@fyresmith/hive-server 4.0.1 → 5.0.0

package/cli/flows/doctor.js

@@ -64,16 +64,11 @@ export async function runDoctorChecks({ envFile, includeCloudflared = true }) {
       }
     }
 
-    if (env.VAULT_PATH && env.OWNER_DISCORD_ID) {
+    if (env.VAULT_PATH) {
       try {
         const managedState = await loadManagedState(env.VAULT_PATH);
         if (!managedState) {
           info('Managed state not initialized yet');
-        } else if (managedState.ownerDiscordId !== env.OWNER_DISCORD_ID) {
-          fail(
-            `Managed owner mismatch: state=${managedState.ownerDiscordId} env=${env.OWNER_DISCORD_ID}`,
-          );
-          failures += 1;
         } else {
           success(`Managed state OK (vaultId ${managedState.vaultId})`);
         }

package/cli/flows/setup.js

@@ -5,11 +5,11 @@ import {
   DEFAULT_CLOUDFLARED_CONFIG,
   DEFAULT_TUNNEL_NAME,
   EXIT,
+  HIVE_HOME,
   HIVE_CONFIG_FILE,
-  LEGACY_ENV_FILE,
 } from '../constants.js';
 import { CliError } from '../errors.js';
-import { inferDomainFromRedirect, loadEnvFile, normalizeEnv, promptForEnv, validateEnvValues, writeEnvFile } from '../env-file.js';
+import { loadEnvFile, normalizeEnv, promptForEnv, validateEnvValues, writeEnvFile } from '../env-file.js';
 import { validateDomain } from '../checks.js';
 import { updateHiveConfig } from '../config.js';
 import { installHiveService } from '../service.js';
@@ -20,9 +20,11 @@ import {
   promptConfirm,
   requiredOrFallback,
   resolveContext,
-  setRedirectUriForDomain,
 } from '../core/context.js';
 import { runDoctorChecks } from './doctor.js';
+import { createVaultAtParent, initializeOwnerManagedVault } from '../../lib/setupOrchestrator.js';
+import { loadManagedState } from '../../lib/managedState.js';
+import { join } from 'path';
 
 export async function runSetupWizard(options) {
   const yes = Boolean(options.yes);
@@ -31,25 +33,10 @@ export async function runSetupWizard(options) {
 
   const { config, envFile } = await resolveContext(options);
   let nextConfig = { ...config, envFile };
-  let importedLegacy = false;
-
-  if (!existsSync(HIVE_CONFIG_FILE) && existsSync(LEGACY_ENV_FILE)) {
-    const shouldImportLegacy = await promptConfirm(
-      `Import existing legacy env from ${LEGACY_ENV_FILE}?`,
-      yes,
-      true
-    );
-    if (shouldImportLegacy) {
-      const legacyValues = await loadEnvFile(LEGACY_ENV_FILE);
-      await writeEnvFile(envFile, legacyValues);
-      importedLegacy = true;
-      success(`Imported legacy env into ${envFile}`);
-    }
-  }
 
   const envExists = existsSync(envFile);
   let envValues;
-  if (!envExists || importedLegacy) {
+  if (!envExists) {
     info(`Initializing env file at ${envFile}`);
     const existing = await loadEnvFile(envFile);
     envValues = await promptForEnv({ envFile, existing, yes });
@@ -63,34 +50,117 @@ export async function runSetupWizard(options) {
     }
   }
 
