@venturewild/workspace 0.2.0 → 0.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/bin/wild-workspace.mjs

@@ -23,6 +23,8 @@ import { appendLine, listLogs, tailFile } from '../src/logpaths.mjs';
 import { runDoctor, renderDoctor, writeDoctorBundle } from '../src/doctor.mjs';
 import { enableOperator, disableOperator, operatorStatus } from '../src/operator.mjs';
 import { loadObservabilityConsent, setObservabilityConsent } from '../src/observability.mjs';
+import { openOwnerBrowser } from '../src/owner-browser.mjs';
+import { planReset, applyReset, RESET_KEEPS } from '../src/reset.mjs';
 
 const __filename = url.fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -44,6 +46,8 @@ Usage:
   wild-workspace login <payload>  bind this install to a slug
                                   (paste the blob from workspace.venturewild.llc)
   wild-workspace logout           clear the bound account (slug + token)
+  wild-workspace reset [--yes]    back to the beginning: unlink + reset onboarding +
+                                  flush local config (preview without --yes; keeps your files)
   wild-workspace whoami           show the currently-bound account
   wild-workspace rotate-token     mint a new account token; invalidates the old one
   wild-workspace doctor [--share] diagnose this machine's install (✅/⚠️/❌ + logs)
@@ -84,6 +88,7 @@ function parseArgs(argv) {
     else if (arg === '--tail') { opts.tail = Number(argv[++i]); }
     else if (arg === '--share') { opts.share = true; }
     else if (arg === '--rotate') { opts.rotate = true; }
+    else if (arg === '--yes' || arg === '-y') { opts.yes = true; }
     else if (arg === '--kind') { opts.kind = argv[++i]; }
     else if (arg === '--limit') { opts.limit = Number(argv[++i]); }
     else if (arg.startsWith('--')) {
@@ -278,6 +283,73 @@ async function runLogoutCommand() {
   console.log(`logged out — cleared ${before?.email || 'account'} from ${config.dataDir}.`);
 }
 
