@neuralnomads/codenomad 0.6.0 → 0.7.1

package/dist/auth/auth-store.js

@@ -0,0 +1,134 @@
+import fs from "fs";
+import path from "path";
+import { hashPassword, verifyPassword } from "./password-hash";
+export class AuthStore {
+    constructor(authFilePath, logger) {
+        this.authFilePath = authFilePath;
+        this.logger = logger;
+        this.cachedFile = null;
+        this.overrideAuth = null;
+        this.bootstrapUsername = null;
+    }
+    getAuthFilePath() {
+        return this.authFilePath;
+    }
+    load() {
+        if (this.overrideAuth) {
+            return this.overrideAuth;
+        }
+        if (this.cachedFile) {
+            return this.cachedFile;
+        }
+        try {
+            if (!fs.existsSync(this.authFilePath)) {
+                return null;
+            }
+            const raw = fs.readFileSync(this.authFilePath, "utf-8");
+            const parsed = JSON.parse(raw);
+            if (!parsed || parsed.version !== 1) {
+                this.logger.warn({ authFilePath: this.authFilePath }, "Auth file has unsupported version");
+                return null;
+            }
+            this.cachedFile = parsed;
+            return parsed;
+        }
+        catch (error) {
+            this.logger.warn({ err: error, authFilePath: this.authFilePath }, "Failed to load auth file");
+            return null;
+        }
+    }
+    ensureInitialized(params) {
+        const password = params.password?.trim();
+        if (password) {
+            const now = new Date().toISOString();
+            const runtime = {
+                version: 1,
+                username: params.username,
+                password: hashPassword(password),
+                userProvided: true,
+                updatedAt: now,
+            };
+            this.overrideAuth = runtime;
+            this.cachedFile = null;
+            this.bootstrapUsername = null;
+            this.logger.debug({ authFilePath: this.authFilePath }, "Using runtime auth password override; ignoring auth file");
+            return;
+        }
+        const existing = this.load();
+        if (existing) {
+            if (existing.username !== params.username) {
+                // Keep existing username unless explicitly overridden later.
+                this.logger.debug({ existing: existing.username, requested: params.username }, "Auth username differs from requested");
+            }
+            this.bootstrapUsername = null;
+            return;
+        }
+        if (params.allowBootstrapWithoutPassword) {
+            this.bootstrapUsername = params.username;
+            this.logger.debug({ authFilePath: this.authFilePath }, "No auth file present; bootstrap-only mode enabled");
+            return;
+        }
+        throw new Error(`No server password configured. Create ${this.authFilePath} or start with --password / CODENOMAD_SERVER_PASSWORD.`);
+    }
+    validateCredentials(username, password) {
+        const auth = this.load();
+        if (!auth) {
+            return false;
+        }
+        if (username !== auth.username) {
+            return false;
+        }
+        return verifyPassword(password, auth.password);
+    }
+    setPassword(params) {
+        if (this.overrideAuth) {
+            throw new Error("Server password is provided via CLI/env and cannot be changed while running. Restart without --password / CODENOMAD_SERVER_PASSWORD to use auth.json.");
+        }
+        const current = this.load();
+        if (!current) {
+            if (!this.bootstrapUsername) {
+                throw new Error("Auth is not initialized");
+            }
+            const created = {
+                version: 1,
+                username: this.bootstrapUsername,
+                password: hashPassword(params.password),
+                userProvided: params.markUserProvided,
+                updatedAt: new Date().toISOString(),
+            };
+            this.persist(created);
+            this.bootstrapUsername = null;
+            return { username: created.username, passwordUserProvided: created.userProvided };
+        }
+        const next = {
+            ...current,
+            password: hashPassword(params.password),
+            userProvided: params.markUserProvided,
+            updatedAt: new Date().toISOString(),
+        };
+        this.persist(next);
+        return { username: next.username, passwordUserProvided: next.userProvided };
+    }
+    getStatus() {
+        const current = this.load();
+        if (current) {
+            return { username: current.username, passwordUserProvided: current.userProvided };
+        }
+        if (this.bootstrapUsername) {
+            return { username: this.bootstrapUsername, passwordUserProvided: false };
+        }
+        throw new Error("Auth is not initialized");
+    }
+    persist(auth) {
+        try {
+            fs.mkdirSync(path.dirname(this.authFilePath), { recursive: true });
+            fs.writeFileSync(this.authFilePath, JSON.stringify(auth, null, 2), "utf-8");
+            this.cachedFile = auth;
+            this.logger.debug({ authFilePath: this.authFilePath }, "Persisted auth file");
+        }
+        catch (error) {
+            this.logger.error({ err: error, authFilePath: this.authFilePath }, "Failed to persist auth file");
+            throw error;
+        }
+    }
+}