+  // Prompt for vault display name and owner account credentials
+  let vaultName = '';
+  let vaultParentPath = '';
+  let ownerEmail = '';
+  let ownerDisplayName = '';
+  let ownerPassword = '';
+  if (!yes) {
+    const nameResp = await prompts({
+      type: 'text',
+      name: 'name',
+      message: 'Vault display name (e.g. "Team Vault")',
+      validate: (v) => String(v).trim().length > 0 || 'Vault name is required',
+    });
+    vaultName = String(nameResp.name ?? '').trim();
+
+    if (!String(envValues.VAULT_PATH ?? '').trim()) {
+      const parentResp = await prompts({
+        type: 'text',
+        name: 'path',
+        message: 'Choose folder location for the generated vault (parent directory)',
+        validate: (v) => String(v).trim().length > 0 || 'Parent folder path is required',
+      });
+      vaultParentPath = String(parentResp.path ?? '').trim();
+    }
+
+    const acctResp = await prompts([
+      { type: 'text', name: 'email', message: 'Owner email (for dashboard login)' },
+      { type: 'text', name: 'displayName', message: 'Owner display name' },
+      { type: 'password', name: 'password', message: 'Owner password' },
+    ]);
+    ownerEmail = String(acctResp.email ?? '').trim();
+    ownerDisplayName = String(acctResp.displayName ?? '').trim() || 'Owner';
+    ownerPassword = String(acctResp.password ?? '');
+  }
+
+  const existingVaultPath = String(envValues.VAULT_PATH ?? '').trim();
+  if (!existingVaultPath) {
+    if (yes) {
+      vaultName = vaultName || 'Hive Vault';
+      vaultParentPath = vaultParentPath || join(HIVE_HOME, 'vaults');
+    }
+    if (vaultName && vaultParentPath) {
+      const generatedVaultPath = await createVaultAtParent({
+        parentPath: vaultParentPath,
+        vaultName,
+      });
+      envValues = { ...envValues, VAULT_PATH: generatedVaultPath };
+      await writeEnvFile(envFile, envValues);
+      success(`Generated vault at ${generatedVaultPath}`);
+    }
+  }
+
   const envIssues = validateEnvValues(envValues);
   if (envIssues.length > 0) {
     for (const issue of envIssues) fail(issue);
     throw new CliError('Env configuration is invalid', EXIT.FAIL);
   }
 
-  let domain = requiredOrFallback(
-    options.domain,
-    inferDomainFromRedirect(envValues.DISCORD_REDIRECT_URI) || nextConfig.domain
+  // Initialize owner account + managed vault when interactive setup provides credentials.
+  if (vaultName && ownerEmail && ownerPassword) {
+    const existingState = await loadManagedState(String(envValues.VAULT_PATH));
+    if (existingState) {
+      info('Managed vault already initialized; skipping owner and vault initialization.');
+    } else {
+      await initializeOwnerManagedVault({
+        vaultPath: envValues.VAULT_PATH,
+        vaultName,
+        ownerEmail,
+        ownerDisplayName,
+        ownerPassword,
+      });
+      success('Owner account created');
+      success(`Vault initialized: ${vaultName}`);
+    }
+  }
+
+  // Prompt for public server URL (used for invite claim redirects)
+  let hiveServerUrl = requiredOrFallback(
+    options.domain ? `https://${options.domain}` : '',
+    envValues.HIVE_SERVER_URL || (nextConfig.domain ? `https://${nextConfig.domain}` : ''),
   );
 
   if (!yes) {
     const response = await prompts({
       type: 'text',
-      name: 'domain',
-      message: 'Public domain for Hive server',
-      initial: domain,
+      name: 'url',
+      message: 'Public URL for Hive server (optional, used for invite links)',
+      initial: hiveServerUrl || '',
     });
-    if (response.domain !== undefined) {
-      domain = String(response.domain).trim();
+    if (response.url !== undefined) {
+      hiveServerUrl = String(response.url).trim();
     }
   }
 
-  if (!validateDomain(domain)) {
-    throw new CliError(`Invalid domain: ${domain}`);
-  }
+  if (hiveServerUrl) {
+    const updated = { ...envValues, HIVE_SERVER_URL: hiveServerUrl };
+    await writeEnvFile(envFile, updated);
+    envValues = updated;
+
+    // Derive domain for Cloudflare Tunnel config
+    let domain = nextConfig.domain;
+    try {
+      domain = new URL(hiveServerUrl).hostname;
+    } catch {
+      // ignore parse error
+    }
 
-  envValues = await setRedirectUriForDomain({ envFile, env: envValues, domain, yes });
+    if (domain && validateDomain(domain)) {
+      nextConfig = { ...nextConfig, domain };
+    }
+  }
 
   const shouldSetupTunnel = await promptConfirm('Configure Cloudflare Tunnel now?', yes, true);
   if (shouldSetupTunnel) {
@@ -102,6 +172,11 @@ export async function runSetupWizard(options) {
     );
     const tunnelService = await promptConfirm('Install cloudflared as a service?', yes, true);
 
