@neuralnomads/codenomad 0.6.0 → 0.7.1

package/dist/opencode-config/plugin/lib/request.ts

@@ -0,0 +1,124 @@
+export type PluginEvent = {
+  type: string
+  properties?: Record<string, unknown>
+}
+
+export type CodeNomadConfig = {
+  instanceId: string
+  baseUrl: string
+}
+
+export function getCodeNomadConfig(): CodeNomadConfig {
+  return {
+    instanceId: requireEnv("CODENOMAD_INSTANCE_ID"),
+    baseUrl: requireEnv("CODENOMAD_BASE_URL"),
+  }
+}
+
+export function createCodeNomadRequester(config: CodeNomadConfig) {
+  const baseUrl = config.baseUrl.replace(/\/+$/, "")
+  const pluginBase = `${baseUrl}/workspaces/${encodeURIComponent(config.instanceId)}/plugin`
+  const authorization = buildInstanceAuthorizationHeader()
+
+  const buildUrl = (path: string) => {
+    if (path.startsWith("http://") || path.startsWith("https://")) {
+      return path
+    }
+    const normalized = path.startsWith("/") ? path : `/${path}`
+    return `${pluginBase}${normalized}`
+  }
+
+  const buildHeaders = (headers: HeadersInit | undefined, hasBody: boolean): Record<string, string> => {
+    const output: Record<string, string> = normalizeHeaders(headers)
+    output.Authorization = authorization
+    if (hasBody) {
+      output["Content-Type"] = output["Content-Type"] ?? "application/json"
+    }
+    return output
+  }
+
+  const fetchWithAuth = async (path: string, init?: RequestInit): Promise<Response> => {
+    const url = buildUrl(path)
+    const hasBody = init?.body !== undefined
+    const headers = buildHeaders(init?.headers, hasBody)
+
+    return fetch(url, {
+      ...init,
+      headers,
+    })
+  }
+
+  const requestJson = async <T>(path: string, init?: RequestInit): Promise<T> => {
+    const response = await fetchWithAuth(path, init)
+    if (!response.ok) {
+      const message = await response.text().catch(() => "")
+      throw new Error(message || `Request failed with ${response.status}`)
+    }
+
+    if (response.status === 204) {
+      return undefined as T
+    }
+
+    return (await response.json()) as T
+  }
+
+  const requestVoid = async (path: string, init?: RequestInit): Promise<void> => {
+    const response = await fetchWithAuth(path, init)
+    if (!response.ok) {
+      const message = await response.text().catch(() => "")
+      throw new Error(message || `Request failed with ${response.status}`)
+    }
+  }
+
+  const requestSseBody = async (path: string): Promise<ReadableStream<Uint8Array>> => {
+    const response = await fetchWithAuth(path, { headers: { Accept: "text/event-stream" } })
+    if (!response.ok || !response.body) {
+      throw new Error(`SSE unavailable (${response.status})`)
+    }
+    return response.body as ReadableStream<Uint8Array>
+  }
+
+  return {
+    buildUrl,
+    fetch: fetchWithAuth,
+    requestJson,
+    requestVoid,
+    requestSseBody,
+  }
+}
+
+function requireEnv(key: string): string {
+  const value = process.env[key]
+  if (!value || !value.trim()) {
+    throw new Error(`[CodeNomadPlugin] Missing required env var ${key}`)
+  }
+  return value
+}
+
+function buildInstanceAuthorizationHeader(): string {
+  const username = requireEnv("OPENCODE_SERVER_USERNAME")
+  const password = requireEnv("OPENCODE_SERVER_PASSWORD")
+  const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64")
+  return `Basic ${token}`
+}
+
+function normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
+  const output: Record<string, string> = {}
+  if (!headers) return output
+
+  if (headers instanceof Headers) {
+    headers.forEach((value, key) => {
+      output[key] = value
+    })
+    return output
+  }
+
+  if (Array.isArray(headers)) {
+    for (const [key, value] of headers) {
+      output[key] = value
+    }
+    return output
+  }
+
+  return { ...headers }
+}