package/dist/auth/http-auth.js

@@ -0,0 +1,37 @@
+export function parseCookies(header) {
+    const result = {};
+    if (!header)
+        return result;
+    const parts = header.split(";");
+    for (const part of parts) {
+        const index = part.indexOf("=");
+        if (index < 0)
+            continue;
+        const key = part.slice(0, index).trim();
+        const value = part.slice(index + 1).trim();
+        if (!key)
+            continue;
+        result[key] = decodeURIComponent(value);
+    }
+    return result;
+}
+export function isLoopbackAddress(remoteAddress) {
+    if (!remoteAddress)
+        return false;
+    if (remoteAddress === "127.0.0.1" || remoteAddress === "::1")
+        return true;
+    if (remoteAddress === "::ffff:127.0.0.1")
+        return true;
+    return false;
+}
+export function wantsHtml(request) {
+    const accept = (request.headers["accept"] ?? "").toString().toLowerCase();
+    return accept.includes("text/html") || accept.includes("application/xhtml");
+}
+export function sendUnauthorized(request, reply) {
+    if (request.method === "GET" && !request.url.startsWith("/api/") && wantsHtml(request)) {
+        reply.redirect("/login");
+        return;
+    }
+    reply.code(401).send({ error: "Unauthorized" });
+}

package/dist/auth/manager.js

@@ -0,0 +1,87 @@
+import path from "path";
+import { AuthStore } from "./auth-store";
+import { TokenManager } from "./token-manager";
+import { SessionManager } from "./session-manager";
+import { isLoopbackAddress, parseCookies } from "./http-auth";
+export const BOOTSTRAP_TOKEN_STDOUT_PREFIX = "CODENOMAD_BOOTSTRAP_TOKEN:";
+export const DEFAULT_AUTH_USERNAME = "codenomad";
+export const DEFAULT_AUTH_COOKIE_NAME = "codenomad_session";
+export class AuthManager {
+    constructor(init, logger) {
+        this.init = init;
+        this.logger = logger;
+        this.sessionManager = new SessionManager();
+        this.cookieName = DEFAULT_AUTH_COOKIE_NAME;
+        const authFilePath = resolveAuthFilePath(init.configPath);
+        this.authStore = new AuthStore(authFilePath, logger.child({ component: "auth" }));
+        // Startup: password comes from CLI/env, auth.json, or bootstrap-only mode.
+        this.authStore.ensureInitialized({
+            username: init.username,
+            password: init.password,
+            allowBootstrapWithoutPassword: init.generateToken,
+        });
+        this.tokenManager = init.generateToken ? new TokenManager(60000) : null;
+    }
+    getCookieName() {
+        return this.cookieName;
+    }
+    isTokenBootstrapEnabled() {
+        return Boolean(this.tokenManager);
+    }
+    issueBootstrapToken() {
+        if (!this.tokenManager)
+            return null;
+        return this.tokenManager.generate();
+    }
+    consumeBootstrapToken(token) {
+        if (!this.tokenManager)
+            return false;
+        return this.tokenManager.consume(token);
+    }
+    validateLogin(username, password) {
+        return this.authStore.validateCredentials(username, password);
+    }
+    createSession(username) {
+        return this.sessionManager.createSession(username);
+    }
+    getStatus() {
+        return this.authStore.getStatus();
+    }
+    setPassword(password) {
+        return this.authStore.setPassword({ password, markUserProvided: true });
+    }
+    isLoopbackRequest(request) {
+        return isLoopbackAddress(request.socket.remoteAddress);
+    }
+    getSessionFromRequest(request) {
+        const cookies = parseCookies(request.headers.cookie);
+        const sessionId = cookies[this.cookieName];
+        const session = this.sessionManager.getSession(sessionId);
+        if (!session)
+            return null;
+        return { username: session.username, sessionId: session.id };
+    }
+    setSessionCookie(reply, sessionId) {
+        reply.header("Set-Cookie", buildSessionCookie(this.cookieName, sessionId));
+    }
+    clearSessionCookie(reply) {
+        reply.header("Set-Cookie", buildSessionCookie(this.cookieName, "", { maxAgeSeconds: 0 }));
+    }
+}
+function resolveAuthFilePath(configPath) {
+    const resolvedConfigPath = resolvePath(configPath);
+    return path.join(path.dirname(resolvedConfigPath), "auth.json");
+}
+function resolvePath(filePath) {
+    if (filePath.startsWith("~/")) {
+        return path.join(process.env.HOME ?? "", filePath.slice(2));
+    }
+    return path.resolve(filePath);
+}
+function buildSessionCookie(name, value, options) {
+    const parts = [`${name}=${encodeURIComponent(value)}`, "HttpOnly", "Path=/", "SameSite=Lax"];
+    if (options?.maxAgeSeconds !== undefined) {
+        parts.push(`Max-Age=${Math.max(0, Math.floor(options.maxAgeSeconds))}`);
+    }
+    return parts.join("; ");
+}

