@bitpub/cli 2.0.0

package/src/config.js

@@ -0,0 +1,85 @@
+'use strict';
+
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+
+const BITPUB_DIR = path.join(os.homedir(), '.bitpub');
+const CONFIG_FILE = path.join(BITPUB_DIR, 'config.json');
+
+/**
+ * Default cloud tenant. `bitpub init` provisions an identity here unless
+ * overridden with --url. Override via env for development:
+ *   BITPUB_CLOUD_URL=http://localhost:8080 bitpub init
+ */
+const DEFAULT_CLOUD_URL = process.env.BITPUB_CLOUD_URL || 'https://bitpub.io';
+
+function ensureDir() {
+  if (!fs.existsSync(BITPUB_DIR)) {
+    fs.mkdirSync(BITPUB_DIR, { recursive: true });
+  }
+}
+
+function readConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeConfig(config) {
+  ensureDir();
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
+}
+
+/**
+ * Identity is valid if api_url is present and at least one of these is true:
+ *   - private identity: api_key + owner  (provisioned by `bitpub init`)
+ *   - group identity:   group_key + domain  (set by `bitpub auth login`)
+ *   - legacy single-key: api_key + domain  (old config shape, still supported)
+ */
+function isConfigured(config) {
+  if (!config || !config.api_url) return false;
+  const hasPrivate = Boolean(config.api_key && config.owner);
+  const hasGroup   = Boolean(config.group_key && config.domain);
+  const hasLegacy  = Boolean(config.api_key && config.domain);
+  return hasPrivate || hasGroup || hasLegacy;
+}
+
+/**
+ * Require a valid config or exit with a helpful message that points at the
+ * agent-first onboarding path first, then the BYOC path.
+ */
+function requireConfig() {
+  const config = readConfig();
+  if (!isConfigured(config)) {
+    console.error('No BitPub identity configured. Set one up:');
+    console.error('  bitpub init                                 # auto-provision against the hosted tenant');
+    console.error('  bitpub auth login --key <K> --domain <D>    # enterprise / BYOC');
+    process.exit(1);
+  }
+  return config;
+}
+
+/**
+ * Stable author identifier used in slice metadata. Falls back gracefully
+ * across config shapes so freshly-provisioned (owner-only) and BYOC
+ * (domain-only) identities both produce a meaningful author_id.
+ */
+function authorIdFor(config) {
+  if (config.owner) return `agent_${config.owner}`;
+  if (config.domain) return `agent_${config.domain.replace(/[^a-zA-Z0-9]/g, '_')}`;
+  return 'agent_anonymous';
+}
+
+module.exports = {
+  readConfig,
+  writeConfig,
+  requireConfig,
+  isConfigured,
+  authorIdFor,
+  BITPUB_DIR,
+  CONFIG_FILE,
+  DEFAULT_CLOUD_URL,
+};

package/src/crypto.js

@@ -0,0 +1,61 @@
+'use strict';
+
+const crypto = require('crypto');
+
+const SALT = Buffer.from('bitpub-private-v1');
+const INFO = Buffer.from('content-encryption');
+const PREFIX = 'bitpub-encrypted:v1:';
+
+function deriveKey(apiKey) {
+  return crypto.hkdfSync('sha256', apiKey, SALT, INFO, 32);
+}
+
+function encrypt(content, apiKey) {
+  const key = deriveKey(apiKey);
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(key), iv);
+  const encrypted = Buffer.concat([cipher.update(content, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, tag]);
+  return PREFIX + iv.toString('base64') + ':' + combined.toString('base64');
+}
+
+function decrypt(encryptedStr, apiKey) {
+  if (!encryptedStr.startsWith(PREFIX)) return encryptedStr;
+  const parts = encryptedStr.slice(PREFIX.length).split(':', 1);
+  const rest = encryptedStr.slice(PREFIX.length + parts[0].length + 1);
+  const iv = Buffer.from(parts[0], 'base64');
+  const data = Buffer.from(rest, 'base64');
+  const tag = data.slice(-16);
+  const ciphertext = data.slice(0, -16);
+  const key = deriveKey(apiKey);
+  const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(key), iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(ciphertext, null, 'utf8') + decipher.final('utf8');
+}
+
+function isEncrypted(str) {
+  return typeof str === 'string' && str.startsWith(PREFIX);
+}
+
+function isPrivateHcu(hcu) {
+  return typeof hcu === 'string' && hcu.startsWith('bitpub://private:');
+}
+
+/**
+ * Decrypt payload.content for any private-scope slices in an array.
+ * Mutates the slice objects in place. Returns the array for chaining.