package/dist/server/http-server.js

@@ -14,6 +14,8 @@ import { registerStorageRoutes } from "./routes/storage";
 import { registerPluginRoutes } from "./routes/plugin";
 import { registerBackgroundProcessRoutes } from "./routes/background-processes";
 import { BackgroundProcessManager } from "../background-processes/manager";
+import { registerAuthRoutes } from "./routes/auth";
+import { sendUnauthorized, wantsHtml } from "../auth/http-auth";
 const DEFAULT_HTTP_PORT = 9898;
 export function createHttpServer(deps) {
     const app = Fastify({ logger: false });
@@ -53,8 +55,30 @@ export function createHttpServer(deps) {
         }
         done();
     });
+    const allowedDevOrigins = new Set(["http://localhost:3000", "http://127.0.0.1:3000"]);
     app.register(cors, {
-        origin: true,
+        origin: (origin, cb) => {
+            if (!origin) {
+                cb(null, true);
+                return;
+            }
+            let selfOrigin = null;
+            try {
+                selfOrigin = new URL(deps.serverMeta.httpBaseUrl).origin;
+            }
+            catch {
+                selfOrigin = null;
+            }
+            if (selfOrigin && origin === selfOrigin) {
+                cb(null, true);
+                return;
+            }
+            if (allowedDevOrigins.has(origin)) {
+                cb(null, true);
+                return;
+            }
+            cb(null, false);
+        },
         credentials: true,
     });
     app.register(replyFrom, {
@@ -71,6 +95,62 @@ export function createHttpServer(deps) {
         eventBus: deps.eventBus,
         logger: deps.logger.child({ component: "background-processes" }),
     });
+    registerAuthRoutes(app, { authManager: deps.authManager });
+    app.addHook("preHandler", (request, reply, done) => {
+        const rawUrl = request.raw.url ?? request.url;
+        const pathname = (rawUrl.split("?")[0] ?? "").trim();
+        const publicApiPaths = new Set(["/api/auth/login", "/api/auth/token", "/api/auth/status", "/api/auth/logout"]);
+        const publicPagePaths = new Set(["/login"]);
+        if (deps.authManager.isTokenBootstrapEnabled()) {
+            publicPagePaths.add("/auth/token");
+        }
+        if (publicApiPaths.has(pathname) || publicPagePaths.has(pathname)) {
+            done();
+            return;
+        }
+        const session = deps.authManager.getSessionFromRequest(request);
+        const requiresAuthForApi = pathname.startsWith("/api/") || pathname.startsWith("/workspaces/");
+        if (requiresAuthForApi && !session) {
+            // Allow OpenCode plugin -> CodeNomad calls with per-instance basic auth.
+            const pluginMatch = pathname.match(/^\/workspaces\/([^/]+)\/plugin(?:\/|$)/);
+            if (pluginMatch) {
+                const workspaceId = pluginMatch[1];
+                const expected = deps.workspaceManager.getInstanceAuthorizationHeader(workspaceId);
+                const provided = Array.isArray(request.headers.authorization)
+                    ? request.headers.authorization[0]
+                    : request.headers.authorization;
+                if (expected && provided && provided === expected) {
+                    done();
+                    return;
+                }
+            }
+            sendUnauthorized(request, reply);
+            return;
+        }
+        if (!session && wantsHtml(request)) {
+            reply.redirect("/login");
+            return;
+        }
+        done();
+    });
+    app.get("/", async (request, reply) => {
+        const session = deps.authManager.getSessionFromRequest(request);
+        if (!session) {
+            reply.redirect("/login");
+            return;
+        }
+        if (deps.uiDevServerUrl) {
+            await proxyToDevServer(request, reply, deps.uiDevServerUrl);
+            return;
+        }