+    const domain = nextConfig.domain;
+    if (!domain || !validateDomain(domain)) {
+      throw new CliError(`Cannot configure tunnel: invalid or missing domain (${domain})`);
+    }
+
     const tunnelResult = await setupTunnel({
       tunnelName,
       domain,

package/index.js

@@ -1,25 +1,20 @@
 import dotenv from 'dotenv';
 import { createServer } from 'http';
+import { existsSync } from 'fs';
 import { fileURLToPath } from 'url';
 import express from 'express';
 import { Server } from 'socket.io';
 import authRoutes from './routes/auth.js';
-import managedRoutes from './routes/managed.js';
+import dashboardRoutes from './routes/dashboard.js';
 import * as vault from './lib/vaultManager.js';
 import { attachHandlers } from './lib/socketHandler.js';
 import { startYjsServer, getActiveRooms, forceCloseRoom, getRoomStatus } from './lib/yjsServer.js';
-import { assertOwnerConsistency } from './lib/managedState.js';
-
-const REQUIRED = [
-  'VAULT_PATH',
-  'JWT_SECRET',
-  'DISCORD_CLIENT_ID',
-  'DISCORD_CLIENT_SECRET',
-  'DISCORD_REDIRECT_URI',
-  'OWNER_DISCORD_ID',
-];
-
-function validateEnv() {
+import { loadManagedState } from './lib/managedState.js';
+import { DEFAULT_ENV_FILE } from './cli/constants.js';
+
+const REQUIRED = ['JWT_SECRET'];
+
+function validateEnv({ allowSetupMode = false } = {}) {
   for (const key of REQUIRED) {
     if (!process.env[key]) {
       throw new Error(`[startup] Missing required env var: ${key}`);
@@ -31,16 +26,27 @@ function validateEnv() {
     throw new Error('[startup] PORT must be a positive integer');
   }
 
-  return { port };
+  // Ensure packaged onboarding assets are available on startup.
+  const assetsRoot = fileURLToPath(new URL('./assets', import.meta.url));
+  if (!existsSync(assetsRoot)) {
+    throw new Error('[startup] Missing packaged assets directory');
+  }
+
+  const hasVaultPath = Boolean(String(process.env.VAULT_PATH ?? '').trim());
+  if (!hasVaultPath && !allowSetupMode) {
+    throw new Error('[startup] Missing required env var: VAULT_PATH');
+  }
+
+  return { port, hasVaultPath };
 }
 
 /**
  * Start Hive server runtime.
  *
- * @param {{ envFile?: string, quiet?: boolean }} [options]
+ * @param {{ envFile?: string, quiet?: boolean, allowSetupMode?: boolean }} [options]
  */
 export async function startHiveServer(options = {}) {
-  const { envFile, quiet = false } = options;
+  const { envFile, quiet = false, allowSetupMode = false } = options;
 
   dotenv.config(
     envFile
@@ -48,11 +54,17 @@ export async function startHiveServer(options = {}) {
       : undefined
   );
 
-  const { port } = validateEnv();
-  await assertOwnerConsistency(process.env.VAULT_PATH, process.env.OWNER_DISCORD_ID);
+  process.env.HIVE_ENV_FILE = envFile || process.env.HIVE_ENV_FILE || DEFAULT_ENV_FILE;
+
+  const { port, hasVaultPath } = validateEnv({ allowSetupMode });
+  if (hasVaultPath) {
+    await loadManagedState(process.env.VAULT_PATH);
+  }
 
   const app = express();
   const httpServer = createServer(app);
+  app.locals.hiveEnvFile = process.env.HIVE_ENV_FILE;
+  app.locals.activateRealtime = null;
 
   const io = new Server(httpServer, {
     cors: {
@@ -75,9 +87,16 @@ export async function startHiveServer(options = {}) {
     next();
   });
 
