@pleri/olam-cli 0.1.144 → 0.1.146

package/host-cp/src/server.mjs

@@ -37,6 +37,7 @@ import { subscribeDockerEvents } from './docker-events.mjs';
 import { createHostStream, newStreamId } from './host-stream.mjs';
 import { spawnUpgraderContainer } from './upgrade-spawner.mjs';
 import { parseProxyPath, perWorldBase, proxyToWorld } from './proxy.mjs';
+import { resolveHostCpEngine } from './engine-identity.mjs';
 import { StartupToken } from './auth.mjs';
 import { SseGate, isSsePath, wireRelease } from './sse-gate.mjs';
 import {
@@ -88,6 +89,11 @@ const HOST_CP_MODE = process.env.OLAM_HOST_CP_MODE
   ?? (fs.existsSync('/.dockerenv') ? 'container' : 'bare');
 const WORLD_HOST = HOST_CP_MODE === 'container' ? 'host.docker.internal' : '127.0.0.1';
 
+// Container-engine identity, surfaced to olam-cli via the X-Olam-Engine
+// response header on /health. Resolution lives in engine-identity.mjs so
+// unit tests can import the pure function without triggering server startup.
+const HOST_CP_ENGINE = resolveHostCpEngine();
+
 const PORT = parseInt(process.env.OLAM_HOST_CP_PORT ?? '19000', 10);
 // In container mode the host-cp talks to the docker daemon via the
 // socket-proxy sidecar (the proxy enforces the read-only API allow-list).
@@ -664,7 +670,13 @@ const server = http.createServer(async (req, res) => {
   // /health: fast diagnostics, no auth, no proxying. Docker healthcheck
   // hits this; SPA pre-load may also poll. Stays unauth so the container
   // healthcheck doesn't need to know the token.
+  //
+  // X-Olam-Engine header surfaces the active container-engine adapter to
+  // olam-cli (consumed by `olam doctor`, `olam logs`, `olam status`). Lives
+  // in the header (NOT the body) so the response body shape stays unchanged
+  // and probes don't accidentally leak engine identity to body parsers.
   if (url.pathname === '/health') {
+    res.setHeader('X-Olam-Engine', HOST_CP_ENGINE);
     return jsonReply(res, 200, {
       status: 'ok',
       phase: 'B4',
@@ -725,6 +737,13 @@ const server = http.createServer(async (req, res) => {
     if (served) return;
   }
 
+  // /api/plan-chat/* bypasses the host-cp session-token gate because the
+  // plan-chat-service it proxies to has its own Bearer auth (the
+  // plan-chat-secret). The proxy handler is registered later in the file;
+  // dispatch by continuing past the gate.
+  if (url.pathname.startsWith('/api/plan-chat/') || url.pathname === '/api/plan-chat') {
+    // fall through to the proxy route below
+  } else
   // ALL OTHER ROUTES require auth. Reject with 401 if neither cookie
   // nor Bearer header matches.
   if (!auth.isAuthorized(req)) {
@@ -1875,7 +1894,7 @@ const server = http.createServer(async (req, res) => {
     if (!await requirePlanCredential(res)) return;
     let body;
     try {
-      body = JSON.parse((await readRequestBody(req)) || '{}');
+      body = await readRequestBody(req);
     } catch (err) {
       return jsonReply(res, 400, { error: 'invalid_json', message: err.message });
     }
@@ -1920,6 +1939,66 @@ const server = http.createServer(async (req, res) => {
     }
   }
 
