@cybermem/cli 0.9.12 → 0.13.3

package/templates/ansible/playbooks/deploy-cybermem.yml

@@ -1,15 +1,21 @@
 ---
 - name: Deploy CyberMem to Raspberry Pi
-  hosts: rpi
-  become: yes
+  hosts: all
+  become: true
   vars:
     project_dir: /home/{{ ansible_user }}/cybermem
     env_file: .env.rpi
+    # Default ports based on environment
+    TRAEFIK_PORT_STAGING: "8625"
+    TRAEFIK_PORT_PROD: "8626"
+    TRAEFIK_PORT_DEFAULT: "{{ TRAEFIK_PORT_STAGING if cybermem_env | default('prod') == 'staging' else TRAEFIK_PORT_PROD }}"
+    # Port to use consistently across all tasks
+    EFFECTIVE_TRAEFIK_PORT: "{{ TRAEFIK_PORT | default(TRAEFIK_PORT_DEFAULT) }}"
 
   tasks:
     - name: Update apt cache
       apt:
-        update_cache: yes
+        update_cache: true
         cache_valid_time: 3600
 
     - name: Install dependencies
@@ -23,13 +29,13 @@
       service:
         name: docker
         state: started
-        enabled: yes
+        enabled: true
 
     - name: Add user to docker group
       user:
         name: "{{ ansible_user }}"
         groups: docker
-        append: yes
+        append: true
 
     - name: Create project directory
       file:
@@ -39,33 +45,204 @@
         group: "{{ ansible_user }}"
         mode: "0755"
 
-    - name: Synchronize project files
+    - name: Ensure backup directory exists
+      file:
+        path: "{{ project_dir }}/backups"
+        state: directory
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: "0755"
+
+    - name: Ensure secrets directory exists
+      file:
+        path: "{{ project_dir }}/secrets"
+        state: directory
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: "0755"
+
+    - name: Write API Key Secret File
+      copy:
+        content: "{{ auth_token_value }}"
+        dest: "{{ project_dir }}/secrets/om_api_key"
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: "0600"
+      when: auth_token_value is defined
+      ignore_errors: true
+
+    - name: Ensure data directory exists
+      file:
+        path: "{{ project_dir }}/data"
+        state: directory
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: "0755"
+
+    - name: Check if database exists
+      stat:
+        path: "{{ project_dir }}/data/openmemory.sqlite"
+      register: db_file
+
+    - name: Create pre-deploy database backup
+      shell: "cp {{ project_dir }}/data/openmemory.sqlite {{ project_dir }}/backups/openmemory.sqlite.{{ ansible_facts['date_time']['iso8601_basic_short'] }}.bak"
+      when: db_file.stat.exists
+      ignore_errors: true
+
+    - name: Copy Docker Compose template
+      copy:
+        src: "../../docker-compose.yml"
+        dest: "{{ project_dir }}/docker-compose.yml"
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: "0644"
+
+    - name: Replace GHCR image tag (staging uses :staging, prod uses :latest)
+      replace:
+        path: "{{ project_dir }}/docker-compose.yml"
+        regexp: "(ghcr.io/[^/]+/cybermem-[^:]+):latest"
+        replace: '\1:{{ ghcr_tag | default("latest") }}'
+      when: ghcr_tag is defined and ghcr_tag != 'latest'
+
+    - name: Sync monitoring configuration
       synchronize:
-        src: "{{ playbook_dir }}/../../"
-        dest: "{{ project_dir }}"
-        rsync_opts:
-          - "--exclude=.git"
-          - "--exclude=node_modules"
-          - "--exclude=.next"
-          - "--exclude=dashboard/.next"
-          - "--exclude=*.log"
-          - "--exclude=tmp"
-          - "--exclude=__pycache__"
-
-    - name: Copy environment file
+        src: "../../monitoring"
+        dest: "{{ project_dir }}/"
+        recursive: true
+        delete: true
+
+    # NOTE: build_from_source removed - all builds happen on GH Actions now
+
+    - name: Patch Traefik configuration
+      replace:
+        path: "{{ project_dir }}/monitoring/traefik/traefik.yml"
+        regexp: 'address: ":8626"'
+        replace: 'address: ":{{ EFFECTIVE_TRAEFIK_PORT }}"'
+
+    - name: Ensure .env is present (template if missing)
       copy:
-        src: "../../{{ env_file }}"
+        content: |
+          CYBERMEM_INSTANCE=rpi
+          CYBERMEM_ENV={{ cybermem_env | default('prod') }}
+          PROJECT_NAME={{ PROJECT_NAME | default('cybermem') }}
+          TRAEFIK_PORT={{ EFFECTIVE_TRAEFIK_PORT }}
+          CYBERMEM_TAILSCALE={{ CYBERMEM_TAILSCALE | default('false') }}
+          SECRETS_DIR={{ project_dir }}/secrets
+          DATA_DIR={{ project_dir }}/data
+          CYBERMEM_ENV_PATH={{ project_dir }}/.env
+          CYBERMEM_HOME={{ project_dir }}
+          # Add other envs as needed
         dest: "{{ project_dir }}/.env"
+        force: true
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
         mode: "0600"
 
