npm - @cybermem/cli - Versions diffs - 0.13.17 → 0.14.4 - Mend

@cybermem/cli 0.13.17 → 0.14.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/templates/ansible/playbooks/deploy-cybermem.yml +111 -17
package/dist/templates/auth-sidecar/Dockerfile +2 -1
package/dist/templates/auth-sidecar/package.json +3 -1
package/dist/templates/auth-sidecar/server.js +320 -22
package/package.json +1 -1
package/templates/ansible/playbooks/deploy-cybermem.yml +111 -17
package/templates/auth-sidecar/Dockerfile +2 -1
package/templates/auth-sidecar/package.json +3 -1
package/templates/auth-sidecar/server.js +320 -22

package/dist/templates/ansible/playbooks/deploy-cybermem.yml CHANGED Viewed

@@ -61,15 +61,106 @@
         group: "{{ ansible_user }}"
         mode: "0755"
-    - name: Write API Key Secret File
+    - name: Check if API key secret file exists
+      stat:
+        path: "{{ project_dir }}/secrets/om_api_key"
+      register: api_key_file
+    - name: Read existing API key if it exists
+      command: cat "{{ project_dir }}/secrets/om_api_key"
+      register: existing_key_content
+      when: api_key_file.stat.exists
+      changed_when: false
+      no_log: true
+      ignore_errors: true
+    - name: Determine if token is missing or placeholder
+      set_fact:
+        token_needs_generation: "{{ not api_key_file.stat.exists or (existing_key_content.stdout | default('') == 'sk-not-generated-yet') }}"
+    - name: Generate new API token if not provided and not exists (or is placeholder)
+      set_fact:
+        auto_generated_token: "sk-{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=hexdigits') }}"
+        auto_generated_id: "{{ lookup('ansible.builtin.password', '/dev/null length=16 chars=hexdigits') }}"
+        auto_generated_name: "ansible-auto-generated"
+      no_log: true
+      when: (auth_token_value is not defined or auth_token_value == '' or auth_token_value == 'sk-not-generated-yet') and token_needs_generation
+    - name: Generate token hash for auto-generated token
+      shell: |
+        python3 -c "import sys, hashlib, binascii; token = sys.stdin.read().strip(); salt = hashlib.sha256(b'cybermem-salt-v1').hexdigest()[:16]; h = hashlib.pbkdf2_hmac('sha512', token.encode(), salt.encode(), 100000, 64); print(binascii.hexlify(h).decode())"
+      args:
+        stdin: "{{ auto_generated_token }}"
+      register: auto_generated_hash_result
+      when: auto_generated_token is defined
+      changed_when: false
+      no_log: true
+    - name: Set auto-generated token hash
+      set_fact:
+        auto_generated_hash: "{{ auto_generated_hash_result.stdout }}"
+      when: auto_generated_hash_result is not skipped
+    - name: Use auto-generated token if available
+      set_fact:
+        final_token_value: "{{ (auth_token_value | default(auto_generated_token, true)) if (auth_token_value | default('', true) != 'sk-not-generated-yet') else auto_generated_token }}"
+        final_token_hash: "{{ auth_token_hash | default(auto_generated_hash, true) }}"
+        final_token_id: "{{ auth_token_id | default(auto_generated_id, true) }}"
+        final_token_name: "{{ auth_token_name | default(auto_generated_name, true) }}"
+      no_log: true
+      when: (auth_token_value is defined and auth_token_value != '') or auto_generated_token is defined
+    - name: Generate token hash when only token value is provided
+      shell: |
+        python3 -c "import sys, hashlib, binascii; token = sys.stdin.read().strip(); salt = hashlib.sha256(b'cybermem-salt-v1').hexdigest()[:16]; h = hashlib.pbkdf2_hmac('sha512', token.encode(), salt.encode(), 100000, 64); print(binascii.hexlify(h).decode())"
+      args:
+        stdin: "{{ final_token_value }}"
+      register: computed_token_hash_result
+      when:
+        - final_token_value is defined and final_token_value != ""
+        - final_token_hash is not defined or final_token_hash == ""
+      changed_when: false
+      no_log: true
+    - name: Set computed token hash
+      set_fact:
+        final_token_hash: "{{ computed_token_hash_result.stdout }}"
+      when: computed_token_hash_result is not skipped
+      no_log: true
+    - name: Write API Key Secret File (only if no token exists or explicitly provided/rotated)
       copy:
-        content: "{{ auth_token_value }}"
+        content: "{{ final_token_value }}"
         dest: "{{ project_dir }}/secrets/om_api_key"
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
         mode: "0600"
-      when: auth_token_value is defined
-      ignore_errors: true
+      no_log: true
+      when: final_token_value is defined and (token_needs_generation or (auth_token_value is defined and auth_token_value != '') or (force_rotate_token | default(false)))
+    - name: Display auto-generated token info
+      debug:
+        msg: |
+          🔐 AUTO-GENERATED SECURITY TOKEN:
+          Token: {{ auto_generated_token[:7] }}...{{ auto_generated_token[-4:] }}
+          Full token saved to: {{ project_dir }}/secrets/om_api_key
+          Retrieve with: cat {{ project_dir }}/secrets/om_api_key
+          Also visible in Dashboard Settings after deployment.
+      when:
+        - auto_generated_token is defined
+        - show_token_output | default(false)
+    - name: Display token retrieval instructions
+      debug:
+        msg: |
+          🔐 SECURITY TOKEN generated.
+          Full token saved to: {{ project_dir }}/secrets/om_api_key
+          Retrieve with: cat {{ project_dir }}/secrets/om_api_key
+          Masked token visible in Dashboard Settings after deployment.
+      when:
+        - auto_generated_token is defined
+        - not (show_token_output | default(false))
     - name: Ensure data directory exists
       file:
@@ -178,19 +269,22 @@
         state: present
     - name: Inject Authentication Token
-      shell: |
-        sqlite3 {{ project_dir }}/data/openmemory.sqlite "CREATE TABLE IF NOT EXISTS access_keys (
-          id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
-          key_hash TEXT NOT NULL,
-          name TEXT DEFAULT 'default',
-          user_id TEXT DEFAULT 'default',
-          created_at TEXT DEFAULT (datetime('now')),
-          last_used_at TEXT,
-          is_active INTEGER DEFAULT 1
-        );"
-        sqlite3 {{ project_dir }}/data/openmemory.sqlite "DELETE FROM access_keys WHERE name='{{ auth_token_name | default('ansible-generated') }}';"
-        sqlite3 {{ project_dir }}/data/openmemory.sqlite "INSERT INTO access_keys (id, key_hash, name, user_id) VALUES ('{{ auth_token_id }}', '{{ auth_token_hash }}', '{{ auth_token_name | default('ansible-generated') }}', 'admin');"
-      when: auth_token_hash is defined
+      shell: "sqlite3 {{ project_dir }}/data/openmemory.sqlite"
+      args:
+        stdin: |
+          CREATE TABLE IF NOT EXISTS access_keys (
+            id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
+            key_hash TEXT NOT NULL,
+            name TEXT DEFAULT 'default',
+            user_id TEXT DEFAULT 'default',
+            created_at TEXT DEFAULT (datetime('now')),
+            last_used_at TEXT,
+            is_active INTEGER DEFAULT 1
+          );
+          DELETE FROM access_keys WHERE name='{{ final_token_name }}';
+          INSERT INTO access_keys (id, key_hash, name, user_id) VALUES ('{{ final_token_id }}', '{{ final_token_hash }}', '{{ final_token_name }}', 'admin');
+      when: final_token_hash is defined
+      no_log: true
       ignore_errors: true
     - name: Wait for Traefik (Proxy) to be ready