+  // /api/plan-chat/* — passthrough proxy to plan-chat-service.
+  // The sidecar runs on PLAN_CHAT_SERVICE_URL (default http://127.0.0.1:3112).
+  // Strips the /api/plan-chat prefix; forwards method, headers, body, and
+  // query verbatim. Streams the response (Electric SQL long-poll friendly).
+  // Auth: client supplies Bearer; we don't add or strip it.
+  if (url.pathname.startsWith('/api/plan-chat/') || url.pathname === '/api/plan-chat') {
+    const upstreamBase =
+      process.env.PLAN_CHAT_SERVICE_URL ??
+      // Default depends on where host-cp runs. In-container = host.docker.internal;
+      // bare-node = 127.0.0.1. DOCKER_HOST=tcp://* implies container mode.
+      ((process.env.DOCKER_HOST ?? '').startsWith('tcp://')
+        ? 'http://host.docker.internal:3112'
+        : 'http://127.0.0.1:3112');
+    const subPath = url.pathname === '/api/plan-chat'
+      ? '/'
+      : url.pathname.slice('/api/plan-chat'.length);
+    const upstreamUrl = new URL(subPath + url.search, upstreamBase);
+    try {
+      const headers = {};
+      for (const [k, v] of Object.entries(req.headers)) {
+        if (k === 'host' || k === 'connection' || k === 'content-length') continue;
+        if (Array.isArray(v)) headers[k] = v.join(', ');
+        else if (typeof v === 'string') headers[k] = v;
+      }
+      // Buffer body for non-GET/HEAD; GET shouldn't carry one.
+      let body;
+      if (req.method !== 'GET' && req.method !== 'HEAD') {
+        const chunks = [];
+        for await (const c of req) chunks.push(c);
+        body = Buffer.concat(chunks);
+      }
+      const upstreamRes = await fetch(upstreamUrl.toString(), {
+        method: req.method,
+        headers,
+        body,
+        redirect: 'manual',
+      });
+      res.statusCode = upstreamRes.status;
+      upstreamRes.headers.forEach((value, name) => {
+        if (name === 'content-encoding' || name === 'transfer-encoding' || name === 'connection') return;
+        res.setHeader(name, value);
+      });
+      if (upstreamRes.body) {
+        const reader = upstreamRes.body.getReader();
+        while (true) {
+          const { value, done } = await reader.read();
+          if (done) break;
+          res.write(value);
+        }
+      }
+      return res.end();
+    } catch (err) {
+      return jsonReply(res, 502, {
+        error: 'plan_chat_proxy_failed',
+        upstream: upstreamUrl.toString(),
+        message: err.message,
+      });
+    }
+  }
+
   // GET /api/worlds/:id/processes
   // GET /api/worlds/:id/processes/stream — SSE fanout (5s cadence, per-world)
   // Handler: routes/process-port.mjs → handleListProcesses
@@ -1992,6 +2071,85 @@ const server = http.createServer(async (req, res) => {
     }
   }
 
