npm - @opencode-cloud/core - Versions diffs - 4.3.0 → 5.0.1 - Mend

@opencode-cloud/core 4.3.0 → 5.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/Cargo.toml CHANGED Viewed

@@ -1,6 +1,6 @@
 [package]
 name = "opencode-cloud-core"
-version = "4.3.0"
+version = "5.0.1"
 edition = "2024"
 rust-version = "1.88"
 license = "MIT"

package/README.md CHANGED Viewed

@@ -191,6 +191,12 @@ occ user add <username> --generate
 - Remove user: `occ user remove <username>`
 - Enable/disable account: `occ user enable <username>` / `occ user disable <username>`
+### User Persistence
+User accounts (including password hashes and lock status) persist across container updates and rebuilds.
+The CLI stores user records in a managed Docker volume mounted at `/var/lib/opencode-users` inside the container.
+No plaintext passwords are stored on the host.
 ### Legacy Authentication Fields
 The `auth_username` and `auth_password` config fields are **deprecated** and ignored. They are kept in the config schema for backward compatibility with existing deployments, but new users should be created via `occ user add` instead.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opencode-cloud/core",
-  "version": "4.3.0",
+  "version": "5.0.1",
   "description": "Core NAPI bindings for opencode-cloud (internal package)",
   "main": "index.js",
   "types": "index.d.ts",

package/src/docker/container.rs CHANGED Viewed

@@ -6,8 +6,8 @@
 use super::dockerfile::{IMAGE_NAME_GHCR, IMAGE_TAG_DEFAULT};
 use super::mount::ParsedMount;
 use super::volume::{
-    MOUNT_CACHE, MOUNT_CONFIG, MOUNT_PROJECTS, MOUNT_SESSION, MOUNT_STATE, VOLUME_CACHE,
-    VOLUME_CONFIG, VOLUME_PROJECTS, VOLUME_SESSION, VOLUME_STATE,
+    MOUNT_CACHE, MOUNT_CONFIG, MOUNT_PROJECTS, MOUNT_SESSION, MOUNT_STATE, MOUNT_USERS,
+    VOLUME_CACHE, VOLUME_CONFIG, VOLUME_PROJECTS, VOLUME_SESSION, VOLUME_STATE, VOLUME_USERS,
 };
 use super::{DockerClient, DockerError};
 use bollard::container::{
@@ -121,6 +121,7 @@ pub async fn create_container(
     add_volume_mount(MOUNT_CACHE, VOLUME_CACHE);
     add_volume_mount(MOUNT_PROJECTS, VOLUME_PROJECTS);
     add_volume_mount(MOUNT_CONFIG, VOLUME_CONFIG);
+    add_volume_mount(MOUNT_USERS, VOLUME_USERS);
     // Add user-defined bind mounts from config/CLI
     if let Some(ref user_mounts) = bind_mounts {

package/src/docker/mod.rs CHANGED Viewed

@@ -54,15 +54,15 @@ pub use exec::{exec_command, exec_command_exit_code, exec_command_with_stdin};
 // User management operations
 pub use users::{
-    UserInfo, create_user, delete_user, list_users, lock_user, set_user_password, unlock_user,
-    user_exists,
+    UserInfo, create_user, delete_user, list_users, lock_user, persist_user, remove_persisted_user,
+    restore_persisted_users, set_user_password, unlock_user, user_exists,
 };
 // Volume management
 pub use volume::{
-    MOUNT_CACHE, MOUNT_CONFIG, MOUNT_PROJECTS, MOUNT_SESSION, MOUNT_STATE, VOLUME_CACHE,
-    VOLUME_CONFIG, VOLUME_NAMES, VOLUME_PROJECTS, VOLUME_SESSION, VOLUME_STATE,
-    ensure_volumes_exist, remove_all_volumes, remove_volume, volume_exists,
+    MOUNT_CACHE, MOUNT_CONFIG, MOUNT_PROJECTS, MOUNT_SESSION, MOUNT_STATE, MOUNT_USERS,
+    VOLUME_CACHE, VOLUME_CONFIG, VOLUME_NAMES, VOLUME_PROJECTS, VOLUME_SESSION, VOLUME_STATE,
+    VOLUME_USERS, ensure_volumes_exist, remove_all_volumes, remove_volume, volume_exists,
 };
 // Bind mount parsing and validation
@@ -136,6 +136,9 @@ pub async fn setup_and_start(
         container::start_container(client, container::CONTAINER_NAME).await?;
     }
+    // Restore persisted users after the container is running
+    users::restore_persisted_users(client, container::CONTAINER_NAME).await?;
     Ok(container_id)
 }

