@opencode-cloud/core 1.0.8 → 1.0.10

package/Cargo.toml

@@ -1,8 +1,8 @@
 [package]
 name = "opencode-cloud-core"
-version = "1.0.8"
+version = "1.0.10"
 edition = "2024"
-rust-version = "1.85"
+rust-version = "1.88"
 license = "MIT"
 repository = "https://github.com/pRizz/opencode-cloud"
 homepage = "https://github.com/pRizz/opencode-cloud"
@@ -32,6 +32,7 @@ thiserror = "2"
 anyhow = "1"
 tracing = "0.1"
 console = "0.16"
+chrono = { version = "0.4", default-features = false, features = ["std", "clock"] }
 
 # NAPI dependencies (optional - only for Node bindings)
 napi = { version = "2", features = ["tokio_rt", "napi9"], optional = true }
@@ -46,10 +47,16 @@ tokio-retry = "0.3"
 indicatif = { version = "0.17", features = ["tokio", "futures"] }
 http-body-util = "0.1"
 bytes = "1.9"
+reqwest = { version = "0.12", features = ["json"] }
 
 # Platform service management (macOS)
 plist = "1.8"
 
+# Host management
+whoami = "1.5"
+ssh2-config = "0.6"
+dirs = "6"
+
 [build-dependencies]
 napi-build = "2"
 

package/README.md

@@ -9,6 +9,13 @@
 
 A production-ready toolkit for deploying [opencode](https://github.com/anomalyco/opencode) as a persistent cloud service.
 
+## Quick install (cargo)
+
+```bash
+cargo install opencode-cloud
+opencode-cloud --version
+```
+
 ## Features
 
 - Cross-platform CLI (`opencode-cloud` / `occ`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencode-cloud/core",
-  "version": "1.0.8",
+  "version": "1.0.10",
   "description": "Core NAPI bindings for opencode-cloud (internal package)",
   "main": "index.js",
   "types": "index.d.ts",

package/src/config/mod.rs

@@ -5,6 +5,7 @@
 
 pub mod paths;
 pub mod schema;
+pub mod validation;
 
 use std::fs::{self, File};
 use std::io::{Read, Write};
@@ -13,8 +14,12 @@ use std::path::PathBuf;
 use anyhow::{Context, Result};
 use jsonc_parser::parse_to_serde_value;
 
-pub use paths::{get_config_dir, get_config_path, get_data_dir, get_pid_path};
-pub use schema::Config;
+pub use paths::{get_config_dir, get_config_path, get_data_dir, get_hosts_path, get_pid_path};
+pub use schema::{Config, validate_bind_address};
+pub use validation::{
+    ValidationError, ValidationWarning, display_validation_error, display_validation_warning,
+    validate_config,
+};
 
 /// Ensure the config directory exists
 ///
@@ -84,7 +89,7 @@ pub fn load_config() -> Result<Config> {
 
     // Parse JSONC (JSON with comments)
     let parsed_value = parse_to_serde_value(&contents, &Default::default())
-        .map_err(|e| anyhow::anyhow!("Invalid JSONC in config file: {}", e))?
+        .map_err(|e| anyhow::anyhow!("Invalid JSONC in config file: {e}"))?
         .ok_or_else(|| anyhow::anyhow!("Config file is empty"))?;
 
     // Deserialize into Config struct (deny_unknown_fields will reject unknown keys)

package/src/config/paths.rs

@@ -72,6 +72,13 @@ pub fn get_pid_path() -> Option<PathBuf> {
     get_data_dir().map(|d| d.join("opencode-cloud.pid"))
 }
 
+/// Get the full path to the hosts configuration file
+///
+/// Returns: `{config_dir}/hosts.json`
+pub fn get_hosts_path() -> Option<PathBuf> {
+    get_config_dir().map(|d| d.join("hosts.json"))
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -105,4 +112,11 @@ mod tests {
         assert!(path.is_some());
         assert!(path.unwrap().ends_with("opencode-cloud.pid"));
     }
+
+    #[test]
+    fn test_hosts_path_ends_with_hosts_json() {
+        let path = get_hosts_path();
+        assert!(path.is_some());
+        assert!(path.unwrap().ends_with("hosts.json"));
+    }
 }

package/src/config/schema.rs

@@ -3,6 +3,7 @@
 //! Defines the structure and defaults for the config.json file.
 
 use serde::{Deserialize, Serialize};
+use std::net::{IpAddr, Ipv4Addr};
 
