@venturewild/workspace 0.1.9 → 0.1.10

package/server/src/service.mjs

@@ -42,7 +42,7 @@ function currentUid() { return typeof process.getuid === 'function' ? process.ge
 
 /** Is per-user autostart implemented for this platform yet? */
 export function isSupported(platform = process.platform) {
-  return platform === 'win32' || platform === 'darwin';
+  return platform === 'win32' || platform === 'darwin' || platform === 'linux';
 }
 
 /** Shared: read the supervisor's pidfile and report whether that pid is alive. */
@@ -225,6 +225,108 @@ async function macStatus({ dir, launchAgentsDir, execFileImpl, probeImpl, uid, p
   return { installed, runValue: installed ? plist : null, supervisorPid, supervisorAlive, serverUp, loaded };
 }
 
+// --- Linux implementation (systemd --user) ----------------------------------
+//
+// Mirrors the macOS model: write the unit, `enable` it for the NEXT login, but
+// do NOT `--now` it at install time (that would start the supervisor and grab
+// :5173, colliding with the `wild-workspace` the user runs this session). The
+// user systemd manager auto-starts WantedBy=default.target units at login.
+// Crash-restart is free via Restart=always (footgun checklist §8). `systemctl
+// --user` needs a user DBus/session bus; if it's absent (headless box) the unit
+// file is still written and `enabled:false` is reported so the caller can warn.
+
+export const SYSTEMD_UNIT = 'wild-workspace.service';
+
+function defaultSystemdUserDir() {
+  const xdg = process.env.XDG_CONFIG_HOME;
+  return xdg ? path.join(xdg, 'systemd', 'user') : path.join(os.homedir(), '.config', 'systemd', 'user');
+}
+export function unitPath(systemdUserDir) {
+  return path.join(systemdUserDir, SYSTEMD_UNIT);
+}
+
+// A user unit that runs `node <cli> service run` at login + relaunches on exit.
+// `WantedBy=default.target` is the USER manager's login target — NOT
+// `multi-user.target` (which doesn't exist in user systemd; a real VS Code bug,
+// always-on-design.md §7). Paths are double-quoted so spaces in $HOME survive.
+export function buildUnit({ node, cli, workspaceDir }) {
+  const env = workspaceDir ? [`Environment=WILD_WORKSPACE_DIR=${workspaceDir}`] : [];
+  return [
+    '[Unit]',
+    'Description=wild-workspace always-on supervisor',
+    'After=default.target',
+    '',
+    '[Service]',
+    'Type=simple',
+    `ExecStart="${node}" "${cli}" service run`,
+    'Restart=always',
+    'RestartSec=2',
+    ...env,
+    '',
+    '[Install]',
+    'WantedBy=default.target',
+    '',
+  ].join('\n');
+}
+
+async function linuxInstall({ node, cli, workspaceDir, port, version }, { dir, systemdUserDir, execFileImpl }) {
+  fs.mkdirSync(dir, { recursive: true });
+  fs.mkdirSync(systemdUserDir, { recursive: true });
+  const unit = unitPath(systemdUserDir);
+  const serviceJson = path.join(dir, 'service.json');
+  fs.writeFileSync(unit, buildUnit({ node, cli, workspaceDir }), 'utf8');
+  fs.writeFileSync(
+    serviceJson,
+    JSON.stringify({ node, cli, workspaceDir, port, version, installedAt: new Date().toISOString() }, null, 2),
+    'utf8',
+  );
+  // Enable for the NEXT login (no --now → don't grab :5173 this session). Both
+  // calls are best-effort: a box without a user session bus still gets the unit
+  // file, and `enabled:false` tells the caller to warn instead of failing hard.
+  let enabled = false, note = null;
+  try {
+    await execFileImpl('systemctl', ['--user', 'daemon-reload']);
+    await execFileImpl('systemctl', ['--user', 'enable', SYSTEMD_UNIT]);
+    enabled = true;
+  } catch (e) {
+    note = `unit written but \`systemctl --user enable\` failed (${String(e?.message || e).split('\n')[0]}); ` +
+      `run it after logging into a graphical session, or start manually with \`wild-workspace\`.`;
+  }
+  return { installed: true, mechanism: 'systemd --user', launcher: unit, unit, runValue: unit, serviceJson, enabled, startsAtNextLogin: true, note };
+}
+
+async function linuxUninstall({ dir, systemdUserDir, execFileImpl, killImpl }) {
+  // disable --now both stops a running instance and removes the login symlink.
+  let disabled = false;
+  try { await execFileImpl('systemctl', ['--user', 'disable', '--now', SYSTEMD_UNIT]); disabled = true; } catch { /* not enabled */ }
+  const unit = unitPath(systemdUserDir);
+  let removedKey = false;
+  try { if (fs.existsSync(unit)) { fs.unlinkSync(unit); removedKey = true; } } catch { /* gone */ }
+  try { await execFileImpl('systemctl', ['--user', 'daemon-reload']); } catch { /* no session bus */ }
+  // A manually-started supervisor still holds the lock — stop it too (mirror).
+  let stoppedPid = null;
+  try {
+    const pid = Number(fs.readFileSync(path.join(dir, 'supervisor.lock'), 'utf8').trim());
+    if (pid) { killImpl(pid); stoppedPid = pid; }
+  } catch { /* none running */ }
+  try { fs.unlinkSync(path.join(dir, 'service.json')); } catch { /* gone */ }
+  return { uninstalled: true, removedKey, disabled, stoppedPid };
+}
+
+async function linuxStatus({ dir, systemdUserDir, execFileImpl, probeImpl, port }) {
+  const unit = unitPath(systemdUserDir);
+  const installed = fs.existsSync(unit); // the unit file IS the persistent registration
+  let enabled = false, active = false, mainPid = null;
+  try { const { stdout } = await execFileImpl('systemctl', ['--user', 'is-enabled', SYSTEMD_UNIT]); enabled = /enabled/.test(stdout); } catch { /* not enabled / no bus */ }
+  try { const { stdout } = await execFileImpl('systemctl', ['--user', 'is-active', SYSTEMD_UNIT]); active = /^active/m.test(stdout.trim()); } catch { /* inactive */ }
+  try { const { stdout } = await execFileImpl('systemctl', ['--user', 'show', SYSTEMD_UNIT, '-p', 'MainPID', '--value']); mainPid = Number(String(stdout).trim()) || null; } catch { /* none */ }
+  let { supervisorPid, supervisorAlive } = supervisorLiveness(dir);
+  if (mainPid) { supervisorPid = mainPid; supervisorAlive = true; }
+  else if (active) { supervisorAlive = true; }
+  const serverUp = await probeImpl(port);
+  return { installed, runValue: installed ? unit : null, supervisorPid, supervisorAlive, serverUp, enabled, active };
+}
+
 // --- public API (platform dispatch) ----------------------------------------
 