+  const setupRequired = (req, res, next) => {
+    if (!String(process.env.VAULT_PATH ?? '').trim()) {
+      return res.status(503).json({ ok: false, error: 'Setup required: configure vault path first.' });
+    }
+    next();
+  };
+
   // Auth routes
-  app.use('/auth', authRoutes);
-  app.use('/managed', managedRoutes);
+  app.use('/auth', setupRequired, authRoutes);
+  app.use('/dashboard', dashboardRoutes);
 
   // Health check
   app.get('/health', (req, res) => res.json({ ok: true, ts: Date.now() }));
@@ -91,33 +110,46 @@ export async function startHiveServer(options = {}) {
     });
   }
 
-  attachHandlers(io, getActiveRooms, broadcastFileUpdated, forceCloseRoom);
-  const yjsWss = startYjsServer(httpServer, broadcastFileUpdated);
-
-  httpServer.on('upgrade', (req, socket, head) => {
-    const { pathname } = new URL(req.url, 'http://localhost');
-    if (pathname.startsWith('/yjs')) {
-      yjsWss.handleUpgrade(req, socket, head, (ws) => {
-        yjsWss.emit('connection', ws, req);
-      });
-    }
-    // Socket.IO handles /socket.io upgrades automatically via its own listener
-  });
+  let realtimeActive = false;
+  let yjsWss = null;
+  const activateRealtime = async () => {
+    if (realtimeActive) return;
+    const vaultPath = String(process.env.VAULT_PATH ?? '').trim();
+    if (!vaultPath) return;
+    await loadManagedState(vaultPath);
+    attachHandlers(io, getActiveRooms, broadcastFileUpdated, forceCloseRoom);
+    yjsWss = startYjsServer(httpServer, broadcastFileUpdated);
+    httpServer.on('upgrade', (req, socket, head) => {
+      const { pathname } = new URL(req.url, 'http://localhost');
+      if (pathname.startsWith('/yjs')) {
+        yjsWss.handleUpgrade(req, socket, head, (ws) => {
+          yjsWss.emit('connection', ws, req);
+        });
+      }
+      // Socket.IO handles /socket.io upgrades automatically via its own listener
+    });
 
-  // Chokidar watch for external (non-plugin) changes
-  vault.initWatcher((relPath, event) => {
-    const docName = encodeURIComponent(relPath);
-    if (getActiveRooms().has(docName)) {
+    vault.initWatcher((relPath, event) => {
+      const docName = encodeURIComponent(relPath);
+      if (getActiveRooms().has(docName)) {
+        if (!quiet) {
+          console.log(`[chokidar] Ignoring external change to active room: ${relPath}`);
+        }
+        return;
+      }
       if (!quiet) {
-        console.log(`[chokidar] Ignoring external change to active room: ${relPath}`);
+        console.log(`[chokidar] External ${event}: ${relPath}`);
       }
-      return;
-    }
-    if (!quiet) {
-      console.log(`[chokidar] External ${event}: ${relPath}`);
-    }
-    io.emit('external-update', { relPath, event });
-  });
+      io.emit('external-update', { relPath, event });
+    });
+
+    realtimeActive = true;
+  };
+  app.locals.activateRealtime = activateRealtime;
+
+  if (hasVaultPath) {
+    await activateRealtime();
+  }
 
   await new Promise((resolve, reject) => {
     httpServer.once('error', reject);
@@ -126,7 +158,11 @@ export async function startHiveServer(options = {}) {
 
   if (!quiet) {
     console.log(`[server] Hive server listening on port ${port}`);
-    console.log(`[server] Vault: ${process.env.VAULT_PATH}`);
+    if (String(process.env.VAULT_PATH ?? '').trim()) {
+      console.log(`[server] Vault: ${process.env.VAULT_PATH}`);
+    } else {
+      console.log('[server] Setup mode: VAULT_PATH not configured yet');
+    }
   }
 
