@openpalm/lib 0.10.2 → 0.11.0-beta.2

package/src/control-plane/migrate-0110.test.ts

@@ -0,0 +1,177 @@
+/**
+ * Tests for the 0.11.0 auth-migration shim.
+ */
+import { describe, expect, it, beforeEach, afterEach } from "bun:test";
+import {
+  existsSync,
+  mkdirSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+  statSync,
+  writeFileSync,
+  chmodSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { migrateAuth0110 } from "./migrate-0110.js";
+import type { ControlPlaneState } from "./types.js";
+
+function makeState(homeDir: string): ControlPlaneState {
+  return {
+    homeDir,
+    configDir: join(homeDir, "config"),
+    stashDir: join(homeDir, "stash"),
+    workspaceDir: join(homeDir, "workspace"),
+    cacheDir: join(homeDir, "cache"),
+    stateDir: join(homeDir, "state"),
+    stackDir: join(homeDir, "config", "stack"),
+    services: {},
+    artifacts: { compose: "" },
+    artifactMeta: [],
+  };
+}
+
+function seedStackEnv(stackDir: string, content: string): string {
+  mkdirSync(stackDir, { recursive: true });
+  const path = join(stackDir, "stack.env");
+  writeFileSync(path, content, { encoding: "utf-8", mode: 0o600 });
+  chmodSync(path, 0o600);
+  return path;
+}
+
+describe("migrateAuth0110", () => {
+  let homeDir: string;
+
+  beforeEach(() => {
+    homeDir = mkdtempSync(join(tmpdir(), "openpalm-migrate-0110-"));
+  });
+
+  afterEach(() => {
+    rmSync(homeDir, { recursive: true, force: true });
+  });
+
+  it("no-ops on a fresh install (no stack.env)", () => {
+    const state = makeState(homeDir);
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(false);
+    expect(result.reason).toContain("fresh install");
+  });
+
+  it("promotes OP_UI_TOKEN → OP_UI_LOGIN_PASSWORD and removes legacy keys", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "# header",
+        "OP_UI_TOKEN=legacy-token-value",
+        "OP_ASSISTANT_TOKEN=some-assistant-token",
+        "OP_OPENCODE_PASSWORD=opencode-secret",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).toContain("promoted OP_UI_TOKEN");
+    expect(result.reason).toContain("removed OP_UI_TOKEN");
+    expect(result.reason).toContain("removed OP_ASSISTANT_TOKEN");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    expect(after).toContain("OP_UI_LOGIN_PASSWORD=legacy-token-value");
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+    expect(after).not.toMatch(/^OP_ASSISTANT_TOKEN=/m);
+    // Unrelated keys preserved
+    expect(after).toContain("OP_OPENCODE_PASSWORD=opencode-secret");
+
+    // Perms preserved
+    expect(statSync(stackEnvPath).mode & 0o777).toBe(0o600);
+
+    // Migration log appended
+    const logPath = join(state.stateDir, "logs", "migration-0.11.0.log");
+    expect(existsSync(logPath)).toBe(true);
+    const log = readFileSync(logPath, "utf-8");
+    expect(log).toContain("migrate-auth-0110");
+    expect(log).toContain("promoted OP_UI_TOKEN");
+  });
+
+  it("does not overwrite an existing OP_UI_LOGIN_PASSWORD", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_LOGIN_PASSWORD=new-password",
+        "OP_UI_TOKEN=legacy-value",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).not.toContain("promoted");
+    expect(result.reason).toContain("removed OP_UI_TOKEN");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    expect(after).toContain("OP_UI_LOGIN_PASSWORD=new-password");
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+  });
+
+  it("removes OP_ASSISTANT_TOKEN even when only it is present", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_LOGIN_PASSWORD=pw",
+        "OP_ASSISTANT_TOKEN=stale",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    expect(result.reason).toContain("removed OP_ASSISTANT_TOKEN");
+    expect(readFileSync(stackEnvPath, "utf-8")).not.toMatch(/^OP_ASSISTANT_TOKEN=/m);
+  });
+
+  it("is idempotent: second run reports already-migrated", () => {
+    const state = makeState(homeDir);
+    seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_TOKEN=t",
+        "OP_ASSISTANT_TOKEN=t2",
+        "",
+      ].join("\n"),
+    );
+
+    const first = migrateAuth0110(state);
+    expect(first.migrated).toBe(true);
+
+    const second = migrateAuth0110(state);
+    expect(second.migrated).toBe(false);
+    expect(second.reason).toContain("already migrated");
+  });
+
+  it("treats an empty OP_UI_TOKEN value as not-set (no promotion)", () => {
+    const state = makeState(homeDir);
+    const stackEnvPath = seedStackEnv(
+      state.stackDir,
+      [
+        "OP_UI_TOKEN=",
+        "OP_ASSISTANT_TOKEN=foo",
+        "",
+      ].join("\n"),
+    );
+
+    const result = migrateAuth0110(state);
+    expect(result.migrated).toBe(true);
+    // Empty-string OP_UI_TOKEN should NOT be promoted as a password.
+    expect(result.reason).not.toContain("promoted");
+
+    const after = readFileSync(stackEnvPath, "utf-8");
+    // The empty OP_UI_TOKEN line is still removed.
+    expect(after).not.toMatch(/^OP_UI_TOKEN=/m);
+    // No OP_UI_LOGIN_PASSWORD added (would be an empty value).
+    expect(after).not.toMatch(/^OP_UI_LOGIN_PASSWORD=/m);
+  });
+});