+  // ── /v1/worlds/:id/{status,logs} (Phase C / C1) ─────────────────
+  //
+  // Engine-agnostic per-world surfaces consumed by `olam status <world>`
+  // and `olam logs <world>`. Delegates to the active ContainerEngine
+  // (DockerEngine or KubernetesEngine) so the wire shape is identical
+  // regardless of the underlying runtime per Decision 17.
+  //
+  // Auth: this branch is INSIDE the `auth.isAuthorized(req)` gate above
+  // (line 742) — any caller without a valid token has already received
+  // 401. The v1-worlds-endpoints.test.mjs source-asserts that this
+  // route is registered after the auth gate, NOT outside it
+  // (Decision 18 — security-critical positional contract).
+  //
+  // worldId hardening: the K8s engine uses worldId as a labelSelector
+  // value (`olam-world-id=<worldId>`). A worldId containing `,` could
+  // synthesise additional label clauses ("comma-injection"). A token-
+  // holding caller already has full host-cp access so this is
+  // defense-in-depth, but we still reject non-canonical values to keep
+  // the engine's external query shape predictable.
+  const V1_WORLD_ID = /^[A-Za-z0-9._-]+$/;
+  const v1WorldsStatusMatch = /^\/v1\/worlds\/([^/?#]+)\/status\/?$/.exec(url.pathname);
+  if (v1WorldsStatusMatch && req.method === 'GET') {
+    const worldId = decodeURIComponent(v1WorldsStatusMatch[1]);
+    if (!V1_WORLD_ID.test(worldId)) {
+      return jsonReply(res, 400, { error: 'invalid_world_id', worldId });
+    }
+    try {
+      const report = await hostCpEngine.getWorldStatus(worldId);
+      return jsonReply(res, 200, report);
+    } catch (err) {
+      return jsonReply(res, 500, {
+        error: 'engine_error',
+        worldId,
+        message: err?.message ?? String(err),
+      });
+    }
+  }
+
+  const v1WorldsLogsMatch = /^\/v1\/worlds\/([^/?#]+)\/logs\/?$/.exec(url.pathname);
+  if (v1WorldsLogsMatch && req.method === 'GET') {
+    const worldId = decodeURIComponent(v1WorldsLogsMatch[1]);
+    if (!V1_WORLD_ID.test(worldId)) {
+      return jsonReply(res, 400, { error: 'invalid_world_id', worldId });
+    }
+    const tailParam = url.searchParams.get('tail');
+    const followParam = url.searchParams.get('follow');
+    const serviceParam = url.searchParams.get('service');
+    const opts = {
+      tail: tailParam != null ? parseInt(tailParam, 10) : 200,
+      follow: followParam === '1' || followParam === 'true',
+      ...(serviceParam ? { service: serviceParam } : {}),
+    };
+    const abortController = new AbortController();
+    req.on('close', () => abortController.abort());
+    res.writeHead(200, {
+      'Content-Type': 'text/plain; charset=utf-8',
+      'Cache-Control': 'no-cache',
+    });
+    try {
+      // Engine yields canonical { ts, container, subContainer, line }
+      // records; server formats one line per record: `<ts> <pod>/<container> <line>`.
+      const iterable = hostCpEngine.getWorldLogs(worldId, { ...opts, signal: abortController.signal });
+      for await (const rec of iterable) {
+        if (res.writableEnded || abortController.signal.aborted) break;
+        const ts = rec.ts || '-';
+        const container = rec.container || '-';
+        const sub = rec.subContainer || container;
+        res.write(`${ts} ${container}/${sub} ${rec.line}\n`);
+      }
+    } catch (err) {
+      if (!res.writableEnded) {
+        res.write(`# engine error: ${err?.message ?? String(err)}\n`);
+      }
+    } finally {
+      if (!res.writableEnded) res.end();
+    }
+    return;
+  }
+
   // Anything else → 404. B4 ships static SPA serving + auth.
   jsonReply(res, 404, {
     error: 'not_found',
@@ -2376,8 +2534,8 @@ const DIST_DIR = (() => {
   return '/app/dist'; // fallback; readFile will surface ENOENT
 })();
 
-const SPA_ROUTES = new Set(['/', '/worlds', '/workspaces', '/inbox', '/repos', '/runbooks']);
-const SPA_PREFIX = ['/world/', '/worlds/', '/workspaces/', '/inbox/', '/repos/', '/runbooks/'];
+const SPA_ROUTES = new Set(['/', '/worlds', '/workspaces', '/inbox', '/repos', '/runbooks', '/plan']);
+const SPA_PREFIX = ['/world/', '/worlds/', '/workspaces/', '/inbox/', '/repos/', '/runbooks/', '/session/', '/plan/'];
 
 // Top-level path segments that are NOT world IDs. Mirrors RESERVED_SEGMENTS
 // in lib/worldId.ts — keep in sync.
@@ -2517,7 +2675,7 @@ async function tryServeStatic(req, res, pathname) {
 // memory thereafter. Cache invalidates on dist/ mtime change so a
 // rebuilt bundle is picked up without restart.
 let _spaCache = null;
-let _spaCacheMtime = 0;
+let _spaCacheKey = '';
 