package/dist/templates/auth-sidecar/Dockerfile CHANGED Viewed

@@ -1,6 +1,7 @@
 FROM node:20-alpine
 WORKDIR /app
-RUN apk add --no-cache libc6-compat
+# Install build dependencies for native modules (sqlite3)
+RUN apk add --no-cache libc6-compat python3 make g++
 COPY package.json ./
 RUN npm install
 COPY server.js .

package/dist/templates/auth-sidecar/package.json CHANGED Viewed

@@ -3,5 +3,7 @@
   "version": "0.1.0",
   "description": "Auth sidecar for CyberMem",
   "main": "server.js",
-  "dependencies": {}
+  "dependencies": {
+    "sqlite3": "^5.1.7"
+  }
 }

package/dist/templates/auth-sidecar/server.js CHANGED Viewed

@@ -5,7 +5,7 @@
  * 1. Bearer tokens (sk-xxx) against Docker Secret file (SSoT)
  * 2. Local requests bypass (localhost, *.local domains)
  *
- * NO EXTERNAL DEPENDENCIES - uses built-in crypto and fs.
+ * Dependencies: sqlite3 (for auto-token persistence)
  */
 const http = require("http");
@@ -13,12 +13,175 @@ const crypto = require("crypto");
 const path = require("path");
 const fs = require("fs");
 const SECRET_PATH = process.env.API_KEY_FILE || "/run/secrets/om_api_key";
+const DB_PATH = process.env.OM_DB_PATH || "/data/openmemory.sqlite";
+const FALLBACK_TOKEN_PATH = "/data/.cybermem_token";
 let cachedToken = null;
+let isAutoGenerated = false;
 const PORT = process.env.PORT || 3001;
+// Generate a new secure token
+function generateToken() {
+  return `sk-${crypto.randomBytes(16).toString("hex")}`;
+}
+// Hash token using PBKDF2 (same algorithm as CLI)
+function hashToken(token) {
+  return new Promise((resolve, reject) => {
+    const salt = crypto
+      .createHash("sha256")
+      .update("cybermem-salt-v1")
+      .digest("hex")
+      .slice(0, 16);
+    crypto.pbkdf2(token, salt, 100000, 64, "sha512", (err, key) => {
+      if (err) reject(err);
+      else resolve(key.toString("hex"));
+    });
+  });
+}
+// Store token in database
+async function storeTokenInDatabase(token) {
+  // Check if sqlite3 module is available
+  let sqlite3;
+  try {
+    sqlite3 = require("sqlite3");
+  } catch (e) {
+    console.warn("sqlite3 module not available, skipping database storage");
+    return false;
+  }
+  const db = new sqlite3.Database(DB_PATH);
+  // Configure busy timeout to reduce SQLITE_BUSY errors on concurrent access
+  if (typeof db.configure === "function") {
+    db.configure("busyTimeout", 5000);
+  }
+  const tokenHash = await hashToken(token);
+  const tokenId = crypto.randomBytes(8).toString("hex");
+  return new Promise((resolve, reject) => {
+    db.serialize(() => {
+      const expectedColumns = [
+        "id",
+        "key_hash",
+        "name",
+        "user_id",
+        "created_at",
+        "last_used_at",
+        "is_active",
+      ];
+      const proceedWithSchema = () => {
+        // Create table if not exists (after optional drop)
+        db.run(
+          `CREATE TABLE IF NOT EXISTS access_keys (
+            id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
+            key_hash TEXT NOT NULL,
+            name TEXT DEFAULT 'default',
+            user_id TEXT DEFAULT 'default',
+            created_at TEXT DEFAULT (datetime('now')),
+            last_used_at TEXT,
+            is_active INTEGER DEFAULT 1
+          )`,
+          (createErr) => {
+            if (createErr) {
+              console.error(
+                "Failed to ensure access_keys table exists:",
+                createErr.message,
+              );
+              db.close();
+              // Resolve false instead of rejecting to distinguish from fatal file persistence error
+              resolve(false);
+              return;
+            }
+            // Delete any existing auto-generated tokens
+            db.run(
+              "DELETE FROM access_keys WHERE name='auto-generated'",
+              (deleteErr) => {
+                if (deleteErr) {
+                  console.warn(
+                    "Warning cleaning old tokens:",
+                    deleteErr.message,
+                  );
+                }
+                // Insert new token
+                db.run(
+                  "INSERT INTO access_keys (id, key_hash, name, user_id) VALUES (?, ?, 'auto-generated', 'admin')",
+                  [tokenId, tokenHash],
+                  (insertErr) => {
+                    if (insertErr) {
+                      console.error(
+                        "Failed to store token in database:",
+                        insertErr.message,
+                      );
+                      db.close();
+                      // Resolve false instead of rejecting to distinguish from fatal file persistence error
+                      resolve(false);
+                    } else {
+                      console.log("✅ Auto-generated token stored in database");
+                      db.close();