-    - name: Pull and start services
-      command: docker-compose -f docker-compose.prod.yml --profile ollama up -d --pull always
+    - name: Load global version from package.json
+      set_fact:
+        global_version: "{{ (lookup('file', playbook_dir + '/../../../../../package.json') | from_json).version }}"
+
+    - name: Pull images from GHCR
+      command: docker-compose -p {{ PROJECT_NAME | default('cybermem') }} pull
+      args:
+        chdir: "{{ project_dir }}"
+      register: pull_out
+      changed_when: "'Downloaded newer image' in pull_out.stdout or 'Downloaded newer image' in pull_out.stderr"
+      when: not (skip_pull | default(false) | bool)
+
+    - name: Stop staging containers (prevent port conflicts, NEVER touch prod)
+      shell: |
+        docker-compose -p cybermem-staging down --remove-orphans 2>/dev/null || true
+      args:
+        chdir: "{{ project_dir }}"
+      changed_when: false
+      ignore_errors: true
+      when: cybermem_env | default('prod') == 'staging'
+
+    - name: Start services
+      command: docker-compose -p {{ PROJECT_NAME | default('cybermem') }} up -d --remove-orphans
       args:
         chdir: "{{ project_dir }}"
-      register: compose_output
+      register: up_out
+      changed_when: "'Creating' in up_out.stdout or 'Recreating' in up_out.stdout or 'Starting' in up_out.stdout or 'Creating' in up_out.stderr or 'Recreating' in up_out.stderr or 'Starting' in up_out.stderr"
+
+    - name: Install sqlite3 for token injection
+      apt:
+        name: sqlite3
+        state: present
+
+    - name: Inject Authentication Token
+      shell: |
+        sqlite3 {{ project_dir }}/data/openmemory.sqlite "CREATE TABLE IF NOT EXISTS access_keys (
+          id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
+          key_hash TEXT NOT NULL,
+          name TEXT DEFAULT 'default',
+          user_id TEXT DEFAULT 'default',
+          created_at TEXT DEFAULT (datetime('now')),
+          last_used_at TEXT,
+          is_active INTEGER DEFAULT 1
+        );"
+        sqlite3 {{ project_dir }}/data/openmemory.sqlite "DELETE FROM access_keys WHERE name='{{ auth_token_name | default('ansible-generated') }}';"
+        sqlite3 {{ project_dir }}/data/openmemory.sqlite "INSERT INTO access_keys (id, key_hash, name, user_id) VALUES ('{{ auth_token_id }}', '{{ auth_token_hash }}', '{{ auth_token_name | default('ansible-generated') }}', 'admin');"
+      when: auth_token_hash is defined
+      ignore_errors: true
+
+    - name: Wait for Traefik to be ready
+      uri:
+        url: "http://localhost:{{ EFFECTIVE_TRAEFIK_PORT }}/health"
+        status_code: 200
+      register: traefik_ping
+      until: traefik_ping.status == 200
+      retries: 10
+      delay: 5
+
+    - name: Verify Overall System Health
+      uri:
+        url: "http://localhost:{{ EFFECTIVE_TRAEFIK_PORT }}/api/health"
+        return_content: true
+      register: health_status
+      until: "health_status.content is defined and (health_status.content | from_json).overall == 'ok'"
+      retries: 5
+      delay: 10
+      ignore_errors: true
+
+    - name: Configure Tailscale Funnel (after health check)
+      shell: |
+        # Reset any existing configuration for clean state
+        tailscale serve reset 2>/dev/null || true
+        tailscale funnel reset 2>/dev/null || true
+
+        # Configure port based on current environment only
+        if [ "{{ cybermem_env | default('prod') }}" = "staging" ]; then
+          tailscale funnel --bg --https=10000 http://127.0.0.1:{{ EFFECTIVE_TRAEFIK_PORT }}
+        else
+          tailscale funnel --bg --https=443 http://127.0.0.1:{{ EFFECTIVE_TRAEFIK_PORT }}
+        fi
+
+        tailscale funnel status
+      become: true
+      when: (CYBERMEM_TAILSCALE | default('false') | bool) and (health_status is defined and not health_status.failed and (health_status.content | from_json).overall == 'ok')
+      register: funnel_status
+      ignore_errors: true
+
+    - name: Display Tailscale Funnel Status
+      debug:
+        var: funnel_status.stdout_lines
+      when: funnel_status is defined and funnel_status.stdout_lines is defined
+
+    - name: Automated Rollback on Failure
+      block:
+        - name: Rollback message
+          debug:
+            msg: "Rollback logic triggered due to unhealthy state."
+
+        - name: Restart previous state containers
+          command: docker-compose -p {{ PROJECT_NAME | default('cybermem') }} up -d --remove-orphans
+          args:
+            chdir: "{{ project_dir }}"
+          ignore_errors: true
+      when: health_status.failed or (health_status.content | from_json).overall != 'ok'
 
