@neuralnomads/codenomad 0.5.1 → 0.7.0

package/dist/auth/auth-store.js

@@ -0,0 +1,134 @@
+import fs from "fs";
+import path from "path";
+import { hashPassword, verifyPassword } from "./password-hash";
+export class AuthStore {
+    constructor(authFilePath, logger) {
+        this.authFilePath = authFilePath;
+        this.logger = logger;
+        this.cachedFile = null;
+        this.overrideAuth = null;
+        this.bootstrapUsername = null;
+    }
+    getAuthFilePath() {
+        return this.authFilePath;
+    }
+    load() {
+        if (this.overrideAuth) {
+            return this.overrideAuth;
+        }
+        if (this.cachedFile) {
+            return this.cachedFile;
+        }
+        try {
+            if (!fs.existsSync(this.authFilePath)) {
+                return null;
+            }
+            const raw = fs.readFileSync(this.authFilePath, "utf-8");
+            const parsed = JSON.parse(raw);
+            if (!parsed || parsed.version !== 1) {
+                this.logger.warn({ authFilePath: this.authFilePath }, "Auth file has unsupported version");
+                return null;
+            }
+            this.cachedFile = parsed;
+            return parsed;
+        }
+        catch (error) {
+            this.logger.warn({ err: error, authFilePath: this.authFilePath }, "Failed to load auth file");
+            return null;
+        }
+    }
+    ensureInitialized(params) {
+        const password = params.password?.trim();
+        if (password) {
+            const now = new Date().toISOString();
+            const runtime = {
+                version: 1,
+                username: params.username,
+                password: hashPassword(password),
+                userProvided: true,
+                updatedAt: now,
+            };
+            this.overrideAuth = runtime;
+            this.cachedFile = null;
+            this.bootstrapUsername = null;
+            this.logger.debug({ authFilePath: this.authFilePath }, "Using runtime auth password override; ignoring auth file");
+            return;
+        }
+        const existing = this.load();
+        if (existing) {
+            if (existing.username !== params.username) {
+                // Keep existing username unless explicitly overridden later.
+                this.logger.debug({ existing: existing.username, requested: params.username }, "Auth username differs from requested");
+            }
+            this.bootstrapUsername = null;
+            return;
+        }
+        if (params.allowBootstrapWithoutPassword) {
+            this.bootstrapUsername = params.username;
+            this.logger.debug({ authFilePath: this.authFilePath }, "No auth file present; bootstrap-only mode enabled");
+            return;
+        }
+        throw new Error(`No server password configured. Create ${this.authFilePath} or start with --password / CODENOMAD_SERVER_PASSWORD.`);
+    }
+    validateCredentials(username, password) {
+        const auth = this.load();
+        if (!auth) {
+            return false;
+        }
+        if (username !== auth.username) {
+            return false;
+        }
+        return verifyPassword(password, auth.password);
+    }
+    setPassword(params) {
+        if (this.overrideAuth) {
+            throw new Error("Server password is provided via CLI/env and cannot be changed while running. Restart without --password / CODENOMAD_SERVER_PASSWORD to use auth.json.");
+        }
+        const current = this.load();
+        if (!current) {
+            if (!this.bootstrapUsername) {
+                throw new Error("Auth is not initialized");
+            }
+            const created = {
+                version: 1,
+                username: this.bootstrapUsername,
+                password: hashPassword(params.password),
+                userProvided: params.markUserProvided,
+                updatedAt: new Date().toISOString(),
+            };
+            this.persist(created);
+            this.bootstrapUsername = null;
+            return { username: created.username, passwordUserProvided: created.userProvided };
+        }
+        const next = {
+            ...current,
+            password: hashPassword(params.password),
+            userProvided: params.markUserProvided,
+            updatedAt: new Date().toISOString(),
+        };
+        this.persist(next);
+        return { username: next.username, passwordUserProvided: next.userProvided };
+    }
+    getStatus() {
+        const current = this.load();
+        if (current) {
+            return { username: current.username, passwordUserProvided: current.userProvided };
+        }
+        if (this.bootstrapUsername) {
+            return { username: this.bootstrapUsername, passwordUserProvided: false };
+        }
+        throw new Error("Auth is not initialized");
+    }
+    persist(auth) {
+        try {
+            fs.mkdirSync(path.dirname(this.authFilePath), { recursive: true });
+            fs.writeFileSync(this.authFilePath, JSON.stringify(auth, null, 2), "utf-8");
+            this.cachedFile = auth;
+            this.logger.debug({ authFilePath: this.authFilePath }, "Persisted auth file");
+        }
+        catch (error) {
+            this.logger.error({ err: error, authFilePath: this.authFilePath }, "Failed to persist auth file");
+            throw error;
+        }
+    }
+}