package/src/control-plane/migrate-0110.ts

@@ -0,0 +1,99 @@
+/**
+ * One-shot migration for the 0.11.0 auth refactor.
+ *
+ * Existing installs have OP_UI_TOKEN and OP_ASSISTANT_TOKEN in
+ * config/stack/stack.env. The 0.11.0 refactor (auth-and-proxy-refactor-plan.md)
+ * replaces them with a single OP_UI_LOGIN_PASSWORD. If we don't migrate,
+ * operators get locked out the moment they run the new UI build because the
+ * login route compares the cookie against process.env.OP_UI_LOGIN_PASSWORD,
+ * which is empty on existing installs.
+ *
+ * Migration logic (idempotent):
+ *   - If OP_UI_LOGIN_PASSWORD is unset AND OP_UI_TOKEN is set, copy
+ *     OP_UI_TOKEN's value into OP_UI_LOGIN_PASSWORD.
+ *   - Remove OP_UI_TOKEN and OP_ASSISTANT_TOKEN from stack.env (they're
+ *     no longer used).
+ *   - Append a one-line summary to state/logs/migration-0.11.0.log.
+ *   - If OP_UI_LOGIN_PASSWORD is already set, leave it alone — the operator
+ *     already migrated or set up fresh.
+ *
+ * Called from ensureSecrets so it runs before any auth-required code path
+ * gets a chance to see the half-migrated state.
+ */
+import {
+  existsSync,
+  readFileSync,
+  writeFileSync,
+  chmodSync,
+  appendFileSync,
+  mkdirSync,
+} from "node:fs";
+import { dirname } from "node:path";
+import { parseEnvContent, removeEnvKey, upsertEnvValue } from "./env.js";
+import { migration0110LogPath } from "./paths.js";
+import type { ControlPlaneState } from "./types.js";
+
+export type MigrateAuth0110Result = {
+  /** True if any change was written to stack.env. */
+  migrated: boolean;
+  /** Human-readable description of what changed (or why nothing did). */
+  reason: string;
+};
+
+export function migrateAuth0110(state: ControlPlaneState): MigrateAuth0110Result {
+  const stackEnvPath = `${state.stackDir}/stack.env`;
+  if (!existsSync(stackEnvPath)) {
+    return { migrated: false, reason: "no stack.env yet (fresh install)" };
+  }
+
+  const before = readFileSync(stackEnvPath, "utf-8");
+  const parsed = parseEnvContent(before);
+  const hasLoginPw = typeof parsed.OP_UI_LOGIN_PASSWORD === "string" && parsed.OP_UI_LOGIN_PASSWORD.length > 0;
+  const hasUiToken = typeof parsed.OP_UI_TOKEN === "string" && parsed.OP_UI_TOKEN.length > 0;
+  const hasAssistantToken = "OP_ASSISTANT_TOKEN" in parsed;
+  const hasUiTokenLine = "OP_UI_TOKEN" in parsed;
+
+  if (hasLoginPw && !hasUiTokenLine && !hasAssistantToken) {
+    return { migrated: false, reason: "already migrated" };
+  }
+
+  let content = before;
+  const changes: string[] = [];
+
+  if (!hasLoginPw && hasUiToken) {
+    content = upsertEnvValue(content, "OP_UI_LOGIN_PASSWORD", parsed.OP_UI_TOKEN);
+    changes.push("promoted OP_UI_TOKEN → OP_UI_LOGIN_PASSWORD");
+  }
+  if (hasUiTokenLine) {
+    content = removeEnvKey(content, "OP_UI_TOKEN");
+    changes.push("removed OP_UI_TOKEN");
+  }
+  if (hasAssistantToken) {
+    content = removeEnvKey(content, "OP_ASSISTANT_TOKEN");
+    changes.push("removed OP_ASSISTANT_TOKEN");
+  }
+
+  if (changes.length === 0) {
+    return { migrated: false, reason: "no changes needed" };
+  }
+
+  // Preserve the 0600 mode the existing file should already have.
+  writeFileSync(stackEnvPath, content, { encoding: "utf-8", mode: 0o600 });
+  try { chmodSync(stackEnvPath, 0o600); } catch { /* best-effort */ }
+
+  // Best-effort audit line. The migration log is small and append-only;
+  // if it fails (perm error, fs full), we don't roll back the migration.
+  try {
+    const logPath = migration0110LogPath(state);
+    mkdirSync(dirname(logPath), { recursive: true });
+    appendFileSync(
+      logPath,
+      `${new Date().toISOString()} migrate-auth-0110 ${changes.join("; ")}\n`,
+      "utf-8",
+    );
+  } catch {
+    /* best-effort */
+  }
+
+  return { migrated: true, reason: changes.join("; ") };
+}