+                      resolve(true);
+                    }
+                  },
+                );
+              },
+            );
+          },
+        );
+      };
+      // Validate existing access_keys schema and drop if malformed
+      db.all("PRAGMA table_info(access_keys)", (pragmaErr, columns) => {
+        if (pragmaErr) {
+          console.warn(
+            "Unable to inspect access_keys schema, proceeding with creation:",
+            pragmaErr.message,
+          );
+          proceedWithSchema();
+          return;
+        }
+        let needsDrop = false;
+        if (Array.isArray(columns) && columns.length > 0) {
+          const existingColumns = columns.map((c) => c.name);
+          const hasAllExpected = expectedColumns.every((col) =>
+            existingColumns.includes(col),
+          );
+          const sameLength = existingColumns.length === expectedColumns.length;
+          if (!hasAllExpected || !sameLength) {
+            needsDrop = true;
+          }
+        }
+        if (!needsDrop) {
+          proceedWithSchema();
+          return;
+        }
+        console.log("⚠️  Malformed access_keys schema detected, recreating...");
+        db.run("DROP TABLE IF EXISTS access_keys", (dropErr) => {
+          if (dropErr) {
+            console.error(
+              "Failed to drop malformed access_keys table:",
+              dropErr.message,
+            );
+            db.close();
+            resolve(false);
+            return;
+          }
+          proceedWithSchema();
+        });
+      });
+    });
+  });
+}
 // Load token from secret file once at startup (SSoT)
-function loadSecret() {
+async function loadSecret() {
   try {
     // 1. Check environment variable first (Direct)
     if (process.env.OM_API_KEY) {
@@ -34,30 +197,103 @@ function loadSecret() {
       // Check if it's a shell-formatted env file (OM_API_KEY=sk-...)
       const envMatch = content.match(/OM_API_KEY=["']?(sk-[a-zA-Z0-9]+)["']?/);
       if (envMatch) {
-        cachedToken = envMatch[1];
-        console.log(`SSoT Token extracted from env file: ${SECRET_PATH}`);
+        const extractedToken = envMatch[1];
+        // Reject known insecure placeholder
+        if (extractedToken === "sk-not-generated-yet") {
+          console.warn(
+            `⚠️  INSECURE PLACEHOLDER DETECTED in ${SECRET_PATH}. Treating as missing.`,
+          );
+        } else {
+          cachedToken = extractedToken;
+          console.log(`SSoT Token extracted from env file: ${SECRET_PATH}`);
+        }
+      } else if (content && content.startsWith("sk-")) {
+        // Reject known insecure placeholder
+        if (content === "sk-not-generated-yet") {
+          console.warn(
+            `⚠️  INSECURE PLACEHOLDER DETECTED in ${SECRET_PATH}. Treating as missing.`,
+          );
+        } else {
+          // Assume raw token file
+          cachedToken = content;
+          console.log(`SSoT Token loaded from raw file: ${SECRET_PATH}`);
+        }
+      } else if (content) {
+        console.warn(
+          `SECRET WARNING: ${SECRET_PATH} exists but doesn't contain a valid token format`,
+        );
+      }
+    }
+    // 3. Check fallback token file (auto-generated location)
+    if (!cachedToken && fs.existsSync(FALLBACK_TOKEN_PATH)) {
+      const fallbackContent = fs
+        .readFileSync(FALLBACK_TOKEN_PATH, "utf8")
+        .trim();
+      if (fallbackContent.startsWith("sk-")) {
+        cachedToken = fallbackContent;
+        console.log(`SSoT Token loaded from fallback: ${FALLBACK_TOKEN_PATH}`);
+        isAutoGenerated = true;
+        return;
       } else {
-        // Assume raw token file
-        cachedToken = content;
-        console.log(`SSoT Token loaded from raw file: ${SECRET_PATH}`);
+        console.warn(
+          `SECRET WARNING: ${FALLBACK_TOKEN_PATH} exists but doesn't contain a valid token format (sk-*)`,
+        );
       }
-    } else {
-      console.warn(
-        `SECRET WARNING: ${SECRET_PATH} not found. Remote auth will fail.`,
-      );
+    }
+    // 4. Auto-generate if no token found anywhere
+    if (!cachedToken) {
+      console.warn("⚠️  NO TOKEN FOUND - Auto-generating security token...");
+      cachedToken = generateToken();
+      isAutoGenerated = true;
+      // Try to persist to fallback location
+      try {
+        fs.writeFileSync(FALLBACK_TOKEN_PATH, cachedToken, {
+          mode: 0o600,
+        });
+        console.log(`✅ Auto-generated token saved to ${FALLBACK_TOKEN_PATH}`);
+        // Also try to store in database
+        const dbSuccess = await storeTokenInDatabase(cachedToken);
+        if (!dbSuccess) {
+          console.warn("⚠️  Token saved to file but database storage failed");
+          console.warn(
+            "    You may need to manually add the token to the database",
