@rubytech/create-maxy 0.3.7 → 0.3.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "0.3.7",
+  "version": "0.3.9",
   "description": "Install Maxy — your personal AI assistant",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/maxy/app/api/admin/session/route.ts

@@ -2,10 +2,27 @@ import { NextResponse } from 'next/server'
 import { registerSession } from '../../../lib/claude-agent'
 import { readFileSync, readdirSync, existsSync } from 'node:fs'
 import { resolve } from 'node:path'
+import { createHash } from 'node:crypto'
 
-const ADMIN_PIN = process.env.ADMIN_PIN
+const PERSISTENT_DIR = resolve(process.env.HOME ?? '/root', '.maxy')
+const PIN_FILE = resolve(PERSISTENT_DIR, '.admin-pin')
 const ACCOUNTS_DIR = resolve(process.cwd(), '../platform/config/accounts')
 
+function hashPin(pin: string): string {
+  return createHash('sha256').update(pin).digest('hex')
+}
+
+function getStoredPinHash(): string | null {
+  if (existsSync(PIN_FILE)) {
+    return readFileSync(PIN_FILE, 'utf-8').trim()
+  }
+  // Fallback to env var (legacy)
+  if (process.env.ADMIN_PIN) {
+    return hashPin(process.env.ADMIN_PIN)
+  }
+  return null
+}
+
 function getDefaultAccountId(): string | null {
   if (!existsSync(ACCOUNTS_DIR)) return null
   const entries = readdirSync(ACCOUNTS_DIR, { withFileTypes: true })
@@ -25,9 +42,11 @@ function getDefaultAccountId(): string | null {
  * Body: { pin: string }
  */
 export async function POST(req: Request) {
-  if (!ADMIN_PIN) {
+  const storedHash = getStoredPinHash()
+
+  if (!storedHash) {
     return NextResponse.json(
-      { error: 'Admin access is not configured. Set ADMIN_PIN environment variable.' },
+      { error: 'PIN not configured. Complete onboarding first.' },
       { status: 503 },
     )
   }
@@ -39,14 +58,11 @@ export async function POST(req: Request) {
     return NextResponse.json({ error: 'Invalid request' }, { status: 400 })
   }
 
-  if (!body.pin || body.pin !== ADMIN_PIN) {
+  if (!body.pin || hashPin(body.pin) !== storedHash) {
     return NextResponse.json({ error: 'Invalid PIN' }, { status: 401 })
   }
 
-  const accountId = getDefaultAccountId()
-  if (!accountId) {
-    return NextResponse.json({ error: 'No account configured' }, { status: 503 })
-  }
+  const accountId = getDefaultAccountId() ?? 'default'
 
   const sessionKey = crypto.randomUUID()
   registerSession(sessionKey, 'admin', accountId)

package/payload/maxy/app/api/health/route.ts

@@ -0,0 +1,23 @@
+import { NextResponse } from 'next/server'
+import { existsSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const INSTALL_DIR = resolve(process.cwd(), '..')
+const PIN_FILE = resolve(INSTALL_DIR, '.maxy', '.admin-pin')
+const HOME_PIN_FILE = resolve(process.env.HOME ?? '/root', '.maxy', '.admin-pin')
+
+/**
+ * GET /api/health
+ * Returns platform state for the onboarding flow.
+ */
+export async function GET() {
+  const pinConfigured = existsSync(PIN_FILE) || existsSync(HOME_PIN_FILE) || !!process.env.ADMIN_PIN
+
+  // TODO: check Claude Code auth status
+  const claudeAuthenticated = false
+
+  return NextResponse.json({
+    pin_configured: pinConfigured,
+    claude_authenticated: claudeAuthenticated,
+  })
+}

package/payload/maxy/app/api/onboarding/set-pin/route.ts

@@ -0,0 +1,44 @@
+import { NextResponse } from 'next/server'
+import { existsSync, writeFileSync, mkdirSync, readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { createHash } from 'node:crypto'
+
+const PERSISTENT_DIR = resolve(process.env.HOME ?? '/root', '.maxy')
+const PIN_FILE = resolve(PERSISTENT_DIR, '.admin-pin')
+
+function hashPin(pin: string): string {
+  return createHash('sha256').update(pin).digest('hex')
+}
+
+/**
+ * POST /api/onboarding/set-pin
+ * Sets the admin PIN. Only works when no PIN is configured.
+ * Body: { pin: string }
+ */
+export async function POST(req: Request) {
+  if (existsSync(PIN_FILE)) {
+    return NextResponse.json(
+      { error: 'PIN is already configured.' },
+      { status: 409 },
+    )
+  }
+
+  let body: { pin: string }
+  try {
+    body = await req.json()
+  } catch {
+    return NextResponse.json({ error: 'Invalid request' }, { status: 400 })
+  }
+
+  if (!body.pin || body.pin.length < 4) {
+    return NextResponse.json(
+      { error: 'PIN must be at least 4 characters.' },
+      { status: 400 },
+    )
+  }
+
+  mkdirSync(PERSISTENT_DIR, { recursive: true })
+  writeFileSync(PIN_FILE, hashPin(body.pin), { mode: 0o600 })
+
+  return NextResponse.json({ ok: true })
+}

package/payload/maxy/app/globals.css

@@ -1340,11 +1340,42 @@ a:hover {
 
 .admin-pin-form form {
   display: flex;
+  flex-direction: column;
   gap: 8px;
   width: 100%;
   max-width: 300px;
 }
 
