@openpalm/lib 0.10.2 → 0.11.0-beta.10

package/src/control-plane/rollback.ts

@@ -11,11 +11,12 @@ import type { ControlPlaneState } from "./types.js";
 import { resolveRollbackDir } from "./home.js";
 
 /** Files that are tracked for rollback (relative to homeDir).
- *  Only vault/stack/ files are included — vault/user/ and config/ are
- *  user-owned and never overwritten by lifecycle operations. */
+ *  Only config/ system files are included — user-editable config files
+ *  are never overwritten by lifecycle operations. */
 const SNAPSHOT_FILES = [
-  "vault/stack/stack.env",
-  "vault/stack/guardian.env",
+  "config/stack/stack.env",
+  "config/stack/guardian.env",
+  "config/auth.json",
 ];
 
 /**
@@ -43,12 +44,12 @@ export function snapshotCurrentState(state: ControlPlaneState): void {
     safeCopy(src, dest);
   }
 
-  // Snapshot stack/core.compose.yml
-  const coreCompose = join(state.homeDir, "stack/core.compose.yml");
-  safeCopy(coreCompose, join(rollbackDir, "stack/core.compose.yml"));
+  // Snapshot config/stack/core.compose.yml
+  const coreCompose = join(state.homeDir, "config/stack/core.compose.yml");
+  safeCopy(coreCompose, join(rollbackDir, "config/stack/core.compose.yml"));
 
-  // Snapshot stack/addons/*/compose.yml
-  const addonsDir = join(state.homeDir, "stack/addons");
+  // Snapshot config/stack/addons/*/compose.yml
+  const addonsDir = join(state.homeDir, "config/stack/addons");
   if (existsSync(addonsDir)) {
     for (const entry of readdirSync(addonsDir, { withFileTypes: true })) {
       if (entry.isDirectory()) {
@@ -56,7 +57,7 @@ export function snapshotCurrentState(state: ControlPlaneState): void {
         if (existsSync(addonCompose)) {
           safeCopy(
             addonCompose,
-            join(rollbackDir, "stack/addons", entry.name, "compose.yml"),
+            join(rollbackDir, "config/stack/addons", entry.name, "compose.yml"),
           );
         }
       }
@@ -87,14 +88,14 @@ export function restoreSnapshot(state: ControlPlaneState): void {
     safeCopy(src, dest);
   }
 
-  // Restore stack/core.compose.yml
-  const srcCoreCompose = join(rollbackDir, "stack/core.compose.yml");
+  // Restore config/stack/core.compose.yml
+  const srcCoreCompose = join(rollbackDir, "config/stack/core.compose.yml");
   if (existsSync(srcCoreCompose)) {
-    safeCopy(srcCoreCompose, join(state.homeDir, "stack/core.compose.yml"));
+    safeCopy(srcCoreCompose, join(state.homeDir, "config/stack/core.compose.yml"));
   }
 
-  // Restore stack/addons/*/compose.yml
-  const srcAddons = join(rollbackDir, "stack/addons");
+  // Restore config/stack/addons/*/compose.yml
+  const srcAddons = join(rollbackDir, "config/stack/addons");
   if (existsSync(srcAddons)) {
     for (const entry of readdirSync(srcAddons, { withFileTypes: true })) {
       if (entry.isDirectory()) {
@@ -102,7 +103,7 @@ export function restoreSnapshot(state: ControlPlaneState): void {
         if (existsSync(srcAddonCompose)) {
           safeCopy(
             srcAddonCompose,
-            join(state.homeDir, "stack/addons", entry.name, "compose.yml"),
+            join(state.homeDir, "config/stack/addons", entry.name, "compose.yml"),
           );
         }
       }

package/src/control-plane/scheduler.ts

@@ -1,24 +1,27 @@
-/** Automation scheduler — types, parsing, and action execution. */
-import { parse as parseYaml } from "yaml";
+/**
+ * Automation scheduler — types and akm CLI integration.
+ *
+ * Automations are AKM markdown task files at ${stashDir}/tasks/*.md.
+ * Scheduling is handled by the OS cron daemon (via `akm tasks sync`).
+ * Execution is handled by `akm tasks run <id>`.
+ */
 import { execFile } from "node:child_process";
-import { existsSync, readdirSync, readFileSync } from "node:fs";
+import { existsSync, readdirSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { createLogger } from "../logger.js";
+import { loadMarkdownTasks, taskToAutomationConfig } from "./markdown-task.js";
 
 const logger = createLogger("scheduler");
 