 /**
  * Bootstrap script injected into the SPA shell. Two responsibilities:
@@ -2595,11 +2753,34 @@ let _spaCacheMtime = 0;
 //       and the token-comparison check skips reload when the cookie
 //       already matches (so non-rotation 401s — e.g. genuine auth
 //       failures — don't cause a refresh loop).
-const BOOTSTRAP_SCRIPT = `<script>(function(){function ck(){var m=document.cookie.match(/olam_host_cp_token=([^;]+)/);return m?m[1]:'';}function sw(t){document.cookie='olam_host_cp_token='+t+'; path=/; samesite=strict';}try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);sw(d.token);}}catch(e){console.error('[host-cp bootstrap]',e);}var reloading=false;function recover(){if(reloading)return;try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);if(d.token&&ck()!==d.token){reloading=true;sw(d.token);console.warn('[host-cp auth recover] token rotated; reloading');location.reload();}}}catch(e){console.error('[host-cp auth recover]',e);}}var HN=['/api/bootstrap','/api/worlds','/api/projects','/api/workspaces','/api/workspaces/match','/api/repos','/api/runbooks','/api/auth','/api/host-stream','/health'];var WP=['/api/','/session/','/hooks/','/dispatch','/lanes','/codex/','/review/'];function sr(p){if(typeof p!=='string')return false;if(p.startsWith('/api/world/'))return false;for(var i=0;i<HN.length;i++){var n=HN[i];if(p===n||p.startsWith(n+'?')||p.startsWith(n+'/'))return false;}for(var j=0;j<WP.length;j++){var w=WP[j];if(p===w||p===w.replace(/\\/$/,'')||p.startsWith(w)||p.startsWith(w.replace(/\\/$/,'')+'?')||p.startsWith(w.replace(/\\/$/,'')+'/'))return true;}return false;}function wid(){var p=location.pathname;var m=p.match(/^\\/(world|inbox)\\/([^/?#]+)/);if(m)return m[2];if(/^\\/(?:worlds?|workspaces?|world|sandbox|inbox|plan|design|repos|runbooks|assets|api|health|favicon)($|\\/|\\?)/.test(p))return null;var r=p.match(/^\\/([a-z][a-z0-9-]+)(?:\\/|$|\\?)/);return r?r[1]:null;}function rw(p){var w=wid();return w?'/api/world/'+w+p:p;}var of=window.fetch.bind(window);window.fetch=function(input,init){var pr;if(typeof input==='string'&&sr(input))pr=of(rw(input),init);else if(input&&typeof input.url==='string'&&sr(input.url))pr=of(new Request(rw(input.url),input),init);else pr=of(input,init);return pr.then(function(res){if(res&&res.status===401)recover();return res;});};var OE=window.EventSource;if(OE){window.EventSource=function(u,i){var s=u;if(typeof s==='string'&&sr(s))s=rw(s);var es=new OE(s,i);es.addEventListener('error',function(){if(es.readyState===OE.CLOSED)recover();});return es;};window.EventSource.prototype=OE.prototype;window.EventSource.CONNECTING=OE.CONNECTING;window.EventSource.OPEN=OE.OPEN;window.EventSource.CLOSED=OE.CLOSED;}})();</script>`;
+const BOOTSTRAP_SCRIPT = `<script>(function(){function ck(){var m=document.cookie.match(/olam_host_cp_token=([^;]+)/);return m?m[1]:'';}function sw(t){document.cookie='olam_host_cp_token='+t+'; path=/; samesite=strict';}try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);sw(d.token);}}catch(e){console.error('[host-cp bootstrap]',e);}var reloading=false;function recover(){if(reloading)return;try{var x=new XMLHttpRequest();x.open('GET','/api/bootstrap',false);x.send();if(x.status===200){var d=JSON.parse(x.responseText);if(d.token&&ck()!==d.token){reloading=true;sw(d.token);console.warn('[host-cp auth recover] token rotated; reloading');location.reload();}}}catch(e){console.error('[host-cp auth recover]',e);}}var HN=['/api/bootstrap','/api/worlds','/api/projects','/api/workspaces','/api/workspaces/match','/api/repos','/api/runbooks','/api/auth','/api/host-stream','/api/plan-chat','/api/plan/agent-runtime','/health'];var WP=['/api/','/session/','/hooks/','/dispatch','/lanes','/codex/','/review/'];function sr(p){if(typeof p!=='string')return false;if(p.startsWith('/api/world/'))return false;for(var i=0;i<HN.length;i++){var n=HN[i];if(p===n||p.startsWith(n+'?')||p.startsWith(n+'/'))return false;}for(var j=0;j<WP.length;j++){var w=WP[j];if(p===w||p===w.replace(/\\/$/,'')||p.startsWith(w)||p.startsWith(w.replace(/\\/$/,'')+'?')||p.startsWith(w.replace(/\\/$/,'')+'/'))return true;}return false;}function wid(){var p=location.pathname;var m=p.match(/^\\/(world|inbox|session)\\/([^/?#]+)/);if(m)return m[2];if(/^\\/(?:worlds?|workspaces?|world|sandbox|session|inbox|plan|design|repos|runbooks|assets|api|health|favicon)($|\\/|\\?)/.test(p))return null;var r=p.match(/^\\/([a-z][a-z0-9-]+)(?:\\/|$|\\?)/);return r?r[1]:null;}function rw(p){var w=wid();return w?'/api/world/'+w+p:p;}var of=window.fetch.bind(window);window.fetch=function(input,init){var pr;if(typeof input==='string'&&sr(input))pr=of(rw(input),init);else if(input&&typeof input.url==='string'&&sr(input.url))pr=of(new Request(rw(input.url),input),init);else pr=of(input,init);return pr.then(function(res){if(res&&res.status===401)recover();return res;});};var OE=window.EventSource;if(OE){window.EventSource=function(u,i){var s=u;if(typeof s==='string'&&sr(s))s=rw(s);var es=new OE(s,i);es.addEventListener('error',function(){if(es.readyState===OE.CLOSED)recover();});return es;};window.EventSource.prototype=OE.prototype;window.EventSource.CONNECTING=OE.CONNECTING;window.EventSource.OPEN=OE.OPEN;window.EventSource.CLOSED=OE.CLOSED;}})();</script>`;
+
+/**
+ * Build the plan-chat bearer injection script. Reads
+ * ~/.olam/plan-chat-secret on every shell render (cheap; tiny file)
+ * so secret rotation propagates without restart. Missing secret →
+ * no injection; PlanChatRoute falls back to the URL-hash channel.
+ *
+ * Operator-local single-user mode only. Multi-tenant deploys will
+ * replace this with one of the 3 candidates in chunks-collection.ts.
+ */
+function buildPlanChatBearerInjection() {
+  try {
+    const bearer = readPlanChatSecret();
+    if (!bearer) return '';
+    // JSON.stringify escapes for safe embedding inside the <script>.
+    return `<script>window.__OLAM_PLAN_CHAT_BEARER__=${JSON.stringify(bearer)};</script>`;
+  } catch {
+    return '';
+  }
+}
 