+// `wild-workspace reset [--yes]` — back to the beginning: unlink the account,
+// reset onboarding, flush local config/state. NEVER touches workspace files.
+// Without --yes it's a dry run (prints exactly what it WOULD remove).
+async function runResetCommand(opts) {
+  const config = buildConfig(opts);
+  const gdir = globalDir();
+  const before = loadAccount(config.dataDir);
+
+  // Collect every data dir that might hold this install's account/onboarding:
+  // the one this invocation resolves (cwd-keyed) + the always-on workspace's
+  // (recorded in service.json), in case `reset` is run from a different folder.
+  const dataDirs = new Set([config.dataDir]);
+  try {
+    const svc = JSON.parse(readFileSync(path.join(gdir, 'service.json'), 'utf8'));
+    if (svc.workspaceDir) dataDirs.add(path.join(path.resolve(svc.workspaceDir), '.wild-workspace'));
+  } catch { /* no always-on registration — fine */ }
+
+  const targets = planReset({ dataDirs: [...dataDirs], globalDir: gdir, includeMarketplace: true });
+  const present = targets.filter((t) => t.exists);
+
+  console.log('wild-workspace reset — back to the beginning\n');
+  if (before) {
+    console.log(`  currently linked: ${before.email}  (slug: ${before.slug})`);
+    console.log('');
+  }
+  if (present.length === 0) {
+    console.log('  Nothing to clear — this install is already at a clean state.');
+    return;
+  }
+
+  console.log(`  ${opts.yes ? 'Removing' : 'Would remove'}:`);
+  for (const t of present) console.log(`    - ${t.path}${t.kind === 'dir' ? '  (folder)' : ''}`);
+  console.log('');
+  console.log('  Keeps (untouched):');
+  for (const k of RESET_KEEPS) console.log(`    · ${k}`);
+  console.log('');
+
+  if (!opts.yes) {
+    console.log('  This was a PREVIEW. Re-run to actually reset:');
+    console.log('    wild-workspace reset --yes');
+    return;
+  }
+
+  const { removed, failed } = applyReset(present);
+  console.log(`  ✓ cleared ${removed.length} item(s).`);
+  if (failed.length) {
+    console.log(`  ⚠ ${failed.length} could not be removed (in use? close the app + retry):`);
+    for (const f of failed) console.log(`    - ${f.path}: ${f.error}`);
+    process.exitCode = 1;
+  }
+  console.log('');
+  // The running server still holds the old account/secrets in memory — a restart
+  // is what makes the reset take effect (and re-arms a fresh onboarding).
+  if (await probeHealth(config.port)) {
+    console.log('  ⚠ a workspace server is still running with the old state. Restart it:');
+    console.log(`     stop it (close the app / kill :${config.port}); always-on restarts it clean,`);
+    console.log('     or run `wild-workspace` yourself.');
+    console.log('');
+  }
+  console.log('  Next:');
+  console.log('    • `wild-workspace login <blob>`  — re-link to a slug, then `wild-workspace`');
+  console.log('    • or just `wild-workspace`       — start fresh and re-run onboarding');
+  console.log('');
+  console.log('  Note: the canvas LAYOUT is stored in your browser, not here — open the');
+  console.log('  workspace in a fresh/incognito window (or clear site data) for a blank canvas.');
+}
+
 async function runRotateTokenCommand() {
   const config = buildConfig({});
   const account = loadAccount(config.dataDir);
@@ -570,81 +642,8 @@ async function runOperatorCommand(action = 'status', opts = {}) {
 // autostart (docs/always-on-design.md). `run` is the HIDDEN supervisor entry
 // the per-OS launcher invokes at login; the others manage registration. All
 // per-user, no admin.
-// The URL to open for the LOCAL owner. A slug-linked install runs in public
-// mode (the server denies anon — C1), so the owner must authenticate: append
-// the partner token, which the SPA immediately exchanges for an HttpOnly cookie
-// and strips from the address bar (S1). A localhost-only install needs no token.
-// The token is only ever placed in the URL we hand the browser — never printed.
-function localBrowserUrl(config) {
-  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
-  const base = `http://${host}:${config.port}`;
-  return config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base;
-}
-
-// Ask the running local server (over genuine loopback) for a one-time sign-in
-// link to the PUBLIC url. Returns the URL or null (no slug / older server).
-async function fetchPublicBootstrapUrl(config) {
-  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
-  try {
-    const ac = new AbortController();
-    const t = setTimeout(() => ac.abort(), 4000);
-    const r = await fetch(`http://${host}:${config.port}/api/auth/bootstrap`, {
-      method: 'POST',
-      signal: ac.signal,
-    });
-    clearTimeout(t);
-    if (!r.ok) return null;
-    const body = await r.json().catch(() => ({}));
-    return typeof body.url === 'string' ? body.url : null;
-  } catch {
-    return null;
-  }
-}
-
-// Poll the public url's /api/health until the tunnel forwards (200) or we give
-// up — so we never open the owner onto a 502 "warming up" page.
-async function publicTunnelReady(shareBaseUrl, { tries = 6, gapMs = 1300 } = {}) {
-  const base = String(shareBaseUrl || '').replace(/\/$/, '');
-  if (!/^https?:\/\//.test(base)) return false;
-  for (let i = 0; i < tries; i += 1) {
-    try {
-      const ac = new AbortController();
-      const t = setTimeout(() => ac.abort(), 2500);
-      const r = await fetch(`${base}/api/health`, { signal: ac.signal });
-      clearTimeout(t);
-      if (r.ok) return true;
-    } catch { /* not up yet */ }
-    if (i < tries - 1) await new Promise((res) => setTimeout(res, gapMs));
-  }
-  return false;
-}
-
-// Open the owner's browser the friendliest way for THIS install:
-//  - slug-linked + public: land them signed-in on <slug>.venturewild.llc (their
-//    real, bookmarkable home) via a one-time bootstrap link, once the tunnel is
-//    confirmed up. If it isn't ready yet, fall back to localhost (always works
-//    locally) and tell them their public url is warming up.
-//  - localhost-only: just open localhost.
-// Tokens only ever reach the browser via open() — never printed to stdout (B1/S1).
-async function openOwnerBrowser(config) {
-  let open;
-  try { open = (await import('open')).default; } catch { return; }
-  const slugLinked = config.publicMode && config.account?.slug && config.shareBaseUrl;
-  if (slugLinked) {
-    const url = await fetchPublicBootstrapUrl(config);
-    if (url && (await publicTunnelReady(config.shareBaseUrl))) {
-      console.log(`  opening your workspace at ${config.shareBaseUrl} …`);
-      try { await open(url); } catch { /* best-effort */ }
-      return;
-    }
-    // Tunnel not up yet (or older server) — open locally so first run is never a
-    // dead page; the public url comes alive on its own as the daemon links.
-    try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
-    console.log(`  your workspace will be live at ${config.shareBaseUrl} shortly (warming up the tunnel)…`);
-    return;
-  }
-  try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
-}
+// First-run browser orchestration lives in a shebang-free module so it's
+// importable + unit-testable (server/test/owner-browser.test.mjs).
 