+.pin-input-row {
+  display: flex;
+  gap: 8px;
+  align-items: center;
+}
+
+.pin-input-row .chat-input {
+  flex: 1;
+}
+
+.pin-toggle {
+  background: none;
+  border: 1px solid var(--border-strong);
+  border-radius: 50%;
+  width: 40px;
+  height: 40px;
+  cursor: pointer;
+  font-size: 16px;
+  color: var(--text-secondary);
+  flex-shrink: 0;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  transition: border-color 0.15s;
+}
+
+.pin-toggle:hover {
+  border-color: var(--sage);
+}
+
 .admin-pin-error {
   color: #c44;
   font-size: 14px;

package/payload/maxy/app/page.tsx

@@ -3,6 +3,8 @@
 import { useState, useRef, useEffect, FormEvent } from 'react'
 import { ActivityEvent, type AdminEvent } from './admin/components/ActivityEvent'
 
+type AppState = 'loading' | 'set-pin' | 'enter-pin' | 'chat'
+
 interface Message {
   role: 'admin' | 'maxy'
   content?: string
@@ -10,9 +12,11 @@ interface Message {
 }
 
 export default function AdminPage() {
-  const [authenticated, setAuthenticated] = useState(false)
+  const [appState, setAppState] = useState<AppState>('loading')
   const [pin, setPin] = useState('')
+  const [confirmPin, setConfirmPin] = useState('')
   const [pinError, setPinError] = useState('')
+  const [showPin, setShowPin] = useState(false)
   const [sessionKey, setSessionKey] = useState<string | null>(null)
   const [messages, setMessages] = useState<Message[]>([])
   const [input, setInput] = useState('')
@@ -25,22 +29,80 @@ export default function AdminPage() {
     messagesEndRef.current?.scrollIntoView({ behavior: 'smooth' })
   }, [messages])
 
+  // Check platform state on mount
   useEffect(() => {
-    if (authenticated) inputRef.current?.focus()
-    else pinInputRef.current?.focus()
-  }, [authenticated])
+    async function checkHealth() {
+      try {
+        const res = await fetch('/api/health')
+        if (!res.ok) {
+          setAppState('set-pin')
+          return
+        }
+        const health = await res.json()
+        setAppState(health.pin_configured ? 'enter-pin' : 'set-pin')
+      } catch {
+        setAppState('set-pin')
+      }
+    }
+    checkHealth()
+  }, [])
+
+  useEffect(() => {
+    if (appState === 'set-pin' || appState === 'enter-pin') {
+      setTimeout(() => pinInputRef.current?.focus(), 100)
+    }
+    if (appState === 'chat') {
+      setTimeout(() => inputRef.current?.focus(), 100)
+    }
+  }, [appState])
 
-  async function handlePinSubmit(e: FormEvent) {
+  async function handleSetPin(e: FormEvent) {
     e.preventDefault()
     setPinError('')
 
+    if (pin.length < 4) {
+      setPinError('PIN must be at least 4 characters.')
+      return
+    }
+    if (pin !== confirmPin) {
+      setPinError('PINs do not match.')
+      return
+    }
+
     try {
-      const res = await fetch('/api/admin/session', {
+      const res = await fetch('/api/onboarding/set-pin', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ pin }),
       })
 
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}))
+        setPinError(data.error || 'Failed to set PIN.')
+        return
+      }
+
+      // PIN set — now log in with it
+      await doLogin(pin)
+    } catch {
+      setPinError('Could not connect.')
+    }
+  }
+
+  async function handleLogin(e: FormEvent) {
+    e.preventDefault()
+    setPinError('')
+    await doLogin(pin)
+  }
+
+  async function doLogin(pinValue: string) {
+    try {
+      const res = await fetch('/api/admin/session', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ pin: pinValue }),
+      })
+
       if (!res.ok) {
         const data = await res.json().catch(() => ({}))
         setPinError(data.error || 'Invalid PIN')
@@ -49,7 +111,9 @@ export default function AdminPage() {
 
       const data = await res.json()
       setSessionKey(data.session_key)
-      setAuthenticated(true)
+      setPin('')
+      setConfirmPin('')
+      setAppState('chat')
     } catch {
       setPinError('Could not connect.')
     }
@@ -97,16 +161,10 @@ export default function AdminPage() {
           if (payload === '[DONE]') continue
 
           let parsed: { type: string; [key: string]: unknown }
-          try {
-            parsed = JSON.parse(payload)
-          } catch {
-            continue
-          }
-
+          try { parsed = JSON.parse(payload) } catch { continue }
           if (parsed.type === 'done' || parsed.type === 'session_init') continue
 
           const event = parsed as AdminEvent
-
           setMessages(prev => {
             const updated = [...prev]
             const msg = updated[messageIndex]
@@ -136,12 +194,66 @@ export default function AdminPage() {
     }
   }
 
