@neuralnomads/codenomad 0.5.1 → 0.7.0

package/dist/opencode-config/plugin/lib/client.ts

@@ -1,74 +1,41 @@
-export type PluginEvent = {
-  type: string
-  properties?: Record<string, unknown>
-}
+import { createCodeNomadRequester, type CodeNomadConfig, type PluginEvent } from "./request"
 
-export type CodeNomadConfig = {
-  instanceId: string
-  baseUrl: string
-}
-
-export function getCodeNomadConfig(): CodeNomadConfig {
-  return {
-    instanceId: requireEnv("CODENOMAD_INSTANCE_ID"),
-    baseUrl: requireEnv("CODENOMAD_BASE_URL"),
-  }
-}
+export { getCodeNomadConfig, type CodeNomadConfig, type PluginEvent } from "./request"
 
 export function createCodeNomadClient(config: CodeNomadConfig) {
-  return {
-    postEvent: (event: PluginEvent) => postPluginEvent(config.baseUrl, config.instanceId, event),
-    startEvents: (onEvent: (event: PluginEvent) => void) => startPluginEvents(config.baseUrl, config.instanceId, onEvent),
-  }
-}
+  const requester = createCodeNomadRequester(config)
 
-function requireEnv(key: string): string {
-  const value = process.env[key]
-  if (!value || !value.trim()) {
-    throw new Error(`[CodeNomadPlugin] Missing required env var ${key}`)
+  return {
+    postEvent: (event: PluginEvent) =>
+      requester.requestVoid("/event", {
+        method: "POST",
+        body: JSON.stringify(event),
+      }),
+    startEvents: (onEvent: (event: PluginEvent) => void) => startPluginEvents(requester, onEvent),
   }
-  return value
 }
 
 function delay(ms: number) {
   return new Promise<void>((resolve) => setTimeout(resolve, ms))
 }
 
-async function postPluginEvent(baseUrl: string, instanceId: string, event: PluginEvent) {
-  const url = `${baseUrl.replace(/\/+$/, "")}/workspaces/${instanceId}/plugin/event`
-  const response = await fetch(url, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-    },
-    body: JSON.stringify(event),
-  })
-
-  if (!response.ok) {
-    throw new Error(`[CodeNomadPlugin] POST ${url} failed (${response.status})`)
-  }
-}
-
-async function startPluginEvents(baseUrl: string, instanceId: string, onEvent: (event: PluginEvent) => void) {
-  const url = `${baseUrl.replace(/\/+$/, "")}/workspaces/${instanceId}/plugin/events`
-
+async function startPluginEvents(
+  requester: ReturnType<typeof createCodeNomadRequester>,
+  onEvent: (event: PluginEvent) => void,
+) {
   // Fail plugin startup if we cannot establish the initial connection.
-  const initialBody = await connectWithRetries(url, 3)
+  const initialBody = await connectWithRetries(requester, 3)
 
   // After startup, keep reconnecting; throw after 3 consecutive failures.
-  void consumeWithReconnect(url, onEvent, initialBody)
+  void consumeWithReconnect(requester, onEvent, initialBody)
 }
 
-async function connectWithRetries(url: string, maxAttempts: number) {
+async function connectWithRetries(requester: ReturnType<typeof createCodeNomadRequester>, maxAttempts: number) {
   let lastError: unknown
 
   for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
     try {
-      const response = await fetch(url, { headers: { Accept: "text/event-stream" } })
-      if (!response.ok || !response.body) {
-        throw new Error(`[CodeNomadPlugin] SSE unavailable (${response.status})`)
-      }
-      return response.body
+      return await requester.requestSseBody("/events")
     } catch (error) {
       lastError = error
       await delay(500 * attempt)
@@ -76,11 +43,12 @@ async function connectWithRetries(url: string, maxAttempts: number) {
   }
 
   const reason = lastError instanceof Error ? lastError.message : String(lastError)
-  throw new Error(`[CodeNomadPlugin] Failed to connect to CodeNomad after ${maxAttempts} retries: ${reason}`)
+  const url = requester.buildUrl("/events")
+  throw new Error(`[CodeNomadPlugin] Failed to connect to CodeNomad at ${url} after ${maxAttempts} retries: ${reason}`)
 }
 