package/src/control-plane/paths.ts

@@ -0,0 +1,82 @@
+/**
+ * Authoritative path resolution for the OpenPalm control plane.
+ *
+ * Every consumer imports from here instead of concatenating paths inline.
+ * When the directory layout changes, update this file only.
+ *
+ * Layout:
+ *   config/        — user-editable config + system config files (auth.json, akm/)
+ *   config/stack/  — compose runtime + stack config (stack.env, guardian.env, stack.yml, addons/)
+ *   cache/         — regenerable/semi-persistent data (akm cache, guardian cache, rollback)
+ *   state/         — persistent service data (assistant, admin, guardian, logs, backups, registry)
+ *   stash/         — akm knowledge (skills, vaults, agents)
+ *   workspace/     — shared work area
+ */
+import type { ControlPlaneState } from "./types.js";
+
+// ── Config directory — user + system config ─────────────────────────────────
+
+/** OpenCode auth token store */
+export const authJsonPath          = (s: ControlPlaneState): string => `${s.configDir}/auth.json`;
+/** akm setup config directory (AKM_CONFIG_DIR) */
+export const akmConfigDir          = (s: ControlPlaneState): string => `${s.configDir}/akm`;
+/** akm setup config file (written by admin on capability save) */
+export const akmConfigPath         = (s: ControlPlaneState): string => `${s.configDir}/akm/config.json`;
+export const tasksDir              = (s: ControlPlaneState): string => `${s.stashDir}/tasks`;
+export const assistantConfigDir    = (s: ControlPlaneState): string => `${s.configDir}/assistant`;
+
+// ── Config/stack directory — compose runtime + stack config ─────────────────
+
+/** System env: capabilities, secrets, tokens */
+export const stackEnvPath          = (s: ControlPlaneState): string => `${s.stackDir}/stack.env`;
+/** Guardian HMAC channel secrets */
+export const guardianEnvPath       = (s: ControlPlaneState): string => `${s.stackDir}/guardian.env`;
+/** Stack spec: capability assignments */
+export const stackSpecFilePath     = (s: ControlPlaneState): string => `${s.stackDir}/stack.yml`;
+
+// ── Cache directory — regenerable/semi-persistent ───────────────────────────
+
+export const akmCacheDir           = (s: ControlPlaneState): string => `${s.cacheDir}/akm`;
+export const guardianCacheDir      = (s: ControlPlaneState): string => `${s.cacheDir}/guardian`;
+export const rollbackDir           = (s: ControlPlaneState): string => `${s.cacheDir}/rollback`;
+
+// ── State directory — persistent service data ───────────────────────────────
+
+export const assistantServiceDir   = (s: ControlPlaneState): string => `${s.stateDir}/assistant`;
+export const adminServiceDir       = (s: ControlPlaneState): string => `${s.stateDir}/admin`;
+export const guardianServiceDir    = (s: ControlPlaneState): string => `${s.stateDir}/guardian`;
+export const guardianStashDir      = (s: ControlPlaneState): string => `${s.stateDir}/guardian/stash`;
+export const guardianAkmDir        = (s: ControlPlaneState): string => `${s.stateDir}/guardian/akm`;
+/** Shared akm operational data (data/, state/ — NOT config, which lives in config/akm/) */
+export const akmStateDir           = (s: ControlPlaneState): string => `${s.stateDir}/akm`;
+export const taskLogDir            = (s: ControlPlaneState, id: string): string => `${s.cacheDir}/akm/tasks/logs/${id}`;
+export const taskLogsRootDir       = (s: ControlPlaneState): string => `${s.cacheDir}/akm/tasks/logs`;
+export const logsDir               = (s: ControlPlaneState): string => `${s.stateDir}/logs`;
+/**
+ * Guardian's own audit log of channel ingress (HMAC verify, replay, rate
+ * limit). Phase 6 of the auth/proxy refactor removed the OpenPalm-side
+ * `admin-audit.jsonl` — OpenCode session logs are the audit trail for
+ * chat + tool activity.
+ */
+export const guardianAuditPath     = (s: ControlPlaneState): string => `${s.stateDir}/logs/guardian-audit.log`;
+/** One-shot 0.11.0 migration log (OP_UI_TOKEN → OPENCODE_SERVER_PASSWORD, endpoints.json move) */
+export const migration0110LogPath  = (s: ControlPlaneState): string => `${s.stateDir}/logs/migration-0.11.0.log`;
+export const backupsDir            = (s: ControlPlaneState): string => `${s.stateDir}/backups`;
+export const registryDir           = (s: ControlPlaneState): string => `${s.stateDir}/registry`;
+export const registryAddonsDir     = (s: ControlPlaneState): string => `${s.stateDir}/registry/addons`;
+export const registryAutomationsDir = (s: ControlPlaneState): string => `${s.stateDir}/registry/automations`;
+export const secretsDir            = (s: ControlPlaneState): string => `${s.stateDir}/secrets`;
+export const secretProviderPath    = (s: ControlPlaneState): string => `${s.stateDir}/secrets/provider.json`;
+export const secretsIndexPath      = (s: ControlPlaneState): string => `${s.stateDir}/secrets/plaintext-index.json`;
+export const passStoreDir          = (s: ControlPlaneState): string => `${s.stateDir}/secrets/pass-store`;
+
+// ── Stash directory ─────────────────────────────────────────────────────────
+
+/** akm vault:user file — lives in the stash */
+export const akmUserVaultPath      = (s: ControlPlaneState): string => `${s.stashDir}/vaults/user.env`;
+
+// ── Stack directory ─────────────────────────────────────────────────────────
+
+export const coreComposePath       = (s: ControlPlaneState): string => `${s.stackDir}/core.compose.yml`;
+export const addonsStackDir        = (s: ControlPlaneState): string => `${s.stackDir}/addons`;
+export const addonComposePath      = (s: ControlPlaneState, name: string): string => `${s.stackDir}/addons/${name}/compose.yml`;

