@venturewild/workspace 0.1.14 → 0.2.1

package/server/src/logpaths.mjs

@@ -1,98 +1,98 @@
-// logpaths — one registry for the machine-global logs so `doctor`, `logs`, and
-// the operator channel all read the same set, and a tiny append/rotate/tail
-// helper for the new logs we write ourselves (cli, operator).
-//
-// WHY a registry and not just scattered paths: a brand-new user's install is the
-// riskiest moment (no Claude yet, wrong Node, port busy, daemon won't resolve),
-// and "I can't see what happened on their machine" is the #1 un-debuggable
-// failure. Centralising the log locations is what lets `wild-workspace doctor`
-// gather them and the operator channel tail them by name — never by arbitrary
-// path (the tail allowlist is TAILABLE below).
-//
-// NOTE: the supervisor + daemon-supervisor keep writing their logs at the
-// global-dir root (supervisor.log / server.out.log / daemon.log) — those paths
-// are reboot-proven and pinned by tests via an injected globalDir, so we mirror
-// them here for READING rather than moving them. Everything lives under
-// ~/.wild-workspace (NEVER the synced workspace — CLAUDE.md principle #1).
-
-import os from 'node:os';
-import path from 'node:path';
-import fs from 'node:fs';
-
-// THE machine-global dir. Mirrors service.mjs globalDir() + the supervisor
-// defaults. Overridable via env for tests / unusual homes.
-export function globalDir(env = process.env) {
-  return env.WILD_WORKSPACE_GLOBAL_DIR || path.join(os.homedir(), '.wild-workspace');
-}
-
-// Logical name → filename. The first three are written by existing components;
-// cli + operator are new. Doctor bundles go under diagnosticsDir() (below).
-export const LOG_FILES = Object.freeze({
-  supervisor: 'supervisor.log', // WorkspaceSupervisor watchdog
-  server: 'server.out.log', //     the :5173 server's stdout/stderr (launcher-redirected)
-  daemon: 'daemon.log', //         the bmo-sync daemon
-  cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
-  operator: 'operator.log', //     the consented operator channel's audit trail
-  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
-});
-
-// Logs the operator channel may tail BY NAME — never an arbitrary path.
-export const TAILABLE = Object.freeze(Object.keys(LOG_FILES));
-
-export function logFile(name, env = process.env) {
-  return path.join(globalDir(env), LOG_FILES[name] || `${name}.log`);
-}
-
-export function diagnosticsDir(env = process.env) {
-  return path.join(globalDir(env), 'diagnostics');
-}
-
-const MAX_LOG_BYTES = 2 * 1024 * 1024; // 2 MB → rotate to .1 (keep one prior gen)
-
-// Rotate `file` to `file.1` once it grows past maxBytes. Best-effort, no throw.
-export function rotateIfBig(file, maxBytes = MAX_LOG_BYTES) {
-  try {
-    if (fs.statSync(file).size > maxBytes) fs.renameSync(file, `${file}.1`);
-  } catch {
-    /* missing / racing rename — nothing to rotate */
-  }
-}
-
-// Append a timestamped line to a named log; ensures the dir + rotates. Returns
-// the file path. Never throws — logging must not break the caller's path.
-export function appendLine(name, line, env = process.env) {
-  const file = logFile(name, env);
-  try {
-    fs.mkdirSync(path.dirname(file), { recursive: true });
-    rotateIfBig(file);
-    fs.appendFileSync(file, `[${new Date().toISOString()}] ${line}\n`);
-  } catch {
-    /* read-only fs etc. — degrade silently */
-  }
-  return file;
-}
-
-// Last `n` lines of a file (logs are size-capped, so reading whole is cheap).
-// Returns '' when the file is missing/unreadable.
-export function tailFile(file, n = 200) {
-  try {
-    // Drop the trailing newline so the last line isn't an empty entry.
-    const lines = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '').split(/\r?\n/);
-    return lines.slice(Math.max(0, lines.length - n)).join('\n');
-  } catch {
-    return '';
-  }
-}
-
-// All known logs with on-disk size + mtime (null when absent) — for doctor/logs.
