@justin0713/opspilot 1.0.5 → 1.0.7

package/bin/opspilot.js

@@ -16,6 +16,7 @@
  */
 
 const { execSync, spawnSync } = require('child_process');
+const crypto = require('crypto');
 const fs   = require('fs');
 const path = require('path');
 const os   = require('os');
@@ -27,7 +28,9 @@ const PKG_VERSION = require('../package.json').version;
 const IMAGE      = 'opspilot/local:latest';
 const CONTAINER  = 'opspilot';
 const CONFIG_DIR  = path.join(os.homedir(), '.opspilot');
-const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+const CONFIG_FILE      = path.join(CONFIG_DIR, 'config.json');
+const CREDENTIALS_FILE = path.join(CONFIG_DIR, '.credentials');  // chmod 600
+const SETUP_TOKEN_FILE = path.join(CONFIG_DIR, '.setup_token');  // temp, deleted after start
 
 const CYAN   = '\x1b[36m';
 const GREEN  = '\x1b[32m';
@@ -53,11 +56,75 @@ function tryRun(cmd) {
 }
 
 function checkDocker() {
-  if (!tryRun('docker --version')) {
+  if (tryRun('docker --version')) return;   // already installed
+
+  const platform = os.platform();
+  warn('Docker is not installed. Attempting auto-install...');
+
+  if (platform === 'darwin') {
+    // macOS — prefer Colima (lightweight, no GUI, works on managed Macs)
+    if (tryRun('brew --version')) {
+      log('Installing Colima + Docker CLI via Homebrew (no Docker Desktop needed)...');
+      try {
+        run('brew install colima docker');
+        log('Starting Colima...');
+        run('colima start');
+        ok('Docker is ready via Colima.');
+        return;
+      } catch (e) {
+        warn('Colima install failed. Trying Docker Desktop...');
+        try {
+          run('brew install --cask docker');
+          warn('Docker Desktop installed. Please open Docker Desktop from Applications,');
+          warn('wait for the whale icon in the menu bar, then run: opspilot start again.');
+          process.exit(0);
+        } catch (_) {}
+      }
+    }
+    // No Homebrew
     die(
-      'Docker is not installed or not in PATH.\n' +
-      '  Install Docker Desktop: https://docs.docker.com/get-docker/'
+      'Docker is required but could not be auto-installed.\n\n' +
+      '  Option 1 — Install Homebrew first, then retry:\n' +
+      '    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"\n\n' +
+      '  Option 2 — Install OrbStack (lightweight Docker Desktop alternative):\n' +
+      '    https://orbstack.dev\n\n' +
+      '  Option 3 — Run without Docker (Python only):\n' +
+      '    opspilot install-guide'
     );
+
+  } else if (platform === 'linux') {
+    log('Installing Docker via get.docker.com...');
+    try {
+      run('curl -fsSL https://get.docker.com | sh');
+      const user = tryRun('whoami');
+      if (user && user !== 'root') {
+        try { run(`sudo usermod -aG docker ${user}`); } catch (_) {}
+        warn(`Added ${user} to docker group. You may need to log out and back in.`);
+      }
+      ok('Docker installed. Starting Docker service...');
+      try { run('sudo systemctl enable --now docker'); } catch (_) {}
+      return;
+    } catch (e) {
+      die(
+        'Auto-install failed. Install Docker manually:\n' +
+        '  https://docs.docker.com/engine/install/'
+      );
+    }
+
+  } else {
+    // Windows or unknown
+    die(
+      'Docker is required.\n\n' +
+      '  Download Docker Desktop for Windows:\n' +
+      '    https://docs.docker.com/desktop/install/windows-install/\n\n' +
+      '  After installing, open Docker Desktop and wait for it to start,\n' +
+      '  then run: opspilot start'
+    );
+  }
+
+  // Final check after auto-install
+  if (!tryRun('docker --version')) {
+    die('Docker still not available after install. Please reopen your terminal and try again.');
   }
 }
 
@@ -98,15 +165,25 @@ function parseArgs(argv) {
 
 // ── Commands ─────────────────────────────────────────────────────────────────
 
+function generatePassword() {
+  // 18 random bytes → 24-char base64url (no shell-special chars)
+  return crypto.randomBytes(18).toString('base64url');
+}
+
+function writeCredentials(password) {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(CREDENTIALS_FILE, `username: admin\npassword: ${password}\n`);
+  try { fs.chmodSync(CREDENTIALS_FILE, 0o600); } catch (_) {}  // best-effort on Windows
+}
+
 function cmdStart(flags) {
   checkDocker();
 
-  const cfg        = loadConfig();
-  const token      = flags.token          || cfg.token      || '';
-  const url        = flags['cloud-url']   || cfg.cloudUrl   || '';
-  const port       = flags.port           || cfg.port       || '5000';
-  const data       = flags['data-dir']    || cfg.dataDir    || 'opspilot-data';
-  const adminPass  = flags['admin-password'] || '';
+  const cfg   = loadConfig();
+  const token = flags.token        || cfg.token    || '';
+  const url   = flags['cloud-url'] || cfg.cloudUrl || '';
+  const port  = flags.port         || cfg.port     || '5000';
+  const data  = flags['data-dir']  || cfg.dataDir  || 'opspilot-data';
 
   if (!token) {
     die(
@@ -116,7 +193,7 @@ function cmdStart(flags) {
     );
   }
 
