@venturewild/workspace 0.1.0

package/server/src/share.mjs

@@ -0,0 +1,80 @@
+// Share-by-URL token issuance + verification (AR-20).
+// Reuses bmo-sync invite shape: tokens are signed claims with role + workspace + expiry.
+
+import { SignJWT, jwtVerify } from 'jose';
+import { nanoid } from 'nanoid';
+
+const SHARE_ISSUER = 'wild-workspace';
+
+function secretToKey(secret) {
+  return new TextEncoder().encode(secret);
+}
+
+export async function mintShareToken({
+  secret,
+  workspaceId,
+  role,
+  ttlSeconds = 60 * 60 * 24, // 24h default per R17 mitigation
+  audience = 'wild-workspace-viewer',
+  subject = nanoid(12),
+}) {
+  if (!['viewer', 'client'].includes(role)) {
+    throw new Error(`shareable role must be 'viewer' or 'client'; got ${role}`);
+  }
+  const key = secretToKey(secret);
+  const iat = Math.floor(Date.now() / 1000);
+  const exp = iat + ttlSeconds;
+  const jwt = await new SignJWT({
+    role,
+    workspaceId,
+    jti: nanoid(16),
+  })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuer(SHARE_ISSUER)
+    .setAudience(audience)
+    .setSubject(subject)
+    .setIssuedAt(iat)
+    .setExpirationTime(exp)
+    .sign(key);
+  return { token: jwt, exp, role, workspaceId, sub: subject };
+}
+
+export async function verifyShareToken(token, secret) {
+  if (!token) return null;
+  try {
+    const { payload } = await jwtVerify(token, secretToKey(secret), {
+      issuer: SHARE_ISSUER,
+    });
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+export function buildShareUrl({ shareBaseUrl, workspaceId, token }) {
+  const base = shareBaseUrl.replace(/\/$/, '');
+  return `${base}/share/${encodeURIComponent(workspaceId)}?t=${encodeURIComponent(token)}`;
+}
+
+// Simple in-memory token registry so the partner can list + revoke.
+// Reset on process restart — acceptable for v1; persisted in bmo-sync in v1.x.
+export class TokenRegistry {
+  constructor() {
+    this.tokens = new Map(); // jti -> { sub, role, workspaceId, exp, label, createdAt }
+    this.revoked = new Set();
+  }
+  add(record) {
+    this.tokens.set(record.sub, record);
+  }
+  list() {
+    const now = Math.floor(Date.now() / 1000);
+    return [...this.tokens.values()].filter((r) => r.exp > now && !this.revoked.has(r.sub));
+  }
+  revoke(sub) {
+    this.revoked.add(sub);
+    this.tokens.delete(sub);
+  }
+  isRevoked(sub) {
+    return this.revoked.has(sub);
+  }
+}