-export function listLogs(env = process.env) {
-  return TAILABLE.map((name) => {
-    const file = logFile(name, env);
-    try {
-      const st = fs.statSync(file);
-      return { name, file, exists: true, size: st.size, mtime: st.mtimeMs };
-    } catch {
-      return { name, file, exists: false, size: null, mtime: null };
-    }
-  });
-}
+// logpaths — one registry for the machine-global logs so `doctor`, `logs`, and
+// the operator channel all read the same set, and a tiny append/rotate/tail
+// helper for the new logs we write ourselves (cli, operator).
+//
+// WHY a registry and not just scattered paths: a brand-new user's install is the
+// riskiest moment (no Claude yet, wrong Node, port busy, daemon won't resolve),
+// and "I can't see what happened on their machine" is the #1 un-debuggable
+// failure. Centralising the log locations is what lets `wild-workspace doctor`
+// gather them and the operator channel tail them by name — never by arbitrary
+// path (the tail allowlist is TAILABLE below).
+//
+// NOTE: the supervisor + daemon-supervisor keep writing their logs at the
+// global-dir root (supervisor.log / server.out.log / daemon.log) — those paths
+// are reboot-proven and pinned by tests via an injected globalDir, so we mirror
+// them here for READING rather than moving them. Everything lives under
+// ~/.wild-workspace (NEVER the synced workspace — CLAUDE.md principle #1).
+
+import os from 'node:os';
+import path from 'node:path';
+import fs from 'node:fs';
+
+// THE machine-global dir. Mirrors service.mjs globalDir() + the supervisor
+// defaults. Overridable via env for tests / unusual homes.
+export function globalDir(env = process.env) {
+  return env.WILD_WORKSPACE_GLOBAL_DIR || path.join(os.homedir(), '.wild-workspace');
+}
+
+// Logical name → filename. The first three are written by existing components;
+// cli + operator are new. Doctor bundles go under diagnosticsDir() (below).
+export const LOG_FILES = Object.freeze({
+  supervisor: 'supervisor.log', // WorkspaceSupervisor watchdog
+  server: 'server.out.log', //     the :5173 server's stdout/stderr (launcher-redirected)
+  daemon: 'daemon.log', //         the bmo-sync daemon
+  cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
+  operator: 'operator.log', //     the consented operator channel's audit trail
+  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
+});
+
+// Logs the operator channel may tail BY NAME — never an arbitrary path.
+export const TAILABLE = Object.freeze(Object.keys(LOG_FILES));
+
+export function logFile(name, env = process.env) {
+  return path.join(globalDir(env), LOG_FILES[name] || `${name}.log`);
+}
+
+export function diagnosticsDir(env = process.env) {
+  return path.join(globalDir(env), 'diagnostics');
+}
+
+const MAX_LOG_BYTES = 2 * 1024 * 1024; // 2 MB → rotate to .1 (keep one prior gen)
+
+// Rotate `file` to `file.1` once it grows past maxBytes. Best-effort, no throw.
+export function rotateIfBig(file, maxBytes = MAX_LOG_BYTES) {
+  try {
+    if (fs.statSync(file).size > maxBytes) fs.renameSync(file, `${file}.1`);
+  } catch {
+    /* missing / racing rename — nothing to rotate */
+  }
+}
+
+// Append a timestamped line to a named log; ensures the dir + rotates. Returns
+// the file path. Never throws — logging must not break the caller's path.
+export function appendLine(name, line, env = process.env) {
+  const file = logFile(name, env);
+  try {
+    fs.mkdirSync(path.dirname(file), { recursive: true });
+    rotateIfBig(file);
+    fs.appendFileSync(file, `[${new Date().toISOString()}] ${line}\n`);
+  } catch {
+    /* read-only fs etc. — degrade silently */
+  }
+  return file;
+}
+
+// Last `n` lines of a file (logs are size-capped, so reading whole is cheap).
+// Returns '' when the file is missing/unreadable.