package/dist/auth/password-hash.js

@@ -0,0 +1,32 @@
+import crypto from "crypto";
+const DEFAULT_SCRYPT_PARAMS = {
+    N: 16384,
+    r: 8,
+    p: 1,
+    maxmem: 32 * 1024 * 1024,
+};
+export function hashPassword(password) {
+    const salt = crypto.randomBytes(16);
+    const params = DEFAULT_SCRYPT_PARAMS;
+    const keyLength = 64;
+    const derived = crypto.scryptSync(password, salt, keyLength, params);
+    return {
+        algorithm: "scrypt",
+        saltBase64: salt.toString("base64"),
+        hashBase64: Buffer.from(derived).toString("base64"),
+        keyLength,
+        params,
+    };
+}
+export function verifyPassword(password, record) {
+    if (record.algorithm !== "scrypt") {
+        return false;
+    }
+    const salt = Buffer.from(record.saltBase64, "base64");
+    const expected = Buffer.from(record.hashBase64, "base64");
+    const derived = crypto.scryptSync(password, salt, record.keyLength, record.params);
+    if (expected.length !== derived.length) {
+        return false;
+    }
+    return crypto.timingSafeEqual(expected, Buffer.from(derived));
+}

package/dist/auth/session-manager.js

@@ -0,0 +1,17 @@
+import crypto from "crypto";
+export class SessionManager {
+    constructor() {
+        this.sessions = new Map();
+    }
+    createSession(username) {
+        const id = crypto.randomBytes(32).toString("base64url");
+        const info = { id, createdAt: Date.now(), username };
+        this.sessions.set(id, info);
+        return info;
+    }
+    getSession(id) {
+        if (!id)
+            return undefined;
+        return this.sessions.get(id);
+    }
+}

package/dist/auth/token-manager.js

@@ -0,0 +1,27 @@
+import crypto from "crypto";
+export class TokenManager {
+    constructor(ttlMs) {
+        this.ttlMs = ttlMs;
+        this.token = null;
+    }
+    generate() {
+        const token = crypto.randomBytes(32).toString("base64url");
+        this.token = { token, createdAt: Date.now(), consumed: false };
+        return token;
+    }
+    consume(token) {
+        if (!this.token)
+            return false;
+        if (this.token.consumed)
+            return false;
+        if (Date.now() - this.token.createdAt > this.ttlMs)
+            return false;
+        if (token !== this.token.token)
+            return false;
+        this.token.consumed = true;
+        return true;
+    }
+    peek() {
+        return this.token?.token ?? null;
+    }
+}