 /// Main configuration structure for opencode-cloud
 ///
@@ -40,6 +41,65 @@ pub struct Config {
     /// Seconds between restart attempts (default: 5)
     #[serde(default = "default_restart_delay")]
     pub restart_delay: u32,
+
+    /// Username for opencode basic auth (default: None, triggers wizard)
+    #[serde(default)]
+    pub auth_username: Option<String>,
+
+    /// Password for opencode basic auth (default: None, triggers wizard)
+    #[serde(default)]
+    pub auth_password: Option<String>,
+
+    /// Environment variables passed to container (default: empty)
+    /// Format: ["KEY=value", "KEY2=value2"]
+    #[serde(default)]
+    pub container_env: Vec<String>,
+
+    /// Bind address for opencode web UI (default: "127.0.0.1")
+    /// Use "0.0.0.0" or "::" for network exposure (requires explicit opt-in)
+    #[serde(default = "default_bind_address")]
+    pub bind_address: String,
+
+    /// Trust proxy headers (X-Forwarded-For, etc.) for load balancer deployments
+    #[serde(default)]
+    pub trust_proxy: bool,
+
+    /// Allow unauthenticated access when network exposed
+    /// Requires double confirmation on first start
+    #[serde(default)]
+    pub allow_unauthenticated_network: bool,
+
+    /// Maximum auth attempts before rate limiting
+    #[serde(default = "default_rate_limit_attempts")]
+    pub rate_limit_attempts: u32,
+
+    /// Rate limit window in seconds
+    #[serde(default = "default_rate_limit_window")]
+    pub rate_limit_window_seconds: u32,
+
+    /// List of usernames configured in container (for persistence tracking)
+    /// Passwords are NOT stored here - only in container's /etc/shadow
+    #[serde(default)]
+    pub users: Vec<String>,
+
+    /// Cockpit web console port (default: 9090)
+    /// Only used when cockpit_enabled is true
+    #[serde(default = "default_cockpit_port")]
+    pub cockpit_port: u16,
+
+    /// Enable Cockpit web console (default: false)
+    ///
+    /// When enabled:
+    /// - Container uses systemd as init (required for Cockpit)
+    /// - Requires Linux host with native Docker (does NOT work on macOS Docker Desktop)
+    /// - Cockpit web UI accessible at cockpit_port
+    ///
+    /// When disabled (default):
+    /// - Container uses tini as init (lightweight, works everywhere)
+    /// - Works on macOS, Linux, and Windows
+    /// - No Cockpit web UI
+    #[serde(default = "default_cockpit_enabled")]
+    pub cockpit_enabled: bool,
 }
 
 fn default_opencode_web_port() -> u16 {
@@ -66,6 +126,55 @@ fn default_restart_delay() -> u32 {
     5
 }
 