+export function tailFile(file, n = 200) {
+  try {
+    // Drop the trailing newline so the last line isn't an empty entry.
+    const lines = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '').split(/\r?\n/);
+    return lines.slice(Math.max(0, lines.length - n)).join('\n');
+  } catch {
+    return '';
+  }
+}
+
+// All known logs with on-disk size + mtime (null when absent) — for doctor/logs.
+export function listLogs(env = process.env) {
+  return TAILABLE.map((name) => {
+    const file = logFile(name, env);
+    try {
+      const st = fs.statSync(file);
+      return { name, file, exists: true, size: st.size, mtime: st.mtimeMs };
+    } catch {
+      return { name, file, exists: false, size: null, mtime: null };
+    }
+  });
+}

package/server/src/owner-browser.mjs

@@ -0,0 +1,84 @@
+// First-run browser orchestration for the LOCAL owner (B1). Extracted from the
+// CLI so it's importable + unit-testable without the bin's shebang. The CLI
+// (bin/wild-workspace.mjs) imports openOwnerBrowser; tests import the helpers.
+
+// The URL to open for the LOCAL owner. A slug-linked install runs in public
+// mode (the server denies anon — C1), so the owner must authenticate: append
+// the partner token, which the SPA immediately exchanges for an HttpOnly cookie
+// and strips from the address bar (S1). A localhost-only install needs no token.
+// The token is only ever placed in the URL we hand the browser — never printed.
+export function localBrowserUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  const base = `http://${host}:${config.port}`;
+  return config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base;
+}
+
+// Ask the running local server (over genuine loopback) for a one-time sign-in
+// link to the PUBLIC url. Returns the URL or null (no slug / older server).
+export async function fetchPublicBootstrapUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  try {
+    const ac = new AbortController();
+    const t = setTimeout(() => ac.abort(), 4000);
+    const r = await fetch(`http://${host}:${config.port}/api/auth/bootstrap`, {
+      method: 'POST',
+      signal: ac.signal,
+    });
+    clearTimeout(t);
+    if (!r.ok) return null;
+    const body = await r.json().catch(() => ({}));
+    return typeof body.url === 'string' ? body.url : null;
+  } catch {
+    return null;
+  }
+}
+
+// Poll the public url's /api/health until the tunnel forwards (200) or we give
+// up — so we never open the owner onto a 502 "warming up" page.
+export async function publicTunnelReady(shareBaseUrl, { tries = 6, gapMs = 1300 } = {}) {
+  const base = String(shareBaseUrl || '').replace(/\/$/, '');
+  if (!/^https?:\/\//.test(base)) return false;
+  for (let i = 0; i < tries; i += 1) {
+    try {
+      const ac = new AbortController();
+      const t = setTimeout(() => ac.abort(), 2500);
+      const r = await fetch(`${base}/api/health`, { signal: ac.signal });
+      clearTimeout(t);
+      if (r.ok) return true;
+    } catch { /* not up yet */ }
+    if (i < tries - 1) await new Promise((res) => setTimeout(res, gapMs));
+  }
+  return false;
+}
+
+// Open the owner's browser the friendliest way for THIS install:
+//  - slug-linked + public: land them signed-in on <slug>.venturewild.llc (their
+//    real, bookmarkable home) via a one-time bootstrap link, once the tunnel is
+//    confirmed up. If it isn't ready yet, fall back to localhost (always works
+//    locally) and tell them their public url is warming up.
+//  - localhost-only: just open localhost.
+// Tokens only ever reach the browser via open() — never printed to stdout (B1/S1).
+// `opts.open` / `opts.ready` are injectable seams for tests; in production the
+// opener is the dynamically-imported `open` package and `ready` uses the defaults.