-  // Persist for next run
+  // Persist token for next run (never persists password)
   saveConfig({ token, cloudUrl: url || 'https://teams.codetop.net', port, dataDir: data });
 
   // Stop existing container if running
@@ -133,13 +210,29 @@ function cmdStart(flags) {
   log(`Pulling ${IMAGE} ...`);
   run(`docker pull ${IMAGE}`);
 
+  // ── Secure first-run password delivery ────────────────────────────────────
+  // Detect first run: credentials file doesn't exist yet
+  const isFirstRun = !fs.existsSync(CREDENTIALS_FILE);
+  let setupMount = '';
+
+  if (isFirstRun) {
+    const password = generatePassword();
+
+    // 1. Write to host temp file (chmod 600) — never passed as CLI arg or env var
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.writeFileSync(SETUP_TOKEN_FILE, password);
+    try { fs.chmodSync(SETUP_TOKEN_FILE, 0o600); } catch (_) {}
+
+    // 2. Save to credentials file (chmod 600) for `opspilot password` command
+    writeCredentials(password);
+
+    // 3. Mount into container read-only — entrypoint reads & deletes it
+    setupMount = `-v "${SETUP_TOKEN_FILE}:/app/.setup_token:ro" `;
+  }
+
   // Volume arg: named volume or host path
-  const isAbsolute = path.isAbsolute(data);
   const volArg = `${data}:/app/data`;
 
-  // Admin password env (first-run only — ignored if users.json already exists in volume)
-  const adminEnv = adminPass ? `-e SHELLSHADOW_INITIAL_ADMIN_PASSWORD=${adminPass} ` : '';
-
   log(`Starting OpsPilot Local on port ${port} ...`);
   run(
     `docker run -d ` +
@@ -148,26 +241,44 @@ function cmdStart(flags) {
     `-e OPSPILOT_CLOUD_URL=${url || 'https://teams.codetop.net'} ` +
     `-e OPSPILOT_CLOUD_TOKEN=${token} ` +
     `-e OPSPILOT_PORT=5000 ` +
-    adminEnv +
+    setupMount +
     `-v ${volArg} ` +
     `--restart unless-stopped ` +
     `${IMAGE}`
   );
 
+  // 4. Delete the temp setup token from host immediately after container starts
+  try { fs.unlinkSync(SETUP_TOKEN_FILE); } catch (_) {}
+
   console.log('');
   ok(`OpsPilot Local is running!`);
   console.log(`${BOLD}  URL      :${RESET} http://localhost:${port}`);
   console.log(`${BOLD}  Username :${RESET} admin`);
-  if (adminPass) {
-    console.log(`${BOLD}  Password :${RESET} ${adminPass}  ${YELLOW}← change this after first login${RESET}`);
-  } else {
-    console.log(`${BOLD}  Password :${RESET} ${YELLOW}check logs → opspilot logs | grep SECURITY${RESET}`);
+  if (isFirstRun) {
+    console.log(`${BOLD}  Password :${RESET} run ${CYAN}opspilot password${RESET} to reveal`);
   }
-  console.log(`${BOLD}  Data     :${RESET} ${isAbsolute ? data : `docker volume '${data}'`}`);
+  console.log(`${BOLD}  Data     :${RESET} ${path.isAbsolute(data) ? data : `docker volume '${data}'`}`);
   console.log('');
-  console.log(`  ${CYAN}opspilot logs -f${RESET}   — tail live logs`);
-  console.log(`  ${CYAN}opspilot stop${RESET}       — stop the server`);
-  console.log(`  ${CYAN}opspilot update${RESET}     — upgrade to latest`);
+  console.log(`  ${CYAN}opspilot password${RESET}   — show first-run admin password`);
+  console.log(`  ${CYAN}opspilot logs -f${RESET}    — tail live logs`);
+  console.log(`  ${CYAN}opspilot stop${RESET}        — stop the server`);
+  console.log(`  ${CYAN}opspilot update${RESET}      — upgrade to latest`);
+}
+
+function cmdPassword() {
+  if (!fs.existsSync(CREDENTIALS_FILE)) {
+    warn('No credentials file found. Already cleared, or this is not a first-run install.');
+    warn(`File would be at: ${CREDENTIALS_FILE}`);
+    return;
+  }
+  const content = fs.readFileSync(CREDENTIALS_FILE, 'utf8').trim();
+  console.log('');
+  console.log(`${BOLD}First-run admin credentials${RESET} (${CREDENTIALS_FILE}):`);
+  console.log('');
+  content.split('\n').forEach(line => console.log(`  ${line}`));
+  console.log('');
+  console.log(`${YELLOW}Change your password after first login, then run:${RESET}`);
+  console.log(`  ${CYAN}opspilot password --clear${RESET}`);
 }
 
 function cmdStop() {
@@ -229,6 +340,50 @@ function cmdConfig() {
   console.log(JSON.stringify(safe, null, 2));
 }
 