package/dist/auth/http-auth.js

@@ -0,0 +1,37 @@
+export function parseCookies(header) {
+    const result = {};
+    if (!header)
+        return result;
+    const parts = header.split(";");
+    for (const part of parts) {
+        const index = part.indexOf("=");
+        if (index < 0)
+            continue;
+        const key = part.slice(0, index).trim();
+        const value = part.slice(index + 1).trim();
+        if (!key)
+            continue;
+        result[key] = decodeURIComponent(value);
+    }
+    return result;
+}
+export function isLoopbackAddress(remoteAddress) {
+    if (!remoteAddress)
+        return false;
+    if (remoteAddress === "127.0.0.1" || remoteAddress === "::1")
+        return true;
+    if (remoteAddress === "::ffff:127.0.0.1")
+        return true;
+    return false;
+}
+export function wantsHtml(request) {
+    const accept = (request.headers["accept"] ?? "").toString().toLowerCase();
+    return accept.includes("text/html") || accept.includes("application/xhtml");
+}
+export function sendUnauthorized(request, reply) {
+    if (request.method === "GET" && !request.url.startsWith("/api/") && wantsHtml(request)) {
+        reply.redirect("/login");
+        return;
+    }
+    reply.code(401).send({ error: "Unauthorized" });
+}

package/dist/auth/manager.js

@@ -0,0 +1,87 @@
+import path from "path";
+import { AuthStore } from "./auth-store";
+import { TokenManager } from "./token-manager";
+import { SessionManager } from "./session-manager";
+import { isLoopbackAddress, parseCookies } from "./http-auth";
+export const BOOTSTRAP_TOKEN_STDOUT_PREFIX = "CODENOMAD_BOOTSTRAP_TOKEN:";
+export const DEFAULT_AUTH_USERNAME = "codenomad";
+export const DEFAULT_AUTH_COOKIE_NAME = "codenomad_session";
+export class AuthManager {
+    constructor(init, logger) {
+        this.init = init;
+        this.logger = logger;
+        this.sessionManager = new SessionManager();
+        this.cookieName = DEFAULT_AUTH_COOKIE_NAME;
+        const authFilePath = resolveAuthFilePath(init.configPath);
+        this.authStore = new AuthStore(authFilePath, logger.child({ component: "auth" }));
+        // Startup: password comes from CLI/env, auth.json, or bootstrap-only mode.
+        this.authStore.ensureInitialized({
+            username: init.username,
+            password: init.password,
+            allowBootstrapWithoutPassword: init.generateToken,
+        });
+        this.tokenManager = init.generateToken ? new TokenManager(60000) : null;
+    }
+    getCookieName() {
+        return this.cookieName;
+    }
+    isTokenBootstrapEnabled() {
+        return Boolean(this.tokenManager);
+    }
+    issueBootstrapToken() {
+        if (!this.tokenManager)
+            return null;
+        return this.tokenManager.generate();
+    }
+    consumeBootstrapToken(token) {
+        if (!this.tokenManager)
+            return false;
+        return this.tokenManager.consume(token);
+    }
+    validateLogin(username, password) {
+        return this.authStore.validateCredentials(username, password);
+    }
+    createSession(username) {
+        return this.sessionManager.createSession(username);
+    }
+    getStatus() {
+        return this.authStore.getStatus();
+    }
+    setPassword(password) {
+        return this.authStore.setPassword({ password, markUserProvided: true });
+    }
+    isLoopbackRequest(request) {
+        return isLoopbackAddress(request.socket.remoteAddress);
+    }
+    getSessionFromRequest(request) {
+        const cookies = parseCookies(request.headers.cookie);
+        const sessionId = cookies[this.cookieName];
+        const session = this.sessionManager.getSession(sessionId);
+        if (!session)
+            return null;
+        return { username: session.username, sessionId: session.id };
+    }
+    setSessionCookie(reply, sessionId) {
+        reply.header("Set-Cookie", buildSessionCookie(this.cookieName, sessionId));
+    }
+    clearSessionCookie(reply) {
+        reply.header("Set-Cookie", buildSessionCookie(this.cookieName, "", { maxAgeSeconds: 0 }));
+    }
+}
+function resolveAuthFilePath(configPath) {
+    const resolvedConfigPath = resolvePath(configPath);
+    return path.join(path.dirname(resolvedConfigPath), "auth.json");
+}
+function resolvePath(filePath) {
+    if (filePath.startsWith("~/")) {
+        return path.join(process.env.HOME ?? "", filePath.slice(2));
+    }
+    return path.resolve(filePath);
+}
+function buildSessionCookie(name, value, options) {
+    const parts = [`${name}=${encodeURIComponent(value)}`, "HttpOnly", "Path=/", "SameSite=Lax"];
+    if (options?.maxAgeSeconds !== undefined) {
+        parts.push(`Max-Age=${Math.max(0, Math.floor(options.maxAgeSeconds))}`);
+    }
+    return parts.join("; ");
+}