+export async function openOwnerBrowser(config, opts = {}) {
+  let open = opts.open;
+  if (!open) {
+    try { open = (await import('open')).default; } catch { return; }
+  }
+  const slugLinked = config.publicMode && config.account?.slug && config.shareBaseUrl;
+  if (slugLinked) {
+    const link = await fetchPublicBootstrapUrl(config);
+    if (link && (await publicTunnelReady(config.shareBaseUrl, opts.ready))) {
+      console.log(`  opening your workspace at ${config.shareBaseUrl} …`);
+      try { await open(link); } catch { /* best-effort */ }
+      return 'public';
+    }
+    // Tunnel not up yet (or older server) — open locally so first run is never a
+    // dead page; the public url comes alive on its own as the daemon links.
+    try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
+    console.log(`  your workspace will be live at ${config.shareBaseUrl} shortly (warming up the tunnel)…`);
+    return 'fallback-local';
+  }
+  try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
+  return 'local';
+}

package/server/src/reset.mjs

@@ -0,0 +1,78 @@
+// `wild-workspace reset` — take an install back to the beginning so it can be
+// re-onboarded clean. UNLINKS the account (slug/email/computer), RESETS
+// onboarding, and FLUSHES local config/state (device secrets, token registry,
+// chat thread, canvas + bazaar local state).
+//
+// It deliberately NEVER touches the user's workspace files (CLAUDE.md rule #1),
+// nor the always-on registration / consent choices — those are install plumbing,
+// not "the beginning". See RESET_KEEPS for the honest list of what survives.
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+// What survives a reset — documented so the command stays honest about scope.
+export const RESET_KEEPS = [
+  "the user's workspace files (everything outside .wild-workspace) — never touched",
+  'service.json — always-on registration stays armed',
+  'observability.json — your consent choice is preserved',
+  'operator.json — the support-channel token',
+  'logs/ + diagnostics/ — kept for debugging',
+];
+
+// Build the list of targets to remove. `dataDirs` are the (possibly several)
+// cwd-keyed `.wild-workspace` dirs that hold the account/onboarding/chat; the
+// stable `globalDir` (~/.wild-workspace) holds device secrets + canvas/bazaar
+// state. Each target is annotated with whether it currently exists.
+export function planReset({ dataDirs = [], globalDir, includeMarketplace = true }) {
+  const targets = [];
+  const seen = new Set();
+  const add = (root, name, kind) => {
+    if (!root) return;
+    const p = path.join(root, name);
+    if (seen.has(p)) return;
+    seen.add(p);
+    targets.push({ path: p, kind, name });
+  };
+  // Per-workspace data dirs: the account binding + onboarding + chat thread,
+  // plus legacy secret/registry locations.
+  for (const dir of dataDirs) {
+    add(dir, 'account.json', 'file'); // unlink slug / email / this computer
+    add(dir, 'agent-identity.json', 'file'); // re-trigger onboarding
+    add(dir, 'chat-session.json', 'file'); // fresh chat thread
+    add(dir, 'secrets.json', 'file'); // legacy location (now in globalDir)
+    add(dir, 'revoked.json', 'file'); // legacy location
+  }
+  // Stable global dir: device secrets (regenerated fresh on next start) + the
+  // token registry + local UI/marketplace state.
+  add(globalDir, 'secrets.json', 'file');
+  add(globalDir, 'revoked.json', 'file');
+  if (includeMarketplace) {
+    add(globalDir, 'canvas', 'dir'); // agent-made blocks + theme.json
+    add(globalDir, 'bazaar', 'dir'); // local shelf + ledger
+  }
+  for (const t of targets) {
+    try {
+      t.exists = fs.existsSync(t.path);
+    } catch {
+      t.exists = false;
+    }
+  }
+  return targets;
+}
+
+// Remove every target that exists. Returns what was removed vs. what failed.
+// Idempotent: a missing target is simply skipped.
+export function applyReset(targets) {
+  const removed = [];
+  const failed = [];
+  for (const t of targets) {
+    if (!t.exists) continue;
+    try {
+      fs.rmSync(t.path, { recursive: t.kind === 'dir', force: true });
+      removed.push(t.path);
+    } catch (e) {
+      failed.push({ path: t.path, error: e?.message || String(e) });
+    }
+  }
+  return { removed, failed };
+}