+        const uiDir = deps.uiStaticDir;
+        const indexPath = path.join(uiDir, "index.html");
+        if (uiDir && fs.existsSync(indexPath)) {
+            reply.type("text/html").send(fs.readFileSync(indexPath, "utf-8"));
+            return;
+        }
+        reply.code(404).send({ message: "UI bundle missing" });
+    });
     registerWorkspaceRoutes(app, { workspaceManager: deps.workspaceManager });
     registerConfigRoutes(app, { configStore: deps.configStore, binaryRegistry: deps.binaryRegistry });
     registerFilesystemRoutes(app, { fileSystemBrowser: deps.fileSystemBrowser });
@@ -85,10 +165,10 @@ export function createHttpServer(deps) {
     registerBackgroundProcessRoutes(app, { backgroundProcessManager });
     registerInstanceProxyRoutes(app, { workspaceManager: deps.workspaceManager, logger: proxyLogger });
     if (deps.uiDevServerUrl) {
-        setupDevProxy(app, deps.uiDevServerUrl);
+        setupDevProxy(app, deps.uiDevServerUrl, deps.authManager);
     }
     else {
-        setupStaticUi(app, deps.uiStaticDir);
+        setupStaticUi(app, deps.uiStaticDir, deps.authManager);
     }
     return {
         instance: app,
@@ -192,11 +272,18 @@ async function proxyWorkspaceRequest(args) {
     const queryIndex = (request.raw.url ?? "").indexOf("?");
     const search = queryIndex >= 0 ? (request.raw.url ?? "").slice(queryIndex) : "";
     const targetUrl = `http://${INSTANCE_PROXY_HOST}:${port}${normalizedSuffix}${search}`;
+    const instanceAuthHeader = workspaceManager.getInstanceAuthorizationHeader(workspaceId);
     logger.debug({ workspaceId, method: request.method, targetUrl }, "Proxying request to instance");
     if (logger.isLevelEnabled("trace")) {
         logger.trace({ workspaceId, targetUrl, body: request.body }, "Instance proxy payload");
     }
     return reply.from(targetUrl, {
+        rewriteRequestHeaders: (_originalRequest, headers) => {
+            if (instanceAuthHeader) {
+                headers.authorization = instanceAuthHeader;
+            }
+            return headers;
+        },
         onError: (proxyReply, { error }) => {
             logger.error({ err: error, workspaceId, targetUrl }, "Failed to proxy workspace request");
             if (!proxyReply.sent) {
@@ -212,7 +299,7 @@ function normalizeInstanceSuffix(pathSuffix) {
     const trimmed = pathSuffix.replace(/^\/+/, "");
     return trimmed.length === 0 ? "/" : `/${trimmed}`;
 }
-function setupStaticUi(app, uiDir) {
+function setupStaticUi(app, uiDir, authManager) {
     if (!uiDir) {
         app.log.warn("UI static directory not provided; API endpoints only");
         return;
@@ -233,6 +320,11 @@ function setupStaticUi(app, uiDir) {
             reply.code(404).send({ message: "Not Found" });
             return;
         }
+        const session = authManager.getSessionFromRequest(request);
+        if (!session && wantsHtml(request)) {
+            reply.redirect("/login");
+            return;
+        }
         if (fs.existsSync(indexPath)) {
             reply.type("text/html").send(fs.readFileSync(indexPath, "utf-8"));
         }
@@ -241,7 +333,7 @@ function setupStaticUi(app, uiDir) {
         }
     });
 }
-function setupDevProxy(app, upstreamBase) {
+function setupDevProxy(app, upstreamBase, authManager) {
     app.log.info({ upstreamBase }, "Proxying UI requests to development server");
     app.setNotFoundHandler((request, reply) => {
         const url = request.raw.url ?? "";
@@ -249,6 +341,11 @@ function setupDevProxy(app, upstreamBase) {
             reply.code(404).send({ message: "Not Found" });
             return;
         }
+        const session = authManager.getSessionFromRequest(request);
+        if (!session && wantsHtml(request)) {
+            reply.redirect("/login");
+            return;
+        }
         void proxyToDevServer(request, reply, upstreamBase);
     });
 }

