@venturewild/workspace 0.3.7 → 0.4.0

package/server/src/config.mjs

@@ -1,404 +1,404 @@
-// Central config + role definitions.
-// One UI permission-flagged per AR-19.
-
-import path from 'node:path';
-import os from 'node:os';
-import fs from 'node:fs';
-import crypto from 'node:crypto';
-import { fileURLToPath } from 'node:url';
-
-import { loadAccount } from './account.mjs';
-import { loadOperatorToken } from './operator.mjs';
-import { globalDir } from './logpaths.mjs';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-
-// Secrets that shipped as scaffold defaults. Forgeable — never allowed on a
-// non-localhost bind. Kept only so the startup guard can recognise them.
-export const WEAK_SECRETS = Object.freeze(
-  new Set(['dev-partner-token', 'dev-share-secret-change-me']),
-);
-
-const LOCAL_HOSTS = Object.freeze(new Set(['127.0.0.1', 'localhost', '::1']));
-
-export function isLocalhost(host) {
-  return LOCAL_HOSTS.has(host);
-}
-
-// The bmo-sync daemon's HTTP origin, derived from its WebSocket event-feed
-// URL so the two stay consistent when WILD_WORKSPACE_DAEMON_URL is overridden.
-function daemonHttpBase(wsUrl) {
-  try {
-    const u = new URL(wsUrl);
-    return `${u.protocol === 'wss:' ? 'https:' : 'http:'}//${u.host}`;
-  } catch {
-    return 'http://127.0.0.1:8320';
-  }
-}
-
-// Per-install secrets (partnerToken + shareSecret). They sign the owner's login
-// cookie, so they MUST be stable across restarts/upgrades — if they rotate, every
-// browser holding a cookie is silently logged out (the public URL then 401s until
-// the owner re-authenticates with a token). They live in the per-install GLOBAL
-// dir (~/.wild-workspace) — an ABSOLUTE path that never moves — NOT in the
-// workspace's `.wild-workspace`, which (a) is keyed off `process.cwd()` so it
-// shifts when the always-on supervisor relaunches from a different dir (the
-// real-world "logged out after upgrade" bug), and (b) is inside the synced
-// folder (CLAUDE.md rule #1: no system state in the synced workspace).
-//
-// A legacy in-workspace secrets.json is migrated forward (its tokens preserved,
-// so cookies issued before this version keep validating) and then removed from
-// the synced folder. Replaces the weak scaffold defaults so share tokens can't
-// be forged. (Concerns C1/C2.)
-function readSecretsFile(file) {
-  try {
-    const parsed = JSON.parse(fs.readFileSync(file, 'utf8'));
-    if (parsed && parsed.partnerToken && parsed.shareSecret) {
-      return {
-        partnerToken: parsed.partnerToken,
-        shareSecret: parsed.shareSecret,
-        // Phase 4: the loopback support-channel secret (may be absent on installs
-        // created before Phase 4 — loadOrCreateSecrets backfills it).
-        supportChannelSecret: parsed.supportChannelSecret,
-      };
-    }
-  } catch {
-    // missing / unreadable / malformed
-  }
-  return null;
-}
-
-function loadOrCreateSecrets(dataDir, env = process.env) {
-  const stablePath = path.join(globalDir(env), 'secrets.json');
-  const legacyPath = path.join(dataDir, 'secrets.json');
-
-  // 1. The stable per-install location wins.
-  const stable = readSecretsFile(stablePath);
-  if (stable) {
-    // Backfill the Phase-4 support-channel secret on installs created earlier,
-    // WITHOUT rotating the login-signing tokens (which would log everyone out).
-    // Re-read + rewrite the raw file so any other fields are preserved.
-    if (!stable.supportChannelSecret) {
-      stable.supportChannelSecret = crypto.randomBytes(32).toString('base64url');
-      try {
-        const raw = JSON.parse(fs.readFileSync(stablePath, 'utf8'));
-        raw.supportChannelSecret = stable.supportChannelSecret;
-        fs.writeFileSync(stablePath, JSON.stringify(raw, null, 2), { mode: 0o600 });
-      } catch {
-        // can't persist (read-only fs?) — still usable for this run
-      }
-    }
-    return stable;
-  }
-
-  // 2. Migrate a legacy in-workspace secrets file (preserve its tokens so
-  //    pre-existing login cookies keep validating); otherwise generate fresh.