package/src/control-plane/provider-config.ts

@@ -8,7 +8,7 @@ export type SecretProviderConfig = {
 };
 
 function providerConfigPath(state: ControlPlaneState): string {
-  return `${state.dataDir}/secrets/provider.json`;
+  return `${state.stateDir}/secrets/provider.json`;
 }
 
 export function readSecretProviderConfig(state: ControlPlaneState): SecretProviderConfig | null {
@@ -28,7 +28,7 @@ export function readSecretProviderConfig(state: ControlPlaneState): SecretProvid
 }
 
 export function writeSecretProviderConfig(state: ControlPlaneState, config: SecretProviderConfig): void {
-  const dir = `${state.dataDir}/secrets`;
+  const dir = `${state.stateDir}/secrets`;
   mkdirSync(dir, { recursive: true });
   writeFileSync(providerConfigPath(state), JSON.stringify(config, null, 2) + '\n');
 }

package/src/control-plane/provider-models.ts

@@ -0,0 +1,154 @@
+/**
+ * Provider model discovery and API key resolution.
+ *
+ * Used by the admin capabilities test endpoint and the CLI setup wizard
+ * to enumerate the models a configured provider exposes.
+ */
+import { readStackEnv } from "./secrets.js";
+import { PROVIDER_DEFAULT_URLS } from "../provider-constants.js";
+
+/** Static model list for Anthropic (no listing API available). */
+const ANTHROPIC_MODELS = [
+  "claude-opus-4-6",
+  "claude-sonnet-4-6",
+  "claude-opus-4-20250514",
+  "claude-sonnet-4-20250514",
+  "claude-haiku-4-5-20251001",
+  "claude-3-5-sonnet-20241022",
+  "claude-3-5-haiku-20241022",
+];
+
+
+/**
+ * Resolve an API key reference.
+ *
+ * - Empty input → empty string.
+ * - `env:NAME` form → looks up `NAME` in `process.env` first, then falls back
+ *   to `config/stack/stack.env` resolved against `stackDir`.
+ * - Anything else → returned verbatim (treated as a literal key value).
+ */
+function resolveApiKey(apiKeyRef: string, stackDir: string): string {
+  if (!apiKeyRef) return "";
+  if (!apiKeyRef.startsWith("env:")) return apiKeyRef;
+
+  const varName = apiKeyRef.slice(4);
+  if (process.env[varName]) return process.env[varName]!;
+
+  const secrets = readStackEnv(stackDir);
+  return secrets[varName] ?? "";
+}
+
+
+export type ModelDiscoveryReason =
+  | 'none'
+  | 'provider_static'
+  | 'provider_http'
+  | 'missing_base_url'
+  | 'timeout'
+  | 'network';
+
+export type ProviderModelsResult = {
+  models: string[];
+  status: 'ok' | 'recoverable_error';
+  reason: ModelDiscoveryReason;
+  error?: string;
+};
+
+const HTTP_STATUS_LABELS: Record<number, string> = {
+  401: 'Invalid or missing API key',
+  403: 'Access denied — check API key permissions',
+  404: 'Endpoint not found — verify the base URL',
+  429: 'Rate limited — try again shortly',
+  500: 'Provider internal error',
+  502: 'Provider returned a bad gateway error',
+  503: 'Provider is temporarily unavailable',
+};
+
+/**
+ * Enumerate available models for a provider. Returns an `ok` result with a
+ * sorted model list when the provider responds successfully, or a
+ * `recoverable_error` with a structured reason otherwise. Network and timeout
+ * failures are caught and mapped to a result rather than thrown.