 async function consumeWithReconnect(
-  url: string,
+  requester: ReturnType<typeof createCodeNomadRequester>,
   onEvent: (event: PluginEvent) => void,
   initialBody: ReadableStream<Uint8Array>,
 ) {
@@ -90,7 +58,7 @@ async function consumeWithReconnect(
   while (true) {
     try {
       if (!body) {
-        body = await connectWithRetries(url, 3)
+        body = await connectWithRetries(requester, 3)
       }
 
       await consumeSseBody(body, onEvent)

package/dist/opencode-config/plugin/lib/request.ts

@@ -0,0 +1,124 @@
+export type PluginEvent = {
+  type: string
+  properties?: Record<string, unknown>
+}
+
+export type CodeNomadConfig = {
+  instanceId: string
+  baseUrl: string
+}
+
+export function getCodeNomadConfig(): CodeNomadConfig {
+  return {
+    instanceId: requireEnv("CODENOMAD_INSTANCE_ID"),
+    baseUrl: requireEnv("CODENOMAD_BASE_URL"),
+  }
+}
+
+export function createCodeNomadRequester(config: CodeNomadConfig) {
+  const baseUrl = config.baseUrl.replace(/\/+$/, "")
+  const pluginBase = `${baseUrl}/workspaces/${encodeURIComponent(config.instanceId)}/plugin`
+  const authorization = buildInstanceAuthorizationHeader()
+
+  const buildUrl = (path: string) => {
+    if (path.startsWith("http://") || path.startsWith("https://")) {
+      return path
+    }
+    const normalized = path.startsWith("/") ? path : `/${path}`
+    return `${pluginBase}${normalized}`
+  }
+
+  const buildHeaders = (headers: HeadersInit | undefined, hasBody: boolean): Record<string, string> => {
+    const output: Record<string, string> = normalizeHeaders(headers)
+    output.Authorization = authorization
+    if (hasBody) {
+      output["Content-Type"] = output["Content-Type"] ?? "application/json"
+    }
+    return output
+  }
+
+  const fetchWithAuth = async (path: string, init?: RequestInit): Promise<Response> => {
+    const url = buildUrl(path)
+    const hasBody = init?.body !== undefined
+    const headers = buildHeaders(init?.headers, hasBody)
+
+    return fetch(url, {
+      ...init,
+      headers,
+    })
+  }
+
+  const requestJson = async <T>(path: string, init?: RequestInit): Promise<T> => {
+    const response = await fetchWithAuth(path, init)
+    if (!response.ok) {
+      const message = await response.text().catch(() => "")
+      throw new Error(message || `Request failed with ${response.status}`)
+    }
+
+    if (response.status === 204) {
+      return undefined as T
+    }
+
+    return (await response.json()) as T
+  }
+
+  const requestVoid = async (path: string, init?: RequestInit): Promise<void> => {
+    const response = await fetchWithAuth(path, init)
+    if (!response.ok) {
+      const message = await response.text().catch(() => "")
+      throw new Error(message || `Request failed with ${response.status}`)
+    }
+  }
+
+  const requestSseBody = async (path: string): Promise<ReadableStream<Uint8Array>> => {
+    const response = await fetchWithAuth(path, { headers: { Accept: "text/event-stream" } })
+    if (!response.ok || !response.body) {
+      throw new Error(`SSE unavailable (${response.status})`)
+    }
+    return response.body as ReadableStream<Uint8Array>
+  }
+
+  return {
+    buildUrl,
+    fetch: fetchWithAuth,
+    requestJson,
+    requestVoid,
+    requestSseBody,
+  }
+}
+
+function requireEnv(key: string): string {
+  const value = process.env[key]
+  if (!value || !value.trim()) {
+    throw new Error(`[CodeNomadPlugin] Missing required env var ${key}`)
+  }
+  return value
+}
+
+function buildInstanceAuthorizationHeader(): string {
+  const username = requireEnv("OPENCODE_SERVER_USERNAME")
+  const password = requireEnv("OPENCODE_SERVER_PASSWORD")
+  const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64")
+  return `Basic ${token}`
+}
+
+function normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
+  const output: Record<string, string> = {}
+  if (!headers) return output
+
+  if (headers instanceof Headers) {
+    headers.forEach((value, key) => {
+      output[key] = value
+    })
+    return output
+  }
+
+  if (Array.isArray(headers)) {
+    for (const [key, value] of headers) {
+      output[key] = value
+    }
+    return output
+  }
+
+  return { ...headers }
+}