-  function handleSubmit(e: FormEvent) {
-    e.preventDefault()
-    sendMessage(input.trim())
+  // --- Loading ---
+  if (appState === 'loading') {
+    return (
+      <div className="chat-page admin-page">
+        <header className="chat-header">
+          <img src="/brand/maxy-black.png" alt="Maxy" className="chat-logo" />
+        </header>
+      </div>
+    )
+  }
+
+  // --- Set PIN (first boot) ---
+  if (appState === 'set-pin') {
+    return (
+      <div className="chat-page admin-page">
+        <header className="chat-header">
+          <img src="/brand/maxy-black.png" alt="Maxy" className="chat-logo" />
+          <h1 className="chat-tagline">Welcome to Maxy</h1>
+          <p className="chat-intro">Choose a PIN to secure your admin access.</p>
+        </header>
+        <div className="admin-pin-form">
+          <form onSubmit={handleSetPin}>
+            <div className="pin-input-row">
+              <input
+                ref={pinInputRef}
+                type={showPin ? 'text' : 'password'}
+                value={pin}
+                onChange={e => setPin(e.target.value)}
+                placeholder="Choose a PIN"
+                className="chat-input"
+                autoFocus
+              />
+              <button type="button" className="pin-toggle" onClick={() => setShowPin(!showPin)} aria-label={showPin ? 'Hide' : 'Show'}>
+                {showPin ? '◉' : '○'}
+              </button>
+            </div>
+            <div className="pin-input-row">
+              <input
+                type={showPin ? 'text' : 'password'}
+                value={confirmPin}
+                onChange={e => setConfirmPin(e.target.value)}
+                placeholder="Confirm PIN"
+                className="chat-input"
+              />
+              <button type="submit" className="chat-send" disabled={!pin || !confirmPin} aria-label="Set PIN">
+                <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+                  <line x1="5" y1="12" x2="19" y2="12" />
+                  <polyline points="12 5 19 12 12 19" />
+                </svg>
+              </button>
+            </div>
+          </form>
+          {pinError && <p className="admin-pin-error">{pinError}</p>}
+        </div>
+      </div>
+    )
   }
 
-  if (!authenticated) {
+  // --- Enter PIN (returning user) ---
+  if (appState === 'enter-pin') {
     return (
       <div className="chat-page admin-page">
         <header className="chat-header">
@@ -150,22 +262,27 @@ export default function AdminPage() {
           <p className="chat-intro">Convenience as standard.</p>
         </header>
         <div className="admin-pin-form">
-          <form onSubmit={handlePinSubmit}>
-            <input
-              ref={pinInputRef}
-              type="password"
-              value={pin}
-              onChange={e => setPin(e.target.value)}
-              placeholder="Enter PIN"
-              className="chat-input"
-              autoFocus
-            />
-            <button type="submit" className="chat-send" disabled={!pin}>
-              <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
-                <line x1="5" y1="12" x2="19" y2="12" />
-                <polyline points="12 5 19 12 12 19" />
-              </svg>
-            </button>
+          <form onSubmit={handleLogin}>
+            <div className="pin-input-row">
+              <input
+                ref={pinInputRef}
+                type={showPin ? 'text' : 'password'}
+                value={pin}
+                onChange={e => setPin(e.target.value)}
+                placeholder="Enter PIN"
+                className="chat-input"
+                autoFocus
+              />
+              <button type="button" className="pin-toggle" onClick={() => setShowPin(!showPin)} aria-label={showPin ? 'Hide' : 'Show'}>
+                {showPin ? '◉' : '○'}
+              </button>
+              <button type="submit" className="chat-send" disabled={!pin}>
+                <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+                  <line x1="5" y1="12" x2="19" y2="12" />
+                  <polyline points="12 5 19 12 12 19" />
+                </svg>
+              </button>
+            </div>
           </form>
           {pinError && <p className="admin-pin-error">{pinError}</p>}
         </div>
@@ -173,6 +290,7 @@ export default function AdminPage() {
     )
   }
 
+  // --- Chat ---
   return (
     <div className="chat-page admin-page">
       <header className="chat-header">
@@ -206,7 +324,7 @@ export default function AdminPage() {
       </div>
 
       <div className="chat-input-area">
-        <form className="chat-form" onSubmit={handleSubmit}>
+        <form className="chat-form" onSubmit={(e) => { e.preventDefault(); sendMessage(input.trim()) }}>
           <input
             ref={inputRef}
             className="chat-input"