-    - name: Show deployment status
+    - name: Deployment Summary
       debug:
-        var: compose_output.stdout_lines
+        msg: "CyberMem v{{ global_version }} successfully deployed. Health: {{ (health_status.content | from_json).overall | default('UNKNOWN') }}"

package/templates/ansible/playbooks/reset-db.yml

@@ -0,0 +1,44 @@
+---
+- name: Reset CyberMem Database on Raspberry Pi
+  hosts: rpi
+  become: yes
+  vars:
+    project_dir: /home/{{ ansible_user }}/cybermem
+    db_path: "{{ project_dir }}/data/openmemory.sqlite"
+
+  tasks:
+    - name: Stop CyberMem services
+      command: docker-compose down
+      args:
+        chdir: "{{ project_dir }}"
+
+    - name: Wipe database file
+      file:
+        path: "{{ db_path }}"
+        state: absent
+
+    - name: Ensure data directory exists
+      file:
+        path: "{{ project_dir }}/data"
+        state: directory
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: "0755"
+
+    - name: Start CyberMem services
+      command: docker-compose up -d
+      args:
+        chdir: "{{ project_dir }}"
+
+    - name: Wait for Traefik to be ready
+      uri:
+        url: "http://localhost:8626/health"
+        status_code: 200
+      register: traefik_ping
+      until: traefik_ping.status == 200
+      retries: 10
+      delay: 5
+
+    - name: Database Reset Summary
+      debug:
+        msg: "CyberMem database at {{ db_path }} has been wiped and services are back online."

package/templates/auth-sidecar/Dockerfile

@@ -1,17 +1,9 @@
-# Builder stage for native modules
-FROM node:20-alpine AS builder
+FROM node:20-alpine
 WORKDIR /app
-RUN apk add --no-cache python3 make g++
+RUN apk add --no-cache libc6-compat
 COPY package.json ./
 RUN npm install
-
-# Production stage
-FROM node:20-alpine AS runner
-WORKDIR /app
-RUN apk add --no-cache libc6-compat
-COPY --from=builder /app/node_modules ./node_modules
 COPY server.js .
-COPY package.json .
 
