@openpalm/lib 0.9.6 → 0.9.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openpalm/lib",
-  "version": "0.9.6",
+  "version": "0.9.7",
   "license": "MPL-2.0",
   "type": "module",
   "description": "Shared control-plane library for OpenPalm — lifecycle, staging, secrets, channels, connections, scheduler",

package/src/control-plane/channels.ts

@@ -64,6 +64,9 @@ export function isAllowedService(value: string, stateDir?: string): boolean {
   if (value === "ollama" && stateDir) {
     return existsSync(`${stateDir}/artifacts/ollama.yml`);
   }
+  if ((value === "admin" || value === "caddy" || value === "docker-socket-proxy") && stateDir) {
+    return existsSync(`${stateDir}/artifacts/admin.yml`);
+  }
   if (value.startsWith("channel-")) {
     const ch = value.slice("channel-".length);
     if (!isValidChannelName(ch)) return false;

package/src/control-plane/connection-mapping.ts

@@ -143,10 +143,10 @@ export function buildMem0Mapping(input: Mem0ConnectionMappingInput): Mem0Connect
         config: embedConfig,
       },
       vector_store: {
-        provider: 'qdrant',
+        provider: 'sqlite-vec',
         config: {
           collection_name: 'memory',
-          path: '/data/qdrant',
+          db_path: '/data/memory.db',
           embedding_model_dims: input.embeddingDims,
         },
       },

package/src/control-plane/core-asset-provider.ts

@@ -9,6 +9,7 @@ export interface CoreAssetProvider {
   coreCompose(): string;
   caddyfile(): string;
   ollamaCompose(): string;
+  adminCompose(): string;
   agentsMd(): string;
   opencodeConfig(): string;
   adminOpencodeConfig(): string;

package/src/control-plane/core-assets.ts

@@ -193,6 +193,33 @@ export function readOllamaCompose(assets: CoreAssetProvider): string {
   return readFileSync(path, "utf-8");
 }
 
+// ── Admin Compose Overlay (DATA_HOME source of truth) ────────────────
+
+function adminComposePath(): string {
+  return `${resolveDataHome()}/admin.yml`;
+}
+
+export function ensureAdminCompose(assets: CoreAssetProvider): string {
+  const path = adminComposePath();
+  const content = assets.adminCompose();
+  mkdirSync(dirname(path), { recursive: true });
+  if (!existsSync(path)) {
+    writeFileSync(path, content);
+  } else if (sha256(readFileSync(path, "utf-8")) !== sha256(content)) {
+    const backupDir = join(dirname(path), "backups");
+    mkdirSync(backupDir, { recursive: true });
+    const ts = new Date().toISOString().replace(/[:.]/g, "-");
+    copyFileSync(path, join(backupDir, `admin.${ts}.yml`));
+    writeFileSync(path, content);
+  }
+  return path;
+}
+
+export function readAdminCompose(assets: CoreAssetProvider): string {
+  const path = ensureAdminCompose(assets);
+  return readFileSync(path, "utf-8");
+}
+
 // ── OpenCode System Config (DATA_HOME source of truth) ──────────────
 
 export function ensureOpenCodeSystemConfig(assets: CoreAssetProvider): void {
@@ -238,6 +265,7 @@ const MANAGED_ASSETS: { dataRelPath: string; githubFilename: string }[] = [
   { dataRelPath: "admin/opencode.jsonc", githubFilename: "admin-opencode.jsonc" },
   { dataRelPath: "assistant/AGENTS.md", githubFilename: "AGENTS.md" },
   { dataRelPath: "ollama.yml", githubFilename: "ollama.yml" },
+  { dataRelPath: "admin.yml", githubFilename: "admin.yml" },
   { dataRelPath: "secrets.env.schema", githubFilename: "secrets.env.schema" },
   { dataRelPath: "stack.env.schema", githubFilename: "stack.env.schema" }
 ];

package/src/control-plane/docker.ts

@@ -27,8 +27,9 @@ function parseEnvFile(path: string): Record<string, string> {
   try {
     const content = readFileSync(path, "utf-8");
     for (const line of content.split("\n")) {
-      const trimmed = line.trim();
+      let trimmed = line.trim();
       if (!trimmed || trimmed.startsWith("#")) continue;
+      trimmed = trimmed.replace(/^export\s+/, '');
       const eqIdx = trimmed.indexOf("=");
       if (eqIdx > 0) {
         vars[trimmed.slice(0, eqIdx)] = trimmed.slice(eqIdx + 1);

