npm - @ao_zorin/zocket - Versions diffs - 1.0.0 - Mend

@ao_zorin/zocket 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/LICENSE +21 -0
package/README.md +92 -0
package/bin/zocket-setup.cjs +12 -0
package/bin/zocket.cjs +174 -0
package/docs/AI_AUTODEPLOY.md +52 -0
package/docs/CLIENTS_MCP.md +59 -0
package/docs/INSTALL.md +288 -0
package/docs/LOCAL_MODELS.md +95 -0
package/package.json +52 -0
package/pyproject.toml +29 -0
package/scripts/ai-autodeploy.py +127 -0
package/scripts/install-zocket.ps1 +116 -0
package/scripts/install-zocket.sh +228 -0
package/zocket/__init__.py +2 -0
package/zocket/__main__.py +5 -0
package/zocket/audit.py +76 -0
package/zocket/auth.py +34 -0
package/zocket/autostart.py +281 -0
package/zocket/backup.py +33 -0
package/zocket/cli.py +655 -0
package/zocket/config_store.py +68 -0
package/zocket/crypto.py +158 -0
package/zocket/harden.py +136 -0
package/zocket/i18n.py +216 -0
package/zocket/mcp_server.py +249 -0
package/zocket/paths.py +50 -0
package/zocket/runner.py +108 -0
package/zocket/templates/index.html +1062 -0
package/zocket/templates/login.html +244 -0
package/zocket/vault.py +331 -0
package/zocket/web.py +490 -0

package/zocket/config_store.py ADDED Viewed

@@ -0,0 +1,68 @@
+from __future__ import annotations
+import json
+import os
+import secrets
+from pathlib import Path
+from typing import Any
+DEFAULT_CONFIG: dict[str, Any] = {
+    "language": "en",
+    "key_storage": "file",
+    "keyring_service": "zocket",
+    "keyring_account": "master-key",
+    "web_auth_enabled": True,
+    "web_password_hash": "",
+    "web_password_salt": "",
+    "web_password_iterations": 390000,
+    "theme": "standard",
+    "theme_variant": "dark",
+    "session_secret": "",
+    "audit_enabled": True,
+    "exec_allowlist": [],
+    "exec_return_output": True,
+    "exec_max_output_chars": 4000,
+    "exec_allow_full_output": False,
+    "exec_substitute_env": True,
+}
+def _deep_copy_default() -> dict[str, Any]:
+    return json.loads(json.dumps(DEFAULT_CONFIG))
+class ConfigStore:
+    def __init__(self, path: Path):
+        self.path = path
+    def load(self) -> dict[str, Any]:
+        if not self.path.exists():
+            return _deep_copy_default()
+        raw = self.path.read_text(encoding="utf-8")
+        if not raw.strip():
+            return _deep_copy_default()
+        data = json.loads(raw)
+        if not isinstance(data, dict):
+            return _deep_copy_default()
+        merged = _deep_copy_default()
+        merged.update(data)
+        return merged
+    def save(self, payload: dict[str, Any]) -> None:
+        self.path.parent.mkdir(parents=True, exist_ok=True)
+        tmp = self.path.with_suffix(self.path.suffix + ".tmp")
+        tmp.write_text(
+            json.dumps(payload, ensure_ascii=True, indent=2, sort_keys=True) + "\n",
+            encoding="utf-8",
+        )
+        os.chmod(tmp, 0o600)
+        os.replace(tmp, self.path)
+    def ensure_exists(self) -> dict[str, Any]:
+        cfg = self.load()
+        if not cfg.get("session_secret"):
+            cfg["session_secret"] = secrets.token_urlsafe(32)
+            self.save(cfg)
+        elif not self.path.exists():
+            self.save(cfg)
+        return cfg

package/zocket/crypto.py ADDED Viewed

@@ -0,0 +1,158 @@
+from __future__ import annotations
+import json
+import os
+from pathlib import Path
+from typing import Any
+from cryptography.fernet import Fernet, InvalidToken
+KeyStorage = str
+class KeyNotFoundError(FileNotFoundError):
+    pass
+class DecryptionError(RuntimeError):
+    pass
+def _import_keyring():
+    try:
+        import keyring  # type: ignore
+        return keyring
+    except Exception as exc:  # pragma: no cover - environment dependent
+        raise RuntimeError(
+            "Keyring backend is unavailable. Install `keyring` package and OS backend."