+ */
+function decryptSlices(slices, apiKey) {
+  for (const slice of slices) {
+    if (!isPrivateHcu(slice.hcu)) continue;
+    const payload = typeof slice.payload === 'string' ? JSON.parse(slice.payload) : slice.payload;
+    if (isEncrypted(payload.content)) {
+      payload.content = decrypt(payload.content, apiKey);
+      slice.payload = payload;
+    }
+  }
+  return slices;
+}
+
+module.exports = { encrypt, decrypt, isEncrypted, isPrivateHcu, decryptSlices };

package/src/db/cache.js

@@ -0,0 +1,373 @@
+'use strict';
+
+const Database = require('better-sqlite3');
+const path = require('path');
+const os = require('os');
+const fs = require('fs');
+
+const DB_PATH = path.join(os.homedir(), '.bitpub', 'cache.db');
+
+// All cache tables live here. CREATE TABLE IF NOT EXISTS is idempotent
+// and fast (~0.1ms), so we run it on every connection rather than relying
+// on `bitpub init`. This means a CLI that's been installed since before
+// a new table was added (e.g. local_trash for soft delete) self-migrates
+// the first time any cache function is called — no `bitpub init` rerun
+// required.
+const SCHEMA_DDL = `
+  CREATE TABLE IF NOT EXISTS local_slices (
+    hcu         TEXT PRIMARY KEY,
+    payload     TEXT NOT NULL,
+    metadata    TEXT NOT NULL,
+    version     INTEGER DEFAULT 1,
+    last_synced TEXT DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS synced_namespaces (
+    pattern     TEXT PRIMARY KEY,
+    last_synced TEXT DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
+    slice_count INTEGER DEFAULT 0
+  );
+
+  CREATE TABLE IF NOT EXISTS local_trash (
+    hcu                 TEXT PRIMARY KEY,
+    payload             TEXT NOT NULL,
+    metadata            TEXT NOT NULL,
+    version             INTEGER NOT NULL,
+    deleted_at          TEXT NOT NULL,
+    trashed_locally_at  TEXT DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
+  );
+`;
+
+function getDb() {
+  const dir = path.dirname(DB_PATH);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  const db = new Database(DB_PATH);
+  // Self-heal schema on every connection — handles upgrades from CLI
+  // versions that predated newer tables. Idempotent, microseconds.
+  db.exec(SCHEMA_DDL);
+  return db;
+}
+
+// ── Schema ────────────────────────────────────────────────────────────────────
+
+/**
+ * Explicit initialization is now redundant — `getDb()` runs the same DDL
+ * on every connection. This function is kept for backward compatibility
+ * with code that calls it directly during `bitpub init`.
+ *
+ * Two tables matter for deletion:
+ *
+ *   local_slices     — active state ONLY. No deleted_at column. The hot
+ *                      read path (`bitpub read`) is a pure-local query
+ *                      against this table; tombstones never leak in.
+ *
+ *   local_trash      — personal undo buffer for private slices THIS machine
+ *                      dropped. Stores the prior payload + version so an
+ *                      offline `bitpub trash restore` can attempt a server
+ *                      write with --expect-version. Group drops are NOT
+ *                      stored here (group is shared state; restoration goes
+ *                      through the server). Cleaned up on sync if remotely
+ *                      restored or superseded; TTL-purged after 30 days.
+ */
+function initCache() {
+  const db = getDb();
+  db.close();
+}
+
+// ── Writes ────────────────────────────────────────────────────────────────────
+
+/**
+ * Upsert a single slice returned from the remote API into the local cache.
+ * Accepts either the full DTO (from /push response) or a raw DB row.
+ */
+function upsertSlice(slice) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO local_slices (hcu, payload, metadata, version, last_synced)
+    VALUES (?, ?, ?, ?, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
+    ON CONFLICT (hcu) DO UPDATE SET
+      payload     = excluded.payload,
+      metadata    = excluded.metadata,
+      version     = excluded.version,
+      last_synced = strftime('%Y-%m-%dT%H:%M:%fZ', 'now')
+  `);
+  stmt.run(
+    slice.hcu,
+    typeof slice.payload === 'string' ? slice.payload : JSON.stringify(slice.payload),
+    typeof slice.metadata === 'string' ? slice.metadata : JSON.stringify(slice.metadata),
+    slice.metadata?.version ?? 1
+  );
+  db.close();
+}
+
+/**
+ * Record that a namespace pattern was explicitly fetched.
+ */
+function recordNamespaceSync(pattern, count) {
+  const db = getDb();
+  db.prepare(`
+    INSERT INTO synced_namespaces (pattern, last_synced, slice_count)
+    VALUES (?, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), ?)
+    ON CONFLICT (pattern) DO UPDATE SET
+      last_synced = strftime('%Y-%m-%dT%H:%M:%fZ', 'now'),
+      slice_count = excluded.slice_count
+  `).run(pattern, count);
+  db.close();
+}
+
+// ── Reads ─────────────────────────────────────────────────────────────────────
+
+/**
+ * Query local cache using HCU glob patterns.