package/dist/server/http-server.js

@@ -14,6 +14,8 @@ import { registerStorageRoutes } from "./routes/storage";
 import { registerPluginRoutes } from "./routes/plugin";
 import { registerBackgroundProcessRoutes } from "./routes/background-processes";
 import { BackgroundProcessManager } from "../background-processes/manager";
+import { registerAuthRoutes } from "./routes/auth";
+import { sendUnauthorized, wantsHtml } from "../auth/http-auth";
 const DEFAULT_HTTP_PORT = 9898;
 export function createHttpServer(deps) {
     const app = Fastify({ logger: false });
@@ -53,8 +55,30 @@ export function createHttpServer(deps) {
         }
         done();
     });
+    const allowedDevOrigins = new Set(["http://localhost:3000", "http://127.0.0.1:3000"]);
     app.register(cors, {
-        origin: true,
+        origin: (origin, cb) => {
+            if (!origin) {
+                cb(null, true);
+                return;
+            }
+            let selfOrigin = null;
+            try {
+                selfOrigin = new URL(deps.serverMeta.httpBaseUrl).origin;
+            }
+            catch {
+                selfOrigin = null;
+            }
+            if (selfOrigin && origin === selfOrigin) {
+                cb(null, true);
+                return;
+            }
+            if (allowedDevOrigins.has(origin)) {
+                cb(null, true);
+                return;
+            }
+            cb(null, false);
+        },
         credentials: true,
     });
     app.register(replyFrom, {
@@ -71,6 +95,62 @@ export function createHttpServer(deps) {
         eventBus: deps.eventBus,
         logger: deps.logger.child({ component: "background-processes" }),
     });
+    registerAuthRoutes(app, { authManager: deps.authManager });
+    app.addHook("preHandler", (request, reply, done) => {
+        const rawUrl = request.raw.url ?? request.url;
+        const pathname = (rawUrl.split("?")[0] ?? "").trim();
+        const publicApiPaths = new Set(["/api/auth/login", "/api/auth/token", "/api/auth/status", "/api/auth/logout"]);
+        const publicPagePaths = new Set(["/login"]);
+        if (deps.authManager.isTokenBootstrapEnabled()) {
+            publicPagePaths.add("/auth/token");
+        }
+        if (publicApiPaths.has(pathname) || publicPagePaths.has(pathname)) {
+            done();
+            return;
+        }
+        const session = deps.authManager.getSessionFromRequest(request);
+        const requiresAuthForApi = pathname.startsWith("/api/") || pathname.startsWith("/workspaces/");
+        if (requiresAuthForApi && !session) {
+            // Allow OpenCode plugin -> CodeNomad calls with per-instance basic auth.
+            const pluginMatch = pathname.match(/^\/workspaces\/([^/]+)\/plugin(?:\/|$)/);
+            if (pluginMatch) {
+                const workspaceId = pluginMatch[1];
+                const expected = deps.workspaceManager.getInstanceAuthorizationHeader(workspaceId);
+                const provided = Array.isArray(request.headers.authorization)
+                    ? request.headers.authorization[0]
+                    : request.headers.authorization;
+                if (expected && provided && provided === expected) {
+                    done();
+                    return;
+                }
+            }
+            sendUnauthorized(request, reply);
+            return;
+        }
+        if (!session && wantsHtml(request)) {
+            reply.redirect("/login");
+            return;
+        }
+        done();
+    });
+    app.get("/", async (request, reply) => {
+        const session = deps.authManager.getSessionFromRequest(request);
+        if (!session) {
+            reply.redirect("/login");
+            return;
+        }
+        if (deps.uiDevServerUrl) {
+            await proxyToDevServer(request, reply, deps.uiDevServerUrl);
+            return;
+        }