+        ) from exc
+def _store_key_keyring(service: str, account: str, key: bytes, force: bool) -> None:
+    keyring = _import_keyring()
+    if not force:
+        existing = keyring.get_password(service, account)
+        if existing:
+            raise FileExistsError(
+                f"Key already exists in keyring service={service} account={account}"
+            )
+    keyring.set_password(service, account, key.decode("utf-8"))
+def _load_key_keyring(service: str, account: str) -> bytes:
+    keyring = _import_keyring()
+    value = keyring.get_password(service, account)
+    if not value:
+        raise KeyNotFoundError(
+            f"Master key not found in keyring service={service} account={account}"
+        )
+    return value.encode("utf-8")
+def _delete_key_keyring(service: str, account: str) -> None:
+    keyring = _import_keyring()
+    try:
+        keyring.delete_password(service, account)
+    except Exception:
+        return
+def generate_key_file(path: Path, force: bool = False) -> Path:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    if path.exists() and not force:
+        raise FileExistsError(f"Key file already exists: {path}")
+    key = Fernet.generate_key()
+    tmp_path = path.with_suffix(path.suffix + ".tmp")
+    tmp_path.write_bytes(key + b"\n")
+    os.chmod(tmp_path, 0o600)
+    os.replace(tmp_path, path)
+    return path
+def generate_master_key(
+    path: Path,
+    storage: KeyStorage = "file",
+    keyring_service: str = "zocket",
+    keyring_account: str = "master-key",
+    force: bool = False,
+) -> bytes:
+    key = Fernet.generate_key()
+    if storage == "keyring":
+        _store_key_keyring(keyring_service, keyring_account, key, force=force)
+        return key
+    generate_key_file(path, force=force)
+    return path.read_bytes().strip()
+def load_key(
+    path: Path,
+    env_var: str = "ZOCKET_MASTER_KEY",
+    storage: KeyStorage = "file",
+    keyring_service: str = "zocket",
+    keyring_account: str = "master-key",
+) -> bytes:
+    from_env = os.environ.get(env_var)
+    if from_env:
+        return from_env.strip().encode("utf-8")
+    if storage == "keyring":
+        return _load_key_keyring(keyring_service, keyring_account)
+    if not path.exists():
+        raise KeyNotFoundError(
+            f"Master key file not found: {path}. Run `zocket init` first."
+        )
+    key = path.read_bytes().strip()
+    if not key:
+        raise KeyNotFoundError(f"Master key file is empty: {path}")
+    return key
+def store_key(
+    key: bytes,
+    path: Path,
+    storage: KeyStorage = "file",
+    keyring_service: str = "zocket",
+    keyring_account: str = "master-key",
+) -> None:
+    if storage == "keyring":
+        _store_key_keyring(keyring_service, keyring_account, key, force=True)
+        return
+    tmp_path = path.with_suffix(path.suffix + ".tmp")
+    tmp_path.write_bytes(key + b"\n")
+    os.chmod(tmp_path, 0o600)
+    os.replace(tmp_path, path)
+def delete_key(
+    path: Path,
+    storage: KeyStorage = "file",
+    keyring_service: str = "zocket",
+    keyring_account: str = "master-key",
+) -> None:
+    if storage == "keyring":
+        _delete_key_keyring(keyring_service, keyring_account)
+        return
+    if path.exists():
+        path.unlink()
+def encrypt_payload(payload: dict[str, Any], key: bytes) -> bytes:
+    raw = json.dumps(payload, ensure_ascii=True, separators=(",", ":")).encode("utf-8")
+    return Fernet(key).encrypt(raw)
+def decrypt_payload(ciphertext: bytes, key: bytes) -> dict[str, Any]:
+    try:
+        raw = Fernet(key).decrypt(ciphertext)
+    except InvalidToken as exc:
+        raise DecryptionError(
+            "Failed to decrypt vault. Master key is invalid or vault is corrupted."
