@pleri/olam-cli 0.1.135 → 0.1.136

package/host-cp/src/plan-chat-service.mjs

@@ -0,0 +1,271 @@
+// plan-chat-service — host-cp sidecar serving two HTTP surfaces on one port:
+//
+//   POST /v1/chunks         — bearer-auth write API; server-injects actor_id +
+//                             actor_type from the bearer principal, validates the
+//                             payload, INSERTs into a source Postgres.
+//   GET  /v1/shape          — proxied straight to a backing Electric SQL server
+//                             (read-only by Electric's contract; no extra auth).
+//   GET  /livez             — liveness probe (200 on healthy; matches the
+//                             agent-memory-service shape so host-cp uses one
+//                             probe pattern for both sidecars).
+//
+// The service is started by `olam plan-chat start` (deferred follow-up task)
+// and managed by host-cp's process supervisor in the long run. For now it is
+// runnable standalone via `node plan-chat-service.mjs`.
+//
+// Configuration is environment-driven so a single binary works in laptop
+// (the K3 container-spike), in a devbox container, and on a host-cp Mac:
+//
+//   OLAM_PLAN_CHAT_PORT          (default 3112)
+//   OLAM_PLAN_CHAT_DATABASE_URL  (default postgres://postgres:spike@localhost:54321/chunks)
+//   OLAM_PLAN_CHAT_ELECTRIC_URL  (default http://localhost:30001)
+//   OLAM_PLAN_CHAT_SECRET_PATH   (default ~/.olam/plan-chat-secret)
+
+import http from 'node:http';
+import { URL } from 'node:url';
+import pg from 'pg';
+import { ensureSecret, timingSafeEqual, SECRET_PATH } from './plan-chat-secret.mjs';
+
+const DEFAULT_PORT = 3112;
+const DEFAULT_DB_URL = 'postgres://postgres:spike@localhost:54321/chunks';
+const DEFAULT_ELECTRIC_URL = 'http://localhost:30001';
+
+const ACTOR_TYPES = new Set(['agent', 'operator', 'codex', 'system']);
+const ROLES = new Set(['user', 'assistant', 'tool', 'system']);
+
+/**
+ * Resolve the bearer principal to (actor_id, actor_type). The minimal-A2
+ * implementation treats every authenticated bearer as the same shared
+ * principal — refinement to multi-principal mapping lands when host-cp's
+ * auth-service integrates (Phase A follow-up, tracked at A6.1 / A4 wiring).
+ *
+ * Callers MUST never use client-supplied actor_id / actor_type; this
+ * function is the single source of authority. T3 mitigation depends on it.
+ *
+ * IMPORTANT — silent-collapse safeguard (audit finding A2.M3, 2026-05-13):
+ * when A4 begins configuring multiple secrets (e.g., agent + operator +
+ * codex bearers), this single-principal collapse becomes a foot-gun: every
+ * caller's writes are attributed to 'agent', regardless of which secret
+ * they authenticated with, and S3 audit-replay attributes operator actions
+ * to agent. The check below fails LOUD when more than one secret is
+ * configured, so an A4 multi-secret rollout cannot land until principal
+ * resolution is wired here. Remove the throw when this function actually
+ * inspects the bearer.
+ */
+function principalFromBearer(bearer) {
+  if (process.env.OLAM_PLAN_CHAT_SECRETS) {
+    // Multi-secret mode reserved for A4 / A6.1; minimal A2 doesn't support it.