+function cmdInstallGuide() {
+  const platform = os.platform();
+  console.log(`
+${BOLD}${CYAN}OpsPilot Local — Docker Install Guide${RESET}
+
+Docker is required to run OpsPilot Local.
+The CLI will auto-install Docker when you run ${CYAN}opspilot start${RESET}.
+
+${BOLD}Auto-install behaviour by platform:${RESET}
+
+  ${BOLD}macOS${RESET}
+    • If Homebrew is installed → installs ${CYAN}Colima + Docker CLI${RESET} automatically
+      (lightweight, no Docker Desktop, works on managed/corporate Macs)
+    • If Homebrew is missing → installs Homebrew first:
+        /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+      Then retry: ${CYAN}opspilot start --token <token>${RESET}
+
+  ${BOLD}Linux${RESET}
+    • Runs the official Docker install script automatically:
+        curl -fsSL https://get.docker.com | sh
+
+  ${BOLD}Windows${RESET}
+    • Cannot auto-install. Download Docker Desktop:
+        https://docs.docker.com/desktop/install/windows-install/
+
+${BOLD}Manual install options (macOS):${RESET}
+
+  1. ${CYAN}Colima${RESET} — lightweight, CLI-only, free (recommended for managed Macs)
+       brew install colima docker
+       colima start
+
+  2. ${CYAN}OrbStack${RESET} — lightweight Docker Desktop alternative
+       brew install orbstack
+       # or: https://orbstack.dev
+
+  3. ${CYAN}Docker Desktop${RESET} — official GUI app
+       brew install --cask docker
+       # or: https://www.docker.com/products/docker-desktop/
+
+${BOLD}Current platform:${RESET} ${platform}
+${BOLD}Docker status  :${RESET} ${tryRun('docker --version') || RED + 'not found' + RESET}
+`);
+}
+
 function printHelp() {
   console.log(`
 ${BOLD}${CYAN}OpsPilot Local${RESET} — CLI v${PKG_VERSION}
@@ -237,19 +392,20 @@ ${BOLD}Usage:${RESET}
   opspilot <command> [options]
 
 ${BOLD}Commands:${RESET}
-  ${CYAN}start${RESET}   Pull image and start the container
-  ${CYAN}stop${RESET}    Stop and remove the container
-  ${CYAN}logs${RESET}    Show container logs  (-f to follow)
-  ${CYAN}update${RESET}  Pull latest image and restart
-  ${CYAN}status${RESET}  Show container status
-  ${CYAN}config${RESET}  Show saved local config
+  ${CYAN}start${RESET}          Pull image and start the container  ${YELLOW}(auto-installs Docker if missing)${RESET}
+  ${CYAN}stop${RESET}           Stop and remove the container
+  ${CYAN}logs${RESET}           Show container logs  (-f to follow)
+  ${CYAN}update${RESET}         Pull latest image and restart
+  ${CYAN}status${RESET}         Show container status
+  ${CYAN}config${RESET}         Show saved local config
+  ${CYAN}password${RESET}       Show first-run admin password  (--clear to delete after reading)
+  ${CYAN}install-guide${RESET}  Show Docker installation instructions for your platform
 
 ${BOLD}Start options:${RESET}
-  --token           <token>     License token from OpsPilot Cloud  ${YELLOW}(required)${RESET}
-  --admin-password  <password>  Set admin password on first run     ${YELLOW}(recommended)${RESET}
-  --cloud-url       <url>       Cloud server URL  [default: https://teams.codetop.net]
-  --port            <port>      Local port        [default: 5000]
-  --data-dir        <path>      Host data path or Docker volume name  [default: opspilot-data]
+  --token      <token>  License token from OpsPilot Cloud  ${YELLOW}(required)${RESET}
+  --cloud-url  <url>    Cloud server URL  [default: https://teams.codetop.net]
+  --port       <port>   Local port        [default: 5000]
+  --data-dir   <path>   Host data path or Docker volume name  [default: opspilot-data]
 
 ${BOLD}Examples:${RESET}
   npx @justin0713/opspilot start --token eyJ...
@@ -282,8 +438,17 @@ switch (cmd) {
       cmdStart(Object.assign({}, cfg, parsed.flags));
     })();
     break;
-  case 'status': cmdStatus();             break;
-  case 'config': cmdConfig();             break;
+  case 'status':        cmdStatus();       break;
+  case 'config':        cmdConfig();       break;
+  case 'install-guide': cmdInstallGuide(); break;
+  case 'password':
+    if (parsed.flags.clear) {
+      try { fs.unlinkSync(CREDENTIALS_FILE); ok('Credentials file cleared.'); }
+      catch (_) { warn('No credentials file to clear.'); }
+    } else {
+      cmdPassword();
+    }
+    break;
   case undefined:
   case 'help':
   case '--help':

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@justin0713/opspilot",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "CLI installer for OpsPilot Local — self-hosted SSH operations platform",
   "license": "MIT",
   "homepage": "https://github.com/Albert0977/ShellShare#readme",