package/dist/index.js

@@ -17,6 +17,7 @@ import { InstanceEventBridge } from "./workspaces/instance-events";
 import { createLogger } from "./logger";
 import { launchInBrowser } from "./launcher";
 import { startReleaseMonitor } from "./releases/release-monitor";
+import { AuthManager, BOOTSTRAP_TOKEN_STDOUT_PREFIX, DEFAULT_AUTH_USERNAME } from "./auth/manager";
 const require = createRequire(import.meta.url);
 const packageJson = require("../package.json");
 const __filename = fileURLToPath(import.meta.url);
@@ -40,7 +41,14 @@ function parseCliOptions(argv) {
         .addOption(new Option("--log-destination <path>", "Log destination file (defaults to stdout)").env("CLI_LOG_DESTINATION"))
         .addOption(new Option("--ui-dir <path>", "Directory containing the built UI bundle").env("CLI_UI_DIR").default(DEFAULT_UI_STATIC_DIR))
         .addOption(new Option("--ui-dev-server <url>", "Proxy UI requests to a running dev server").env("CLI_UI_DEV_SERVER"))
-        .addOption(new Option("--launch", "Launch the UI in a browser after start").env("CLI_LAUNCH").default(false));
+        .addOption(new Option("--launch", "Launch the UI in a browser after start").env("CLI_LAUNCH").default(false))
+        .addOption(new Option("--username <username>", "Username for server authentication")
+        .env("CODENOMAD_SERVER_USERNAME")
+        .default(DEFAULT_AUTH_USERNAME))
+        .addOption(new Option("--password <password>", "Password for server authentication").env("CODENOMAD_SERVER_PASSWORD"))
+        .addOption(new Option("--generate-token", "Emit a one-time bootstrap token for desktop")
+        .env("CODENOMAD_GENERATE_TOKEN")
+        .default(false));
     program.parse(argv, { from: "user" });
     const parsed = program.opts();
     const resolvedRoot = parsed.workspaceRoot ?? parsed.root ?? process.cwd();
@@ -56,6 +64,9 @@ function parseCliOptions(argv) {
         uiStaticDir: parsed.uiDir,
         uiDevServer: parsed.uiDevServer,
         launch: Boolean(parsed.launch),
+        authUsername: parsed.username,
+        authPassword: parsed.password,
+        generateToken: Boolean(parsed.generateToken),
     };
 }
 function parsePort(input) {
@@ -77,7 +88,11 @@ async function main() {
     const workspaceLogger = logger.child({ component: "workspace" });
     const configLogger = logger.child({ component: "config" });
     const eventLogger = logger.child({ component: "events" });
-    logger.info({ options }, "Starting CodeNomad CLI server");
+    const logOptions = {
+        ...options,
+        authPassword: options.authPassword ? "[REDACTED]" : undefined,
+    };
+    logger.info({ options: logOptions }, "Starting CodeNomad CLI server");
     const eventBus = new EventBus(eventLogger);
     const serverMeta = {
         httpBaseUrl: `http://${options.host}:${options.port}`,
@@ -89,6 +104,18 @@ async function main() {
         workspaceRoot: options.rootDir,
         addresses: [],
     };
+    const authManager = new AuthManager({
+        configPath: options.configPath,
+        username: options.authUsername,
+        password: options.authPassword,
+        generateToken: options.generateToken,
+    }, logger.child({ component: "auth" }));
+    if (options.generateToken) {
+        const token = authManager.issueBootstrapToken();
+        if (token) {
+            console.log(`${BOOTSTRAP_TOKEN_STDOUT_PREFIX}${token}`);
+        }
+    }
     const configStore = new ConfigStore(options.configPath, eventBus, configLogger);
     const binaryRegistry = new BinaryRegistry(configStore, eventBus, configLogger);
     const workspaceManager = new WorkspaceManager({
@@ -129,6 +156,7 @@ async function main() {
         eventBus,
         serverMeta,
         instanceStore,
+        authManager,
         uiStaticDir: options.uiStaticDir,
         uiDevServerUrl: options.uiDevServer,
         logger,

package/dist/opencode-config/package.json

@@ -3,6 +3,6 @@
   "version": "0.5.0",
   "private": true,
   "dependencies": {
-    "@opencode-ai/plugin": "1.1.8"
+    "@opencode-ai/plugin": "1.1.16"
   }
 }

package/dist/opencode-config/plugin/lib/background-process.ts

@@ -1,5 +1,6 @@
 import path from "path"
 import { tool } from "@opencode-ai/plugin/tool"
+import { createCodeNomadRequester, type CodeNomadConfig } from "./request"
 
 type BackgroundProcess = {
   id: string
@@ -12,11 +13,6 @@ type BackgroundProcess = {
   outputSizeBytes?: number
 }
 