   return {

package/lib/accountState.js

@@ -0,0 +1,189 @@
+import { randomUUID, scrypt as scryptCb, timingSafeEqual } from 'crypto';
+import { existsSync } from 'fs';
+import { mkdir, readFile, writeFile } from 'fs/promises';
+import { dirname, join, resolve } from 'path';
+import { promisify } from 'util';
+
+const scrypt = promisify(scryptCb);
+
+const STATE_VERSION = 1;
+const STATE_REL_PATH = join('.hive', 'accounts-state.json');
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+function normalizeEmail(value) {
+  return String(value ?? '').trim().toLowerCase();
+}
+
+function parseEmail(value) {
+  const email = String(value ?? '').trim();
+  const emailNorm = normalizeEmail(email);
+  if (!emailNorm || !emailNorm.includes('@')) {
+    throw new Error('A valid email is required');
+  }
+  return { email, emailNorm };
+}
+
+function normalizeDisplayName(value) {
+  const displayName = String(value ?? '').trim();
+  if (!displayName || displayName.length > 32) {
+    throw new Error('Display name must be 1-32 characters');
+  }
+  return displayName;
+}
+
+function normalizeAccount(raw) {
+  if (!raw || typeof raw !== 'object') return null;
+  const id = String(raw.id ?? '').trim();
+  const email = String(raw.email ?? '').trim();
+  const emailNorm = normalizeEmail(raw.emailNorm ?? email);
+  const displayName = String(raw.displayName ?? '').trim();
+  const passwordHash = String(raw.passwordHash ?? '').trim();
+  const passwordSalt = String(raw.passwordSalt ?? '').trim();
+  const createdAt = String(raw.createdAt ?? '').trim();
+  const updatedAt = String(raw.updatedAt ?? '').trim();
+
+  if (!id || !emailNorm || !displayName || !passwordHash || !passwordSalt || !createdAt || !updatedAt) {
+    return null;
+  }
+
+  return {
+    id,
+    email,
+    emailNorm,
+    displayName,
+    passwordHash,
+    passwordSalt,
+    createdAt,
+    updatedAt,
+  };
+}
+
+function normalizeState(raw) {
+  const source = raw && typeof raw === 'object' ? raw : {};
+  const accountsRaw = source.accounts && typeof source.accounts === 'object' ? source.accounts : {};
+
+  const accounts = {};
+  for (const [id, value] of Object.entries(accountsRaw)) {
+    const normalized = normalizeAccount(value);
+    if (normalized) {
+      accounts[id] = normalized;
+    }
+  }
+
+  return {
+    version: STATE_VERSION,
+    accounts,
+  };
+}
+
+async function hashPassword(password, salt) {
+  const input = String(password ?? '');
+  if (input.length < 8) {
+    throw new Error('Password must be at least 8 characters');
+  }
+  const derived = await scrypt(input, salt, 64);
+  return Buffer.from(derived).toString('hex');
+}
+
+export function getAccountsStatePath(vaultPath) {
+  return join(resolve(vaultPath), STATE_REL_PATH);
+}
+
+export async function loadAccountsState(vaultPath) {
+  const filePath = getAccountsStatePath(vaultPath);
+  if (!existsSync(filePath)) {
+    return normalizeState(null);
+  }
+  const raw = await readFile(filePath, 'utf-8');
+  const parsed = JSON.parse(raw);
+  return normalizeState(parsed);
+}
+
+export async function saveAccountsState(vaultPath, state) {
+  const filePath = getAccountsStatePath(vaultPath);
+  const normalized = normalizeState(state);
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, `${JSON.stringify(normalized, null, 2)}\n`, 'utf-8');
+  return normalized;
+}
+
+export async function createAccount({ vaultPath, email, password, displayName }) {
+  const { emailNorm } = parseEmail(email);
+  const nextDisplayName = normalizeDisplayName(displayName);
+
+  const state = await loadAccountsState(vaultPath);
+  const existing = Object.values(state.accounts).find((row) => row.emailNorm === emailNorm);
+  if (existing) {
+    throw new Error('An account already exists for this email');
+  }
+
+  const id = randomUUID();
+  const passwordSalt = randomUUID();
+  const passwordHash = await hashPassword(password, passwordSalt);
+  const ts = nowIso();
+
+  state.accounts[id] = {
+    id,
+    email: String(email ?? '').trim(),
+    emailNorm,
+    displayName: nextDisplayName,
+    passwordHash,
+    passwordSalt,
+    createdAt: ts,
+    updatedAt: ts,
+  };
+
+  await saveAccountsState(vaultPath, state);
+  return toPublicAccount(state.accounts[id]);
+}
+
+export async function createOwnerAccount({ vaultPath, email, displayName, password }) {
+  return createAccount({
+    vaultPath,
+    email,
+    password,
+    displayName,
+  });
+}
+
+export async function authenticateAccount({ vaultPath, email, password }) {
+  const { emailNorm } = parseEmail(email);
+  const state = await loadAccountsState(vaultPath);
+  const account = Object.values(state.accounts).find((row) => row.emailNorm === emailNorm);
+  if (!account) {
+    throw new Error('Invalid email or password');
+  }
+
+  const derived = await hashPassword(password, account.passwordSalt);
+  const actual = Buffer.from(account.passwordHash, 'hex');
+  const incoming = Buffer.from(derived, 'hex');
+  if (actual.length !== incoming.length || !timingSafeEqual(actual, incoming)) {
+    throw new Error('Invalid email or password');
+  }
+
+  return toPublicAccount(account);
+}
+
+export async function getAccountById(vaultPath, accountId) {
+  const id = String(accountId ?? '').trim();
+  if (!id) return null;
+
+  const state = await loadAccountsState(vaultPath);
+  const account = state.accounts[id];
+  if (!account) return null;
+  return toPublicAccount(account);
+}
+
+export function toPublicAccount(account) {
+  return {
+    id: account.id,
+    email: account.email,
+    emailNorm: account.emailNorm,
+    displayName: account.displayName,
+    createdAt: account.createdAt,
+    updatedAt: account.updatedAt,
+  };
+}