 async function renderSpaShell(filePath) {
   const stat = fs.statSync(filePath);
-  if (_spaCache !== null && stat.mtimeMs === _spaCacheMtime) {
+  const bearerInjection = buildPlanChatBearerInjection();
+  // Cache key must include the bearer so rotation invalidates correctly.
+  const cacheKey = stat.mtimeMs + ':' + bearerInjection.length;
+  if (_spaCache !== null && _spaCacheKey === cacheKey) {
     return _spaCache;
   }
   let html = fs.readFileSync(filePath, 'utf-8');
@@ -2610,10 +2791,12 @@ async function renderSpaShell(filePath) {
   // (/, /worlds, /workspaces, /world/<id>) reference the same bundle.
   html = html.replace(/(href|src)="\.\/assets\//g, '$1="/assets/');
   // Inject right after <head> so the bootstrap runs before any other
-  // script tag on the page.
-  html = html.replace(/<head>/i, `<head>\n    ${BOOTSTRAP_SCRIPT}`);
+  // script tag on the page. Bearer injection runs after the host-cp
+  // bootstrap so window.__OLAM_PLAN_CHAT_BEARER__ is set before the
+  // SPA bundle reads it.
+  html = html.replace(/<head>/i, `<head>\n    ${BOOTSTRAP_SCRIPT}\n    ${bearerInjection}`);
   _spaCache = html;
-  _spaCacheMtime = stat.mtimeMs;
+  _spaCacheKey = cacheKey;
   return html;
 }
 