package/server/src/sync.mjs

@@ -0,0 +1,176 @@
+// bmo-sync folder sharing — wild-workspace's control plane for the daemon.
+//
+// wild-workspace does not run the sync engine; the bmo-sync daemon does
+// (a separate local process — see bmo-sync/daemon/README.md). This module is
+// the thin HTTP client wild-workspace uses to drive it:
+//
+//   - pair / detach / list a workspace folder against the local daemon
+//     (http://127.0.0.1:8320);
+//   - mint an invite against the central server's admin API — but only when
+//     an admin key is configured. Most installs only ever *redeem* invites,
+//     and that path runs entirely through the daemon and needs no secret.
+//
+// The daemon may not be running. Read paths (health / listWorkspaces /
+// status) degrade to an "offline" result instead of throwing; explicit
+// actions (pair / detach / createInvite) throw a readable error for the UI.
+
+const DAEMON_TIMEOUT_MS = 4000;
+// Pairing and invite creation reach the central server on Fly.io, which can
+// cold-start (~1s+) when idle — give those calls a longer leash.
+const SERVER_TIMEOUT_MS = 12000;
+
+export class SyncControl {
+  /**
+   * @param {object}        opts
+   * @param {string}        opts.daemonHttpUrl     daemon HTTP origin, e.g. http://127.0.0.1:8320
+   * @param {string}        opts.bmoSyncServerUrl  central server, e.g. https://sync.venturewild.llc
+   * @param {string|null}  [opts.adminKey]         central-server X-Admin-Key; null = redeem-only
+   * @param {typeof fetch} [opts.fetchImpl]        injectable fetch (tests)
+   */
+  constructor({ daemonHttpUrl, bmoSyncServerUrl, adminKey = null, fetchImpl } = {}) {
+    this.daemonBase = trimSlash(daemonHttpUrl) || 'http://127.0.0.1:8320';
+    this.serverBase = trimSlash(bmoSyncServerUrl) || 'https://sync.venturewild.llc';
+    this.adminKey = adminKey || null;
+    this._fetch = fetchImpl || globalThis.fetch;
+  }
+
+  /** True when this install can mint invites (an admin key is configured). */
+  get canInvite() {
+    return Boolean(this.adminKey);
+  }
+
+  /** Liveness of the local daemon. Never throws. */
+  async health() {
+    try {
+      const res = await this._fetch(`${this.daemonBase}/health`, {
+        signal: AbortSignal.timeout(DAEMON_TIMEOUT_MS),
+      });
+      if (!res.ok) return { running: false };
+      const body = await res.json().catch(() => ({}));
+      return { running: body?.status === 'ok' };
+    } catch {
+      return { running: false };
+    }
+  }
+
+  /** Paired workspaces the daemon is syncing. [] when the daemon is down. */
+  async listWorkspaces() {
+    try {
+      const res = await this._fetch(`${this.daemonBase}/api/workspaces`, {
+        signal: AbortSignal.timeout(DAEMON_TIMEOUT_MS),
+      });
+      if (!res.ok) return [];
+      const body = await res.json().catch(() => ({}));
+      return Array.isArray(body?.workspaces) ? body.workspaces : [];
+    } catch {
+      return [];
+    }
+  }
+
+  /**
+   * Snapshot for the Sync panel: daemon liveness, paired workspaces, and
+   * whether this install can mint invites. Never throws — a missing daemon
+   * is a normal, displayable state.
+   */
+  async status() {
+    const [health, workspaces] = await Promise.all([
+      this.health(),
+      this.listWorkspaces(),
+    ]);
+    return {
+      daemon: health,
+      workspaces,
+      paired: workspaces.length > 0,
+      canInvite: this.canInvite,
+    };
+  }
+
+  /**
+   * Pair this workspace folder with a shared project by redeeming an invite.
+   * The daemon redeems against the central server, persists the pairing, and
+   * starts syncing `rootPath`. Throws a readable error on a bad invite or an
+   * unreachable daemon.
+   */
+  async pair(inviteCode, rootPath) {
+    const code = String(inviteCode || '').trim();
+    if (!code) throw new Error('An invite code is required.');
+    if (!rootPath) throw new Error('No workspace folder to pair.');
+    const res = await this._daemonFetch(`${this.daemonBase}/api/pair`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ inviteCode: code, rootPath }),
+      // Pairing redeems against the central server — allow for a cold start.
+      signal: AbortSignal.timeout(SERVER_TIMEOUT_MS),
+    });
+    const body = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      throw new Error(body?.error || `Pairing failed (HTTP ${res.status}).`);
+    }
+    return body.workspace || body;
+  }
+
+  /** Stop syncing a workspace and forget the pairing. */
+  async detach(workspaceId) {
+    const id = String(workspaceId || '').trim();
+    if (!id) throw new Error('A workspace id is required.');
+    const res = await this._daemonFetch(
+      `${this.daemonBase}/api/workspaces/${encodeURIComponent(id)}`,
+      { method: 'DELETE', signal: AbortSignal.timeout(DAEMON_TIMEOUT_MS) },
+    );
+    const body = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      throw new Error(body?.error || `Disconnect failed (HTTP ${res.status}).`);
+    }
+    return { detached: Boolean(body.detached) };
+  }
+
+  /**
+   * Mint an invite code for a project on the central server. Requires an
+   * admin key; callers should check `canInvite` first and fall back to the
+   * paste-a-code flow when it is false.
+   */
+  async createInvite({ projectCode, displayName, expiresHours = 168 } = {}) {
+    if (!this.adminKey) {
+      throw new Error(
+        'Creating invites needs a bmo-sync admin key (set BMO_SYNC_ADMIN_KEY). ' +
+          'Without one, ask whoever owns the shared folder to send you a code.',
+      );
+    }
+    if (!projectCode) throw new Error('A paired project is required to invite into.');
+    let res;
+    try {
+      res = await this._fetch(`${this.serverBase}/api/admin/invites`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json', 'x-admin-key': this.adminKey },
+        body: JSON.stringify({
+          project_code: projectCode,
+          display_name: displayName || 'Collaborator',
+          expires_hours: Number(expiresHours) || 168,
+        }),
+        signal: AbortSignal.timeout(SERVER_TIMEOUT_MS),
+      });
+    } catch {
+      throw new Error('Could not reach the bmo-sync server. Check your connection.');
+    }
+    const body = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      throw new Error(
+        body?.message || body?.error || `Invite creation failed (HTTP ${res.status}).`,
+      );
+    }
+    return { code: body.code, projectCode: body.project_code, expiresAt: body.expires_at };
+  }
+
+  /** A daemon fetch that turns a connection failure into a readable error. */
+  async _daemonFetch(url, init) {
+    try {
+      return await this._fetch(url, init);
+    } catch {
+      throw new Error("The bmo-sync daemon isn't running. Start it, then try again.");
+    }
+  }
+}
+
+function trimSlash(u) {
+  return typeof u === 'string' ? u.replace(/\/+$/, '') : '';
+}