package/src/docker/users.rs CHANGED Viewed

@@ -8,7 +8,15 @@
 //! Instead, we use `chpasswd` which reads from stdin.
 use super::exec::{exec_command, exec_command_exit_code, exec_command_with_stdin};
+use super::volume::MOUNT_USERS;
 use super::{DockerClient, DockerError};
+use serde::{Deserialize, Serialize};
+/// User persistence store directory inside the container.
+///
+/// Format: one JSON file per user with strict permissions (root-owned, 0700 dir, 0600 files).
+/// Stored on a managed Docker volume mounted at this path.
+const USERS_STORE_DIR: &str = MOUNT_USERS;
 /// Information about a container user
 #[derive(Debug, Clone, PartialEq)]
@@ -25,6 +33,13 @@ pub struct UserInfo {
     pub locked: bool,
 }
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+struct PersistedUserRecord {
+    username: String,
+    password_hash: String,
+    locked: bool,
+}
 /// Create a new user in the container
 ///
 /// Creates a user with a home directory and /bin/bash shell.
@@ -96,6 +111,31 @@ pub async fn set_user_password(
     Ok(())
 }
+/// Set a user's password hash directly (no plaintext required)
+///
+/// Uses `usermod -p` with a precomputed shadow hash.
+async fn set_user_password_hash(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+    password_hash: &str,
+) -> Result<(), DockerError> {
+    if password_hash.is_empty() {
+        return Ok(());
+    }
+    let cmd = vec!["usermod", "-p", password_hash, username];
+    let exit_code = exec_command_exit_code(client, container, cmd).await?;
+    if exit_code != 0 {
+        return Err(DockerError::Container(format!(
+            "Failed to set password hash for '{username}': usermod returned exit code {exit_code}"
+        )));
+    }
+    Ok(())
+}
 /// Check if a user exists in the container
 ///
 /// # Arguments
@@ -234,6 +274,81 @@ pub async fn list_users(
     Ok(users)
 }
+/// Persist a user's credentials and lock state to the managed volume.
+///
+/// Stores the shadow hash (not plaintext) and lock status in a JSON record.
+pub async fn persist_user(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<(), DockerError> {
+    ensure_users_store_dir(client, container).await?;
+    let shadow_hash = get_user_shadow_hash(client, container, username).await?;
+    let locked = is_user_locked(client, container, username).await?;
+    let record = PersistedUserRecord {
+        username: username.to_string(),
+        password_hash: shadow_hash,
+        locked,
+    };
+    write_user_record(client, container, &record).await?;
+    Ok(())
+}
+/// Remove a persisted user record from the managed volume.
+pub async fn remove_persisted_user(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<(), DockerError> {
+    let record_path = user_record_path(username);
+    let cmd_string = format!("rm -f {record_path}");
+    let cmd = vec!["sh", "-c", cmd_string.as_str()];
+    exec_command(client, container, cmd).await?;
+    Ok(())
+}
+/// Restore users from the persisted store into the container.
+///
+/// Returns the list of usernames restored or updated.
+pub async fn restore_persisted_users(
+    client: &DockerClient,
+    container: &str,
+) -> Result<Vec<String>, DockerError> {
+    let records = read_user_records(client, container).await?;
+    if records.is_empty() {
+        let users = list_users(client, container).await?;
+        let mut persisted = Vec::new();
+        for user in users {
+            persist_user(client, container, &user.username).await?;
+            persisted.push(user.username);
+        }
+        return Ok(persisted);
+    }
+    let mut restored = Vec::new();
+    for record in records {
+        if !user_exists(client, container, &record.username).await? {
+            create_user(client, container, &record.username).await?;
+        }
+        set_user_password_hash(client, container, &record.username, &record.password_hash).await?;
+        if record.locked {
+            lock_user(client, container, &record.username).await?;
+        } else {
+            unlock_user(client, container, &record.username).await?;
+        }
+        restored.push(record.username);
+    }
+    Ok(restored)
+}
 /// Check if a user account is locked
 ///
 /// Uses `passwd -S` to get account status.
@@ -256,6 +371,80 @@ async fn is_user_locked(
     Ok(false)
 }
+async fn ensure_users_store_dir(client: &DockerClient, container: &str) -> Result<(), DockerError> {
+    let cmd_string = format!("install -d -m 700 {USERS_STORE_DIR}");
+    let cmd = vec!["sh", "-c", cmd_string.as_str()];
+    exec_command(client, container, cmd).await?;
+    Ok(())
+}
+async fn get_user_shadow_hash(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<String, DockerError> {
+    let output = exec_command(client, container, vec!["getent", "shadow", username]).await?;
+    let line = output.lines().next().unwrap_or("").trim();
+    if line.is_empty() {
+        return Err(DockerError::Container(format!(
+            "Failed to read shadow entry for '{username}'"
+        )));
+    }
+    let fields: Vec<&str> = line.split(':').collect();
+    if fields.len() < 2 {
+        return Err(DockerError::Container(format!(
+            "Invalid shadow entry for '{username}'"
+        )));
+    }
+    Ok(fields[1].to_string())
+}
+async fn read_user_records(
+    client: &DockerClient,
+    container: &str,
+) -> Result<Vec<PersistedUserRecord>, DockerError> {
+    let list_command =
+        format!("if [ -d {USERS_STORE_DIR} ]; then ls -1 {USERS_STORE_DIR}/*.json 2>/dev/null; fi");
+    let list_cmd = vec!["sh", "-c", list_command.as_str()];
+    let output = exec_command(client, container, list_cmd).await?;
+    let mut records = Vec::new();
+    for path in output
+        .lines()
+        .map(str::trim)
+        .filter(|line| !line.is_empty())
+    {
+        let contents = exec_command(client, container, vec!["cat", path]).await?;
+        let record: PersistedUserRecord = serde_json::from_str(&contents).map_err(|e| {
+            DockerError::Container(format!("Failed to parse user record {path}: {e}"))
+        })?;
+        records.push(record);
+    }
+    Ok(records)
+}
+fn user_record_path(username: &str) -> String {
+    format!("{USERS_STORE_DIR}/{username}.json")
+}
+async fn write_user_record(
+    client: &DockerClient,
+    container: &str,
+    record: &PersistedUserRecord,
+) -> Result<(), DockerError> {
+    let payload =
+        serde_json::to_string_pretty(record).map_err(|e| DockerError::Container(e.to_string()))?;
+    let record_path = user_record_path(&record.username);
+    let write_command =
+        format!("install -d -m 700 {USERS_STORE_DIR} && umask 077 && cat > {record_path}");
+    let cmd = vec!["sh", "-c", write_command.as_str()];
+    exec_command_with_stdin(client, container, cmd, &payload).await?;
+    Ok(())
+}
 /// Parsed user info from /etc/passwd line (intermediate struct)
 struct ParsedUser {
     username: String,