+// ── Types ─────────────────────────────────────────────────────────────────
 
-export type ActionType = "api" | "http" | "shell" | "assistant";
+export type ActionType = "api" | "http" | "shell" | "assistant" | "workflow";
 
 export type AutomationAction = {
   type: ActionType;
   method?: string;
   path?: string;
   url?: string;
-  body?: unknown;
-  headers?: Record<string, string>;
-  command?: string[];
-  timeout?: number;
   content?: string;
   agent?: string;
 };
@@ -34,13 +37,7 @@ export type AutomationConfig = {
   fileName: string;
 };
 
-export type ExecutionLogEntry = {
-  at: string;
-  ok: boolean;
-  durationMs: number;
-  error?: string;
-};
-
+// ── Schedule presets (UI display labels only) ─────────────────────────────
 
 export const SCHEDULE_PRESETS: Record<string, string> = {
   "every-minute": "* * * * *",
@@ -54,213 +51,55 @@ export const SCHEDULE_PRESETS: Record<string, string> = {
   "weekly-sunday-4am": "0 4 * * 0"
 };
 
-/** Resolve a preset name to cron expression, or pass through raw cron. */
-export function resolveSchedule(schedule: string): string {
-  return SCHEDULE_PRESETS[schedule] ?? schedule;
-}
-
-export function parseAutomationYaml(
-  content: string,
-  fileName: string
-): AutomationConfig | null {
-  let doc: Record<string, unknown>;
-  try {
-    doc = parseYaml(content) as Record<string, unknown>;
-  } catch (err) {
-    logger.warn("failed to parse automation YAML", { fileName, error: String(err) });
-    return null;
-  }
-
-  if (!doc || typeof doc !== "object") {
-    logger.warn("automation YAML is not an object", { fileName });
-    return null;
-  }
+// ── Load automations from AKM task files ──────────────────────────────────
 
-  const rawSchedule = doc.schedule;
-  if (typeof rawSchedule !== "string" || !rawSchedule.trim()) {
-    logger.warn("automation missing or empty 'schedule'", { fileName });
-    return null;
-  }
-
-  const action = doc.action;
-  if (!action || typeof action !== "object") {
-    logger.warn("automation missing or invalid 'action'", { fileName });
-    return null;
-  }
-
-  const actionObj = action as Record<string, unknown>;
-  const actionType = actionObj.type as string | undefined;
-  if (!actionType || !["api", "http", "shell", "assistant"].includes(actionType)) {
-    logger.warn("automation action has invalid 'type'", {
-      fileName,
-      type: String(actionType)
-    });
-    return null;
-  }
-
-  if (actionType === "api" && typeof actionObj.path !== "string") {
-    logger.warn("api action missing 'path'", { fileName });
-    return null;
-  }
-  if (actionType === "http" && typeof actionObj.url !== "string") {
-    logger.warn("http action missing 'url'", { fileName });
-    return null;
-  }
-  if (actionType === "shell") {
-    if (!Array.isArray(actionObj.command) || actionObj.command.length === 0) {
-      logger.warn("shell action missing or empty 'command' array", { fileName });
-      return null;
-    }
-  }
-  if (actionType === "assistant") {
-    if (typeof actionObj.content !== "string" || !actionObj.content.trim()) {
-      logger.warn("assistant action missing or empty 'content'", { fileName });
-      return null;
-    }
-  }
-
-  const schedule = resolveSchedule(rawSchedule.trim());
-
-  return {
-    name: typeof doc.name === "string" ? doc.name : fileName.replace(/\.yml$/, ""),
-    description: typeof doc.description === "string" ? doc.description : "",
-    schedule,
-    timezone: typeof doc.timezone === "string" ? doc.timezone : "UTC",
-    enabled: doc.enabled !== false,
-    action: {
-      type: actionType as ActionType,
-      method: typeof actionObj.method === "string" ? actionObj.method : "GET",
-      path: typeof actionObj.path === "string" ? actionObj.path : undefined,
-      url: typeof actionObj.url === "string" ? actionObj.url : undefined,
-      body: actionObj.body,
-      headers: (actionObj.headers && typeof actionObj.headers === "object" && !Array.isArray(actionObj.headers) &&
-        Object.values(actionObj.headers as Record<string, unknown>).every((v) => typeof v === "string"))
-        ? (actionObj.headers as Record<string, string>) : undefined,
-      command: Array.isArray(actionObj.command)
-        ? actionObj.command.map(String)
-        : undefined,
-      content: typeof actionObj.content === "string" ? actionObj.content : undefined,
-      agent: typeof actionObj.agent === "string" ? actionObj.agent : undefined,
-      timeout:
-        typeof actionObj.timeout === "number"
-          ? actionObj.timeout
-          : actionType === "assistant" ? 120_000 : 30_000
-    },
-    on_failure:
-      doc.on_failure === "audit" ? "audit" : "log",
-    fileName
-  };
-}
-
-export function loadAutomations(configDir: string): AutomationConfig[] {
-  const dir = join(configDir, "automations");
-  if (!existsSync(dir)) return [];
-
-  const files = readdirSync(dir, { withFileTypes: true });
-  const configs: AutomationConfig[] = [];
-
-  for (const entry of files) {
-    if (!entry.isFile()) continue;
-    if (!entry.name.endsWith(".yml")) {
-      logger.warn("non-.yml file in automations dir (ignored)", {
-        file: entry.name,
-        hint: "automation files must use .yml extension"
-      });
-      continue;
-    }
-
-    const content = readFileSync(join(dir, entry.name), "utf-8");
-    const config = parseAutomationYaml(content, entry.name);
-    if (config) configs.push(config);
-  }
-
-  return configs;
+export function loadAutomations(stashDir: string): AutomationConfig[] {
+  return loadMarkdownTasks(stashDir).map(taskToAutomationConfig);
 }
 