package/dist/auth/password-hash.js

@@ -0,0 +1,32 @@
+import crypto from "crypto";
+const DEFAULT_SCRYPT_PARAMS = {
+    N: 16384,
+    r: 8,
+    p: 1,
+    maxmem: 32 * 1024 * 1024,
+};
+export function hashPassword(password) {
+    const salt = crypto.randomBytes(16);
+    const params = DEFAULT_SCRYPT_PARAMS;
+    const keyLength = 64;
+    const derived = crypto.scryptSync(password, salt, keyLength, params);
+    return {
+        algorithm: "scrypt",
+        saltBase64: salt.toString("base64"),
+        hashBase64: Buffer.from(derived).toString("base64"),
+        keyLength,
+        params,
+    };
+}
+export function verifyPassword(password, record) {
+    if (record.algorithm !== "scrypt") {
+        return false;
+    }
+    const salt = Buffer.from(record.saltBase64, "base64");
+    const expected = Buffer.from(record.hashBase64, "base64");
+    const derived = crypto.scryptSync(password, salt, record.keyLength, record.params);
+    if (expected.length !== derived.length) {
+        return false;
+    }
+    return crypto.timingSafeEqual(expected, Buffer.from(derived));
+}

package/dist/auth/session-manager.js

@@ -0,0 +1,17 @@
+import crypto from "crypto";
+export class SessionManager {
+    constructor() {
+        this.sessions = new Map();
+    }
+    createSession(username) {
+        const id = crypto.randomBytes(32).toString("base64url");
+        const info = { id, createdAt: Date.now(), username };
+        this.sessions.set(id, info);
+        return info;
+    }
+    getSession(id) {
+        if (!id)
+            return undefined;
+        return this.sessions.get(id);
+    }
+}

package/dist/auth/token-manager.js

@@ -0,0 +1,27 @@
+import crypto from "crypto";
+export class TokenManager {
+    constructor(ttlMs) {
+        this.ttlMs = ttlMs;
+        this.token = null;
+    }
+    generate() {
+        const token = crypto.randomBytes(32).toString("base64url");
+        this.token = { token, createdAt: Date.now(), consumed: false };
+        return token;
+    }
+    consume(token) {
+        if (!this.token)
+            return false;
+        if (this.token.consumed)
+            return false;
+        if (Date.now() - this.token.createdAt > this.ttlMs)
+            return false;
+        if (token !== this.token.token)
+            return false;
+        this.token.consumed = true;
+        return true;
+    }
+    peek() {
+        return this.token?.token ?? null;
+    }
+}