-  const legacy = readSecretsFile(legacyPath);
-  const secrets = legacy || {
-    partnerToken: crypto.randomBytes(24).toString('base64url'),
-    shareSecret: crypto.randomBytes(32).toString('base64url'),
-  };
-  // The support-channel secret can be (re)generated freely — it's not used to
-  // sign anything durable, just to authenticate the local daemon → server hop.
-  if (!secrets.supportChannelSecret) {
-    secrets.supportChannelSecret = crypto.randomBytes(32).toString('base64url');
-  }
-
-  // 3. Persist to the stable location.
-  try {
-    fs.mkdirSync(path.dirname(stablePath), { recursive: true });
-    fs.writeFileSync(stablePath, JSON.stringify(secrets, null, 2), { mode: 0o600 });
-  } catch {
-    // can't persist (read-only fs?) — still use the secrets for this run
-  }
-
-  // 4. Best-effort: drop the legacy copy so the signing secret stops living in
-  //    the synced workspace folder. Only after a successful migration.
-  if (legacy) {
-    try {
-      fs.rmSync(legacyPath, { force: true });
-    } catch {
-      // leave it; it's now inert (the stable copy takes precedence)
-    }
-  }
-
-  return secrets;
-}
-
-// Refuse to start in public mode with a forgeable secret. (Concerns C1/C2.)
-export function assertSecureBinding(config) {
-  if (!config.publicMode) return;
-  if (WEAK_SECRETS.has(config.partnerToken) || WEAK_SECRETS.has(config.shareSecret)) {
-    throw new Error(
-      `Refusing to run in public mode with a default secret. ` +
-        `Set WILD_WORKSPACE_PARTNER_TOKEN and WILD_WORKSPACE_SHARE_SECRET, ` +
-        `or remove them so per-install secrets are generated.`,
-    );
-  }
-}
-
-export const ROLES = Object.freeze({
-  PARTNER: 'partner',
-  VIEWER: 'viewer',
-  CLIENT: 'client',
-  // The consented support/operator channel (off by default — see operator.mjs).
-  OPERATOR: 'operator',
-});
-
-export const ROLE_CAPABILITIES = Object.freeze({
-  partner: {
-    chat: true,
-    chatWrite: true,
-    preview: true,
-    fileTree: true,
-    terminal: true,
-    inbox: true,
-    share: true,
-    sync: true,
-    deploy: true,
-    requestChanges: false,
-    operate: true, // the owner can also drive the operator allowlist locally
-  },
-  viewer: {
-    chat: true,
-    chatWrite: false,
-    preview: true,
-    fileTree: false,
-    terminal: false,
-    inbox: false,
-    share: false,
-    sync: false,
-    deploy: false,
-    requestChanges: false,
-    operate: false,
-  },
-  client: {
-    chat: true,
-    chatWrite: true,
-    preview: true,
-    fileTree: false,
-    terminal: false,
-    inbox: false,
-    share: false,
-    sync: false,
-    deploy: false,
-    requestChanges: true,
-    operate: false,
-  },
-  // Operator: remote diagnose + a curated remediation allowlist. Read-only on
-  // chat (can SEE the conversation to help, cannot drive the agent — chatWrite
-  // stays false), plus the `operate` capability the /api/operator/* routes gate
-  // on. Reachable only with the dedicated operator token (operator.mjs).