+        ) from exc
+    data = json.loads(raw.decode("utf-8"))
+    if not isinstance(data, dict):
+        raise DecryptionError("Vault payload is malformed.")
+    return data

package/zocket/harden.py ADDED Viewed

@@ -0,0 +1,136 @@
+from __future__ import annotations
+import os
+import shutil
+import subprocess
+import sys
+from pathlib import Path
+def _run(cmd: list[str], check: bool = True) -> subprocess.CompletedProcess[str]:
+    cp = subprocess.run(cmd, capture_output=True, text=True, check=False)
+    if check and cp.returncode != 0:
+        msg = cp.stderr.strip() or cp.stdout.strip() or f"command failed: {' '.join(cmd)}"
+        raise RuntimeError(msg)
+    return cp
+def _service_text(
+    description: str,
+    user: str,
+    group: str,
+    zocket_home: Path,
+    exec_start: str,
+) -> str:
+    return (
+        "[Unit]\n"
+        f"Description={description}\n"
+        "After=network-online.target\n"
+        "Wants=network-online.target\n\n"
+        "[Service]\n"
+        "Type=simple\n"
+        f"User={user}\n"
+        f"Group={group}\n"
+        f"Environment=ZOCKET_HOME={zocket_home}\n"
+        f"ExecStart={exec_start}\n"
+        "Restart=on-failure\n"
+        "RestartSec=2\n"
+        "NoNewPrivileges=true\n"
+        "PrivateTmp=true\n"
+        "ProtectSystem=strict\n"
+        "ProtectHome=read-only\n"
+        "ProtectKernelTunables=true\n"
+        "ProtectControlGroups=true\n"
+        "LockPersonality=true\n"
+        "MemoryDenyWriteExecute=true\n"
+        f"ReadWritePaths={zocket_home}\n\n"
+        "[Install]\n"
+        "WantedBy=multi-user.target\n"
+    )
+def install_linux_system_services(
+    service_user: str = "zocketd",
+    zocket_home: Path = Path("/var/lib/zocket"),
+    web_port: int = 18001,
+    mcp_host: str = "127.0.0.1",
+    mcp_port: int = 18002,
+    mcp_mode: str = "metadata",
+    dry_run: bool = False,
+) -> dict[str, object]:
+    if not sys.platform.startswith("linux"):
+        return {"ok": False, "message": "linux-only command"}
+    if os.geteuid() != 0 and not dry_run:
+        return {"ok": False, "message": "run this command as root"}
+    python_exe = shutil.which("python3") or "/usr/bin/python3"
+    web_exec = f"{python_exe} -m zocket web --host 127.0.0.1 --port {web_port}"
+    mcp_exec = (
+        f"{python_exe} -m zocket mcp --transport streamable-http "
+        f"--mode {mcp_mode} --host {mcp_host} --port {mcp_port}"
+    )
+    web_service = _service_text(
+        "Zocket Web Panel (system)",
+        service_user,
+        service_user,
+        zocket_home,
+        web_exec,
+    )
+    mcp_service = _service_text(
+        "Zocket MCP HTTP (system)",
+        service_user,
+        service_user,
+        zocket_home,
+        mcp_exec,
+    )
+    result: dict[str, object] = {
+        "ok": True,
+        "dry_run": dry_run,
+        "service_user": service_user,
+        "zocket_home": str(zocket_home),
+        "preview": {
+            "/etc/systemd/system/zocket-web.service": web_service,
+            "/etc/systemd/system/zocket-mcp-http.service": mcp_service,
+        },
+    }
+    if dry_run:
+        return result
+    _run(
+        [
+            "id",
+            service_user,
+        ],
+        check=False,
+    )
+    exists = _run(["id", service_user], check=False).returncode == 0
+    if not exists:
+        _run(
+            [
+                "useradd",
+                "--system",
+                "--create-home",
+                "--home-dir",
+                str(zocket_home),
+                "--shell",
+                "/usr/sbin/nologin",
+                service_user,
+            ]
+        )
+    zocket_home.mkdir(parents=True, exist_ok=True)
+    os.chmod(zocket_home, 0o700)
+    _run(["chown", "-R", f"{service_user}:{service_user}", str(zocket_home)])
