@bitpub/cli 2.0.2 → 2.0.4

package/bin/bitpub.js

@@ -39,6 +39,7 @@ require('../src/commands/delete')(program);
 
 // ── Setup (rare, agent-invoked) ─────────────────────────────────────────────
 require('../src/commands/setup')(program);
+require('../src/commands/group')(program);
 require('../src/commands/alias')(program);
 require('../src/commands/seed')(program);
 require('../src/commands/browser')(program);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bitpub/cli",
-  "version": "2.0.2",
+  "version": "2.0.4",
   "description": "BitPub CLI — local-first shared memory for AI agents. Six daily verbs (save/load/list/find/sync/delete), zero-config private namespace, encrypted client-side.",
   "bin": {
     "bitpub": "./bin/bitpub.js"
@@ -14,7 +14,7 @@
   ],
   "scripts": {
     "test": "jest --testPathPattern=tests/ --forceExit",
-    "prepack": "mkdir -p static && cp ../backend/static/console.html static/console.html",
+    "prepack": "mkdir -p static/assets && cp ../backend/static/console.html static/console.html && cp ../backend/static/welcome.html static/welcome.html && cp ../backend/static/assets/tollbit-icon.png ../backend/static/assets/BITPUB-dark.png static/assets/",
     "prepublishOnly": "npm test"
   },
   "engines": {

package/src/api.js

@@ -2,74 +2,106 @@
 
 const axios = require('axios');
 
+const { groupEntryFor } = require('./config');
+
 /**
- * Create an API client bound to a specific config.
- * All methods throw on non-2xx responses (axios default behavior).
- */
-/**
- * Pick the right API key for a given HCU.
- * Private namespaces use the personal api_key provisioned by `bitpub init`.
- * Group/public namespaces use group_key set by `bitpub auth login`, falling
- * back to api_key so single-key setups keep working.
+ * Resolve the backend (`url` + `key`) to use for a given HCU.
+ *
+ *   private:<owner>/...   → primary api_url + api_key from config
+ *   group:<slug>/...      → matching entry in config.groups[]
+ *                           (falls back to legacy top-level group_key/domain
+ *                           for the single-domain enterprise install)
+ *   public/...            → primary api_url + api_key
+ *   bare patterns         → same as primary (used for sync of mixed scopes)
+ *
+ * Throws if the HCU points at a group the caller isn't a member of —
+ * surfacing this at request time means the user gets a clear message
+ * ("Not a member of bitpub://group:foo") instead of an opaque 401.
  */
-function keyForHcu(config, hcu) {
-  if (typeof hcu === 'string' && hcu.startsWith('bitpub://private:')) {
-    return config.api_key;
+function resolveBackend(config, hcu) {
+  const baseUrl = (config.api_url || 'http://localhost:8080').replace(/\/$/, '');
+  const fallback = { url: baseUrl, key: config.api_key, source: 'primary' };
+
+  if (typeof hcu !== 'string') return fallback;
+
+  // Extract the group slug if this is a group-scoped HCU.
+  const m = hcu.match(/^bitpub:\/\/group:([^/]+)/);
+  if (!m) return fallback;
+
+  const slug = m[1];
+
+  // New flow: look in config.groups[] for a matching entry.
+  const entry = groupEntryFor(config, slug);
+  if (entry && entry.key) {
+    return {
+      url: (entry.api_url || baseUrl).replace(/\/$/, ''),
+      key: entry.key,
+      source: 'group',
+      slug,
+    };
+  }
+
+  // Legacy single-domain enterprise flow: pre-v2 deploys had a top-level
+  // group_key + domain. The lazy migration in config.js mirrors these
+  // into config.groups[], so this branch should rarely fire after the
+  // first read — kept for completeness.
+  if (config.group_key && config.domain && config.domain === slug) {
+    return { url: baseUrl, key: config.group_key, source: 'legacy-group', slug };
   }
-  return config.group_key || config.api_key;
+
+  // No matching key. Two reasonable behaviors:
+  //   - fall through to primary (will get a 403 from the server)
+  //   - throw here with a clearer message
+  // We pick the second so the user gets actionable feedback.
+  const err = new Error(
+    `Not a member of bitpub://group:${slug}/. Ask the group owner for an invite link, then run: bitpub join <link>`
+  );
+  err.code = 'NOT_A_MEMBER';
+  throw err;
 }
 