+          );
+        }
+      } catch (err) {
+        console.error("Failed to persist auto-generated token:", err.message);
+        console.error(
+          "⚠️  Token is in-memory only and will be lost on restart!",
+        );
+      }
+      const masked =
+        cachedToken.substring(0, 7) + "..." + cachedToken.slice(-4);
+      console.log("\n" + "=".repeat(70));
+      console.log("🔐 AUTO-GENERATED SECURITY TOKEN:");
+      console.log(`   ${masked}`);
+      console.log("");
+      console.log("Token saved to: " + FALLBACK_TOKEN_PATH);
+      console.log("Retrieve the full token from:");
+      console.log(`   cat ${FALLBACK_TOKEN_PATH}`);
+      console.log("=".repeat(70) + "\n");
     }
   } catch (err) {
     console.error("SECRET LOAD ERROR:", err.message);
   }
 }
-loadSecret();
+// Initialization promise to avoid race conditions
+const initPromise = loadSecret();
 // Verify token against SSoT (file-based)
 async function verifyToken(token) {
   if (!cachedToken) {
     // Try one more time if not loaded (e.g. race condition/debug)
-    loadSecret();
+    await loadSecret();
   }
   if (cachedToken && token === cachedToken) {
@@ -76,11 +312,6 @@ function isLocalRequest(req) {
     forwarded?.split(",")[0]?.trim() || realIp || req.socket.remoteAddress;
   // 1. First reject Tailscale/Remote requests (.ts.net, 100.x.x.x)
-  // CRITICAL: Tailscale requests (via Funnel) must NEVER be treated as local.
-  // If host contains .ts.net, it's external.
-  // NOTE: Legacy CYBERMEM_TAILSCALE env-flag logic was removed on purpose.
-  //       We now auto-detect Tailscale by host/IP (".ts.net" / "100.x.x.x"),
-  //       so .local bypass works regardless of CYBERMEM_TAILSCALE being set.
   if (
     host.includes(".ts.net") ||
     (typeof ip === "string" && ip.startsWith("100."))
@@ -94,9 +325,6 @@ function isLocalRequest(req) {
     return true;
   }
-  // Host-based check REMOVED for security (CVE-2026-001)
-  // We only trust loopback IP if not on Tailscale.
   // Allow localhost bypass ONLY for local Dev environment (Docker Desktop)
   const isDev = process.env.CYBERMEM_INSTANCE === "local";
   if (isDev && (host.startsWith("localhost") || host.startsWith("127.0.0.1"))) {
@@ -112,12 +340,82 @@ function isLocalRequest(req) {
   return isLocalIp;
 }
+// Strictly localhost for sensitive metadata endpoints
+function isStrictlyLocalRequest(req) {
+  const ip = req.socket.remoteAddress;
+  // 1. Direct loopback check
+  const isLoopback =
+    ip === "127.0.0.1" ||
+    ip === "::1" ||
+    ip === "::ffff:127.0.0.1" ||
+    ip === "localhost";
+  if (isLoopback) return true;
+  // 2. Docker bridge check (e.g. 172.17.0.1 or 172.18.x.x)
+  // This allows host-to-container calls for diagnostics
+  if (typeof ip === "string" && ip.startsWith("172.")) {
+    const parts = ip.split(".");
+    const second = parseInt(parts[1], 10);
+    if (second >= 16 && second <= 31) {
+      return true;
+    }
+  }
+  return false;
+}
 // ForwardAuth handler
 const server = http.createServer(async (req, res) => {
+  // Wait for secret to be loaded before processing any requests
+  await initPromise;
   // Health check
   if (req.url === "/health") {
     res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ status: "ok", mode: "token-auth" }));
+    res.end(
+      JSON.stringify({
+        status: "ok",
+        mode: "token-auth",
+        tokenSource: isAutoGenerated ? "auto-generated" : "configured",
+      }),
+    );
+    return;
+  }
+  // Token info endpoint (metadata only — never expose raw token over HTTP)
+  if (req.url === "/token-info") {
+    if (!isStrictlyLocalRequest(req)) {
+      res.writeHead(403, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Forbidden - localhost only" }));
+      return;
+    }
+    if (!isAutoGenerated) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: "Not Found",
+          message: "Token info only available for auto-generated tokens",
+        }),
+      );
+      return;
+    }
+    const masked = cachedToken
+      ? cachedToken.substring(0, 7) + "..." + cachedToken.slice(-4)
+      : null;
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(
+      JSON.stringify({
+        tokenSource: isAutoGenerated ? "auto-generated" : "configured",
+        tokenPrefix: masked,
+        fallbackPath: FALLBACK_TOKEN_PATH,
+        message: isAutoGenerated
+          ? `Token was auto-generated. Read it from: cat ${FALLBACK_TOKEN_PATH}`
+          : "Token is configured from deployment.",
+      }),
+    );
     return;
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cybermem/cli",
-  "version": "0.13.17",
+  "version": "0.14.4",
   "description": "CyberMem — Universal Long-Term Memory for AI Agents",
   "homepage": "https://cybermem.dev",
   "repository": {

