilePackMarkdown({ shareId, job, publicBaseUrl, externalReviewUrl, staticSourceUrl, staticPublicBaseUrl, dossierMarkdown, }); res.status(200).type("text/markdown; charset=utf-8").send(md); }); app.get("/r/:shareId/marketing.md", (req, res) => { const shareId = String(req.params.shareId || "").trim(); if (!shareId) return res.status(404).type("text/plain").send("Not found"); const share = readShare(sharesDir, shareId); if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, share.jobId); if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found"); const abs = path.resolve(projectRoot, job.outputPath); if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path"); if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found"); const dossierMarkdown = fs.readFileSync(abs, "utf8"); const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot }); const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io"); const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl); const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : ""; const md = renderMarketingPackMarkdown({ shareId, job, publicBaseUrl, staticPublicBaseUrl, staticSourceUrl, dossierMarkdown, }); res.status(200).type("text/markdown; charset=utf-8").send(md); }); app.get("/r/:shareId", (req, res) => { const shareId = String(req.params.shareId || "").trim(); if (!shareId) return res.status(404).type("text/plain").send("Not found"); const share = readShare(sharesDir, shareId); if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, share.jobId); if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found"); const abs = path.resolve(projectRoot, job.outputPath); if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path"); if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found"); const mdText = fs.readFileSync(abs, "utf8"); const html = markdown.render(mdText); const externalReviewBaseUrl = String(process.env.EXTERNAL_REVIEW_BASE_URL || "https://emo-social.infrafabric.io/external-review.html"); const externalReviewUrl = buildExternalReviewUrl(externalReviewBaseUrl, share.reviewSheetId); const topLinks = [ `Download Markdown`, job.sourcePath ? `Download source` : "", `IF.TTT trace`, `Review pack (MD)`, `Marketing excerpt (MD)`, externalReviewUrl ? `Feedback intake (login)` : "", ] .filter(Boolean) .join(" · "); res.status(200).type("text/html; charset=utf-8").send(renderMarkdownPage({ title: job.originalFilename || "Shadow dossier", html, topLinksHtml: topLinks })); }); app.get("/r/:shareId/download", (req, res) => { const shareId = String(req.params.shareId || "").trim(); if (!shareId) return res.status(404).type("text/plain").send("Not found"); const share = readShare(sharesDir, shareId); if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, share.jobId); if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found"); const abs = path.resolve(projectRoot, job.outputPath); if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path"); if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found"); const baseName = (job.originalFilename || "dossier").replace(/[^A-Za-z0-9._-]+/g, "-").slice(0, 60); res.download(abs, `${baseName}.shadow.dave.md`); }); app.get("/private/:token/download/:jobId", privateGuard, (req, res) => { const jobId = String(req.params.jobId || ""); if (!looksLikeUuid(jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, jobId); if (!job) return res.status(404).type("text/plain").send("Not found"); if (!job.outputPath) return res.status(409).type("text/plain").send("Not ready"); const abs = path.resolve(projectRoot, job.outputPath); if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path"); if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found"); const baseName = (job.originalFilename || "dossier").replace(/[^A-Za-z0-9._-]+/g, "-").slice(0, 60); res.download(abs, `${baseName}.shadow.dave.md`); }); app.get("/private/:token/source/:jobId", privateGuard, (req, res) => { const jobId = String(req.params.jobId || ""); if (!looksLikeUuid(jobId)) return res.status(404).type("text/plain").send("Not found"); const job = readJob(jobsDir, jobId); if (!job) return res.status(404).type("text/plain").send("Not found"); if (!job.sourcePath) return res.status(404).type("text/plain").send("Not found"); const abs = path.resolve(projectRoot, job.sourcePath); if (!abs.startsWith(uploadsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path"); if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found"); const baseName = (job.originalFilename || "source").replace(/[^A-Za-z0-9._-]+/g, "-").slice(0, 80); res.download(abs, baseName); }); app.post("/api/private/:token/upload", privateGuard, upload.single("file"), async (req, res) => { const jobId = req._jobId || crypto.randomUUID(); const file = req.file; if (!file?.path) return res.status(400).type("text/plain").send("Missing file"); const relSourcePath = path.relative(projectRoot, file.path); const absOutputPath = path.join(outputsDir, `${jobId}.shadow.dave.md`); const relOutputPath = path.relative(projectRoot, absOutputPath); const shareId = crypto.randomBytes(18).toString("base64url"); const now = new Date().toISOString(); const job = { id: jobId, status: "processing", createdAt: now, originalFilename: file.originalname || "", sourcePath: relSourcePath, outputPath: relOutputPath, shareId, style: privateUploadStyle, sourceBytes: Number(file.size || 0), sourceSha256: "", outputSha256: "", warnings: "", error: "", }; try { job.sourceSha256 = await sha256File(file.path); } catch (e) { job.status = "error"; job.error = String(e?.message || e || "hash_failed"); writeJob(jobsDir, job); return res.status(500).type("text/plain").send("Failed to hash upload"); } writeJob(jobsDir, job); writeShare(sharesDir, shareId, { shareId, jobId, createdAt: now }); void (async () => { try { const { warnings } = await generateShadowDossier({ inputPath: file.path, outputPath: absOutputPath }); job.warnings = warnings ? warnings.trim() : ""; job.outputSha256 = await sha256File(absOutputPath); job.status = job.warnings ? "done_with_warnings" : "done"; writeJob(jobsDir, job); } catch (e) { job.status = "error"; job.error = String(e?.message || e || "generation_failed"); writeJob(jobsDir, job); } })(); res.redirect(303, `/private/${encodeURIComponent(req.params.token)}/job/${encodeURIComponent(jobId)}`); }); if (fs.existsSync(distDir) && fs.existsSync(indexHtmlPath)) { app.use(express.static(distDir, { fallthrough: true })); app.get("*", (_req, res) => { res.setHeader("Content-Type", "text/html; charset=utf-8"); res.status(200).sendFile(indexHtmlPath); }); } else { app.get("*", (_req, res) => { res .status(503) .type("text/plain") .send("red-team site is not built yet. Run `npm install` then `npm run build`."); }); } app.listen(port, "0.0.0.0", () => { // eslint-disable-next-line no-console console.log(`red-team site listening on http://0.0.0.0:${port}`); }); } main();