+/**
+ * Create an API client bound to a specific config.
+ *
+ * Each method resolves the backend (url + key) from the HCU it's about
+ * to operate on. Group-scoped HCUs route through `config.groups[]` to
+ * the host backend with the per-group key; private/public HCUs use the
+ * top-level `api_url` + `api_key`.
+ *
+ * All methods throw on non-2xx responses (axios default behavior, wrapped
+ * by the response interceptor so errors carry the server-side message).
+ */
 function createApiClient(config) {
-  const baseURL = (config.api_url || 'http://localhost:8080').replace(/\/$/, '');
-
-  const http = axios.create({
-    baseURL,
-    timeout: 30_000,
-  });
-
-  // Surface server-side error messages cleanly, preserving response for callers
-  http.interceptors.response.use(
-    res => res,
-    err => {
-      const msg = err.response?.data?.error || err.message;
-      const status = err.response?.status;
-      const wrapped = new Error(status ? `[${status}] ${msg}` : msg);
-      wrapped.status = status;
-      wrapped.response = err.response;
-      return Promise.reject(wrapped);
-    }
-  );
+  function http(backend) {
+    const inst = axios.create({
+      baseURL: backend.url,
+      timeout: 30_000,
+      headers: { 'x-api-key': backend.key },
+    });
+    inst.interceptors.response.use(
+      (res) => res,
+      (err) => {
+        const msg = err.response?.data?.error || err.message;
+        const status = err.response?.status;
+        const wrapped = new Error(status ? `[${status}] ${msg}` : msg);
+        wrapped.status = status;
+        wrapped.response = err.response;
+        return Promise.reject(wrapped);
+      }
+    );
+    return inst;
+  }
 
   return {
-    /**
-     * Pull context slices from the remote ledger.
-     * @param {string} hcu
-     * @param {number} [limit]
-     * @param {object} [opts]
-     * @param {boolean} [opts.includeDeleted]  surface tombstoned slices
-     * @param {boolean} [opts.mine]            filter to slices written by this key
-     * @returns {Promise<Array>} array of slice DTOs
-     */
     async pull(hcu, limit = 50, opts = {}) {
+      const backend = resolveBackend(config, hcu);
       const params = { hcu, limit };
       if (opts.includeDeleted) params.include_deleted = 'true';
       if (opts.mine) params.mine = 'true';
-      const res = await http.get('/v1/context/pull', {
-        params,
-        headers: { 'x-api-key': keyForHcu(config, hcu) },
-      });
+      const res = await http(backend).get('/v1/context/pull', { params });
       return res.data;
     },
 
-    /**
-     * Push a context slice to the remote ledger.
-     * @param {object} body  Full ContextSlice payload
-     * @param {object} [opts]
-     * @param {boolean} [opts.append]    append instead of overwrite
-     * @param {number}  [opts.expectVersion]  reject with 409 on version mismatch
-     * @param {boolean} [opts.force]     un-tombstone a deleted slice with new content
-     * @returns {Promise<{success: boolean, slice: object}>}
-     */
     async push(body, opts = {}) {
       // Back-compat: older callers passed (body, append, expectVersion) as
       // positional args. Detect that shape and translate to the opts object.
@@ -81,79 +113,42 @@ function createApiClient(config) {
       if (append) params.append = 'true';
       if (force) params.force = 'true';
       if (expectVersion != null) params.expect_version = String(expectVersion);
-      const res = await http.post('/v1/context/push', body, {
-        params,
-        headers: { 'x-api-key': keyForHcu(config, body?.hcu) },
-      });
+      const backend = resolveBackend(config, body?.hcu);
+      const res = await http(backend).post('/v1/context/push', body, { params });
       return res.data;
     },
 
-    /**
-     * List immediate children of an HCU path.
-     * @param {string} hcu
-     * @param {object} [opts]
-     * @param {boolean} [opts.includeDeleted]  return tombstone provenance
-     * @returns {Promise<{children: string[] | Array<{hcu: string, deleted_at: string|null, deleted_by: string|null}>}>}
-     */
     async list(hcu, opts = {}) {
+      const backend = resolveBackend(config, hcu);
       const params = { hcu };
       if (opts.includeDeleted) params.include_deleted = 'true';
-      const res = await http.get('/v1/context/list', {
-        params,
-        headers: { 'x-api-key': keyForHcu(config, hcu) },
-      });
+      const res = await http(backend).get('/v1/context/list', { params });
       return res.data;
     },
 