+    throw new Error(
+      'plan-chat-service: OLAM_PLAN_CHAT_SECRETS is set but principalFromBearer ' +
+        "still hardcodes ('agent','agent'). Wire multi-principal resolution before " +
+        'enabling multi-secret mode (see plan A4 / A6.1).',
+    );
+  }
+  if (typeof bearer !== 'string' || bearer.length === 0) {
+    throw new Error('plan-chat-service: principalFromBearer called with empty bearer');
+  }
+  return { actorId: 'agent', actorType: 'agent' };
+}
+
+function readJson(req, limit = 65536) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let length = 0;
+    req.on('data', (chunk) => {
+      length += chunk.length;
+      if (length > limit) {
+        reject(Object.assign(new Error('payload-too-large'), { status: 413 }));
+        req.destroy();
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on('end', () => {
+      try {
+        const body = Buffer.concat(chunks).toString('utf8');
+        if (!body) return resolve({});
+        resolve(JSON.parse(body));
+      } catch (_err) {
+        reject(Object.assign(new Error('invalid-json'), { status: 400 }));
+      }
+    });
+    req.on('error', reject);
+  });
+}
+
+function send(res, status, body) {
+  const json = typeof body === 'string' ? body : JSON.stringify(body);
+  res.writeHead(status, {
+    'content-type': typeof body === 'string' ? 'text/plain; charset=utf-8' : 'application/json',
+    'content-length': Buffer.byteLength(json),
+  });
+  res.end(json);
+}
+
+function unauthorized(res) {
+  send(res, 401, { error: 'unauthorized' });
+}
+
+function badRequest(res, message) {
+  send(res, 400, { error: 'bad-request', message });
+}
+
+function validateChunkInput(body) {
+  if (!body || typeof body !== 'object') return 'body must be an object';
+  const required = ['world_id', 'session_id', 'message_id', 'seq', 'role', 'chunk'];
+  for (const key of required) {
+    if (!(key in body)) return `missing field: ${key}`;
+  }
+  if (typeof body.world_id !== 'string' || body.world_id.length === 0) return 'world_id must be a non-empty string';
+  if (typeof body.session_id !== 'string' || body.session_id.length === 0) return 'session_id must be a non-empty string';
+  if (typeof body.message_id !== 'string' || body.message_id.length === 0) return 'message_id must be a non-empty string';
+  if (!Number.isInteger(body.seq) || body.seq < 0) return 'seq must be a non-negative integer';
+  if (typeof body.chunk !== 'string') return 'chunk must be a string';
+  if (!ROLES.has(body.role)) return `role must be one of ${[...ROLES].join(', ')}`;
+  // actor_id and actor_type from the client are IGNORED (server-derived).
+  return null;
+}
+
+/**
+ * Build the HTTP request handler. Pure factory — easy to test against a
+ * stubbed pool. Production callers pass a real pg.Pool.
+ */
+export function createHandler({ pool, bearer, electricUrl }) {
+  if (!pool) throw new Error('createHandler: { pool } required');
+  if (typeof bearer !== 'string' || bearer.length === 0) {
+    throw new Error('createHandler: { bearer } required');
+  }
+  const electricBase = electricUrl ?? DEFAULT_ELECTRIC_URL;
+
+  function checkAuth(req) {
+    const header = req.headers.authorization;
+    if (typeof header !== 'string' || !header.startsWith('Bearer ')) return false;
+    const supplied = header.slice('Bearer '.length).trim();
+    return timingSafeEqual(supplied, bearer);
+  }
+
+  async function handlePostChunks(req, res) {
+    if (!checkAuth(req)) return unauthorized(res);
+    let body;
+    try {
+      body = await readJson(req);
+    } catch (err) {
+      return send(res, err?.status ?? 400, { error: err?.message ?? 'bad-request' });
+    }
+    const invalid = validateChunkInput(body);
+    if (invalid) return badRequest(res, invalid);
+    const principal = principalFromBearer(bearer);
+    try {
+      await pool.query(
+        `INSERT INTO chunks
+           (world_id, session_id, message_id, seq, actor_id, actor_type, role, chunk)
+         VALUES ($1, $2, $3, $4, $5, $6, $7, $8)`,
+        [
+          body.world_id,
+          body.session_id,
+          body.message_id,
+          body.seq,
+          principal.actorId,
+          principal.actorType,
+          body.role,
+          body.chunk,
+        ],
+      );
+    } catch (err) {
+      if (err && typeof err === 'object' && 'code' in err && err.code === '23505') {
+        return send(res, 409, { error: 'duplicate', message: '(message_id, seq) already exists' });
+      }
+      return send(res, 500, { error: 'insert-failed', message: String(err?.message ?? err) });
+    }
+    return send(res, 201, {
+      world_id: body.world_id,
+      session_id: body.session_id,
+      message_id: body.message_id,
+      seq: body.seq,
+      actor_id: principal.actorId,
+      actor_type: principal.actorType,
+    });
+  }
+
+  async function handleGetShape(req, res, url) {
+    // Proxy directly to Electric — read-path is shape-server's responsibility,
+    // not ours; we just preserve the URL and add no auth (Electric is read-only).