 async function runServiceCommand(action = 'status', opts = {}) {
   const config = buildConfig(opts);
@@ -720,6 +719,9 @@ async function main() {
   if (opts.positional[0] === 'logout') {
     return runLogoutCommand();
   }
+  if (opts.positional[0] === 'reset') {
+    return runResetCommand(opts);
+  }
   if (opts.positional[0] === 'whoami') {
     return runWhoamiCommand();
   }

package/server/src/owner-browser.mjs

@@ -0,0 +1,84 @@
+// First-run browser orchestration for the LOCAL owner (B1). Extracted from the
+// CLI so it's importable + unit-testable without the bin's shebang. The CLI
+// (bin/wild-workspace.mjs) imports openOwnerBrowser; tests import the helpers.
+
+// The URL to open for the LOCAL owner. A slug-linked install runs in public
+// mode (the server denies anon — C1), so the owner must authenticate: append
+// the partner token, which the SPA immediately exchanges for an HttpOnly cookie
+// and strips from the address bar (S1). A localhost-only install needs no token.
+// The token is only ever placed in the URL we hand the browser — never printed.
+export function localBrowserUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  const base = `http://${host}:${config.port}`;
+  return config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base;
+}
+
+// Ask the running local server (over genuine loopback) for a one-time sign-in
+// link to the PUBLIC url. Returns the URL or null (no slug / older server).
+export async function fetchPublicBootstrapUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  try {
+    const ac = new AbortController();
+    const t = setTimeout(() => ac.abort(), 4000);
+    const r = await fetch(`http://${host}:${config.port}/api/auth/bootstrap`, {
+      method: 'POST',
+      signal: ac.signal,
+    });
+    clearTimeout(t);
+    if (!r.ok) return null;
+    const body = await r.json().catch(() => ({}));
+    return typeof body.url === 'string' ? body.url : null;
+  } catch {
+    return null;
+  }
+}
+
+// Poll the public url's /api/health until the tunnel forwards (200) or we give
+// up — so we never open the owner onto a 502 "warming up" page.
+export async function publicTunnelReady(shareBaseUrl, { tries = 6, gapMs = 1300 } = {}) {
+  const base = String(shareBaseUrl || '').replace(/\/$/, '');
+  if (!/^https?:\/\//.test(base)) return false;
+  for (let i = 0; i < tries; i += 1) {
+    try {
+      const ac = new AbortController();
+      const t = setTimeout(() => ac.abort(), 2500);
+      const r = await fetch(`${base}/api/health`, { signal: ac.signal });
+      clearTimeout(t);
+      if (r.ok) return true;
+    } catch { /* not up yet */ }
+    if (i < tries - 1) await new Promise((res) => setTimeout(res, gapMs));
+  }
+  return false;
+}
+
+// Open the owner's browser the friendliest way for THIS install:
+//  - slug-linked + public: land them signed-in on <slug>.venturewild.llc (their
+//    real, bookmarkable home) via a one-time bootstrap link, once the tunnel is
+//    confirmed up. If it isn't ready yet, fall back to localhost (always works
+//    locally) and tell them their public url is warming up.
+//  - localhost-only: just open localhost.
+// Tokens only ever reach the browser via open() — never printed to stdout (B1/S1).
+// `opts.open` / `opts.ready` are injectable seams for tests; in production the
+// opener is the dynamically-imported `open` package and `ready` uses the defaults.
+export async function openOwnerBrowser(config, opts = {}) {
+  let open = opts.open;
+  if (!open) {
+    try { open = (await import('open')).default; } catch { return; }
+  }
+  const slugLinked = config.publicMode && config.account?.slug && config.shareBaseUrl;
+  if (slugLinked) {
+    const link = await fetchPublicBootstrapUrl(config);
+    if (link && (await publicTunnelReady(config.shareBaseUrl, opts.ready))) {
+      console.log(`  opening your workspace at ${config.shareBaseUrl} …`);
+      try { await open(link); } catch { /* best-effort */ }
+      return 'public';
+    }
+    // Tunnel not up yet (or older server) — open locally so first run is never a
+    // dead page; the public url comes alive on its own as the daemon links.
+    try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
+    console.log(`  your workspace will be live at ${config.shareBaseUrl} shortly (warming up the tunnel)…`);
+    return 'fallback-local';
+  }
+  try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
+  return 'local';
+}