package/dist/background-processes/manager.js

@@ -6,6 +6,7 @@ const ROOT_DIR = ".codenomad/background_processes";
 const INDEX_FILE = "index.json";
 const OUTPUT_FILE = "output.txt";
 const STOP_TIMEOUT_MS = 2000;
+const EXIT_WAIT_TIMEOUT_MS = 5000;
 const MAX_OUTPUT_BYTES = 20 * 1024;
 const OUTPUT_PUBLISH_INTERVAL_MS = 1000;
 export class BackgroundProcessManager {
@@ -35,6 +36,10 @@ export class BackgroundProcessManager {
         const child = spawn("bash", ["-c", command], {
             cwd: workspace.path,
             stdio: ["ignore", "pipe", "pipe"],
+            detached: process.platform !== "win32",
+        });
+        child.on("exit", () => {
+            this.killProcessTree(child, "SIGTERM");
         });
         const record = {
             id,
@@ -60,7 +65,7 @@ export class BackgroundProcessManager {
                 resolve();
             });
         });
-        this.running.set(id, { child, outputPath, exitPromise, workspaceId });
+        this.running.set(id, { id, child, outputPath, exitPromise, workspaceId });
         let lastPublishAt = 0;
         const maybePublishSize = () => {
             const now = Date.now();
@@ -92,7 +97,7 @@ export class BackgroundProcessManager {
         }
         const running = this.running.get(processId);
         if (running?.child && !running.child.killed) {
-            running.child.kill("SIGTERM");
+            this.killProcessTree(running.child, "SIGTERM");
             await this.waitForExit(running);
         }
         if (record.status === "running") {
@@ -110,7 +115,7 @@ export class BackgroundProcessManager {
             return;
         const running = this.running.get(processId);
         if (running?.child && !running.child.killed) {
-            running.child.kill("SIGTERM");
+            this.killProcessTree(running.child, "SIGTERM");
             await this.waitForExit(running);
         }
         await this.removeFromIndex(workspaceId, processId);
@@ -197,22 +202,57 @@ export class BackgroundProcessManager {
         for (const [, running] of this.running.entries()) {
             if (running.workspaceId !== workspaceId)
                 continue;
-            running.child.kill("SIGTERM");
+            this.killProcessTree(running.child, "SIGTERM");
             await this.waitForExit(running);
         }
         await this.removeWorkspaceDir(workspaceId);
     }
+    killProcessTree(child, signal) {
+        const pid = child.pid;
+        if (!pid)
+            return;
+        if (process.platform !== "win32") {
+            try {
+                process.kill(-pid, signal);
+                return;
+            }
+            catch {
+                // Fall back to killing the direct child.
+            }
+        }
+        try {
+            child.kill(signal);
+        }
+        catch {
+            // ignore
+        }
+    }
     async waitForExit(running) {
-        let resolved = false;
-        const timeout = setTimeout(() => {
-            if (!resolved) {
-                running.child.kill("SIGKILL");
+        let exited = false;
+        const exitPromise = running.exitPromise.finally(() => {
+            exited = true;
+        });
+        const killTimeout = setTimeout(() => {
+            if (!exited) {
+                this.killProcessTree(running.child, "SIGKILL");
             }
         }, STOP_TIMEOUT_MS);
-        await running.exitPromise.finally(() => {
-            resolved = true;
-            clearTimeout(timeout);
-        });
+        try {
+            await Promise.race([
+                exitPromise,
+                new Promise((resolve) => {
+                    setTimeout(resolve, EXIT_WAIT_TIMEOUT_MS);
+                }),
+            ]);
+            if (!exited) {
+                this.killProcessTree(running.child, "SIGKILL");
+                this.running.delete(running.id);
+                this.deps.logger.warn({ pid: running.child.pid }, "Timed out waiting for background process to exit");
+            }
+        }
+        finally {
+            clearTimeout(killTimeout);
+        }
     }
     statusFromExit(code) {
         if (code === null)