package/templates/ansible/playbooks/deploy-cybermem.yml CHANGED Viewed

@@ -61,15 +61,106 @@
         group: "{{ ansible_user }}"
         mode: "0755"
-    - name: Write API Key Secret File
+    - name: Check if API key secret file exists
+      stat:
+        path: "{{ project_dir }}/secrets/om_api_key"
+      register: api_key_file
+    - name: Read existing API key if it exists
+      command: cat "{{ project_dir }}/secrets/om_api_key"
+      register: existing_key_content
+      when: api_key_file.stat.exists
+      changed_when: false
+      no_log: true
+      ignore_errors: true
+    - name: Determine if token is missing or placeholder
+      set_fact:
+        token_needs_generation: "{{ not api_key_file.stat.exists or (existing_key_content.stdout | default('') == 'sk-not-generated-yet') }}"
+    - name: Generate new API token if not provided and not exists (or is placeholder)
+      set_fact:
+        auto_generated_token: "sk-{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=hexdigits') }}"
+        auto_generated_id: "{{ lookup('ansible.builtin.password', '/dev/null length=16 chars=hexdigits') }}"
+        auto_generated_name: "ansible-auto-generated"
+      no_log: true
+      when: (auth_token_value is not defined or auth_token_value == '' or auth_token_value == 'sk-not-generated-yet') and token_needs_generation
+    - name: Generate token hash for auto-generated token
+      shell: |
+        python3 -c "import sys, hashlib, binascii; token = sys.stdin.read().strip(); salt = hashlib.sha256(b'cybermem-salt-v1').hexdigest()[:16]; h = hashlib.pbkdf2_hmac('sha512', token.encode(), salt.encode(), 100000, 64); print(binascii.hexlify(h).decode())"
+      args:
+        stdin: "{{ auto_generated_token }}"
+      register: auto_generated_hash_result
+      when: auto_generated_token is defined
+      changed_when: false
+      no_log: true
+    - name: Set auto-generated token hash
+      set_fact:
+        auto_generated_hash: "{{ auto_generated_hash_result.stdout }}"
+      when: auto_generated_hash_result is not skipped
+    - name: Use auto-generated token if available
+      set_fact:
+        final_token_value: "{{ (auth_token_value | default(auto_generated_token, true)) if (auth_token_value | default('', true) != 'sk-not-generated-yet') else auto_generated_token }}"
+        final_token_hash: "{{ auth_token_hash | default(auto_generated_hash, true) }}"
+        final_token_id: "{{ auth_token_id | default(auto_generated_id, true) }}"
+        final_token_name: "{{ auth_token_name | default(auto_generated_name, true) }}"
+      no_log: true
+      when: (auth_token_value is defined and auth_token_value != '') or auto_generated_token is defined
+    - name: Generate token hash when only token value is provided
+      shell: |
+        python3 -c "import sys, hashlib, binascii; token = sys.stdin.read().strip(); salt = hashlib.sha256(b'cybermem-salt-v1').hexdigest()[:16]; h = hashlib.pbkdf2_hmac('sha512', token.encode(), salt.encode(), 100000, 64); print(binascii.hexlify(h).decode())"
+      args:
+        stdin: "{{ final_token_value }}"
+      register: computed_token_hash_result
+      when:
+        - final_token_value is defined and final_token_value != ""
+        - final_token_hash is not defined or final_token_hash == ""
+      changed_when: false
+      no_log: true
+    - name: Set computed token hash
+      set_fact:
+        final_token_hash: "{{ computed_token_hash_result.stdout }}"
+      when: computed_token_hash_result is not skipped
+      no_log: true
+    - name: Write API Key Secret File (only if no token exists or explicitly provided/rotated)
       copy:
-        content: "{{ auth_token_value }}"
+        content: "{{ final_token_value }}"
         dest: "{{ project_dir }}/secrets/om_api_key"
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
         mode: "0600"
-      when: auth_token_value is defined
-      ignore_errors: true
+      no_log: true
+      when: final_token_value is defined and (token_needs_generation or (auth_token_value is defined and auth_token_value != '') or (force_rotate_token | default(false)))
+    - name: Display auto-generated token info
+      debug:
+        msg: |
+          🔐 AUTO-GENERATED SECURITY TOKEN:
+          Token: {{ auto_generated_token[:7] }}...{{ auto_generated_token[-4:] }}
+          Full token saved to: {{ project_dir }}/secrets/om_api_key
+          Retrieve with: cat {{ project_dir }}/secrets/om_api_key
+          Also visible in Dashboard Settings after deployment.
+      when:
+        - auto_generated_token is defined
+        - show_token_output | default(false)
+    - name: Display token retrieval instructions
+      debug:
+        msg: |
+          🔐 SECURITY TOKEN generated.
+          Full token saved to: {{ project_dir }}/secrets/om_api_key
+          Retrieve with: cat {{ project_dir }}/secrets/om_api_key
+          Masked token visible in Dashboard Settings after deployment.
+      when:
+        - auto_generated_token is defined
+        - not (show_token_output | default(false))
     - name: Ensure data directory exists
       file:
@@ -178,19 +269,22 @@
         state: present
     - name: Inject Authentication Token
-      shell: |
-        sqlite3 {{ project_dir }}/data/openmemory.sqlite "CREATE TABLE IF NOT EXISTS access_keys (
-          id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
-          key_hash TEXT NOT NULL,
-          name TEXT DEFAULT 'default',
-          user_id TEXT DEFAULT 'default',
-          created_at TEXT DEFAULT (datetime('now')),
-          last_used_at TEXT,
-          is_active INTEGER DEFAULT 1
-        );"
-        sqlite3 {{ project_dir }}/data/openmemory.sqlite "DELETE FROM access_keys WHERE name='{{ auth_token_name | default('ansible-generated') }}';"
-        sqlite3 {{ project_dir }}/data/openmemory.sqlite "INSERT INTO access_keys (id, key_hash, name, user_id) VALUES ('{{ auth_token_id }}', '{{ auth_token_hash }}', '{{ auth_token_name | default('ansible-generated') }}', 'admin');"
-      when: auth_token_hash is defined
+      shell: "sqlite3 {{ project_dir }}/data/openmemory.sqlite"
+      args:
+        stdin: |
+          CREATE TABLE IF NOT EXISTS access_keys (
+            id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
+            key_hash TEXT NOT NULL,
+            name TEXT DEFAULT 'default',
+            user_id TEXT DEFAULT 'default',
+            created_at TEXT DEFAULT (datetime('now')),
+            last_used_at TEXT,
+            is_active INTEGER DEFAULT 1
+          );
+          DELETE FROM access_keys WHERE name='{{ final_token_name }}';
+          INSERT INTO access_keys (id, key_hash, name, user_id) VALUES ('{{ final_token_id }}', '{{ final_token_hash }}', '{{ final_token_name }}', 'admin');
+      when: final_token_hash is defined
+      no_log: true
       ignore_errors: true
     - name: Wait for Traefik (Proxy) to be ready