 EXPOSE 3001
 CMD ["node", "server.js"]

package/templates/auth-sidecar/package.json

@@ -3,7 +3,5 @@
   "version": "0.1.0",
   "description": "Auth sidecar for CyberMem",
   "main": "server.js",
-  "dependencies": {
-    "sqlite3": "5.1.7"
-  }
+  "dependencies": {}
 }

package/templates/auth-sidecar/server.js

@@ -2,98 +2,71 @@
  * CyberMem Auth Sidecar
  *
  * ForwardAuth service for Traefik that validates:
- * 1. Bearer tokens (sk-xxx) against SQLite access_keys table
+ * 1. Bearer tokens (sk-xxx) against Docker Secret file (SSoT)
  * 2. Local requests bypass (localhost, *.local domains)
  *
- * NO EXTERNAL DEPENDENCIES - uses built-in crypto and sqlite3.
+ * NO EXTERNAL DEPENDENCIES - uses built-in crypto and fs.
  */
 
 const http = require("http");
 const crypto = require("crypto");
 const path = require("path");
-const sqlite3 = require("sqlite3").verbose();
+const fs = require("fs");
+const SECRET_PATH = process.env.API_KEY_FILE || "/run/secrets/om_api_key";
+let cachedToken = null;
 
 const PORT = process.env.PORT || 3001;
-const DB_PATH = process.env.OM_DB_PATH || "/data/openmemory.sqlite";
-
-// Ensure schema exists
-function initSchema() {
-  const db = new sqlite3.Database(DB_PATH);
-  db.serialize(() => {
-    db.run(
-      `
-      CREATE TABLE IF NOT EXISTS access_keys (
-        key_id TEXT PRIMARY KEY,
-        key_hash TEXT UNIQUE NOT NULL,
-        user_id TEXT NOT NULL,
-        name TEXT,
-        is_active INTEGER DEFAULT 1,
-        created_at DATETIME DEFAULT CURRENT_TIMESTAMP
-      )
-    `,
-      (err) => {
-        if (err) console.error("SCHEMA ERROR:", err.message);
-        else console.log("Schema verified for access_keys");
-        db.close();
-      },
-    );
-  });
-}
-
-initSchema();
-
-// Hash token using same PBKDF2 as CLI (for verification)
-function hashToken(token) {
-  return new Promise((resolve, reject) => {
-    const salt = crypto
-      .createHash("sha256")
-      .update("cybermem-salt-v1")
-      .digest("hex")
-      .slice(0, 16);
-    crypto.pbkdf2(token, salt, 100000, 64, "sha512", (err, key) => {
-      if (err) reject(err);
-      else resolve(key.toString("hex"));
-    });
-  });
-}
 
-// Verify token against SQLite access_keys table
-async function verifyToken(token) {
+// Load token from secret file once at startup (SSoT)
+function loadSecret() {
   try {
-    const db = new sqlite3.Database(DB_PATH);
-
-    const tokenHash = await hashToken(token);
-
-    return new Promise((resolve, reject) => {
-      db.get(
-        "SELECT user_id, name FROM access_keys WHERE key_hash = ? AND is_active = 1",
-        [tokenHash],
-        (err, row) => {
-          db.close();
-          if (err) {
-            console.log("DB error:", err.message);
-            resolve(null);
-          } else if (row) {
-            // Update last_used_at
-            const updateDb = new sqlite3.Database(DB_PATH);
-            updateDb.run(
-              "UPDATE access_keys SET last_used_at = datetime('now') WHERE key_hash = ?",
-              [tokenHash],
-            );
-            updateDb.close();
-            resolve({ userId: row.user_id, name: row.name });
-          } else {
-            resolve(null);
-          }
-        },
+    // 1. Check environment variable first (Direct)
+    if (process.env.OM_API_KEY) {
+      cachedToken = process.env.OM_API_KEY.trim();
+      console.log("SSoT Token loaded from OM_API_KEY env");
+      return;
+    }
+
+    // 2. Check secret/env file (Mapped)
+    if (fs.existsSync(SECRET_PATH)) {
+      const content = fs.readFileSync(SECRET_PATH, "utf8").trim();
+
+      // Check if it's a shell-formatted env file (OM_API_KEY=sk-...)
+      const envMatch = content.match(/OM_API_KEY=["']?(sk-[a-zA-Z0-9]+)["']?/);
+      if (envMatch) {
+        cachedToken = envMatch[1];
+        console.log(`SSoT Token extracted from env file: ${SECRET_PATH}`);
+      } else {
+        // Assume raw token file
+        cachedToken = content;
+        console.log(`SSoT Token loaded from raw file: ${SECRET_PATH}`);
+      }
+    } else {
+      console.warn(
+        `SECRET WARNING: ${SECRET_PATH} not found. Remote auth will fail.`,
       );
-    });
+    }
   } catch (err) {
-    console.log("Token verification error:", err.message);
-    return null;
+    console.error("SECRET LOAD ERROR:", err.message);
   }
 }
 