+// ── Execute an automation via akm tasks run ───────────────────────────────
 
-export const SAFE_PATH_RE = /^\/admin\/[a-zA-Z0-9/._-]+$/;
-
-export async function executeApiAction(
-  action: AutomationAction,
-  adminToken: string
-): Promise<void> {
-  if (!action.path || !SAFE_PATH_RE.test(action.path) || action.path.includes('..')) {
-    logger.warn(`Scheduler: rejecting unsafe action path: ${action.path}`);
-    return;
-  }
-  const adminUrl = process.env.OP_ADMIN_API_URL || "http://admin:8100";
-  const url = `${adminUrl}${action.path}`;
-  const { "x-admin-token": _dropped, "authorization": _dropped2, ...safeHeaders } = action.headers ?? {};
-  const headers: Record<string, string> = {
-    ...safeHeaders,
-    "x-admin-token": adminToken,
-    "x-requested-by": "automation",
-  };
-  if (action.body) {
-    headers["content-type"] = "application/json";
-  }
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), action.timeout ?? 30_000);
-  try {
-    const resp = await fetch(url, {
-      method: action.method ?? "GET",
-      headers,
-      body: action.body ? JSON.stringify(action.body) : undefined,
-      signal: controller.signal
-    });
-    if (!resp.ok) {
-      throw new Error(`HTTP ${resp.status} ${resp.statusText}`);
-    }
-  } finally {
-    clearTimeout(timer);
-  }
+export interface AutomationRunResult {
+  ok: boolean;
+  status: string;
+  error?: string;
 }
 
-export async function executeHttpAction(action: AutomationAction): Promise<void> {
-  if (!action.url) throw new Error("http action requires a url");
-  const headers: Record<string, string> = { ...action.headers };
-  if (action.body) {
-    headers["content-type"] = headers["content-type"] ?? "application/json";
-  }
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), action.timeout ?? 30_000);
-  try {
-    const resp = await fetch(action.url, {
-      method: action.method ?? "GET",
-      headers,
-      body: action.body ? JSON.stringify(action.body) : undefined,
-      signal: controller.signal
-    });
-    if (!resp.ok) {
-      throw new Error(`HTTP ${resp.status} ${resp.statusText}`);
-    }
-  } finally {
-    clearTimeout(timer);
-  }
+export async function executeAutomation(
+  id: string,
+  akmEnv: NodeJS.ProcessEnv,
+): Promise<AutomationRunResult> {
+  // Strip .md suffix if caller passes the full filename
+  const taskId = id.replace(/\.md$/, "");
+  return new Promise((resolve) => {
+    execFile(
+      "akm",
+      ["tasks", "run", taskId],
+      { env: { ...process.env, ...akmEnv } },
+      (error, _stdout, stderr) => {
+        if (error) {
+          const msg = stderr?.trim() || error.message;
+          logger.warn("akm tasks run failed", { id: taskId, error: msg });
+          resolve({ ok: false, status: "failed", error: msg });
+        } else {
+          resolve({ ok: true, status: "completed" });
+        }
+      }
+    );
+  });
 }
 