package/templates/auth-sidecar/Dockerfile CHANGED Viewed

@@ -1,6 +1,7 @@
 FROM node:20-alpine
 WORKDIR /app
-RUN apk add --no-cache libc6-compat
+# Install build dependencies for native modules (sqlite3)
+RUN apk add --no-cache libc6-compat python3 make g++
 COPY package.json ./
 RUN npm install
 COPY server.js .

package/templates/auth-sidecar/package.json CHANGED Viewed

@@ -3,5 +3,7 @@
   "version": "0.1.0",
   "description": "Auth sidecar for CyberMem",
   "main": "server.js",
-  "dependencies": {}
+  "dependencies": {
+    "sqlite3": "^5.1.7"
+  }
 }

package/templates/auth-sidecar/server.js CHANGED Viewed

@@ -5,7 +5,7 @@
  * 1. Bearer tokens (sk-xxx) against Docker Secret file (SSoT)
  * 2. Local requests bypass (localhost, *.local domains)
  *
- * NO EXTERNAL DEPENDENCIES - uses built-in crypto and fs.
+ * Dependencies: sqlite3 (for auto-token persistence)
  */
 const http = require("http");
@@ -13,12 +13,175 @@ const crypto = require("crypto");
 const path = require("path");
 const fs = require("fs");
 const SECRET_PATH = process.env.API_KEY_FILE || "/run/secrets/om_api_key";
+const DB_PATH = process.env.OM_DB_PATH || "/data/openmemory.sqlite";
+const FALLBACK_TOKEN_PATH = "/data/.cybermem_token";
 let cachedToken = null;
+let isAutoGenerated = false;
 const PORT = process.env.PORT || 3001;
+// Generate a new secure token
+function generateToken() {
+  return `sk-${crypto.randomBytes(16).toString("hex")}`;
+}
+// Hash token using PBKDF2 (same algorithm as CLI)
+function hashToken(token) {
+  return new Promise((resolve, reject) => {
+    const salt = crypto
+      .createHash("sha256")
+      .update("cybermem-salt-v1")
+      .digest("hex")
+      .slice(0, 16);
+    crypto.pbkdf2(token, salt, 100000, 64, "sha512", (err, key) => {
+      if (err) reject(err);
+      else resolve(key.toString("hex"));
+    });
+  });
+}
+// Store token in database
+async function storeTokenInDatabase(token) {
+  // Check if sqlite3 module is available
+  let sqlite3;
+  try {
+    sqlite3 = require("sqlite3");
+  } catch (e) {
+    console.warn("sqlite3 module not available, skipping database storage");
+    return false;
+  }
+  const db = new sqlite3.Database(DB_PATH);
+  // Configure busy timeout to reduce SQLITE_BUSY errors on concurrent access
+  if (typeof db.configure === "function") {
+    db.configure("busyTimeout", 5000);
+  }
+  const tokenHash = await hashToken(token);
+  const tokenId = crypto.randomBytes(8).toString("hex");
+  return new Promise((resolve, reject) => {
+    db.serialize(() => {
+      const expectedColumns = [
+        "id",
+        "key_hash",
+        "name",
+        "user_id",
+        "created_at",
+        "last_used_at",
+        "is_active",
+      ];
+      const proceedWithSchema = () => {
+        // Create table if not exists (after optional drop)
+        db.run(
+          `CREATE TABLE IF NOT EXISTS access_keys (
+            id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
+            key_hash TEXT NOT NULL,
+            name TEXT DEFAULT 'default',
+            user_id TEXT DEFAULT 'default',
+            created_at TEXT DEFAULT (datetime('now')),
+            last_used_at TEXT,
+            is_active INTEGER DEFAULT 1
+          )`,
+          (createErr) => {
+            if (createErr) {
+              console.error(
+                "Failed to ensure access_keys table exists:",
+                createErr.message,
+              );
+              db.close();
+              // Resolve false instead of rejecting to distinguish from fatal file persistence error
+              resolve(false);
+              return;
+            }
+            // Delete any existing auto-generated tokens
+            db.run(
+              "DELETE FROM access_keys WHERE name='auto-generated'",
+              (deleteErr) => {
+                if (deleteErr) {
+                  console.warn(
+                    "Warning cleaning old tokens:",
+                    deleteErr.message,
+                  );
+                }
+                // Insert new token
+                db.run(
+                  "INSERT INTO access_keys (id, key_hash, name, user_id) VALUES (?, ?, 'auto-generated', 'admin')",
+                  [tokenId, tokenHash],
+                  (insertErr) => {
+                    if (insertErr) {
+                      console.error(
+                        "Failed to store token in database:",
+                        insertErr.message,
+                      );
+                      db.close();
+                      // Resolve false instead of rejecting to distinguish from fatal file persistence error
+                      resolve(false);
+                    } else {