+loadSecret();
+
+// Verify token against SSoT (file-based)
+async function verifyToken(token) {
+  if (!cachedToken) {
+    // Try one more time if not loaded (e.g. race condition/debug)
+    loadSecret();
+  }
+
+  if (cachedToken && token === cachedToken) {
+    return { userId: "admin", name: "SSoT-Admin" };
+  }
+
+  return null;
+}
+
 // Check if request is from localhost or local network
 function isLocalRequest(req) {
   const forwarded = req.headers["x-forwarded-for"];
@@ -102,21 +75,41 @@ function isLocalRequest(req) {
   const ip =
     forwarded?.split(",")[0]?.trim() || realIp || req.socket.remoteAddress;
 
-  // IP-based local check
+  // 1. First reject Tailscale/Remote requests (.ts.net, 100.x.x.x)
+  // CRITICAL: Tailscale requests (via Funnel) must NEVER be treated as local.
+  // If host contains .ts.net, it's external.
+  // NOTE: Legacy CYBERMEM_TAILSCALE env-flag logic was removed on purpose.
+  //       We now auto-detect Tailscale by host/IP (".ts.net" / "100.x.x.x"),
+  //       so .local bypass works regardless of CYBERMEM_TAILSCALE being set.
+  if (
+    host.includes(".ts.net") ||
+    (typeof ip === "string" && ip.startsWith("100."))
+  ) {
+    return false;
+  }
+
+  // 2. Allow .local (mDNS) bypass for RPi LAN access
+  const hostname = host.split(":")[0];
+  if (hostname.endsWith(".local")) {
+    return true;
+  }
+
+  // Host-based check REMOVED for security (CVE-2026-001)
+  // We only trust loopback IP if not on Tailscale.
+
+  // Allow localhost bypass ONLY for local Dev environment (Docker Desktop)
+  const isDev = process.env.CYBERMEM_INSTANCE === "local";
+  if (isDev && (host.startsWith("localhost") || host.startsWith("127.0.0.1"))) {
+    return true;
+  }
+
   const isLocalIp =
     ip === "127.0.0.1" ||
     ip === "::1" ||
     ip === "::ffff:127.0.0.1" ||
     ip === "localhost";
 
-  // Host-based local check (raspberrypi.local, localhost, *.local)
-  const isLocalHost =
-    host.includes("localhost") ||
-    host.includes("127.0.0.1") ||
-    host.includes("raspberrypi.local") ||
-    host.match(/\.local(:\d+)?$/);
-
-  return isLocalIp || isLocalHost;
+  return isLocalIp;
 }
 
 // ForwardAuth handler
@@ -131,9 +124,47 @@ const server = http.createServer(async (req, res) => {
   const authHeader = req.headers["authorization"];
   const apiKeyHeader = req.headers["x-api-key"];
 