-type CodeNomadConfig = {
-  instanceId: string
-  baseUrl: string
-}
-
 type BackgroundProcessOptions = {
   baseDir: string
 }
@@ -27,30 +23,10 @@ type ParsedCommand = {
 }
 
 export function createBackgroundProcessTools(config: CodeNomadConfig, options: BackgroundProcessOptions) {
-  const request = async <T>(path: string, init?: RequestInit): Promise<T> => {
-
-    const base = config.baseUrl.replace(/\/+$/, "")
-    const url = `${base}/workspaces/${config.instanceId}/plugin/background-processes${path}`
-    const headers = normalizeHeaders(init?.headers)
-    if (init?.body !== undefined) {
-      headers["Content-Type"] = "application/json"
-    }
-
-    const response = await fetch(url, {
-      ...init,
-      headers,
-    })
+  const requester = createCodeNomadRequester(config)
 
-    if (!response.ok) {
-      const message = await response.text()
-      throw new Error(message || `Request failed with ${response.status}`)
-    }
-
-    if (response.status === 204) {
-      return undefined as T
-    }
-
-    return (await response.json()) as T
+  const request = async <T>(path: string, init?: RequestInit): Promise<T> => {
+    return requester.requestJson<T>(`/background-processes${path}`, init)
   }
 
   return {
@@ -249,13 +225,7 @@ function tokenize(input: string): string[] {
 
     if (char === "|" || char === "&" || char === ";") {
       flush()
-      const next = input[index + 1]
-      if ((char === "|" || char === "&") && next === char) {
-        tokens.push(char + next)
-        index += 1
-      } else {
-        tokens.push(char)
-      }
+      tokens.push(char)
       continue
     }
 
@@ -266,44 +236,18 @@ function tokenize(input: string): string[] {
   return tokens
 }
 
-function isSeparator(token: string) {
-  return token === "|" || token === "||" || token === "&&" || token === ";" || token === "&"
+function isSeparator(token: string): boolean {
+  return token === "|" || token === "&" || token === ";"
 }
 
-function unquote(value: string) {
-  if (value.length >= 2) {
-    const first = value[0]
-    const last = value[value.length - 1]
-    if ((first === "'" && last === "'") || (first === '"' && last === '"')) {
-      return value.slice(1, -1)
-    }
+function unquote(token: string): string {
+  if ((token.startsWith('"') && token.endsWith('"')) || (token.startsWith("'") && token.endsWith("'"))) {
+    return token.slice(1, -1)
   }
-  return value
+  return token
 }
 
-function isWithinBase(baseDir: string, target: string) {
-  const relative = path.relative(baseDir, target)
-  if (!relative) return true
-  return !relative.startsWith("..") && !path.isAbsolute(relative)
-}
-
-function normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
-  const output: Record<string, string> = {}
-  if (!headers) return output
-
-  if (headers instanceof Headers) {
-    headers.forEach((value, key) => {
-      output[key] = value
-    })
-    return output
-  }
-
-  if (Array.isArray(headers)) {
-    for (const [key, value] of headers) {
-      output[key] = value
-    }
-    return output
-  }
-
-  return { ...headers }
+function isWithinBase(base: string, candidate: string): boolean {
+  const relative = path.relative(base, candidate)
+  return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative))
 }

package/dist/opencode-config/plugin/lib/client.ts

@@ -1,74 +1,41 @@
-export type PluginEvent = {
-  type: string
-  properties?: Record<string, unknown>
-}
+import { createCodeNomadRequester, type CodeNomadConfig, type PluginEvent } from "./request"
 