+                      console.log("✅ Auto-generated token stored in database");
+                      db.close();
+                      resolve(true);
+                    }
+                  },
+                );
+              },
+            );
+          },
+        );
+      };
+      // Validate existing access_keys schema and drop if malformed
+      db.all("PRAGMA table_info(access_keys)", (pragmaErr, columns) => {
+        if (pragmaErr) {
+          console.warn(
+            "Unable to inspect access_keys schema, proceeding with creation:",
+            pragmaErr.message,
+          );
+          proceedWithSchema();
+          return;
+        }
+        let needsDrop = false;
+        if (Array.isArray(columns) && columns.length > 0) {
+          const existingColumns = columns.map((c) => c.name);
+          const hasAllExpected = expectedColumns.every((col) =>
+            existingColumns.includes(col),
+          );
+          const sameLength = existingColumns.length === expectedColumns.length;
+          if (!hasAllExpected || !sameLength) {
+            needsDrop = true;
+          }
+        }
+        if (!needsDrop) {
+          proceedWithSchema();
+          return;
+        }
+        console.log("⚠️  Malformed access_keys schema detected, recreating...");
+        db.run("DROP TABLE IF EXISTS access_keys", (dropErr) => {
+          if (dropErr) {
+            console.error(
+              "Failed to drop malformed access_keys table:",
+              dropErr.message,
+            );
+            db.close();
+            resolve(false);
+            return;
+          }
+          proceedWithSchema();
+        });
+      });
+    });
+  });
+}
 // Load token from secret file once at startup (SSoT)
-function loadSecret() {
+async function loadSecret() {
   try {
     // 1. Check environment variable first (Direct)
     if (process.env.OM_API_KEY) {
@@ -34,30 +197,103 @@ function loadSecret() {
       // Check if it's a shell-formatted env file (OM_API_KEY=sk-...)
       const envMatch = content.match(/OM_API_KEY=["']?(sk-[a-zA-Z0-9]+)["']?/);
       if (envMatch) {
-        cachedToken = envMatch[1];
-        console.log(`SSoT Token extracted from env file: ${SECRET_PATH}`);
+        const extractedToken = envMatch[1];
+        // Reject known insecure placeholder
+        if (extractedToken === "sk-not-generated-yet") {
+          console.warn(
+            `⚠️  INSECURE PLACEHOLDER DETECTED in ${SECRET_PATH}. Treating as missing.`,
+          );
+        } else {
+          cachedToken = extractedToken;
+          console.log(`SSoT Token extracted from env file: ${SECRET_PATH}`);
+        }
+      } else if (content && content.startsWith("sk-")) {
+        // Reject known insecure placeholder
+        if (content === "sk-not-generated-yet") {
+          console.warn(
+            `⚠️  INSECURE PLACEHOLDER DETECTED in ${SECRET_PATH}. Treating as missing.`,
+          );
+        } else {
+          // Assume raw token file
+          cachedToken = content;
+          console.log(`SSoT Token loaded from raw file: ${SECRET_PATH}`);
+        }
+      } else if (content) {
+        console.warn(
+          `SECRET WARNING: ${SECRET_PATH} exists but doesn't contain a valid token format`,
+        );
+      }
+    }
+    // 3. Check fallback token file (auto-generated location)
+    if (!cachedToken && fs.existsSync(FALLBACK_TOKEN_PATH)) {
+      const fallbackContent = fs
+        .readFileSync(FALLBACK_TOKEN_PATH, "utf8")
+        .trim();
+      if (fallbackContent.startsWith("sk-")) {
+        cachedToken = fallbackContent;
+        console.log(`SSoT Token loaded from fallback: ${FALLBACK_TOKEN_PATH}`);
+        isAutoGenerated = true;
+        return;
       } else {
-        // Assume raw token file
-        cachedToken = content;
-        console.log(`SSoT Token loaded from raw file: ${SECRET_PATH}`);
+        console.warn(
+          `SECRET WARNING: ${FALLBACK_TOKEN_PATH} exists but doesn't contain a valid token format (sk-*)`,
+        );
       }
-    } else {
-      console.warn(
-        `SECRET WARNING: ${SECRET_PATH} not found. Remote auth will fail.`,
-      );
+    }
+    // 4. Auto-generate if no token found anywhere
+    if (!cachedToken) {
+      console.warn("⚠️  NO TOKEN FOUND - Auto-generating security token...");
+      cachedToken = generateToken();
+      isAutoGenerated = true;
+      // Try to persist to fallback location
+      try {
+        fs.writeFileSync(FALLBACK_TOKEN_PATH, cachedToken, {
+          mode: 0o600,
+        });
+        console.log(`✅ Auto-generated token saved to ${FALLBACK_TOKEN_PATH}`);
+        // Also try to store in database
+        const dbSuccess = await storeTokenInDatabase(cachedToken);