+fn default_bind_address() -> String {
+    "127.0.0.1".to_string()
+}
+
+fn default_rate_limit_attempts() -> u32 {
+    5
+}
+
+fn default_rate_limit_window() -> u32 {
+    60
+}
+
+fn default_cockpit_port() -> u16 {
+    9090
+}
+
+fn default_cockpit_enabled() -> bool {
+    false
+}
+
+/// Validate and parse a bind address string
+///
+/// Accepts:
+/// - IPv4 addresses: "127.0.0.1", "0.0.0.0"
+/// - IPv6 addresses: "::1", "::"
+/// - Bracketed IPv6: "[::1]"
+/// - "localhost" (resolves to 127.0.0.1)
+///
+/// Returns the parsed IpAddr or an error message.
+pub fn validate_bind_address(addr: &str) -> Result<IpAddr, String> {
+    let trimmed = addr.trim();
+
+    // Handle "localhost" as special case
+    if trimmed.eq_ignore_ascii_case("localhost") {
+        return Ok(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+    }
+
+    // Strip brackets from IPv6 addresses like "[::1]"
+    let stripped = if trimmed.starts_with('[') && trimmed.ends_with(']') {
+        &trimmed[1..trimmed.len() - 1]
+    } else {
+        trimmed
+    };
+
+    stripped.parse::<IpAddr>().map_err(|_| {
+        format!("Invalid IP address: '{addr}'. Use 127.0.0.1, ::1, 0.0.0.0, ::, or localhost")
+    })
+}
+
 impl Default for Config {
     fn default() -> Self {
         Self {
@@ -76,6 +185,17 @@ impl Default for Config {
             boot_mode: default_boot_mode(),
             restart_retries: default_restart_retries(),
             restart_delay: default_restart_delay(),
+            auth_username: None,
+            auth_password: None,
+            container_env: Vec::new(),
+            bind_address: default_bind_address(),
+            trust_proxy: false,
+            allow_unauthenticated_network: false,
+            rate_limit_attempts: default_rate_limit_attempts(),
+            rate_limit_window_seconds: default_rate_limit_window(),
+            users: Vec::new(),
+            cockpit_port: default_cockpit_port(),
+            cockpit_enabled: default_cockpit_enabled(),
         }
     }
 }
@@ -85,6 +205,51 @@ impl Config {
     pub fn new() -> Self {
         Self::default()
     }
+
+    /// Check if required auth credentials are configured
+    ///
+    /// Returns true if:
+    /// - Both auth_username and auth_password are Some and non-empty (legacy), OR
+    /// - The users array is non-empty (PAM-based auth)
+    ///
+    /// This is used to determine if the setup wizard needs to run.
+    pub fn has_required_auth(&self) -> bool {
+        // New PAM-based auth: users array
+        if !self.users.is_empty() {
+            return true;
+        }
+
+        // Legacy basic auth: username/password
+        match (&self.auth_username, &self.auth_password) {
+            (Some(username), Some(password)) => !username.is_empty() && !password.is_empty(),
+            _ => false,
+        }
+    }
+
+    /// Check if the bind address exposes the service to the network
+    ///
+    /// Returns true if bind_address is "0.0.0.0" (IPv4 all interfaces) or
+    /// "::" (IPv6 all interfaces).
+    pub fn is_network_exposed(&self) -> bool {
+        match validate_bind_address(&self.bind_address) {
+            Ok(IpAddr::V4(ip)) => ip.is_unspecified(),
+            Ok(IpAddr::V6(ip)) => ip.is_unspecified(),
+            Err(_) => false, // Invalid addresses are not considered exposed
+        }
+    }
+
+    /// Check if the bind address is localhost-only
+    ///
+    /// Returns true if bind_address is "127.0.0.1", "::1", or "localhost".
+    pub fn is_localhost(&self) -> bool {
+        match validate_bind_address(&self.bind_address) {
+            Ok(ip) => ip.is_loopback(),
+            Err(_) => {
+                // Also check for "localhost" string directly
+                self.bind_address.eq_ignore_ascii_case("localhost")
+            }
+        }
+    }
 }
 
 #[cfg(test)]
@@ -101,6 +266,16 @@ mod tests {
         assert_eq!(config.boot_mode, "user");
         assert_eq!(config.restart_retries, 3);
         assert_eq!(config.restart_delay, 5);
+        assert!(config.auth_username.is_none());
+        assert!(config.auth_password.is_none());
+        assert!(config.container_env.is_empty());
+        // Security fields
+        assert_eq!(config.bind_address, "127.0.0.1");
+        assert!(!config.trust_proxy);
+        assert!(!config.allow_unauthenticated_network);
+        assert_eq!(config.rate_limit_attempts, 5);
+        assert_eq!(config.rate_limit_window_seconds, 60);
+        assert!(config.users.is_empty());
     }
 
     #[test]
@@ -122,6 +297,16 @@ mod tests {
         assert_eq!(config.boot_mode, "user");
         assert_eq!(config.restart_retries, 3);
         assert_eq!(config.restart_delay, 5);
+        assert!(config.auth_username.is_none());
+        assert!(config.auth_password.is_none());
+        assert!(config.container_env.is_empty());
+        // Security fields should have defaults
+        assert_eq!(config.bind_address, "127.0.0.1");
+        assert!(!config.trust_proxy);
+        assert!(!config.allow_unauthenticated_network);
+        assert_eq!(config.rate_limit_attempts, 5);
+        assert_eq!(config.rate_limit_window_seconds, 60);
+        assert!(config.users.is_empty());
     }
 
     #[test]
@@ -134,6 +319,17 @@ mod tests {
             boot_mode: "system".to_string(),
             restart_retries: 5,
             restart_delay: 10,
+            auth_username: None,
+            auth_password: None,
+            container_env: Vec::new(),
+            bind_address: "0.0.0.0".to_string(),
+            trust_proxy: true,
+            allow_unauthenticated_network: false,
+            rate_limit_attempts: 10,
+            rate_limit_window_seconds: 120,
+            users: vec!["admin".to_string()],
+            cockpit_port: 9090,
+            cockpit_enabled: true,
         };
         let json = serde_json::to_string(&config).unwrap();
         let parsed: Config = serde_json::from_str(&json).unwrap();
@@ -141,6 +337,10 @@ mod tests {
         assert_eq!(parsed.boot_mode, "system");
         assert_eq!(parsed.restart_retries, 5);
         assert_eq!(parsed.restart_delay, 10);
+        assert_eq!(parsed.bind_address, "0.0.0.0");
+        assert!(parsed.trust_proxy);
+        assert_eq!(parsed.rate_limit_attempts, 10);
+        assert_eq!(parsed.users, vec!["admin"]);
     }
 