package/lib/authTokens.js

@@ -0,0 +1,75 @@
+import { createHash, randomBytes } from 'crypto';
+import jwt from 'jsonwebtoken';
+
+const PURPOSE_CLAIM_SESSION = 'claim-session';
+
+function getJwtSecret() {
+  const secret = String(process.env.JWT_SECRET ?? '').trim();
+  if (!secret) {
+    throw new Error('JWT_SECRET is required');
+  }
+  return secret;
+}
+
+function parsePositiveInt(value, fallback) {
+  const parsed = parseInt(String(value ?? '').trim(), 10);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    return fallback;
+  }
+  return parsed;
+}
+
+function downloadTicketTtlMinutes() {
+  return parsePositiveInt(process.env.HIVE_BUNDLE_GRANT_TTL_MINUTES, 15);
+}
+
+function bootstrapTokenTtlHours() {
+  return parsePositiveInt(process.env.HIVE_BOOTSTRAP_TOKEN_TTL_HOURS, 24);
+}
+
+export function hashToken(token) {
+  return createHash('sha256').update(String(token ?? ''), 'utf-8').digest('hex');
+}
+
+export function signClaimSessionToken(account) {
+  const payload = {
+    purpose: PURPOSE_CLAIM_SESSION,
+    accountId: account.id,
+    displayName: account.displayName,
+    emailNorm: account.emailNorm,
+  };
+
+  return jwt.sign(payload, getJwtSecret(), { expiresIn: '7d' });
+}
+
+export function verifyClaimSessionToken(token) {
+  const decoded = jwt.verify(String(token ?? ''), getJwtSecret());
+  if (!decoded || decoded.purpose !== PURPOSE_CLAIM_SESSION) {
+    throw new Error('Invalid session token');
+  }
+  return decoded;
+}
+
+export function issueDownloadTicket() {
+  const ttlMinutes = downloadTicketTtlMinutes();
+  const ttlMs = ttlMinutes * 60 * 1000;
+  const token = randomBytes(32).toString('hex');
+  return {
+    token,
+    tokenHash: hashToken(token),
+    expiresAt: new Date(Date.now() + ttlMs).toISOString(),
+  };
+}
+
+export function issueBootstrapToken({ memberId, vaultId }) {
+  const ttlHours = bootstrapTokenTtlHours();
+  const ttlMs = ttlHours * 60 * 60 * 1000;
+  const token = randomBytes(32).toString('hex');
+
+  return {
+    token,
+    memberId,
+    vaultId,
+    expiresAt: new Date(Date.now() + ttlMs).toISOString(),
+  };
+}