package/dist/index.js

@@ -17,6 +17,7 @@ import { InstanceEventBridge } from "./workspaces/instance-events";
 import { createLogger } from "./logger";
 import { launchInBrowser } from "./launcher";
 import { startReleaseMonitor } from "./releases/release-monitor";
+import { AuthManager, BOOTSTRAP_TOKEN_STDOUT_PREFIX, DEFAULT_AUTH_USERNAME } from "./auth/manager";
 const require = createRequire(import.meta.url);
 const packageJson = require("../package.json");
 const __filename = fileURLToPath(import.meta.url);
@@ -40,7 +41,14 @@ function parseCliOptions(argv) {
         .addOption(new Option("--log-destination <path>", "Log destination file (defaults to stdout)").env("CLI_LOG_DESTINATION"))
         .addOption(new Option("--ui-dir <path>", "Directory containing the built UI bundle").env("CLI_UI_DIR").default(DEFAULT_UI_STATIC_DIR))
         .addOption(new Option("--ui-dev-server <url>", "Proxy UI requests to a running dev server").env("CLI_UI_DEV_SERVER"))
-        .addOption(new Option("--launch", "Launch the UI in a browser after start").env("CLI_LAUNCH").default(false));
+        .addOption(new Option("--launch", "Launch the UI in a browser after start").env("CLI_LAUNCH").default(false))
+        .addOption(new Option("--username <username>", "Username for server authentication")
+        .env("CODENOMAD_SERVER_USERNAME")
+        .default(DEFAULT_AUTH_USERNAME))
+        .addOption(new Option("--password <password>", "Password for server authentication").env("CODENOMAD_SERVER_PASSWORD"))
+        .addOption(new Option("--generate-token", "Emit a one-time bootstrap token for desktop")
+        .env("CODENOMAD_GENERATE_TOKEN")
+        .default(false));
     program.parse(argv, { from: "user" });
     const parsed = program.opts();
     const resolvedRoot = parsed.workspaceRoot ?? parsed.root ?? process.cwd();
@@ -56,6 +64,9 @@ function parseCliOptions(argv) {
         uiStaticDir: parsed.uiDir,
         uiDevServer: parsed.uiDevServer,
         launch: Boolean(parsed.launch),
+        authUsername: parsed.username,
+        authPassword: parsed.password,
+        generateToken: Boolean(parsed.generateToken),
     };
 }
 function parsePort(input) {
@@ -77,7 +88,11 @@ async function main() {
     const workspaceLogger = logger.child({ component: "workspace" });
     const configLogger = logger.child({ component: "config" });
     const eventLogger = logger.child({ component: "events" });
-    logger.info({ options }, "Starting CodeNomad CLI server");
+    const logOptions = {
+        ...options,
+        authPassword: options.authPassword ? "[REDACTED]" : undefined,
+    };
+    logger.info({ options: logOptions }, "Starting CodeNomad CLI server");
     const eventBus = new EventBus(eventLogger);
     const serverMeta = {
         httpBaseUrl: `http://${options.host}:${options.port}`,
@@ -89,6 +104,18 @@ async function main() {
         workspaceRoot: options.rootDir,
         addresses: [],
     };
+    const authManager = new AuthManager({
+        configPath: options.configPath,
+        username: options.authUsername,
+        password: options.authPassword,
+        generateToken: options.generateToken,
+    }, logger.child({ component: "auth" }));
+    if (options.generateToken) {
+        const token = authManager.issueBootstrapToken();
+        if (token) {
+            console.log(`${BOOTSTRAP_TOKEN_STDOUT_PREFIX}${token}`);
+        }
+    }
     const configStore = new ConfigStore(options.configPath, eventBus, configLogger);
     const binaryRegistry = new BinaryRegistry(configStore, eventBus, configLogger);
     const workspaceManager = new WorkspaceManager({
@@ -129,6 +156,7 @@ async function main() {
         eventBus,
         serverMeta,
         instanceStore,
+        authManager,
         uiStaticDir: options.uiStaticDir,
         uiDevServerUrl: options.uiDevServer,
         logger,