package/src/docker/volume.rs CHANGED Viewed

@@ -23,13 +23,17 @@ pub const VOLUME_PROJECTS: &str = "opencode-workspace";
 /// Volume name for opencode configuration
 pub const VOLUME_CONFIG: &str = "opencode-config";
+/// Volume name for persisted user records
+pub const VOLUME_USERS: &str = "opencode-users";
 /// All volume names as array for iteration
-pub const VOLUME_NAMES: [&str; 5] = [
+pub const VOLUME_NAMES: [&str; 6] = [
     VOLUME_SESSION,
     VOLUME_STATE,
     VOLUME_CACHE,
     VOLUME_PROJECTS,
     VOLUME_CONFIG,
+    VOLUME_USERS,
 ];
 /// Mount point for opencode data inside container
@@ -47,6 +51,9 @@ pub const MOUNT_PROJECTS: &str = "/home/opencode/workspace";
 /// Mount point for configuration inside container
 pub const MOUNT_CONFIG: &str = "/home/opencode/.config/opencode";
+/// Mount point for persisted user records inside container
+pub const MOUNT_USERS: &str = "/var/lib/opencode-users";
 /// Ensure all required volumes exist
 ///
 /// Creates volumes if they don't exist. This operation is idempotent -
@@ -145,16 +152,18 @@ mod tests {
         assert_eq!(VOLUME_CACHE, "opencode-cache");
         assert_eq!(VOLUME_PROJECTS, "opencode-workspace");
         assert_eq!(VOLUME_CONFIG, "opencode-config");
+        assert_eq!(VOLUME_USERS, "opencode-users");
     }
     #[test]
     fn volume_names_array_has_all_volumes() {
-        assert_eq!(VOLUME_NAMES.len(), 5);
+        assert_eq!(VOLUME_NAMES.len(), 6);
         assert!(VOLUME_NAMES.contains(&VOLUME_SESSION));
         assert!(VOLUME_NAMES.contains(&VOLUME_STATE));
         assert!(VOLUME_NAMES.contains(&VOLUME_CACHE));
         assert!(VOLUME_NAMES.contains(&VOLUME_PROJECTS));
         assert!(VOLUME_NAMES.contains(&VOLUME_CONFIG));
+        assert!(VOLUME_NAMES.contains(&VOLUME_USERS));
     }
     #[test]
@@ -164,5 +173,6 @@ mod tests {
         assert_eq!(MOUNT_CACHE, "/home/opencode/.cache/opencode");
         assert_eq!(MOUNT_PROJECTS, "/home/opencode/workspace");
         assert_eq!(MOUNT_CONFIG, "/home/opencode/.config/opencode");
+        assert_eq!(MOUNT_USERS, "/var/lib/opencode-users");
     }
 }