 const unsupported = (platform, key) => ({
@@ -245,6 +347,13 @@ export async function installService(opts = {}, deps = {}) {
       launchAgentsDir: deps.launchAgentsDir || defaultLaunchAgentsDir(),
     });
   }
+  if (platform === 'linux') {
+    return linuxInstall(opts, {
+      dir: deps.dir || globalDir(),
+      systemdUserDir: deps.systemdUserDir || defaultSystemdUserDir(),
+      execFileImpl: deps.execFileImpl || execFileP,
+    });
+  }
   return unsupported(platform, 'installed');
 }
 
@@ -266,6 +375,14 @@ export async function uninstallService(deps = {}) {
       uid: deps.uid ?? currentUid(),
     });
   }
+  if (platform === 'linux') {
+    return linuxUninstall({
+      dir: deps.dir || globalDir(),
+      systemdUserDir: deps.systemdUserDir || defaultSystemdUserDir(),
+      execFileImpl: deps.execFileImpl || execFileP,
+      killImpl: deps.killImpl || ((pid) => process.kill(pid)),
+    });
+  }
   return unsupported(platform, 'uninstalled');
 }
 
@@ -289,5 +406,14 @@ export async function serviceStatus(opts = {}, deps = {}) {
       port: opts.port || 5173,
     });
   }
+  if (platform === 'linux') {
+    return linuxStatus({
+      dir: deps.dir || globalDir(),
+      systemdUserDir: deps.systemdUserDir || defaultSystemdUserDir(),
+      execFileImpl: deps.execFileImpl || execFileP,
+      probeImpl: deps.probeImpl || (async () => false),
+      port: opts.port || 5173,
+    });
+  }
   return { supported: false, platform };
 }

package/server/src/share.mjs

@@ -3,6 +3,7 @@
 
 import { SignJWT, jwtVerify } from 'jose';
 import { nanoid } from 'nanoid';
+import { readFileSync, writeFileSync } from 'node:fs';
 
 const SHARE_ISSUER = 'wild-workspace';
 
@@ -56,15 +57,48 @@ export function buildShareUrl({ shareBaseUrl, workspaceId, token }) {
   return `${base}/share/${encodeURIComponent(workspaceId)}?t=${encodeURIComponent(token)}`;
 }
 
-// Simple in-memory token registry so the partner can list + revoke.
-// Reset on process restart — acceptable for v1; persisted in bmo-sync in v1.x.
+// Token registry so the partner can list + revoke. The revocation set (and the
+// active-token list) is persisted to `<dataDir>/revoked.json` so a "revoked"
+// share token stays revoked across a server restart (concern C8) — without it,
+// the in-memory set reset on restart and a previously-revoked-but-unexpired JWT
+// validated again by signature. No `persistPath` → in-memory only (tests).
 export class TokenRegistry {
-  constructor() {
-    this.tokens = new Map(); // jti -> { sub, role, workspaceId, exp, label, createdAt }
+  constructor({ persistPath = null } = {}) {
+    this.persistPath = persistPath;
+    this.tokens = new Map(); // sub -> { sub, role, workspaceId, exp, label, createdAt }
     this.revoked = new Set();
+    this._load();
+  }
+  _load() {
+    if (!this.persistPath) return;
+    try {
+      const data = JSON.parse(readFileSync(this.persistPath, 'utf8'));
+      if (Array.isArray(data.revoked)) this.revoked = new Set(data.revoked);
+      if (Array.isArray(data.tokens)) {
+        for (const t of data.tokens) if (t?.sub) this.tokens.set(t.sub, t);
+      }
+    } catch {
+      /* missing / corrupt — start empty */
+    }
+  }
+  _persist() {
+    if (!this.persistPath) return;
+    try {
+      const now = Math.floor(Date.now() / 1000);
+      // Don't carry expired tokens forward; the revoked set stays (small).
+      const tokens = [...this.tokens.values()].filter((r) => r.exp > now);
+      writeFileSync(
+        this.persistPath,
+        JSON.stringify({ revoked: [...this.revoked], tokens }, null, 2),
+        { mode: 0o600 },
+      );
+    } catch {
+      /* read-only fs — revocation degrades to in-memory for this run */
+    }
   }
   add(record) {
     this.tokens.set(record.sub, record);
+    this._persist();
   }
   list() {
     const now = Math.floor(Date.now() / 1000);
@@ -73,6 +107,7 @@ export class TokenRegistry {
   revoke(sub) {
     this.revoked.add(sub);
     this.tokens.delete(sub);
+    this._persist();
   }
   isRevoked(sub) {
     return this.revoked.has(sub);