-const SHELL_SAFE_ENV_KEYS = [
-  "PATH", "HOME", "LANG", "LC_ALL", "TZ", "NODE_ENV",
-  "OP_HOME",
-];
-
-export function executeShellAction(action: AutomationAction): Promise<void> {
-  if (!action.command?.length) throw new Error("shell action requires a non-empty command array");
-  const cmd = action.command;
-
-  const safeEnv: Record<string, string> = {};
-  for (const key of SHELL_SAFE_ENV_KEYS) {
-    if (process.env[key]) safeEnv[key] = process.env[key]!;
-  }
+// ── Sync crontab with stash/tasks/*.md ───────────────────────────────────
 
+export async function syncAutomations(akmEnv: NodeJS.ProcessEnv): Promise<void> {
   return new Promise((resolve, reject) => {
     execFile(
-      cmd[0],
-      cmd.slice(1),
-      { env: safeEnv, timeout: action.timeout ?? 30_000 },
+      "akm",
+      ["tasks", "sync"],
+      { env: { ...process.env, ...akmEnv } },
       (error, _stdout, stderr) => {
         if (error) {
-          reject(new Error(`shell command failed: ${stderr || error.message}`));
+          reject(new Error(stderr?.trim() || error.message));
         } else {
           resolve();
         }
@@ -269,58 +108,32 @@ export function executeShellAction(action: AutomationAction): Promise<void> {
   });
 }
 
-export async function executeAssistantAction(action: AutomationAction): Promise<void> {
-  if (!action.content) {
-    throw new Error("assistant action requires a non-empty 'content' field");
-  }
-
-  const baseUrl = process.env.OPENCODE_API_URL ?? "http://assistant:4096";
-  const password = process.env.OPENCODE_SERVER_PASSWORD;
-  const headers: Record<string, string> = { "content-type": "application/json" };
-  if (password) {
-    headers["authorization"] = `Basic ${Buffer.from(`opencode:${password}`, "utf8").toString("base64")}`;
-  }
-
-  const sessionRes = await fetch(`${baseUrl}/session`, {
-    method: "POST",
-    headers,
-    signal: AbortSignal.timeout(10_000),
-    body: JSON.stringify({ title: `automation/${action.agent ?? "default"}` }),
-  });
-  if (!sessionRes.ok) {
-    const body = await sessionRes.text().catch(() => "");
-    throw new Error(`OpenCode POST /session ${sessionRes.status}: ${body}`);
-  }
-  const { id: sessionId } = (await sessionRes.json()) as { id: string };
-  if (typeof sessionId !== "string" || !/^[a-zA-Z0-9_-]+$/.test(sessionId)) {
-    throw new Error("Invalid session ID from assistant");
-  }
-
-  const msgRes = await fetch(`${baseUrl}/session/${sessionId}/message`, {
-    method: "POST",
-    headers,
-    signal: AbortSignal.timeout(action.timeout ?? 120_000),
-    body: JSON.stringify({ parts: [{ type: "text", text: action.content }] }),
-  });
-  if (!msgRes.ok) {
-    const body = await msgRes.text().catch(() => "");
-    throw new Error(`OpenCode POST /session/${sessionId}/message ${msgRes.status}: ${body}`);
-  }
-  logger.info("assistant action completed");
-}
-
-export async function executeAction(
-  action: AutomationAction,
-  adminToken: string
-): Promise<void> {
-  switch (action.type) {
-    case "api":
-      return executeApiAction(action, adminToken);
-    case "http":
-      return executeHttpAction(action);
-    case "shell":
-      return executeShellAction(action);
-    case "assistant":
-      return executeAssistantAction(action);
+// ── Read akm task execution logs ──────────────────────────────────────────
+
+export function readAutomationLogs(
+  id: string,
+  cacheDir: string,
+  limit: number = 50,
+): string[] {
+  const taskId = id.replace(/\.md$/, "");
+  const logDir = join(cacheDir, "akm", "tasks", "logs", taskId);
+  if (!existsSync(logDir)) return [];
+
+  const logFiles = readdirSync(logDir, { withFileTypes: true })
+    .filter((e) => e.isFile() && e.name.endsWith(".log"))
+    .map((e) => ({ name: e.name, path: join(logDir, e.name) }))
+    .sort((a, b) => b.name.localeCompare(a.name)); // newest first (ISO timestamp names)
+
+  const lines: string[] = [];
+  for (const { path } of logFiles) {
+    if (lines.length >= limit) break;
+    try {
+      const content = readFileSync(path, "utf-8");
+      const fileLines = content.split("\n").filter(Boolean).reverse(); // newest within file last
+      lines.push(...fileLines.slice(0, limit - lines.length));
+    } catch {
+      // skip unreadable log files
+    }
   }
+  return lines.slice(0, limit);
 }