-    /**
-     * Soft-delete an exact context slice. Bumps version (active(N) →
-     * deleted(N+1)). The server preserves the row's payload so a no-content
-     * restore can undelete it. Re-dropping an already-tombstoned slice is
-     * idempotent.
-     */
     async drop(hcu, opts = {}) {
+      const backend = resolveBackend(config, hcu);
       const params = { hcu };
       if (opts.expectVersion != null) params.expect_version = String(opts.expectVersion);
-      const res = await http.delete('/v1/context/drop', {
-        params,
-        headers: { 'x-api-key': keyForHcu(config, hcu) },
-      });
+      const res = await http(backend).delete('/v1/context/drop', { params });
       return res.data;
     },
 
-    /**
-     * Restore a tombstoned slice in place using the server's preserved
-     * payload. Bumps version (deleted(N) → active(N+1)). Returns 409 if
-     * the slice is already active; 404 if it never existed.
-     */
     async restore(hcu, opts = {}) {
+      const backend = resolveBackend(config, hcu);
       const params = { hcu };
       if (opts.expectVersion != null) params.expect_version = String(opts.expectVersion);
-      const res = await http.post('/v1/context/restore', null, {
-        params,
-        headers: { 'x-api-key': keyForHcu(config, hcu) },
-      });
+      const res = await http(backend).post('/v1/context/restore', null, { params });
       return res.data;
     },
 
-    /**
-     * Open an SSE heartbeat stream and invoke onSync(evt) for each sync event.
-     * Each `evt` is a `{ hcu, deleted? }` object — the optional `deleted: true`
-     * hint tells callers the slice was tombstoned (so they can evict from
-     * any local cache without a refetch).
-     *
-     * For backward compatibility with any caller that expected just an HCU
-     * string, the `evt` argument is documented as the new shape and callers
-     * should detect `evt.deleted` to short-circuit refetch.
-     *
-     * Returns a cleanup function that closes the connection.
-     */
     watch(hcuPattern, onSync, onError) {
       const EventSource = require('eventsource');
-      const url = `${baseURL}/v1/context/heartbeat?hcu_pattern=${encodeURIComponent(hcuPattern)}`;
+      const backend = resolveBackend(config, hcuPattern);
+      const url = `${backend.url}/v1/context/heartbeat?hcu_pattern=${encodeURIComponent(hcuPattern)}`;
 
       const es = new EventSource(url, {
-        headers: { 'x-api-key': keyForHcu(config, hcuPattern) },
+        headers: { 'x-api-key': backend.key },
       });
 
       es.addEventListener('sync', (event) => {
@@ -174,4 +169,4 @@ function createApiClient(config) {
   };
 }
 
-module.exports = { createApiClient };
+module.exports = { createApiClient, resolveBackend };

package/src/commands/browser.js

@@ -46,27 +46,29 @@ function decryptSlice(slice, apiKey) {
 }
 
 function resolveBrowserHtmlPath() {
-  // Order matters. We want production installs to always serve the HTML
-  // that ships with the *current* CLI version, not whatever got cached in
-  // ~/.bitpub/ from a one-time tarball install months ago.
+  // Resolution order:
   //
-  //   1. cli/static/console.html — populated by `prepack` from the
-  //      workspace `backend/static/console.html` and shipped inside the
-  //      CLI tarball. This is the canonical location at runtime.
-  //   2. backend/static/console.html — only resolves when running from a
-  //      checked-out workspace (e.g., `node cli/bin/bitpub.js browser`
-  //      during development). Convenient but not the real install path.
+  //   1. backend/static/console.html — the workspace file, only present
+  //      in a checked-out clone. Preferred when present so iterating on
+  //      the UI doesn't require a `prepack` round-trip between edits.
+  //      Production installs (npm tarball) don't ship the `backend/`
+  //      folder, so this candidate is absent there and the resolver
+  //      falls through.
+  //   2. cli/static/console.html — populated by `prepack` from
+  //      `backend/static/console.html` and shipped inside the CLI
+  //      tarball. This is the canonical location at runtime for
+  //      installed CLIs.
   //   3. ~/.bitpub/console.html — last-resort cache, mainly for the
-  //      original install instructions that fetched a single file via curl.
-  //      We never write here ourselves; it exists only when a user
-  //      manually populated it.
+  //      original install instructions that fetched a single file via
+  //      curl. We never write here ourselves; it exists only when a
+  //      user manually populated it.
   //
   // Filename is still console.html on disk — keeping the filename stable
   // avoids churning the prepack step and lets old `~/.bitpub/console.html`
   // caches keep working. The user-facing command is `browser`.
   const candidates = [
-    path.join(__dirname, '../../static/console.html'),
     path.join(__dirname, '../../../backend/static/console.html'),
+    path.join(__dirname, '../../static/console.html'),
     path.join(BITPUB_DIR, 'console.html'),
   ];
   for (const p of candidates) {
@@ -75,6 +77,37 @@ function resolveBrowserHtmlPath() {
   return null;
 }
 