+    web_path = Path("/etc/systemd/system/zocket-web.service")
+    mcp_path = Path("/etc/systemd/system/zocket-mcp-http.service")
+    web_path.write_text(web_service, encoding="utf-8")
+    mcp_path.write_text(mcp_service, encoding="utf-8")
+    _run(["systemctl", "daemon-reload"])
+    _run(["systemctl", "enable", "--now", "zocket-web.service"])
+    _run(["systemctl", "enable", "--now", "zocket-mcp-http.service"])
+    result["status"] = {
+        "web": _run(["systemctl", "is-active", "zocket-web.service"], check=False).stdout.strip(),
+        "mcp": _run(["systemctl", "is-active", "zocket-mcp-http.service"], check=False).stdout.strip(),
+    }
+    return result

package/zocket/i18n.py ADDED Viewed

@@ -0,0 +1,216 @@
+from __future__ import annotations
+from typing import Any
+SUPPORTED_LANGS = {"en", "ru"}
+DEFAULT_LANG = "en"
+MESSAGES: dict[str, dict[str, str]] = {
+    "en": {
+        "app.tagline": "Local encrypted vault for MCP/CLI workflows.",
+        "ui.projects": "Projects",
+        "ui.name": "Name",
+        "ui.keys_count": "Keys",
+        "ui.new_project": "New project",
+        "ui.optional_desc": "Description (optional)",
+        "ui.optional_folder": "Project folder path (optional)",
+        "ui.project_folder": "Project folder",
+        "ui.not_set": "Not set",
+        "ui.choose_folder": "Choose folder",
+        "ui.save_folder": "Save folder",
+        "ui.clear_folder": "Clear folder",
+        "ui.folder_picker": "Folder picker",
+        "ui.current_path": "Current path",
+        "ui.parent_folder": "Up",
+        "ui.roots": "Roots",
+        "ui.select_folder": "Select this folder",
+        "ui.close": "Close",
+        "ui.loading": "Loading...",
+        "ui.no_subfolders": "No subfolders",
+        "ui.folder_picker_failed": "Failed to load folders",
+        "ui.create": "Create",
+        "ui.real_values_visible": "Real values are visible.",
+        "ui.hide_values": "Hide values",
+        "ui.masked_values_visible": "Masked values are visible.",
+        "ui.show_values": "Show values",
+        "ui.delete_project": "Delete project",
+        "ui.secrets": "Secrets",
+        "ui.description": "Description",
+        "ui.updated_at": "Updated",
+        "ui.value": "Value",
+        "ui.delete": "Delete",
+        "ui.edit_secret": "Edit secret",
+        "ui.add_or_update_secret": "Add or update secret",
+        "ui.secret_preset": "Secret preset",
+        "ui.choose_preset": "Choose preset",
+        "ui.friendly_name": "Friendly name (optional)",
+        "ui.key": "Key",
+        "ui.folder_search": "Search folders",
+        "ui.no_matching_folders": "No matching folders",
+        "ui.save": "Save",
+        "ui.no_projects": "No projects yet",
+        "ui.create_left": "Create a project in the left panel.",
+        "ui.lang": "Language",
+        "ui.lang_en": "English",
+        "ui.lang_ru": "Russian",
+        "ui.theme": "Theme",
+        "ui.theme_standard": "Standard",
+        "ui.theme_zorin": "Zorin Pretty",
+        "ui.variant_light": "Light view",
+        "ui.variant_dark": "Dark glow",
+        "ui.sign_in": "Sign in",
+        "ui.password": "Password",
+        "ui.password_repeat": "Repeat password",
+        "ui.login": "Login",
+        "ui.logout": "Logout",
+        "ui.invalid_login": "Invalid password",
+        "ui.auth_required": "Authentication is required",
+        "ui.first_time_set_password": "Set admin password first via CLI: zocket auth set-password",
+        "ui.first_setup_title": "First launch setup",
+        "ui.first_setup_subtitle": "Choose how to protect your local panel.",
+        "ui.set_password": "Set your password",
+        "ui.save_and_enter": "Save and open panel",
+        "ui.generate_password": "Generate strong password",
+        "ui.generate_password_hint": "A secure random password will be generated and shown once.",