+    const upstream = new URL(electricBase);
+    upstream.pathname = '/v1/shape';
+    for (const [key, value] of url.searchParams) upstream.searchParams.set(key, value);
+    try {
+      const upstreamRes = await fetch(upstream, {
+        method: 'GET',
+        headers: { accept: 'application/json' },
+      });
+      const text = await upstreamRes.text();
+      for (const header of ['electric-handle', 'electric-offset', 'electric-up-to-date', 'electric-schema']) {
+        const value = upstreamRes.headers.get(header);
+        if (value) res.setHeader(header, value);
+      }
+      send(res, upstreamRes.status, text || '[]');
+    } catch (err) {
+      send(res, 502, { error: 'shape-upstream-unreachable', message: String(err?.message ?? err) });
+    }
+  }
+
+  return async function handler(req, res) {
+    const url = new URL(req.url ?? '/', `http://${req.headers.host}`);
+    if (req.method === 'GET' && url.pathname === '/livez') return send(res, 200, { ok: true });
+    if (req.method === 'POST' && url.pathname === '/v1/chunks') return handlePostChunks(req, res);
+    if (req.method === 'GET' && url.pathname === '/v1/shape') return handleGetShape(req, res, url);
+    return send(res, 404, { error: 'not-found' });
+  };
+}
+
+/**
+ * Boot the service. Returns the http.Server instance plus a stop() helper.
+ * Callers pass the resolved bearer + pool + electric URL; defaults live in
+ * the standalone launcher below.
+ */
+export async function startService(opts = {}) {
+  const port = opts.port ?? Number(process.env.OLAM_PLAN_CHAT_PORT ?? DEFAULT_PORT);
+  const databaseUrl =
+    opts.databaseUrl ?? process.env.OLAM_PLAN_CHAT_DATABASE_URL ?? DEFAULT_DB_URL;
+  const electricUrl =
+    opts.electricUrl ?? process.env.OLAM_PLAN_CHAT_ELECTRIC_URL ?? DEFAULT_ELECTRIC_URL;
+  const secretPath = opts.secretPath ?? process.env.OLAM_PLAN_CHAT_SECRET_PATH ?? SECRET_PATH;
+  const bearer = opts.bearer ?? ensureSecret(secretPath);
+
+  const pool = opts.pool ?? new pg.Pool({ connectionString: databaseUrl, max: 8 });
+  const handler = createHandler({ pool, bearer, electricUrl });
+  const server = http.createServer((req, res) => {
+    handler(req, res).catch((err) => {
+      try {
+        send(res, 500, { error: 'handler-crash', message: String(err?.message ?? err) });
+      } catch { /* response already started */ }
+    });
+  });
+
+  await new Promise((resolve, reject) => {
+    server.once('error', reject);
+    server.listen(port, () => resolve(undefined));
+  });
+
+  async function stop() {
+    await new Promise((resolve) => server.close(() => resolve(undefined)));
+    if (!opts.pool) await pool.end().catch(() => undefined);
+  }
+
+  return { server, stop, port, bearer };
+}
+
+// Standalone launcher (allows `node plan-chat-service.mjs` for ad-hoc runs +
+// the deferred `olam plan-chat start` lifecycle command).
+if (import.meta.url === `file://${process.argv[1]}`) {
+  startService()
+    .then(({ port }) => {
+      // eslint-disable-next-line no-console
+      console.log(`[plan-chat-service] listening on :${port}`);
+    })
+    .catch((err) => {
+      // eslint-disable-next-line no-console
+      console.error('[plan-chat-service] failed to start:', err);
+      process.exit(1);
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.135",
+  "version": "0.1.136",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"