sentinel: Add hotpatch and GitHub webhook handling

Author: PartMan7

.eslintrc.json

@@ -48,7 +48,7 @@
 		"no-console": "error",
 		"no-restricted-imports": ["error", { "patterns": [".*"] }],
 		"no-unreachable": "error",
-		"no-unused-expressions": "error",
+		"no-unused-expressions": ["error", { "allowTaggedTemplates": true }],
 		"no-var": "error",
 		"prefer-const": [
 			"error",

package-lock.json

@@ -31,7 +31,7 @@
 		"express": "^5.0.1",
 		"flat-cache": "^6.1.1",
 		"mongoose": "^8.12.1",
-		"ps-client": "^4.5.0",
+		"ps-client": "^4.5.2",
 		"react": "^18.2.0",
 		"react-dom": "^18.2.0",
 		"tailwindcss": "^4.0.8",

package.json

@@ -6,6 +6,7 @@ import * as _cache from '@/cache';
 import * as _Tools from '@/tools';
 import { ansiToHtml } from '@/utils/ansiToHtml';
 import { cachebuster as _cachebuster } from '@/utils/cachebuster';
+import { $ as _$ } from '@/utils/child_process';
 import { fsPath as _fsPath } from '@/utils/fsPath';
 import { log as _log } from '@/utils/logger';
 
@@ -21,9 +22,10 @@ const fsPath = _fsPath;
 const log = _log;
 const path = _path;
 const Tools = _Tools;
+const $ = _$;
 
 // Storing in context for eval()
-const _evalContext = [cache, cachebuster, fs, fsSync, fsPath, log, path, Tools];
+const _evalContext = [cache, cachebuster, fs, fsSync, fsPath, log, path, Tools, $];
 
 export type EvalModes = 'COLOR_OUTPUT' | 'FULL_OUTPUT' | 'ABBR_OUTPUT' | 'NO_OUTPUT';
 export type EvalOutput = {

src/eval.ts

@@ -0,0 +1,43 @@
+import { promises as fs } from 'fs';
+import path from 'path';
+import { update } from 'ps-client/tools';
+
+import { registers } from '@/sentinel/registers';
+import { $ } from '@/utils/child_process';
+import { fsPath } from '@/utils/fsPath';
+import { errorLog, log } from '@/utils/logger';
+
+export type HotpatchType = 'code' | 'data' | string;
+
+export async function hotpatch(hotpatchType: HotpatchType, by: string | symbol): Promise<void> {
+	if (!hotpatchType) throw new TypeError('Missing hotpatchType');
+	try {
+		// Hardcoded variants
+		switch (hotpatchType) {
+			case 'code': {
+				$`git pull`;
+				break;
+			}
+			case 'data': {
+				await update();
+				// TODO: cachebust
+				break;
+			}
+			default:
+				const register = registers.list.find(register => register.label === hotpatchType);
+				if (register) {
+					const allFiles = (await fs.readdir(fsPath(), { recursive: true, withFileTypes: true }))
+						.filter(entry => entry.isFile())
+						.map(entry => path.join(entry.parentPath, entry.name));
+					await register.reload(allFiles.filter(file => register.pattern.test(file)));
+				}
+		}
+		log(`${hotpatchType} was hotpatched ${typeof by === 'symbol' ? `(${Symbol.keyFor(by) ?? '-'})` : `by ${by}`}`);
+	} catch (error) {
+		if (error instanceof Error) {
+			log('Failed to hotpatch', hotpatchType, by, error.message);
+			errorLog(error);
+		}
+		throw error;
+	}
+}

src/sentinel/hotpatch.ts

@@ -0,0 +1,8 @@
+import { execSync } from 'child_process';
+
+import type { ExecSyncOptionsWithStringEncoding } from 'child_process';
+
+export function $(input: TemplateStringsArray | string, options?: ExecSyncOptionsWithStringEncoding): string {
+	const command = typeof input === 'string' ? input : input.raw.join(' ');
+	return execSync(command, { encoding: 'utf8', ...options });
+}

src/utils/child_process.ts

@@ -1,24 +1,28 @@
 import crypto from 'crypto';
 
-import { log } from '@/utils/logger';
+import { hotpatch } from '@/sentinel/hotpatch';
 import { WebError } from '@/utils/webError';
 
 import type { RequestHandler } from 'express';
 
 export const verb = 'post';
 
-function gitHubHash(body: unknown): string {
-	return crypto
+function gitHubHash(body: string): string {
+	const hash = crypto
 		.createHmac('sha256', process.env.WEB_GITHUB_SECRET ?? 'No key provided.')
-		.update(JSON.stringify(body))
+		.update(body)
 		.digest('hex');
+	return `sha256=${hash}`;
 }
 
-export const handler: RequestHandler = async (req, _res) => {
+export const handler: RequestHandler = async (req, res) => {
 	const signature = req.header('X-Hub-Signature-256');
-	const checksum = gitHubHash(req.body);
-	log({ req, body: req.body, checksum, signature });
+	const checksum = gitHubHash(JSON.stringify(req.body));
 	if (!signature) throw new WebError('Signature not provided.');
+	// Not going to bother with protecting against timing attacks
+	// TODO: Maybe use crypto.timingSafeEqual? Honestly just looks way too cluttered
 	if (signature !== checksum) throw new WebError('Signature invalid.');
-	throw new WebError('Not added yet');
+
+	await hotpatch('code', Symbol.for('GitHub'));
+	res.send('Code updated.');
 };