package/dist/server/routes/auth-pages/login.html

@@ -0,0 +1,134 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>CodeNomad Login</title>
+    <style>
+      body {
+        font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial;
+        background: #0b0b0f;
+        color: #fff;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        height: 100vh;
+        margin: 0;
+      }
+      .card {
+        width: 420px;
+        max-width: calc(100vw - 32px);
+        background: #14141c;
+        border: 1px solid rgba(255, 255, 255, 0.08);
+        border-radius: 14px;
+        padding: 24px;
+      }
+      h1 {
+        font-size: 18px;
+        margin: 0 0 12px;
+      }
+      p {
+        margin: 0 0 18px;
+        color: rgba(255, 255, 255, 0.7);
+        font-size: 13px;
+        line-height: 1.4;
+      }
+      label {
+        display: block;
+        font-size: 12px;
+        margin: 10px 0 6px;
+        color: rgba(255, 255, 255, 0.75);
+      }
+      input {
+        width: 100%;
+        box-sizing: border-box;
+        padding: 10px 12px;
+        border-radius: 10px;
+        border: 1px solid rgba(255, 255, 255, 0.12);
+        background: #0f0f16;
+        color: #fff;
+      }
+      button {
+        width: 100%;
+        margin-top: 14px;
+        padding: 10px 12px;
+        border-radius: 10px;
+        border: 0;
+        background: #4c6fff;
+        color: #fff;
+        font-weight: 600;
+        cursor: pointer;
+      }
+      .error {
+        margin-top: 12px;
+        color: #ff6b6b;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Sign in</h1>
+      <p>This CodeNomad server is protected. Enter your credentials to continue.</p>
+
+      <label for="username">Username</label>
+      <input id="username" autocomplete="username" placeholder="{{DEFAULT_USERNAME}}" value="" />
+
+      <label for="password">Password</label>
+      <input id="password" type="password" autocomplete="current-password" value="" />
+
+      <button id="submit" type="button">Continue</button>
+      <div id="error" class="error" style="display: none"></div>
+    </div>
+
+    <script>
+      const $ = (id) => document.getElementById(id)
+      const errorEl = $("error")
+      const showError = (msg) => {
+        errorEl.textContent = msg
+        errorEl.style.display = "block"
+      }
+      const hideError = () => {
+        errorEl.textContent = ""
+        errorEl.style.display = "none"
+      }
+
+      async function submit() {
+        hideError()
+        const username = $("username").value.trim()
+        const password = $("password").value
+        if (!username || !password) {
+          showError("Username and password are required.")
+          return
+        }
+        try {
+          const res = await fetch("/api/auth/login", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ username, password }),
+            credentials: "include",
+          })
+          if (!res.ok) {
+            let message = ""
+            try {
+              const json = await res.json()
+              message = json && json.error ? String(json.error) : ""
+            } catch {
+              message = ""
+            }
+            showError(message || `Login failed (${res.status})`)
+            return
+          }
+          window.location.href = "/"
+        } catch (e) {
+          showError(e && e.message ? e.message : String(e))
+        }
+      }
+
+      $("submit").addEventListener("click", submit)
+      $("password").addEventListener("keydown", (e) => {
+        if (e.key === "Enter") submit()
+      })
+    </script>
+  </body>
+</html>

package/dist/server/routes/auth-pages/token.html

@@ -0,0 +1,93 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>CodeNomad</title>
+    <style>
+      body {
+        font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial;
+        background: #0b0b0f;
+        color: #fff;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        height: 100vh;
+        margin: 0;
+      }
+      .card {
+        width: 420px;
+        max-width: calc(100vw - 32px);
+        background: #14141c;
+        border: 1px solid rgba(255, 255, 255, 0.08);
+        border-radius: 14px;
+        padding: 24px;
+      }
+      h1 {
+        font-size: 18px;
+        margin: 0 0 12px;
+      }
+      p {
+        margin: 0;
+        color: rgba(255, 255, 255, 0.7);
+        font-size: 13px;
+        line-height: 1.4;
+      }
+      .error {
+        margin-top: 12px;
+        color: #ff6b6b;
+        font-size: 13px;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Connecting…</h1>
+      <p>Finalizing local authentication.</p>
+      <div id="error" class="error" style="display: none"></div>
+    </div>
+
+    <script>
+      const token = (location.hash || "").replace(/^#/, "").trim()
+      const errorEl = document.getElementById("error")
+      const showError = (msg) => {
+        errorEl.textContent = msg
+        errorEl.style.display = "block"
+      }
+
+      async function run() {
+        if (!token) {
+          showError("Missing bootstrap token.")
+          return
+        }
+
+        try {
+          const res = await fetch("/api/auth/token", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ token }),
+            credentials: "include",
+          })
+
+          if (!res.ok) {
+            let message = ""
+            try {
+              const json = await res.json()
+              message = json && json.error ? String(json.error) : ""
+            } catch {
+              message = ""
+            }
+            showError(message || `Token exchange failed (${res.status})`)
+            return
+          }
+
+          window.location.replace("/")
+        } catch (e) {
+          showError(e && e.message ? e.message : String(e))
+        }
+      }
+
+      run()
+    </script>
+  </body>
+</html>