-export type CodeNomadConfig = {
-  instanceId: string
-  baseUrl: string
-}
-
-export function getCodeNomadConfig(): CodeNomadConfig {
-  return {
-    instanceId: requireEnv("CODENOMAD_INSTANCE_ID"),
-    baseUrl: requireEnv("CODENOMAD_BASE_URL"),
-  }
-}
+export { getCodeNomadConfig, type CodeNomadConfig, type PluginEvent } from "./request"
 
 export function createCodeNomadClient(config: CodeNomadConfig) {
-  return {
-    postEvent: (event: PluginEvent) => postPluginEvent(config.baseUrl, config.instanceId, event),
-    startEvents: (onEvent: (event: PluginEvent) => void) => startPluginEvents(config.baseUrl, config.instanceId, onEvent),
-  }
-}
+  const requester = createCodeNomadRequester(config)
 
-function requireEnv(key: string): string {
-  const value = process.env[key]
-  if (!value || !value.trim()) {
-    throw new Error(`[CodeNomadPlugin] Missing required env var ${key}`)
+  return {
+    postEvent: (event: PluginEvent) =>
+      requester.requestVoid("/event", {
+        method: "POST",
+        body: JSON.stringify(event),
+      }),
+    startEvents: (onEvent: (event: PluginEvent) => void) => startPluginEvents(requester, onEvent),
   }
-  return value
 }
 
 function delay(ms: number) {
   return new Promise<void>((resolve) => setTimeout(resolve, ms))
 }
 
-async function postPluginEvent(baseUrl: string, instanceId: string, event: PluginEvent) {
-  const url = `${baseUrl.replace(/\/+$/, "")}/workspaces/${instanceId}/plugin/event`
-  const response = await fetch(url, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-    },
-    body: JSON.stringify(event),
-  })
-
-  if (!response.ok) {
-    throw new Error(`[CodeNomadPlugin] POST ${url} failed (${response.status})`)
-  }
-}
-
-async function startPluginEvents(baseUrl: string, instanceId: string, onEvent: (event: PluginEvent) => void) {
-  const url = `${baseUrl.replace(/\/+$/, "")}/workspaces/${instanceId}/plugin/events`
-
+async function startPluginEvents(
+  requester: ReturnType<typeof createCodeNomadRequester>,
+  onEvent: (event: PluginEvent) => void,
+) {
   // Fail plugin startup if we cannot establish the initial connection.
-  const initialBody = await connectWithRetries(url, 3)
+  const initialBody = await connectWithRetries(requester, 3)
 
   // After startup, keep reconnecting; throw after 3 consecutive failures.
-  void consumeWithReconnect(url, onEvent, initialBody)
+  void consumeWithReconnect(requester, onEvent, initialBody)
 }
 
-async function connectWithRetries(url: string, maxAttempts: number) {
+async function connectWithRetries(requester: ReturnType<typeof createCodeNomadRequester>, maxAttempts: number) {
   let lastError: unknown
 
   for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
     try {
-      const response = await fetch(url, { headers: { Accept: "text/event-stream" } })
-      if (!response.ok || !response.body) {
-        throw new Error(`[CodeNomadPlugin] SSE unavailable (${response.status})`)
-      }
-      return response.body
+      return await requester.requestSseBody("/events")
     } catch (error) {
       lastError = error
       await delay(500 * attempt)
@@ -76,11 +43,12 @@ async function connectWithRetries(url: string, maxAttempts: number) {
   }
 
   const reason = lastError instanceof Error ? lastError.message : String(lastError)
-  throw new Error(`[CodeNomadPlugin] Failed to connect to CodeNomad after ${maxAttempts} retries: ${reason}`)
+  const url = requester.buildUrl("/events")
+  throw new Error(`[CodeNomadPlugin] Failed to connect to CodeNomad at ${url} after ${maxAttempts} retries: ${reason}`)
 }
 
 async function consumeWithReconnect(
-  url: string,
+  requester: ReturnType<typeof createCodeNomadRequester>,
   onEvent: (event: PluginEvent) => void,
   initialBody: ReadableStream<Uint8Array>,
 ) {
@@ -90,7 +58,7 @@ async function consumeWithReconnect(
   while (true) {
     try {
       if (!body) {
-        body = await connectWithRetries(url, 3)
+        body = await connectWithRetries(requester, 3)
       }
 
       await consumeSseBody(body, onEvent)