+ *   exact       → exact match
+ *   .../path/*  → direct children (one level deep)
+ *   .../path/** → all descendants (recursive)
+ */
+function querySlices(hcuPattern) {
+  const db = getDb();
+  const pattern = hcuPattern.replace(/\/$/, '');
+  let rows;
+
+  if (pattern.endsWith('/**')) {
+    const base = pattern.slice(0, -3);
+    // Match the exact base OR anything underneath it
+    rows = db.prepare(`
+      SELECT * FROM local_slices
+      WHERE hcu = ? OR hcu LIKE ?
+      ORDER BY hcu
+    `).all(base, base + '/%');
+  } else if (pattern.endsWith('/*')) {
+    const base = pattern.slice(0, -2);
+    // Direct children: one slash deeper, no further slashes
+    rows = db.prepare(`
+      SELECT * FROM local_slices
+      WHERE hcu LIKE ?
+        AND SUBSTR(hcu, LENGTH(?) + 2) NOT LIKE '%/%'
+      ORDER BY hcu
+    `).all(base + '/%', base);
+  } else {
+    rows = db.prepare('SELECT * FROM local_slices WHERE hcu = ?').all(pattern);
+  }
+
+  db.close();
+  return rows;
+}
+
+/**
+ * Find slices whose address ends with the given path-tail. Used for
+ * "did you mean" recovery on a `load` miss: the user typed a short name
+ * that didn't resolve in their active workspace, but a slice with the
+ * same trailing path may still exist elsewhere in their cache (e.g. in
+ * Transcripts/, Memory/, a sibling Workspace, etc.).
+ *
+ * Matching is path-suffix only — `notes` matches `.../foo/notes` but not
+ * `.../barnotes`. Multi-segment tails work too: `Transcripts/Raw/2026-04-30`
+ * matches any address ending in that exact path.
+ *
+ * SQL wildcards `%` and `_` in the input are escaped so user-supplied
+ * names can't accidentally widen the search.
+ *
+ * @param {string} tail            e.g. "notes" or "Transcripts/Raw/2026-04-30-..."
+ * @param {string} [scopePattern]  optional bitpub:// pattern to constrain the
+ *                                 search (e.g. `bitpub://private:owner/**`)
+ * @returns {Array} matching local_slices rows
+ */
+function findSlicesByName(tail, scopePattern) {
+  if (typeof tail !== 'string' || tail.length === 0) return [];
+  const db = getDb();
+
+  const normalizedTail = '/' + tail.replace(/^\/+|\/+$/g, '');
+  const escape = (s) => s.replace(/\\/g, '\\\\').replace(/%/g, '\\%').replace(/_/g, '\\_');
+  const tailLike = '%' + escape(normalizedTail);
+
+  let rows;
+  if (scopePattern) {
+    const scopeBase = scopePattern.replace(/\/(\*\*|\*)$/, '').replace(/\/$/, '');
+    const scopeLike = escape(scopeBase) + '/%';
+    rows = db.prepare(`
+      SELECT * FROM local_slices
+      WHERE (hcu = ? OR hcu LIKE ? ESCAPE '\\')
+        AND hcu LIKE ? ESCAPE '\\'
+      ORDER BY hcu
+    `).all(scopeBase, scopeLike, tailLike);
+  } else {
+    rows = db.prepare(
+      `SELECT * FROM local_slices WHERE hcu LIKE ? ESCAPE '\\' ORDER BY hcu`
+    ).all(tailLike);
+  }
+
+  db.close();
+  return rows;
+}
+
+/**
+ * Return all synced namespace records for the `status` command.
+ */
+function getSyncedNamespaces() {
+  const db = getDb();
+  const rows = db.prepare(
+    'SELECT pattern, last_synced, slice_count FROM synced_namespaces ORDER BY last_synced DESC'
+  ).all();
+  db.close();
+  return rows;
+}
+
+/**
+ * Return aggregate stats for the `status` command.
+ */
+function getCacheStats() {
+  const db = getDb();
+  const row = db.prepare(`
+    SELECT COUNT(*) as total_slices,
+           MAX(last_synced) as latest_sync,
+           MIN(last_synced) as oldest_sync
+    FROM local_slices
+  `).get();
+  db.close();
+  return row;
+}
+
+// ── Deletion helpers ──────────────────────────────────────────────────────────
+//
+// Drops mutate two tables atomically depending on scope:
+//   - private + this-machine drop → row leaves local_slices, lands in local_trash
+//   - group drop                  → row leaves local_slices, no trash entry
+//   - sync-discovered drop (any)  → row leaves local_slices, no trash entry
+//
+// The local_trash entry carries the version at delete-time so a restore push
+// can pass --expect-version and let the server reject any state drift.