package/src/control-plane/env.test.ts

@@ -0,0 +1,109 @@
+import { describe, expect, it } from "bun:test";
+import { parseEnvContent, mergeEnvContent } from "./env.js";
+
+// ── Special character round-trips ────────────────────────────────────────
+// Values written by mergeEnvContent (which uses quoteEnvValue internally)
+// must survive a parseEnvContent round-trip — the same path admin tokens
+// and API keys follow when written to secrets.env and read back.
+
+describe("special characters in env values", () => {
+  /** Write a value via mergeEnvContent, parse it back, assert identity. */
+  function roundTrip(key: string, value: string): string {
+    const written = mergeEnvContent("", { [key]: value });
+    const parsed = parseEnvContent(written);
+    expect(parsed[key]).toBe(value);
+    return written;
+  }
+
+  it("round-trips values containing = (common in base64 API keys)", () => {
+    roundTrip("TOKEN", "abc=def=ghi");
+    roundTrip("TOKEN", "dGVzdA==");
+    roundTrip("TOKEN", "key=value=extra=");
+  });
+
+  it("round-trips values containing $ (must not expand)", () => {
+    roundTrip("TOKEN", "price$100");
+    roundTrip("TOKEN", "$HOME/path");
+    roundTrip("TOKEN", "a]$b$c");
+  });
+
+  it("round-trips values containing double quotes", () => {
+    roundTrip("TOKEN", 'say "hello"');
+    roundTrip("TOKEN", '"quoted"');
+  });
+
+  it("round-trips values containing single quotes", () => {
+    roundTrip("TOKEN", "it's a token");
+    roundTrip("TOKEN", "don't stop");
+  });
+
+  it("round-trips values containing newlines", () => {
+    roundTrip("CERT", "line1\nline2");
+    roundTrip("CERT", "a\nb\nc");
+  });
+
+  it("round-trips values with + and / (base64 characters)", () => {
+    roundTrip("KEY", "abc+def/ghi=");
+    roundTrip("KEY", "sk-proj-A1b2C3+xyz/ZZZ==");
+  });
+
+  it("round-trips realistic API key with special chars", () => {
+    roundTrip("OPENAI_API_KEY", "sk-proj-abc123+def/456==");
+    roundTrip("ANTHROPIC_API_KEY", "sk-ant-api03-Abc$Def=Ghi");
+  });
+});
+
+// ── quoteEnvValue quoting strategy ───────────────────────────────────────
+
+describe("quoteEnvValue quoting strategy (via mergeEnvContent)", () => {
+  it("does not quote simple values", () => {
+    const result = mergeEnvContent("", { KEY: "simple123" });
+    expect(result).toContain("KEY=simple123");
+    expect(result).not.toMatch(/KEY=["']/);
+  });
+
+  it("single-quotes values with # (no single quote in value)", () => {
+    const result = mergeEnvContent("", { KEY: "val#ue" });
+    expect(result).toContain("KEY='val#ue'");
+  });
+
+  it("double-quotes values with $ when no single quote present", () => {
+    const result = mergeEnvContent("", { KEY: "val$ue" });
+    // Should use single quotes (preferred) since no single quote in value
+    const parsed = parseEnvContent(result);
+    expect(parsed.KEY).toBe("val$ue");
+  });
+
+  it("does not quote values that only contain =", () => {
+    // = is safe unquoted in dotenv values
+    const result = mergeEnvContent("", { KEY: "abc=def" });
+    expect(result).toContain("KEY=abc=def");
+    expect(result).not.toMatch(/KEY=["']/);
+  });
+});
+
+// ── Update-in-place with special characters ──────────────────────────────
+
+describe("mergeEnvContent updates existing keys with special char values", () => {
+  it("updates an existing key to a value with =", () => {
+    const input = "export ADMIN_TOKEN=old_value\n";
+    const result = mergeEnvContent(input, { ADMIN_TOKEN: "new=value=here" });
+    const parsed = parseEnvContent(result);
+    expect(parsed.ADMIN_TOKEN).toBe("new=value=here");
+  });
+
+  it("updates an existing key to a value with $", () => {
+    const input = "export ADMIN_TOKEN=old_value\n";
+    const result = mergeEnvContent(input, { ADMIN_TOKEN: "tok$en" });
+    const parsed = parseEnvContent(result);
+    expect(parsed.ADMIN_TOKEN).toBe("tok$en");
+  });
+
+  it("preserves export prefix when updating with special chars", () => {
+    const input = "export ADMIN_TOKEN=old_value\n";
+    const result = mergeEnvContent(input, { ADMIN_TOKEN: "new#value" });
+    expect(result).toMatch(/^export ADMIN_TOKEN=/m);
+    const parsed = parseEnvContent(result);
+    expect(parsed.ADMIN_TOKEN).toBe("new#value");
+  });
+});

package/src/control-plane/env.ts

@@ -16,12 +16,12 @@ export function parseEnvFile(filePath: string): Record<string, string> {
 
 function quoteEnvValue(value: string): string {
   if (value.length === 0) return '';
-  const needsQuoting = /[#"'\\\n\r]/.test(value) || value !== value.trim();
+  const needsQuoting = /[#"'\\\n\r$]/.test(value) || value !== value.trim();
   if (!needsQuoting) return value;
 
   if (!value.includes("'")) return `'${value}'`;
 
-  const escaped = value.replace(/\n/g, '\\n').replace(/\r/g, '\\r');
+  const escaped = value.replace(/\\/g, '\\\\').replace(/\$/g, '\\$').replace(/"/g, '\\"').replace(/\n/g, '\\n').replace(/\r/g, '\\r');
   return `"${escaped}"`;
 }
 

package/src/control-plane/fs-asset-provider.ts

@@ -27,6 +27,10 @@ export class FilesystemAssetProvider implements CoreAssetProvider {
     return this.read("ollama.yml");
   }
 
+  adminCompose(): string {
+    return this.read("admin.yml");
+  }
+
   agentsMd(): string {
     return this.read("assistant/AGENTS.md");
   }