-  // 1. Local bypass - no auth required for localhost
-  if (isLocalRequest(req)) {
-    console.log("Auth OK: Local bypass");
+  // 1. Resolve URI
+  const requestUri = req.headers["x-forwarded-uri"] || req.url || "/";
+  console.log(`[Auth-Sidecar] Processing ${req.method} ${requestUri}`);
+
+  // 2. Public Paths Bypass
+  // We allow Dashboard roots, login paths and essential assets to bypass SSoT token check
+  // The Dashboard itself handles its own session auth.
+  const prefixPublicPaths = [
+    "/auth",
+    "/api/auth",
+    "/api/health",
+    // "/api/metrics", // LEAK FIXED
+    // "/api/stats",   // LEAK FIXED
+    "/api/settings",
+    "/_next",
+    "/favicon",
+    "/static",
+    "/public",
+    "/health",
+    "/login",
+    // "/metrics",     // LEAK FIXED
+    "/clients.json",
+  ];
+
+  const exactPublicPaths = ["/"];
+
+  const isPublic =
+    exactPublicPaths.includes(requestUri) ||
+    prefixPublicPaths.some((p) => requestUri.startsWith(p));
+
+  if (isPublic) {
+    console.log(`[Auth-Sidecar] ✅ Public bypass: ${requestUri}`);
+    res.writeHead(200, { "X-Auth-Method": "public" });
+    res.end();
+    return;
+  }
+
+  // 3. Local bypass
+  const isK3d = process.env.CYBERMEM_INSTANCE === "k3d";
+  if (!isK3d && isLocalRequest(req)) {
+    console.log(`[Auth-Sidecar] ✅ Local bypass: ${requestUri}`);
     res.writeHead(200, {
       "X-Auth-Method": "local",
       "X-User-Id": "local",
@@ -142,32 +173,41 @@ const server = http.createServer(async (req, res) => {
     return;
   }
 
-  // 2. Check Bearer token (sk-xxx format)
+  // 4. Token Auth Verification Helper
+  const verifyRequestToken = async (received) => {
+    if (!received) return null;
+    const result = await verifyToken(received);
+    if (!result) {
+      console.log(
+        `[Auth-Sidecar] DEBUG Mismatch: received [${received.substring(0, 5)}...] (len:${received.length}) vs cached [${cachedToken?.substring(0, 5)}...] (len:${cachedToken?.length})`,
+      );
+    }
+    return result;
+  };
+
   if (authHeader?.startsWith("Bearer ")) {
     const token = authHeader.substring(7);
-
-    if (token.startsWith("sk-")) {
-      const result = await verifyToken(token);
-
-      if (result) {
-        console.log(`Auth OK: Token (${result.name || result.userId})`);
-        res.writeHead(200, {
-          "X-User-Id": result.userId,
-          "X-Auth-Method": "token",
-          "X-Token-Name": result.name || "",
-        });
-        res.end();
-        return;
-      }
+    const result = await verifyRequestToken(token);
+    if (result) {
+      console.log(
+        `[Auth-Sidecar] ✅ Auth OK (Bearer): ${result.name || result.userId}`,
+      );
+      res.writeHead(200, {
+        "X-User-Id": result.userId,
+        "X-Auth-Method": "token",
+        "X-Token-Name": result.name || "",
+      });
+      res.end();
+      return;
     }
   }
 
-  // 3. Check X-API-Key header (sk-xxx format)
   if (apiKeyHeader?.startsWith("sk-")) {
-    const result = await verifyToken(apiKeyHeader);
-
+    const result = await verifyRequestToken(apiKeyHeader);
     if (result) {
-      console.log(`Auth OK: API-Key Header (${result.name || result.userId})`);
+      console.log(
+        `[Auth-Sidecar] ✅ Auth OK (X-API-Key): ${result.name || result.userId}`,
+      );
       res.writeHead(200, {
         "X-User-Id": result.userId,
         "X-Auth-Method": "api-key",
@@ -178,8 +218,8 @@ const server = http.createServer(async (req, res) => {
     }
   }
 
-  // 4. Unauthorized
-  console.log("Auth FAILED: No valid token");
+  // 5. Unauthorized
+  console.log(`[Auth-Sidecar] ❌ Auth FAILED: ${requestUri}`);
   res.writeHead(401, { "Content-Type": "application/json" });
   res.end(
     JSON.stringify({
@@ -192,5 +232,4 @@ const server = http.createServer(async (req, res) => {
 
 server.listen(PORT, () => {
   console.log(`Auth sidecar (token-auth) listening on port ${PORT}`);
-  console.log(`DB path: ${DB_PATH}`);
 });

package/templates/charts/cybermem/.helmignore

@@ -0,0 +1,13 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, same as .gitignore.
+#  ...
+.DS_Store
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.git
+.gitignore
+.idea
+.vscode