package/dist/server/routes/auth.js

@@ -0,0 +1,128 @@
+import fs from "fs";
+import { z } from "zod";
+import { isLoopbackAddress } from "../../auth/http-auth";
+const LoginSchema = z.object({
+    username: z.string().min(1),
+    password: z.string().min(1),
+});
+const TokenSchema = z.object({
+    token: z.string().min(1),
+});
+const PasswordSchema = z.object({
+    password: z.string().min(8),
+});
+const LOGIN_TEMPLATE_URL = new URL("./auth-pages/login.html", import.meta.url);
+const TOKEN_TEMPLATE_URL = new URL("./auth-pages/token.html", import.meta.url);
+let cachedLoginTemplate = null;
+let cachedTokenTemplate = null;
+function readTemplate(url, cache) {
+    if (cache)
+        return cache;
+    const content = fs.readFileSync(url, "utf-8");
+    return content;
+}
+function getLoginHtml(defaultUsername) {
+    if (!cachedLoginTemplate) {
+        cachedLoginTemplate = readTemplate(LOGIN_TEMPLATE_URL, null);
+    }
+    const escapedUsername = escapeHtml(defaultUsername);
+    return cachedLoginTemplate.replace(/\{\{DEFAULT_USERNAME\}\}/g, escapedUsername);
+}
+function getTokenHtml() {
+    if (!cachedTokenTemplate) {
+        cachedTokenTemplate = readTemplate(TOKEN_TEMPLATE_URL, null);
+    }
+    return cachedTokenTemplate;
+}
+export function registerAuthRoutes(app, deps) {
+    app.get("/login", async (_request, reply) => {
+        const status = deps.authManager.getStatus();
+        reply.type("text/html").send(getLoginHtml(status.username));
+    });
+    app.get("/auth/token", async (request, reply) => {
+        if (!deps.authManager.isTokenBootstrapEnabled()) {
+            reply.code(404).send({ error: "Not found" });
+            return;
+        }
+        if (!isLoopbackAddress(request.socket.remoteAddress)) {
+            reply.code(404).send({ error: "Not found" });
+            return;
+        }
+        reply.type("text/html").send(getTokenHtml());
+    });
+    app.get("/api/auth/status", async (request, reply) => {
+        const session = deps.authManager.getSessionFromRequest(request);
+        if (!session) {
+            reply.send({ authenticated: false });
+            return;
+        }
+        reply.send({ authenticated: true, ...deps.authManager.getStatus() });
+    });
+    app.post("/api/auth/login", async (request, reply) => {
+        const body = LoginSchema.parse(request.body ?? {});
+        const ok = deps.authManager.validateLogin(body.username, body.password);
+        if (!ok) {
+            reply.code(401).send({ error: "Invalid credentials" });
+            return;
+        }
+        const session = deps.authManager.createSession(body.username);
+        deps.authManager.setSessionCookie(reply, session.id);
+        reply.send({ ok: true });
+    });
+    app.post("/api/auth/token", async (request, reply) => {
+        if (!deps.authManager.isTokenBootstrapEnabled()) {
+            reply.code(404).send({ error: "Not found" });
+            return;
+        }
+        if (!isLoopbackAddress(request.socket.remoteAddress)) {
+            reply.code(404).send({ error: "Not found" });
+            return;
+        }
+        const body = TokenSchema.parse(request.body ?? {});
+        const ok = deps.authManager.consumeBootstrapToken(body.token);
+        if (!ok) {
+            reply.code(401).send({ error: "Invalid token" });
+            return;
+        }
+        const username = deps.authManager.getStatus().username;
+        const session = deps.authManager.createSession(username);
+        deps.authManager.setSessionCookie(reply, session.id);
+        reply.send({ ok: true });
+    });
+    app.post("/api/auth/logout", async (_request, reply) => {
+        deps.authManager.clearSessionCookie(reply);
+        reply.send({ ok: true });
+    });
+    app.post("/api/auth/password", async (request, reply) => {
+        const session = deps.authManager.getSessionFromRequest(request);
+        if (!session) {
+            reply.code(401).send({ error: "Unauthorized" });
+            return;
+        }
+        const body = PasswordSchema.parse(request.body ?? {});
+        try {
+            const status = deps.authManager.setPassword(body.password);
+            reply.send({ ok: true, ...status });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            reply.code(409).type("text/plain").send(message);
+        }
+    });
+}
+function escapeHtml(value) {
+    return value.replace(/[&<>"]/g, (char) => {
+        switch (char) {
+            case "&":
+                return "&amp;";
+            case "<":
+                return "&lt;";
+            case ">":
+                return "&gt;";
+            case '"':
+                return "&quot;";
+            default:
+                return char;
+        }
+    });
+}

package/dist/workspaces/instance-events.js

@@ -71,8 +71,13 @@ export class InstanceEventBridge {
     }
     async consumeStream(workspaceId, port, signal) {
         const url = `http://${INSTANCE_HOST}:${port}/event`;
+        const headers = { Accept: "text/event-stream" };
+        const authHeader = this.options.workspaceManager.getInstanceAuthorizationHeader(workspaceId);
+        if (authHeader) {
+            headers["Authorization"] = authHeader;
+        }
         const response = await fetch(url, {
-            headers: { Accept: "text/event-stream" },
+            headers,
             signal,
             dispatcher: STREAM_AGENT,
         });