+ */
+export async function fetchProviderModels(
+  provider: string,
+  apiKeyRef: string,
+  baseUrl: string,
+  stackDir: string
+): Promise<ProviderModelsResult> {
+  try {
+    if (provider === "anthropic") {
+      return { models: [...ANTHROPIC_MODELS], status: 'ok', reason: 'provider_static' };
+    }
+
+    const resolvedKey = resolveApiKey(apiKeyRef, stackDir);
+
+    if (provider === "ollama") {
+      const base = baseUrl?.trim() || PROVIDER_DEFAULT_URLS.ollama;
+      const url = `${base.replace(/\/+$/, "")}/api/tags`;
+      const res = await fetch(url, { signal: AbortSignal.timeout(5000) });
+      if (!res.ok) {
+        return {
+          models: [],
+          status: 'recoverable_error',
+          reason: 'provider_http',
+          error: `Ollama API returned ${res.status}: ${(HTTP_STATUS_LABELS[res.status] ?? `HTTP ${res.status}`)}`,
+        };
+      }
+      const data = (await res.json()) as { models?: { name: string }[] };
+      const models = (data.models ?? []).map((m) => m.name).sort();
+      return { models, status: 'ok', reason: 'none' };
+    }
+
+    const base = baseUrl?.trim() || PROVIDER_DEFAULT_URLS[provider] || "";
+    if (!base) {
+      return {
+        models: [],
+        status: 'recoverable_error',
+        reason: 'missing_base_url',
+        error: `No base URL configured for provider "${provider}"`,
+      };
+    }
+    const url = `${base.replace(/\/+$/, "")}/v1/models`;
+
+    const headers: Record<string, string> = {};
+    if (resolvedKey) {
+      headers["Authorization"] = `Bearer ${resolvedKey}`;
+    }
+
+    const res = await fetch(url, { headers, signal: AbortSignal.timeout(5000) });
+    if (!res.ok) {
+      let detail = '';
+      try {
+        const json = JSON.parse(await res.text()) as Record<string, unknown>;
+        const errObj = json.error as Record<string, unknown> | string | undefined;
+        detail = (typeof errObj === 'object' && errObj !== null && typeof errObj.message === 'string') ? errObj.message
+          : typeof errObj === 'string' ? errObj
+          : typeof json.message === 'string' ? json.message
+          : typeof json.detail === 'string' ? json.detail : '';
+      } catch { /* ignore parse errors */ }
+      return {
+        models: [],
+        status: 'recoverable_error',
+        reason: 'provider_http',
+        error: detail
+          ? `Provider API returned ${res.status}: ${detail}`
+          : `Provider API returned ${res.status}: ${(HTTP_STATUS_LABELS[res.status] ?? `HTTP ${res.status}`)}`,
+      };
+    }
+    const data = (await res.json()) as { data?: { id: string }[] };
+    const models = (data.data ?? []).map((m) => m.id).sort();
+    return { models, status: 'ok', reason: 'none' };
+  } catch (err) {
+    const message =
+      err instanceof Error && err.name === "TimeoutError"
+        ? "Request timed out after 5s"
+        : String(err);
+    return {
+      models: [],
+      status: 'recoverable_error',
+      reason: err instanceof Error && err.name === 'TimeoutError' ? 'timeout' : 'network',
+      error: message,
+    };
+  }
+}