+        if (!dbSuccess) {
+          console.warn("⚠️  Token saved to file but database storage failed");
+          console.warn(
+            "    You may need to manually add the token to the database",
+          );
+        }
+      } catch (err) {
+        console.error("Failed to persist auto-generated token:", err.message);
+        console.error(
+          "⚠️  Token is in-memory only and will be lost on restart!",
+        );
+      }
+      const masked =
+        cachedToken.substring(0, 7) + "..." + cachedToken.slice(-4);
+      console.log("\n" + "=".repeat(70));
+      console.log("🔐 AUTO-GENERATED SECURITY TOKEN:");
+      console.log(`   ${masked}`);
+      console.log("");
+      console.log("Token saved to: " + FALLBACK_TOKEN_PATH);
+      console.log("Retrieve the full token from:");
+      console.log(`   cat ${FALLBACK_TOKEN_PATH}`);
+      console.log("=".repeat(70) + "\n");
     }
   } catch (err) {
     console.error("SECRET LOAD ERROR:", err.message);
   }
 }
-loadSecret();
+// Initialization promise to avoid race conditions
+const initPromise = loadSecret();
 // Verify token against SSoT (file-based)
 async function verifyToken(token) {
   if (!cachedToken) {
     // Try one more time if not loaded (e.g. race condition/debug)
-    loadSecret();
+    await loadSecret();
   }
   if (cachedToken && token === cachedToken) {
@@ -76,11 +312,6 @@ function isLocalRequest(req) {
     forwarded?.split(",")[0]?.trim() || realIp || req.socket.remoteAddress;
   // 1. First reject Tailscale/Remote requests (.ts.net, 100.x.x.x)
-  // CRITICAL: Tailscale requests (via Funnel) must NEVER be treated as local.
-  // If host contains .ts.net, it's external.
-  // NOTE: Legacy CYBERMEM_TAILSCALE env-flag logic was removed on purpose.
-  //       We now auto-detect Tailscale by host/IP (".ts.net" / "100.x.x.x"),
-  //       so .local bypass works regardless of CYBERMEM_TAILSCALE being set.
   if (
     host.includes(".ts.net") ||
     (typeof ip === "string" && ip.startsWith("100."))
@@ -94,9 +325,6 @@ function isLocalRequest(req) {
     return true;
   }
-  // Host-based check REMOVED for security (CVE-2026-001)
-  // We only trust loopback IP if not on Tailscale.
   // Allow localhost bypass ONLY for local Dev environment (Docker Desktop)
   const isDev = process.env.CYBERMEM_INSTANCE === "local";
   if (isDev && (host.startsWith("localhost") || host.startsWith("127.0.0.1"))) {
@@ -112,12 +340,82 @@ function isLocalRequest(req) {
   return isLocalIp;
 }
+// Strictly localhost for sensitive metadata endpoints
+function isStrictlyLocalRequest(req) {
+  const ip = req.socket.remoteAddress;
+  // 1. Direct loopback check
+  const isLoopback =
+    ip === "127.0.0.1" ||
+    ip === "::1" ||
+    ip === "::ffff:127.0.0.1" ||
+    ip === "localhost";
+  if (isLoopback) return true;
+  // 2. Docker bridge check (e.g. 172.17.0.1 or 172.18.x.x)
+  // This allows host-to-container calls for diagnostics
+  if (typeof ip === "string" && ip.startsWith("172.")) {
+    const parts = ip.split(".");
+    const second = parseInt(parts[1], 10);
+    if (second >= 16 && second <= 31) {
+      return true;
+    }
+  }
+  return false;
+}
 // ForwardAuth handler
 const server = http.createServer(async (req, res) => {
+  // Wait for secret to be loaded before processing any requests
+  await initPromise;
   // Health check
   if (req.url === "/health") {
     res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ status: "ok", mode: "token-auth" }));
+    res.end(
+      JSON.stringify({
+        status: "ok",
+        mode: "token-auth",
+        tokenSource: isAutoGenerated ? "auto-generated" : "configured",
+      }),
+    );
+    return;
+  }
+  // Token info endpoint (metadata only — never expose raw token over HTTP)
+  if (req.url === "/token-info") {
+    if (!isStrictlyLocalRequest(req)) {
+      res.writeHead(403, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Forbidden - localhost only" }));
+      return;
+    }
+    if (!isAutoGenerated) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: "Not Found",
+          message: "Token info only available for auto-generated tokens",
+        }),
+      );
+      return;
+    }
+    const masked = cachedToken
+      ? cachedToken.substring(0, 7) + "..." + cachedToken.slice(-4)
+      : null;
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(
+      JSON.stringify({
+        tokenSource: isAutoGenerated ? "auto-generated" : "configured",
+        tokenPrefix: masked,
+        fallbackPath: FALLBACK_TOKEN_PATH,
+        message: isAutoGenerated
+          ? `Token was auto-generated. Read it from: cat ${FALLBACK_TOKEN_PATH}`
+          : "Token is configured from deployment.",
+      }),
+    );
     return;
   }