     #[test]
@@ -149,4 +349,274 @@ mod tests {
         let result: Result<Config, _> = serde_json::from_str(json);
         assert!(result.is_err());
     }
+
+    #[test]
+    fn test_serialize_deserialize_roundtrip_with_auth_fields() {
+        let config = Config {
+            auth_username: Some("admin".to_string()),
+            auth_password: Some("secret123".to_string()),
+            container_env: vec!["FOO=bar".to_string(), "BAZ=qux".to_string()],
+            ..Config::default()
+        };
+        let json = serde_json::to_string(&config).unwrap();
+        let parsed: Config = serde_json::from_str(&json).unwrap();
+        assert_eq!(config, parsed);
+        assert_eq!(parsed.auth_username, Some("admin".to_string()));
+        assert_eq!(parsed.auth_password, Some("secret123".to_string()));
+        assert_eq!(parsed.container_env, vec!["FOO=bar", "BAZ=qux"]);
+    }
+
+    #[test]
+    fn test_has_required_auth_returns_false_when_both_none() {
+        let config = Config::default();
+        assert!(!config.has_required_auth());
+    }
+
+    #[test]
+    fn test_has_required_auth_returns_false_when_username_none() {
+        let config = Config {
+            auth_username: None,
+            auth_password: Some("secret".to_string()),
+            ..Config::default()
+        };
+        assert!(!config.has_required_auth());
+    }
+
+    #[test]
+    fn test_has_required_auth_returns_false_when_password_none() {
+        let config = Config {
+            auth_username: Some("admin".to_string()),
+            auth_password: None,
+            ..Config::default()
+        };
+        assert!(!config.has_required_auth());
+    }
+
+    #[test]
+    fn test_has_required_auth_returns_false_when_username_empty() {
+        let config = Config {
+            auth_username: Some(String::new()),
+            auth_password: Some("secret".to_string()),
+            ..Config::default()
+        };
+        assert!(!config.has_required_auth());
+    }
+
+    #[test]
+    fn test_has_required_auth_returns_false_when_password_empty() {
+        let config = Config {
+            auth_username: Some("admin".to_string()),
+            auth_password: Some(String::new()),
+            ..Config::default()
+        };
+        assert!(!config.has_required_auth());
+    }
+
+    #[test]
+    fn test_has_required_auth_returns_true_when_both_set() {
+        let config = Config {
+            auth_username: Some("admin".to_string()),
+            auth_password: Some("secret123".to_string()),
+            ..Config::default()
+        };
+        assert!(config.has_required_auth());
+    }
+
+    // Tests for validate_bind_address
+
+    #[test]
+    fn test_validate_bind_address_ipv4_localhost() {
+        let result = validate_bind_address("127.0.0.1");
+        assert!(result.is_ok());
+        let ip = result.unwrap();
+        assert!(ip.is_loopback());
+    }
+
+    #[test]
+    fn test_validate_bind_address_ipv4_all_interfaces() {
+        let result = validate_bind_address("0.0.0.0");
+        assert!(result.is_ok());
+        let ip = result.unwrap();
+        assert!(ip.is_unspecified());
+    }
+
+    #[test]
+    fn test_validate_bind_address_ipv6_localhost() {
+        let result = validate_bind_address("::1");
+        assert!(result.is_ok());
+        let ip = result.unwrap();
+        assert!(ip.is_loopback());
+    }
+
+    #[test]
+    fn test_validate_bind_address_ipv6_all_interfaces() {
+        let result = validate_bind_address("::");
+        assert!(result.is_ok());
+        let ip = result.unwrap();
+        assert!(ip.is_unspecified());
+    }
+
+    #[test]
+    fn test_validate_bind_address_localhost_string() {
+        let result = validate_bind_address("localhost");
+        assert!(result.is_ok());
+        assert_eq!(result.unwrap().to_string(), "127.0.0.1");
+    }
+
+    #[test]
+    fn test_validate_bind_address_localhost_case_insensitive() {
+        let result = validate_bind_address("LOCALHOST");
+        assert!(result.is_ok());
+        assert_eq!(result.unwrap().to_string(), "127.0.0.1");
+    }
+
+    #[test]
+    fn test_validate_bind_address_bracketed_ipv6() {
+        let result = validate_bind_address("[::1]");
+        assert!(result.is_ok());
+        assert!(result.unwrap().is_loopback());
+    }
+
+    #[test]