package/dist/opencode-config/package.json

@@ -3,6 +3,6 @@
   "version": "0.5.0",
   "private": true,
   "dependencies": {
-    "@opencode-ai/plugin": "1.1.1"
+    "@opencode-ai/plugin": "1.1.12"
   }
 }

package/dist/opencode-config/plugin/lib/background-process.ts

@@ -1,5 +1,6 @@
 import path from "path"
 import { tool } from "@opencode-ai/plugin/tool"
+import { createCodeNomadRequester, type CodeNomadConfig } from "./request"
 
 type BackgroundProcess = {
   id: string
@@ -12,11 +13,6 @@ type BackgroundProcess = {
   outputSizeBytes?: number
 }
 
-type CodeNomadConfig = {
-  instanceId: string
-  baseUrl: string
-}
-
 type BackgroundProcessOptions = {
   baseDir: string
 }
@@ -27,30 +23,10 @@ type ParsedCommand = {
 }
 
 export function createBackgroundProcessTools(config: CodeNomadConfig, options: BackgroundProcessOptions) {
-  const request = async <T>(path: string, init?: RequestInit): Promise<T> => {
-
-    const base = config.baseUrl.replace(/\/+$/, "")
-    const url = `${base}/workspaces/${config.instanceId}/plugin/background-processes${path}`
-    const headers = normalizeHeaders(init?.headers)
-    if (init?.body !== undefined) {
-      headers["Content-Type"] = "application/json"
-    }
-
-    const response = await fetch(url, {
-      ...init,
-      headers,
-    })
+  const requester = createCodeNomadRequester(config)
 
-    if (!response.ok) {
-      const message = await response.text()
-      throw new Error(message || `Request failed with ${response.status}`)
-    }
-
-    if (response.status === 204) {
-      return undefined as T
-    }
-
-    return (await response.json()) as T
+  const request = async <T>(path: string, init?: RequestInit): Promise<T> => {
+    return requester.requestJson<T>(`/background-processes${path}`, init)
   }
 
   return {
@@ -249,13 +225,7 @@ function tokenize(input: string): string[] {
 
     if (char === "|" || char === "&" || char === ";") {
       flush()
-      const next = input[index + 1]
-      if ((char === "|" || char === "&") && next === char) {
-        tokens.push(char + next)
-        index += 1
-      } else {
-        tokens.push(char)
-      }
+      tokens.push(char)
       continue
     }
 
@@ -266,44 +236,18 @@ function tokenize(input: string): string[] {
   return tokens
 }
 
-function isSeparator(token: string) {
-  return token === "|" || token === "||" || token === "&&" || token === ";" || token === "&"
+function isSeparator(token: string): boolean {
+  return token === "|" || token === "&" || token === ";"
 }
 
-function unquote(value: string) {
-  if (value.length >= 2) {
-    const first = value[0]
-    const last = value[value.length - 1]
-    if ((first === "'" && last === "'") || (first === '"' && last === '"')) {
-      return value.slice(1, -1)
-    }
+function unquote(token: string): string {
+  if ((token.startsWith('"') && token.endsWith('"')) || (token.startsWith("'") && token.endsWith("'"))) {
+    return token.slice(1, -1)
   }
-  return value
+  return token
 }
 
-function isWithinBase(baseDir: string, target: string) {
-  const relative = path.relative(baseDir, target)
-  if (!relative) return true
-  return !relative.startsWith("..") && !path.isAbsolute(relative)
-}
-
-function normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
-  const output: Record<string, string> = {}
-  if (!headers) return output
-
-  if (headers instanceof Headers) {
-    headers.forEach((value, key) => {
-      output[key] = value
-    })
-    return output
-  }
-
-  if (Array.isArray(headers)) {
-    for (const [key, value] of headers) {
-      output[key] = value
-    }
-    return output
-  }
-
-  return { ...headers }
+function isWithinBase(base: string, candidate: string): boolean {
+  const relative = path.relative(base, candidate)
+  return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative))
 }