package/server/src/reset.mjs

@@ -0,0 +1,78 @@
+// `wild-workspace reset` — take an install back to the beginning so it can be
+// re-onboarded clean. UNLINKS the account (slug/email/computer), RESETS
+// onboarding, and FLUSHES local config/state (device secrets, token registry,
+// chat thread, canvas + bazaar local state).
+//
+// It deliberately NEVER touches the user's workspace files (CLAUDE.md rule #1),
+// nor the always-on registration / consent choices — those are install plumbing,
+// not "the beginning". See RESET_KEEPS for the honest list of what survives.
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+// What survives a reset — documented so the command stays honest about scope.
+export const RESET_KEEPS = [
+  "the user's workspace files (everything outside .wild-workspace) — never touched",
+  'service.json — always-on registration stays armed',
+  'observability.json — your consent choice is preserved',
+  'operator.json — the support-channel token',
+  'logs/ + diagnostics/ — kept for debugging',
+];
+
+// Build the list of targets to remove. `dataDirs` are the (possibly several)
+// cwd-keyed `.wild-workspace` dirs that hold the account/onboarding/chat; the
+// stable `globalDir` (~/.wild-workspace) holds device secrets + canvas/bazaar
+// state. Each target is annotated with whether it currently exists.
+export function planReset({ dataDirs = [], globalDir, includeMarketplace = true }) {
+  const targets = [];
+  const seen = new Set();
+  const add = (root, name, kind) => {
+    if (!root) return;
+    const p = path.join(root, name);
+    if (seen.has(p)) return;
+    seen.add(p);
+    targets.push({ path: p, kind, name });
+  };
+  // Per-workspace data dirs: the account binding + onboarding + chat thread,
+  // plus legacy secret/registry locations.
+  for (const dir of dataDirs) {
+    add(dir, 'account.json', 'file'); // unlink slug / email / this computer
+    add(dir, 'agent-identity.json', 'file'); // re-trigger onboarding
+    add(dir, 'chat-session.json', 'file'); // fresh chat thread
+    add(dir, 'secrets.json', 'file'); // legacy location (now in globalDir)
+    add(dir, 'revoked.json', 'file'); // legacy location
+  }
+  // Stable global dir: device secrets (regenerated fresh on next start) + the
+  // token registry + local UI/marketplace state.
+  add(globalDir, 'secrets.json', 'file');
+  add(globalDir, 'revoked.json', 'file');
+  if (includeMarketplace) {
+    add(globalDir, 'canvas', 'dir'); // agent-made blocks + theme.json
+    add(globalDir, 'bazaar', 'dir'); // local shelf + ledger
+  }
+  for (const t of targets) {
+    try {
+      t.exists = fs.existsSync(t.path);
+    } catch {
+      t.exists = false;
+    }
+  }
+  return targets;
+}
+
+// Remove every target that exists. Returns what was removed vs. what failed.
+// Idempotent: a missing target is simply skipped.
+export function applyReset(targets) {
+  const removed = [];
+  const failed = [];
+  for (const t of targets) {
+    if (!t.exists) continue;
+    try {
+      fs.rmSync(t.path, { recursive: t.kind === 'dir', force: true });
+      removed.push(t.path);
+    } catch (e) {
+      failed.push({ path: t.path, error: e?.message || String(e) });
+    }
+  }
+  return { removed, failed };
+}