+        "ui.generate_and_enter": "Generate and open panel",
+        "ui.continue_without_password": "Continue without password",
+        "ui.insecure_warning": "This is less secure. Anyone with local access may open the panel.",
+        "ui.i_understand_risk": "I understand the risk",
+        "ui.continue_anyway": "Continue without password",
+        "ui.insecure_confirm_dialog": "Continue without password? This is less secure.",
+        "ui.confirm_insecure_required": "Please confirm that you understand the security risk.",
+        "ui.invalid_setup_option": "Invalid setup option.",
+        "ui.password_required": "Password is required.",
+        "ui.passwords_do_not_match": "Passwords do not match.",
+        "ui.generated_password_notice": "Generated admin password (shown once):",
+        "ui.generated_password_save_now": "Save it now. You can change it later via CLI.",
+        "msg.key_file": "Key file: {path}",
+        "msg.vault_file": "Vault file: {path}",
+        "msg.init_complete": "Initialization complete.",
+        "msg.project_created": "Project created: {name}",
+        "msg.project_deleted": "Project deleted: {name}",
+        "msg.project_folder_set": "Project folder saved: {name}",
+        "msg.project_folder_cleared": "Project folder cleared: {name}",
+        "msg.secret_saved": "Secret {key} saved for project {project}",
+        "msg.secret_deleted": "Secret {key} deleted from project {project}",
+        "msg.password_set": "Web admin password was updated.",
+        "msg.language_set": "Language set to {lang}.",
+        "err.usage_use": "Usage: zocket use <project> -- <command> [args...]",
+        "err.need_login": "Error: password login required.",
+    },
+    "ru": {
+        "app.tagline": "Локальное шифрованное хранилище для MCP/CLI.",
+        "ui.projects": "Проекты",
+        "ui.name": "Имя",
+        "ui.keys_count": "Ключей",
+        "ui.new_project": "Новый проект",
+        "ui.optional_desc": "Описание (опционально)",
+        "ui.optional_folder": "Папка проекта (опционально)",
+        "ui.project_folder": "Папка проекта",
+        "ui.not_set": "Не задано",
+        "ui.choose_folder": "Выбрать папку",
+        "ui.save_folder": "Сохранить папку",
+        "ui.clear_folder": "Очистить папку",
+        "ui.folder_picker": "Выбор папки",
+        "ui.current_path": "Текущий путь",
+        "ui.parent_folder": "Вверх",
+        "ui.roots": "Корни",
+        "ui.select_folder": "Выбрать эту папку",
+        "ui.close": "Закрыть",
+        "ui.loading": "Загрузка...",
+        "ui.no_subfolders": "Подпапок нет",
+        "ui.folder_picker_failed": "Не удалось загрузить папки",
+        "ui.create": "Создать",
+        "ui.real_values_visible": "Показаны реальные значения.",
+        "ui.hide_values": "Скрыть значения",
+        "ui.masked_values_visible": "Показаны замаскированные значения.",
+        "ui.show_values": "Показать значения",
+        "ui.delete_project": "Удалить проект",
+        "ui.secrets": "Секреты",
+        "ui.description": "Описание",
+        "ui.updated_at": "Обновлён",
+        "ui.value": "Значение",
+        "ui.delete": "Удалить",
+        "ui.edit_secret": "Редактировать",
+        "ui.add_or_update_secret": "Добавить или обновить секрет",
+        "ui.secret_preset": "Пресет секрета",
+        "ui.choose_preset": "Выбрать пресет",
+        "ui.friendly_name": "Читабельное имя (опционально)",
+        "ui.key": "Ключ",
+        "ui.folder_search": "Поиск папок",
+        "ui.no_matching_folders": "Совпадений не найдено",
+        "ui.save": "Сохранить",
+        "ui.no_projects": "Проектов пока нет",
+        "ui.create_left": "Создайте проект слева.",
+        "ui.lang": "Язык",
+        "ui.lang_en": "Английский",
+        "ui.lang_ru": "Русский",