@@ -2701,12 +2884,39 @@ startWorldsSnapshotLoop();
 startTunnelsSnapshotLoop();
 startListeningSnapshotLoop();
 
+// ── Phase 1a / B1 (PR3): engine-select + await-before-listen ─────
+//
+// Decision 15: the async KubernetesEngine factory MUST be fully awaited
+// BEFORE `server.listen()`. If the factory throws (context-allowlist guard
+// rejects a non-local kubectl context), startup aborts via the top-level
+// await's unhandled rejection — the HTTP server never binds. No half-live
+// state.
+//
+// Selection precedence matches the existing resolveHostCpEngine():
+//   1. OLAM_HOST_CP_ENGINE=kubernetes  → KubernetesEngine
+//   2. KUBERNETES_SERVICE_HOST set     → KubernetesEngine (autodetect)
+//   3. otherwise                       → DockerEngine
+//
+// DockerEngine ships as a sync factory (no await needed), but we still
+// resolve through the same async branch for symmetry — the call-site
+// migration to engine.* methods is a downstream task; today the engine
+// instance is held for /health diagnostic + future use.
+const hostCpEngine = await (async () => {
+  if (HOST_CP_ENGINE === 'kubernetes') {
+    const { createKubernetesEngine } = await import('./engines/kubernetes.mjs');
+    return createKubernetesEngine({ env: process.env });
+  }
+  const { createDockerEngine } = await import('./engines/docker.mjs');
+  return createDockerEngine({ dockerHost: DOCKER_HOST });
+})();
+
 server.listen(PORT, '0.0.0.0', () => {
   console.log(`olam-host-cp B3 listening on :${PORT}`);
   console.log(`  DOCKER_HOST=${DOCKER_HOST}`);
   console.log(`  cache TTL=${TTL_SEC}s`);
   console.log(`  worlds known: ${Object.keys(WORLDS).join(', ') || '(none)'}`);
   console.log(`  mode=${HOST_CP_MODE} world-host=${HOST_FOR_WORLD}`);
+  console.log(`  engine=${hostCpEngine.engineName}${hostCpEngine.context ? ` ctx=${hostCpEngine.context}` : ''}`);
   console.log(`  (override: OLAM_HOST_CP_MODE=container|bare, OLAM_HOST_FOR_WORLD=<host>)`);
   // Surface the auth wiring state at boot. An empty OLAM_AUTH_SECRET
   // here is silently fatal for the credential surfaces — the operator

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.144",
+  "version": "0.1.146",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"
@@ -31,7 +31,8 @@
     "test": "vitest run --passWithNoTests",
     "test:ci": "vitest run --reporter=basic --passWithNoTests",
     "test:docker": "vitest run --config vitest.config.docker.ts",
-    "audit:publish-deps": "node scripts/audit-publish-deps.mjs"
+    "audit:publish-deps": "node scripts/audit-publish-deps.mjs",
+    "audit:cli-bundle-k8s": "node scripts/audit-cli-bundle-k8s.mjs"
   },
   "dependencies": {
     "better-sqlite3": "^12.0.0",