+    fn test_validate_bind_address_invalid() {
+        let result = validate_bind_address("not-an-ip");
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("Invalid IP address"));
+    }
+
+    #[test]
+    fn test_validate_bind_address_whitespace() {
+        let result = validate_bind_address("  127.0.0.1  ");
+        assert!(result.is_ok());
+    }
+
+    // Tests for is_network_exposed
+
+    #[test]
+    fn test_is_network_exposed_ipv4_all() {
+        let config = Config {
+            bind_address: "0.0.0.0".to_string(),
+            ..Config::default()
+        };
+        assert!(config.is_network_exposed());
+    }
+
+    #[test]
+    fn test_is_network_exposed_ipv6_all() {
+        let config = Config {
+            bind_address: "::".to_string(),
+            ..Config::default()
+        };
+        assert!(config.is_network_exposed());
+    }
+
+    #[test]
+    fn test_is_network_exposed_localhost_false() {
+        let config = Config::default();
+        assert!(!config.is_network_exposed());
+    }
+
+    #[test]
+    fn test_is_network_exposed_ipv6_localhost_false() {
+        let config = Config {
+            bind_address: "::1".to_string(),
+            ..Config::default()
+        };
+        assert!(!config.is_network_exposed());
+    }
+
+    // Tests for is_localhost
+
+    #[test]
+    fn test_is_localhost_ipv4() {
+        let config = Config {
+            bind_address: "127.0.0.1".to_string(),
+            ..Config::default()
+        };
+        assert!(config.is_localhost());
+    }
+
+    #[test]
+    fn test_is_localhost_ipv6() {
+        let config = Config {
+            bind_address: "::1".to_string(),
+            ..Config::default()
+        };
+        assert!(config.is_localhost());
+    }
+
+    #[test]
+    fn test_is_localhost_string() {
+        let config = Config {
+            bind_address: "localhost".to_string(),
+            ..Config::default()
+        };
+        assert!(config.is_localhost());
+    }
+
+    #[test]
+    fn test_is_localhost_all_interfaces_false() {
+        let config = Config {
+            bind_address: "0.0.0.0".to_string(),
+            ..Config::default()
+        };
+        assert!(!config.is_localhost());
+    }
+
+    // Tests for security fields serialization
+
+    #[test]
+    fn test_serialize_deserialize_with_security_fields() {
+        let config = Config {
+            bind_address: "0.0.0.0".to_string(),
+            trust_proxy: true,
+            allow_unauthenticated_network: true,
+            rate_limit_attempts: 10,
+            rate_limit_window_seconds: 120,
+            users: vec!["admin".to_string(), "developer".to_string()],
+            ..Config::default()
+        };
+        let json = serde_json::to_string(&config).unwrap();
+        let parsed: Config = serde_json::from_str(&json).unwrap();
+        assert_eq!(config, parsed);
+        assert_eq!(parsed.bind_address, "0.0.0.0");
+        assert!(parsed.trust_proxy);
+        assert!(parsed.allow_unauthenticated_network);
+        assert_eq!(parsed.rate_limit_attempts, 10);
+        assert_eq!(parsed.rate_limit_window_seconds, 120);
+        assert_eq!(parsed.users, vec!["admin", "developer"]);
+    }
+
+    // Tests for Cockpit fields
+
+    #[test]
+    fn test_default_config_cockpit_fields() {
+        let config = Config::default();
+        assert_eq!(config.cockpit_port, 9090);
+        // cockpit_enabled defaults to false (requires Linux host)
+        assert!(!config.cockpit_enabled);
+    }
+
+    #[test]
+    fn test_serialize_deserialize_with_cockpit_fields() {
+        let config = Config {
+            cockpit_port: 9091,
+            cockpit_enabled: false,
+            ..Config::default()
+        };
+        let json = serde_json::to_string(&config).unwrap();
+        let parsed: Config = serde_json::from_str(&json).unwrap();
+        assert_eq!(parsed.cockpit_port, 9091);
+        assert!(!parsed.cockpit_enabled);
+    }
+
+    #[test]
+    fn test_cockpit_fields_default_on_missing() {
+        // Old configs without cockpit fields should get defaults
+        let json = r#"{"version": 1}"#;
+        let config: Config = serde_json::from_str(json).unwrap();
+        assert_eq!(config.cockpit_port, 9090);
+        // cockpit_enabled defaults to false (requires Linux host)
+        assert!(!config.cockpit_enabled);
+    }
 }