+        "ui.theme": "Тема",
+        "ui.theme_standard": "Стандартная",
+        "ui.theme_zorin": "Zorin Pretty",
+        "ui.variant_light": "Светлая",
+        "ui.variant_dark": "Тёмная",
+        "ui.hero_badge": "Zorin Pretty",
+        "ui.hero_title": "Локальное MCP-хранилище в неоновой оболочке",
+        "ui.hero_subtitle": "Переключайся между CLI-агентами на градиентном холсте, вдохновлённом zorin.pw. Секреты по-прежнему зашифрованы, а интерфейс выглядит как панель управления.",
+        "ui.hero_agent": "Готово для агентов",
+        "ui.hero_agent_body": "MCP под TLS, автозапуск и контроль сессий доступны в каждом проекте.",
+        "ui.hero_theme": "Управление темой",
+        "ui.hero_theme_body": "Zorin Pretty активирует градиенты, стеклянные карточки и атмосферные свечения.",
+        "ui.sign_in": "Вход",
+        "ui.password": "Пароль",
+        "ui.password_repeat": "Повторите пароль",
+        "ui.login": "Войти",
+        "ui.logout": "Выйти",
+        "ui.invalid_login": "Неверный пароль",
+        "ui.auth_required": "Требуется аутентификация",
+        "ui.first_time_set_password": "Сначала задайте пароль через CLI: zocket auth set-password",
+        "ui.first_setup_title": "Первичная настройка",
+        "ui.first_setup_subtitle": "Выберите способ защиты локальной панели.",
+        "ui.set_password": "Задать свой пароль",
+        "ui.save_and_enter": "Сохранить и открыть панель",
+        "ui.generate_password": "Сгенерировать надёжный пароль",
+        "ui.generate_password_hint": "Будет сгенерирован случайный пароль и показан один раз.",
+        "ui.generate_and_enter": "Сгенерировать и открыть панель",
+        "ui.continue_without_password": "Продолжить без пароля",
+        "ui.insecure_warning": "Это менее безопасно. Любой с локальным доступом сможет открыть панель.",
+        "ui.i_understand_risk": "Я понимаю риск",
+        "ui.continue_anyway": "Продолжить без пароля",
+        "ui.insecure_confirm_dialog": "Продолжить без пароля? Это менее безопасно.",
+        "ui.confirm_insecure_required": "Подтвердите, что вы понимаете риск безопасности.",
+        "ui.invalid_setup_option": "Некорректный вариант настройки.",
+        "ui.password_required": "Нужно ввести пароль.",
+        "ui.passwords_do_not_match": "Пароли не совпадают.",
+        "ui.generated_password_notice": "Сгенерированный пароль администратора (показан один раз):",
+        "ui.generated_password_save_now": "Сохраните его сейчас. Позже можно сменить через CLI.",
+        "msg.key_file": "Файл ключа: {path}",
+        "msg.vault_file": "Файл vault: {path}",
+        "msg.init_complete": "Инициализация завершена.",
+        "msg.project_created": "Проект создан: {name}",
+        "msg.project_deleted": "Проект удалён: {name}",
+        "msg.project_folder_set": "Папка проекта сохранена: {name}",
+        "msg.project_folder_cleared": "Папка проекта очищена: {name}",
+        "msg.secret_saved": "Секрет {key} сохранён для проекта {project}",
+        "msg.secret_deleted": "Секрет {key} удалён из проекта {project}",
+        "msg.password_set": "Пароль веб-админа обновлён.",
+        "msg.language_set": "Язык переключен на {lang}.",
+        "err.usage_use": "Использование: zocket use <project> -- <command> [args...]",
+        "err.need_login": "Ошибка: нужен парольный вход.",
+    },
+}
+def normalize_lang(value: str | None) -> str:
+    if not value:
+        return DEFAULT_LANG
+    value = value.lower().strip()
+    return value if value in SUPPORTED_LANGS else DEFAULT_LANG
+def tr(locale_code: str, message_id: str, **kwargs: Any) -> str:
+    locale = normalize_lang(locale_code)
+    table = MESSAGES.get(locale, MESSAGES[DEFAULT_LANG])
+    text = table.get(message_id, MESSAGES[DEFAULT_LANG].get(message_id, message_id))
+    if kwargs:
+        return text.format(**kwargs)
+    return text