+
+const TRASH_TTL_DAYS = 30;
+
+/**
+ * Remove a slice from the active local cache. Used for any drop the local
+ * cache observes — both ones initiated here and ones learned about via
+ * sync (SSE `deleted` hint, fetch returning no row, etc.).
+ */
+function evictSlice(hcu) {
+  const db = getDb();
+  db.prepare('DELETE FROM local_slices WHERE hcu = ?').run(hcu);
+  db.close();
+}
+
+/**
+ * Move a slice from local_slices into local_trash, recording the version
+ * and tombstone timestamp from the server response so a future restore
+ * can use --expect-version safely.
+ *
+ * Only call this for private slices the local user actively dropped; group
+ * drops should go through `evictSlice` instead.
+ */
+function trashSlice(slice, deletedAt) {
+  const db = getDb();
+  const tx = db.transaction(() => {
+    db.prepare('DELETE FROM local_slices WHERE hcu = ?').run(slice.hcu);
+    db.prepare(`
+      INSERT INTO local_trash (hcu, payload, metadata, version, deleted_at, trashed_locally_at)
+      VALUES (?, ?, ?, ?, ?, strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
+      ON CONFLICT (hcu) DO UPDATE SET
+        payload    = excluded.payload,
+        metadata   = excluded.metadata,
+        version    = excluded.version,
+        deleted_at = excluded.deleted_at,
+        trashed_locally_at = strftime('%Y-%m-%dT%H:%M:%fZ', 'now')
+    `).run(
+      slice.hcu,
+      typeof slice.payload === 'string' ? slice.payload : JSON.stringify(slice.payload),
+      typeof slice.metadata === 'string' ? slice.metadata : JSON.stringify(slice.metadata),
+      slice.metadata?.version ?? 1,
+      deletedAt || slice.deleted_at || new Date().toISOString()
+    );
+  });
+  tx();
+  db.close();
+}
+
+/**
+ * Look up a single trash entry. Returns null if not in trash.
+ */
+function getTrashEntry(hcu) {
+  const db = getDb();
+  const row = db.prepare('SELECT * FROM local_trash WHERE hcu = ?').get(hcu);
+  db.close();
+  return row || null;
+}
+
+/**
+ * List trash entries, optionally constrained to an HCU prefix (e.g. the
+ * active workspace's namespace). Newest-first.
+ */
+function listTrash(prefix) {
+  const db = getDb();
+  let rows;
+  if (prefix) {
+    rows = db.prepare(`
+      SELECT * FROM local_trash
+      WHERE hcu = ? OR hcu LIKE ?
+      ORDER BY trashed_locally_at DESC
+    `).all(prefix.replace(/\/$/, ''), prefix.replace(/\/$/, '') + '/%');
+  } else {
+    rows = db.prepare('SELECT * FROM local_trash ORDER BY trashed_locally_at DESC').all();
+  }
+  db.close();
+  return rows;
+}
+
+/**
+ * Remove an entry from local_trash without touching the server. Used after
+ * a successful restore (the slice is back in local_slices via upsert), or
+ * by `bitpub trash empty`.
+ */
+function removeFromTrash(hcu) {
+  const db = getDb();
+  db.prepare('DELETE FROM local_trash WHERE hcu = ?').run(hcu);
+  db.close();
+}
+
+/**
+ * Empty all trash entries, optionally constrained to a prefix.
+ * Returns the number of rows removed.
+ */
+function emptyTrash(prefix) {
+  const db = getDb();
+  let result;
+  if (prefix) {
+    const base = prefix.replace(/\/$/, '');
+    result = db.prepare('DELETE FROM local_trash WHERE hcu = ? OR hcu LIKE ?').run(base, base + '/%');
+  } else {
+    result = db.prepare('DELETE FROM local_trash').run();
+  }
+  db.close();
+  return result.changes;
+}
+
+/**
+ * TTL-purge stale trash entries. Trash entries older than TRASH_TTL_DAYS
+ * are removed. Returns the count of removed rows.
+ */
+function purgeExpiredTrash() {
+  const db = getDb();
+  const cutoff = new Date(Date.now() - TRASH_TTL_DAYS * 24 * 60 * 60 * 1000).toISOString();
+  const result = db.prepare('DELETE FROM local_trash WHERE trashed_locally_at < ?').run(cutoff);
+  db.close();
+  return result.changes;
+}
+
+module.exports = {
+  initCache,
+  upsertSlice,
+  recordNamespaceSync,
+  querySlices,
+  findSlicesByName,
+  getSyncedNamespaces,
+  getCacheStats,
+  // Deletion helpers
+  evictSlice,
+  trashSlice,
+  getTrashEntry,
+  listTrash,
+  removeFromTrash,
+  emptyTrash,
+  purgeExpiredTrash,
+  TRASH_TTL_DAYS,
+};