+// Mirror of `resolveBrowserHtmlPath` for the bundled asset directory.
+// Both the dev clone and the npm tarball place assets under
+// `static/assets/` next to `console.html`, so we look in the same order:
+// workspace first (so the browser picks up edits to PNGs without a
+// `prepack` round-trip), then the prepacked CLI copy.
+function resolveAssetsDir() {
+  const candidates = [
+    path.join(__dirname, '../../../backend/static/assets'),
+    path.join(__dirname, '../../static/assets'),
+  ];
+  for (const p of candidates) {
+    if (fs.existsSync(p)) return p;
+  }
+  return null;
+}
+
+// Tiny extension → Content-Type table covering the asset types the
+// console actually uses. Falls back to application/octet-stream so an
+// unknown extension downloads instead of being interpreted.
+const ASSET_MIME = {
+  '.png':  'image/png',
+  '.jpg':  'image/jpeg',
+  '.jpeg': 'image/jpeg',
+  '.gif':  'image/gif',
+  '.webp': 'image/webp',
+  '.svg':  'image/svg+xml',
+  '.ico':  'image/x-icon',
+  '.mp4':  'video/mp4',
+  '.webm': 'video/webm',
+};
+
 function openInBrowser(url) {
   const cmd = process.platform === 'darwin' ? 'open' :
     process.platform === 'win32' ? 'start' : 'xdg-open';
@@ -110,7 +143,21 @@ function startBrowserServer(opts = {}) {
       return reject(err);
     }
 
-    const htmlTemplate = fs.readFileSync(htmlPath, 'utf-8');
+    // Cache the HTML at startup, but if the resolver picked the workspace
+    // copy (developer iterating on the UI), re-read on every request so
+    // edits show up on a simple browser refresh — no server restart
+    // needed. The installed-tarball path stays cached because its file
+    // never changes between sessions.
+    const workspaceHtml = path.join(__dirname, '../../../backend/static/console.html');
+    const isWorkspaceCopy = path.resolve(htmlPath) === path.resolve(workspaceHtml);
+    const cachedHtml = fs.readFileSync(htmlPath, 'utf-8');
+    function loadHtml() {
+      if (!isWorkspaceCopy) return cachedHtml;
+      try { return fs.readFileSync(htmlPath, 'utf-8'); }
+      catch { return cachedHtml; }
+    }
+
+    const assetsDir = resolveAssetsDir();
 
     const server = http.createServer((req, res) => {
       const url = new URL(req.url, `http://localhost:${port}`);
@@ -132,7 +179,34 @@ function startBrowserServer(opts = {}) {
 
       if (url.pathname === '/' || url.pathname === '/index.html') {
         res.setHeader('Content-Type', 'text/html; charset=utf-8');
-        res.end(htmlTemplate);
+        res.end(loadHtml());
+        return;
+      }
+
+      // Static assets: serve files from `static/assets/` for any
+      // `/assets/<name>` request. We resolve+contain inside the assets
+      // dir to defend against `../`-style traversal, fail closed if the
+      // asset dir doesn't exist, and only serve known image/video MIME
+      // types so this can't accidentally double as a generic file
+      // server.
+      if (url.pathname.startsWith('/assets/')) {
+        if (!assetsDir) { res.statusCode = 404; res.end('Not found'); return; }
+        const rel = url.pathname.replace(/^\/assets\//, '');
+        const full = path.resolve(assetsDir, rel);
+        if (!full.startsWith(path.resolve(assetsDir) + path.sep)) {
+          res.statusCode = 403; res.end('Forbidden'); return;
+        }
+        const ext = path.extname(full).toLowerCase();
+        const mime = ASSET_MIME[ext];
+        if (!mime) { res.statusCode = 415; res.end('Unsupported Media Type'); return; }
+        fs.readFile(full, (err, data) => {
+          if (err) { res.statusCode = 404; res.end('Not found'); return; }
+          res.setHeader('Content-Type', mime);
+          // Short cache so iterating on PNGs (which we re-read from
+          // the workspace in dev) doesn't get pinned to a stale copy.
+          res.setHeader('Cache-Control', 'public, max-age=60');
+          res.end(data);
+        });
         return;
       }