package/src/control-plane/secret-mappings.ts

@@ -29,10 +29,8 @@ type CoreSecretMapping = {
 };
 
 const STATIC_CORE_MAPPINGS: CoreSecretMapping[] = [
-  // Core authentication tokens
-  { secretKey: 'openpalm/admin-token', envKey: 'OP_ADMIN_TOKEN', scope: 'system' },
-  { secretKey: 'openpalm/assistant-token', envKey: 'OP_ASSISTANT_TOKEN', scope: 'system' },
-  { secretKey: 'openpalm/memory/auth-token', envKey: 'OP_MEMORY_TOKEN', scope: 'system' },
+  // Core authentication
+  { secretKey: 'openpalm/ui-login-password', envKey: 'OP_UI_LOGIN_PASSWORD', scope: 'system' },
   { secretKey: 'openpalm/opencode/server-password', envKey: 'OP_OPENCODE_PASSWORD', scope: 'system' },
   // LLM provider API keys
   { secretKey: 'openpalm/openai/api-key', envKey: 'OPENAI_API_KEY', scope: 'user' },
@@ -47,8 +45,6 @@ const STATIC_CORE_MAPPINGS: CoreSecretMapping[] = [
   { secretKey: 'openpalm/mcp/api-key', envKey: 'MCP_API_KEY', scope: 'user' },
   { secretKey: 'openpalm/embedding/api-key', envKey: 'EMBEDDING_API_KEY', scope: 'user' },
   { secretKey: 'openpalm/lmstudio/api-key', envKey: 'LMSTUDIO_API_KEY', scope: 'user' },
-  { secretKey: 'openpalm/openviking/api-key', envKey: 'OPENVIKING_API_KEY', scope: 'user' },
-  { secretKey: 'openpalm/openviking/vlm-api-key', envKey: 'VLM_API_KEY', scope: 'user' },
   // Channel-specific credentials
   { secretKey: 'openpalm/discord/bot-token', envKey: 'DISCORD_BOT_TOKEN', scope: 'user' },
   { secretKey: 'openpalm/slack/bot-token', envKey: 'SLACK_BOT_TOKEN', scope: 'user' },
@@ -66,7 +62,7 @@ type SecretIndexFile = {
 };
 
 function secretIndexPath(state: ControlPlaneState): string {
-  return `${state.dataDir}/secrets/plaintext-index.json`;
+  return `${state.stateDir}/secrets/plaintext-index.json`;
 }
 
 function normalizeIndexedKey(key: string): string {
@@ -148,7 +144,7 @@ export function readPlaintextSecretIndex(state: ControlPlaneState): SecretIndexF
 }
 
 export function writePlaintextSecretIndex(state: ControlPlaneState, index: SecretIndexFile): void {
-  const dir = `${state.dataDir}/secrets`;
+  const dir = `${state.stateDir}/secrets`;
   mkdirSync(dir, { recursive: true });
   writeFileSync(secretIndexPath(state), JSON.stringify(index, null, 2) + '\n');
 }