+        const uiDir = deps.uiStaticDir;
+        const indexPath = path.join(uiDir, "index.html");
+        if (uiDir && fs.existsSync(indexPath)) {
+            reply.type("text/html").send(fs.readFileSync(indexPath, "utf-8"));
+            return;
+        }
+        reply.code(404).send({ message: "UI bundle missing" });
+    });
     registerWorkspaceRoutes(app, { workspaceManager: deps.workspaceManager });
     registerConfigRoutes(app, { configStore: deps.configStore, binaryRegistry: deps.binaryRegistry });
     registerFilesystemRoutes(app, { fileSystemBrowser: deps.fileSystemBrowser });
@@ -85,10 +165,10 @@ export function createHttpServer(deps) {
     registerBackgroundProcessRoutes(app, { backgroundProcessManager });
     registerInstanceProxyRoutes(app, { workspaceManager: deps.workspaceManager, logger: proxyLogger });
     if (deps.uiDevServerUrl) {
-        setupDevProxy(app, deps.uiDevServerUrl);
+        setupDevProxy(app, deps.uiDevServerUrl, deps.authManager);
     }
     else {
-        setupStaticUi(app, deps.uiStaticDir);
+        setupStaticUi(app, deps.uiStaticDir, deps.authManager);
     }
     return {
         instance: app,
@@ -192,11 +272,18 @@ async function proxyWorkspaceRequest(args) {
     const queryIndex = (request.raw.url ?? "").indexOf("?");
     const search = queryIndex >= 0 ? (request.raw.url ?? "").slice(queryIndex) : "";
     const targetUrl = `http://${INSTANCE_PROXY_HOST}:${port}${normalizedSuffix}${search}`;
+    const instanceAuthHeader = workspaceManager.getInstanceAuthorizationHeader(workspaceId);
     logger.debug({ workspaceId, method: request.method, targetUrl }, "Proxying request to instance");
     if (logger.isLevelEnabled("trace")) {
         logger.trace({ workspaceId, targetUrl, body: request.body }, "Instance proxy payload");
     }
     return reply.from(targetUrl, {
+        rewriteRequestHeaders: (_originalRequest, headers) => {
+            if (instanceAuthHeader) {
+                headers.authorization = instanceAuthHeader;
+            }
+            return headers;
+        },
         onError: (proxyReply, { error }) => {
             logger.error({ err: error, workspaceId, targetUrl }, "Failed to proxy workspace request");
             if (!proxyReply.sent) {
@@ -212,7 +299,7 @@ function normalizeInstanceSuffix(pathSuffix) {
     const trimmed = pathSuffix.replace(/^\/+/, "");
     return trimmed.length === 0 ? "/" : `/${trimmed}`;
 }
-function setupStaticUi(app, uiDir) {
+function setupStaticUi(app, uiDir, authManager) {
     if (!uiDir) {
         app.log.warn("UI static directory not provided; API endpoints only");
         return;
@@ -233,6 +320,11 @@ function setupStaticUi(app, uiDir) {
             reply.code(404).send({ message: "Not Found" });
             return;
         }
+        const session = authManager.getSessionFromRequest(request);
+        if (!session && wantsHtml(request)) {
+            reply.redirect("/login");
+            return;
+        }
         if (fs.existsSync(indexPath)) {
             reply.type("text/html").send(fs.readFileSync(indexPath, "utf-8"));
         }
@@ -241,7 +333,7 @@ function setupStaticUi(app, uiDir) {
         }
     });
 }
-function setupDevProxy(app, upstreamBase) {
+function setupDevProxy(app, upstreamBase, authManager) {
     app.log.info({ upstreamBase }, "Proxying UI requests to development server");
     app.setNotFoundHandler((request, reply) => {
         const url = request.raw.url ?? "";
@@ -249,6 +341,11 @@ function setupDevProxy(app, upstreamBase) {
             reply.code(404).send({ message: "Not Found" });
             return;
         }
+        const session = authManager.getSessionFromRequest(request);
+        if (!session && wantsHtml(request)) {
+            reply.redirect("/login");
+            return;
+        }
         void proxyToDevServer(request, reply, upstreamBase);
     });
 }

