Fix login primitive smoke fallback

Author: jahooma

.github/workflows/cli-release-build.yml

@@ -184,6 +184,7 @@ jobs:
           # Fast path: --version exits synchronously through commander, so it
           # only catches early sync failures. Run it for parity with old CI.
           "$BIN" --version
+          "$BIN" --smoke-login-primitives
 
           # Slow path: keep the binary alive long enough for *async* startup
           # failures (e.g. the Parser.init rejection that crashed the

.github/workflows/freebuff-e2e.yml

@@ -44,6 +44,7 @@ jobs:
           # startup failures (e.g. the Parser.init rejection from a broken
           # tree-sitter wasm load).
           cli/bin/freebuff --version
+          cli/bin/freebuff --smoke-login-primitives
           # Run for a few seconds so unhandled rejections during module init
           # have a chance to fire and trip earlyFatalHandler.
           bun cli/scripts/smoke-binary.ts cli/bin/freebuff

cli/src/utils/__tests__/fingerprint.test.ts

@@ -1,6 +1,10 @@
-import { describe, test, expect } from 'bun:test'
+import { describe, test, expect, spyOn } from 'bun:test'
 
-import { getFingerprintType, generateFingerprintIdSync } from '../fingerprint'
+import {
+  getFingerprintType,
+  generateFingerprintIdSync,
+  generateLegacyFingerprintSuffix,
+} from '../fingerprint'
 
 describe('fingerprint utilities', () => {
   describe('getFingerprintType', () => {
@@ -142,4 +146,42 @@ describe('fingerprint utilities', () => {
     })
   })
 
+  describe('generateLegacyFingerprintSuffix', () => {
+    test('falls back to Web Crypto when node randomBytes fails', () => {
+      const suffix = generateLegacyFingerprintSuffix(
+        () => {
+          throw new Error('randomBytes unavailable')
+        },
+        {
+          getRandomValues: (bytes) => {
+            bytes.set([0, 1, 2, 3, 4, 5])
+            return bytes
+          },
+        },
+      )
+
+      expect(suffix).toBe('AAECAwQF')
+    })
+
+    test('falls back to Math.random when node and Web Crypto both fail', () => {
+      const mathRandomSpy = spyOn(Math, 'random').mockReturnValue(0)
+
+      try {
+        const suffix = generateLegacyFingerprintSuffix(
+          () => {
+            throw new Error('randomBytes unavailable')
+          },
+          {
+            getRandomValues: () => {
+              throw new Error('getRandomValues unavailable')
+            },
+          },
+        )
+
+        expect(suffix).toBe('AAAAAAAA')
+      } finally {
+        mathRandomSpy.mockRestore()
+      }
+    })
+  })
 })

cli/src/utils/fingerprint.ts

@@ -22,6 +22,14 @@ let machineIdModule: typeof import('node-machine-id') | null = null
 let systeminformationModule: typeof import('systeminformation') | null = null
 
 const ENHANCED_FINGERPRINT_TIMEOUT_MS = 3000
+const LEGACY_FINGERPRINT_SUFFIX_LENGTH = 8
+const LEGACY_FINGERPRINT_RANDOM_BYTES = 6
+const BASE64URL_ALPHABET =
+  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
+
+type RandomValuesProvider = {
+  getRandomValues: (bytes: Uint8Array) => Uint8Array
+}
 
 async function getMachineId(): Promise<string> {
   if (!machineIdModule) {
@@ -136,10 +144,51 @@ async function calculateEnhancedFingerprint(): Promise<string> {
  * Used as a fallback when enhanced fingerprinting fails.
  */
 function calculateLegacyFingerprint(): string {
-  const randomSuffix = randomBytes(6).toString('base64url').substring(0, 8)
+  const randomSuffix = generateLegacyFingerprintSuffix()
   return `codebuff-cli-${randomSuffix}`
 }
 
+export function generateLegacyFingerprintSuffix(
+  randomByteSource: (byteCount: number) => Uint8Array = randomBytes,
+  randomValuesProvider: RandomValuesProvider | undefined = globalThis.crypto,
+): string {
+  try {
+    return Buffer.from(randomByteSource(LEGACY_FINGERPRINT_RANDOM_BYTES))
+      .toString('base64url')
+      .substring(0, LEGACY_FINGERPRINT_SUFFIX_LENGTH)
+  } catch (err) {
+    logger.warn(
+      {
+        errorMessage: err instanceof Error ? err.message : String(err),
+      },
+      'Node crypto randomBytes failed for legacy fingerprint suffix',
+    )
+  }
+
+  try {
+    if (randomValuesProvider) {
+      const bytes = new Uint8Array(LEGACY_FINGERPRINT_RANDOM_BYTES)
+      randomValuesProvider.getRandomValues(bytes)
+      return Buffer.from(bytes)
+        .toString('base64url')
+        .substring(0, LEGACY_FINGERPRINT_SUFFIX_LENGTH)
+    }
+  } catch (err) {
+    logger.warn(
+      {
+        errorMessage: err instanceof Error ? err.message : String(err),
+      },
+      'Web Crypto getRandomValues failed for legacy fingerprint suffix',
+    )
+  }
+
+  let suffix = ''
+  for (let i = 0; i < LEGACY_FINGERPRINT_SUFFIX_LENGTH; i++) {
+    suffix += BASE64URL_ALPHABET[Math.floor(Math.random() * BASE64URL_ALPHABET.length)]
+  }
+  return suffix
+}
+
 /**
  * Cached fingerprint promise. Populated on first call and reused for the
  * process lifetime so every auth step in a session ships the same fingerprint