package/dist/server/routes/auth-pages/login.html

@@ -0,0 +1,134 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>CodeNomad Login</title>
+    <style>
+      body {
+        font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial;
+        background: #0b0b0f;
+        color: #fff;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        height: 100vh;
+        margin: 0;
+      }
+      .card {
+        width: 420px;
+        max-width: calc(100vw - 32px);
+        background: #14141c;
+        border: 1px solid rgba(255, 255, 255, 0.08);
+        border-radius: 14px;
+        padding: 24px;
+      }
+      h1 {
+        font-size: 18px;
+        margin: 0 0 12px;
+      }
+      p {
+        margin: 0 0 18px;
+        color: rgba(255, 255, 255, 0.7);
+        font-size: 13px;
+        line-height: 1.4;
+      }
+      label {
+        display: block;
+        font-size: 12px;
+        margin: 10px 0 6px;
+        color: rgba(255, 255, 255, 0.75);
+      }
+      input {
+        width: 100%;
+        box-sizing: border-box;
+        padding: 10px 12px;
+        border-radius: 10px;
+        border: 1px solid rgba(255, 255, 255, 0.12);
+        background: #0f0f16;
+        color: #fff;
+      }
+      button {
+        width: 100%;
+        margin-top: 14px;
+        padding: 10px 12px;
+        border-radius: 10px;
+        border: 0;
+        background: #4c6fff;
+        color: #fff;
+        font-weight: 600;
+        cursor: pointer;
+      }
+      .error {
+        margin-top: 12px;
+        color: #ff6b6b;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Sign in</h1>
+      <p>This CodeNomad server is protected. Enter your credentials to continue.</p>
+
+      <label for="username">Username</label>
+      <input id="username" autocomplete="username" placeholder="{{DEFAULT_USERNAME}}" value="" />
+
+      <label for="password">Password</label>
+      <input id="password" type="password" autocomplete="current-password" value="" />
+
+      <button id="submit" type="button">Continue</button>
+      <div id="error" class="error" style="display: none"></div>
+    </div>
+
+    <script>
+      const $ = (id) => document.getElementById(id)
+      const errorEl = $("error")
+      const showError = (msg) => {
+        errorEl.textContent = msg
+        errorEl.style.display = "block"
+      }
+      const hideError = () => {
+        errorEl.textContent = ""
+        errorEl.style.display = "none"
+      }
+
+      async function submit() {
+        hideError()
+        const username = $("username").value.trim()
+        const password = $("password").value
+        if (!username || !password) {
+          showError("Username and password are required.")
+          return
+        }
+        try {
+          const res = await fetch("/api/auth/login", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ username, password }),
+            credentials: "include",
+          })
+          if (!res.ok) {
+            let message = ""
+            try {
+              const json = await res.json()
+              message = json && json.error ? String(json.error) : ""
+            } catch {
+              message = ""
+            }
+            showError(message || `Login failed (${res.status})`)
+            return
+          }
+          window.location.href = "/"
+        } catch (e) {
+          showError(e && e.message ? e.message : String(e))
+        }
+      }
+
+      $("submit").addEventListener("click", submit)
+      $("password").addEventListener("keydown", (e) => {
+        if (e.key === "Enter") submit()
+      })
+    </script>
+  </body>
+</html>

package/dist/server/routes/auth-pages/token.html

@@ -0,0 +1,93 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>CodeNomad</title>
+    <style>
+      body {
+        font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial;
+        background: #0b0b0f;
+        color: #fff;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        height: 100vh;
+        margin: 0;
+      }
+      .card {
+        width: 420px;
+        max-width: calc(100vw - 32px);
+        background: #14141c;
+        border: 1px solid rgba(255, 255, 255, 0.08);
+        border-radius: 14px;
+        padding: 24px;
+      }
+      h1 {
+        font-size: 18px;
+        margin: 0 0 12px;
+      }
+      p {
+        margin: 0;
+        color: rgba(255, 255, 255, 0.7);
+        font-size: 13px;
+        line-height: 1.4;
+      }
+      .error {
+        margin-top: 12px;
+        color: #ff6b6b;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Connecting…</h1>
+      <p>Finalizing local authentication.</p>
+      <div id="error" class="error" style="display: none"></div>
+    </div>
+
+    <script>
+      const token = (location.hash || "").replace(/^#/, "").trim()
+      const errorEl = document.getElementById("error")
+      const showError = (msg) => {
+        errorEl.textContent = msg
+        errorEl.style.display = "block"
+      }
+
+      async function run() {
+        if (!token) {
+          showError("Missing bootstrap token.")
+          return
+        }
+
+        try {
+          const res = await fetch("/api/auth/token", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ token }),
+            credentials: "include",
+          })
+
+          if (!res.ok) {
+            let message = ""
+            try {
+              const json = await res.json()
+              message = json && json.error ? String(json.error) : ""
+            } catch {
+              message = ""
+            }
+            showError(message || `Token exchange failed (${res.status})`)
+            return
+          }
+
+          window.location.replace("/")
+        } catch (e) {
+          showError(e && e.message ? e.message : String(e))
+        }
+      }
+
+      run()
+    </script>
+  </body>
+</html>