-  operator: {
-    chat: true,
-    chatWrite: false,
-    preview: true,
-    fileTree: true,
-    terminal: false,
-    inbox: false,
-    share: false,
-    sync: false,
-    deploy: false,
-    requestChanges: false,
-    operate: true,
-  },
-});
-
-export const DEFAULT_AGENTS = Object.freeze([
-  {
-    id: 'claude',
-    binary: 'claude',
-    label: 'Claude Code',
-    description: 'Anthropic Claude Code',
-    args: ['-p', '--output-format', 'stream-json', '--include-partial-messages', '--verbose'],
-    streamFormat: 'claude-stream-json',
-  },
-  {
-    id: 'gemini',
-    binary: 'gemini',
-    label: 'Gemini CLI',
-    description: 'Google Gemini',
-    args: ['-p'],
-    streamFormat: 'text',
-  },
-  {
-    id: 'glm',
-    binary: 'glm',
-    label: 'GLM (Z.AI)',
-    description: 'GLM-4.6 via Z.AI',
-    args: ['-p', '--permission-mode', 'bypassPermissions'],
-    streamFormat: 'text',
-  },
-  {
-    id: 'codex',
-    binary: 'codex',
-    label: 'Codex (OpenAI)',
-    description: 'GPT-5 / o3 via Codex CLI',
-    args: ['exec', '--skip-git-repo-check'],
-    streamFormat: 'text',
-  },
-]);
-
-export function buildConfig(overrides = {}) {
-  const env = overrides.env || process.env;
-  const portOverride = overrides.port;
-  const resolvedPort =
-    typeof portOverride === 'number'
-      ? portOverride
-      : Number(env.WILD_WORKSPACE_PORT || 5173);
-  const workspaceDir = path.resolve(
-    overrides.workspaceDir || env.WILD_WORKSPACE_DIR || process.cwd(),
-  );
-  const dataDir = path.resolve(
-    overrides.dataDir ||
-      env.WILD_WORKSPACE_DATA_DIR ||
-      path.join(workspaceDir, '.wild-workspace'),
-  );
-  // Lazy: only load/generate persisted secrets if neither an override nor an
-  // env var supplies one — keeps tests that pass both from touching the fs.
-  let _secrets = null;
-  const secrets = () => (_secrets ??= loadOrCreateSecrets(dataDir, env));
-  const host = overrides.host || env.WILD_WORKSPACE_HOST || '127.0.0.1';
-  // Per-install bmo-sync account — null until the user runs `wild-workspace
-  // login` with the payload from `workspace.venturewild.llc`. Its presence
-  // upgrades the install to a real slug (shareBaseUrl flips to the user's
-  // subdomain) and lights up the /api/session.account field for the UI.
-  // Loaded BEFORE publicMode because a logged-in install is publicly reachable.
-  const account =
-    overrides.account === undefined ? loadAccount(dataDir) : overrides.account;
-  // publicMode = "treat every request as untrusted". True for a non-localhost
-  // bind, OR when WILD_WORKSPACE_PUBLIC=1 — needed when a tunnel (Cloudflare
-  // etc.) forwards public traffic to a localhost-bound server, since the bind
-  // address alone would otherwise look local. Drives the C1 auth posture.
-  const publicMode =
-    overrides.publicMode ??
-    (env.WILD_WORKSPACE_PUBLIC === '1' ||
-      !isLocalhost(host) ||
-      // CRITICAL (C1): a slug-linked install is reachable from the public
-      // internet via <slug>.venturewild.llc — the daemon forwards that traffic
-      // to this server FROM 127.0.0.1, so a non-public server would auto-grant
-      // `partner` (full RCE) to every anonymous visitor. Having an account token
-      // ⟺ the tunnel is exposing this machine, so force public mode even when the
-      // always-on supervisor (or a bare `wild-workspace`) launches without
-      // WILD_WORKSPACE_PUBLIC=1. The local owner authenticates via the partner
-      // token the launcher appends to the localhost URL (?t=, then S1 cookie).
-      Boolean(account?.accountToken));
-  // bmo-sync: the local daemon's event feed (a WebSocket URL).
-  const daemonUrl =
-    overrides.daemonUrl ||
-    env.WILD_WORKSPACE_DAEMON_URL ||
-    'ws://127.0.0.1:8320/api/events';
-  const accountShareBase = account?.slug
-    ? `https://${account.slug}.venturewild.llc`
-    : null;
-  return {
-    port: resolvedPort,
-    host,
-    publicMode,
-    workspaceDir,
-    dataDir,
-    webDir:
-      overrides.webDir ||
-      env.WILD_WORKSPACE_WEB_DIR ||
-      path.resolve(__dirname, '..', '..', 'web', 'dist'),
-    openBrowser: overrides.openBrowser ?? env.WILD_WORKSPACE_NO_OPEN !== '1',
-    shareBaseUrl:
-      overrides.shareBaseUrl ||
-      env.WILD_WORKSPACE_SHARE_BASE_URL ||
-      accountShareBase ||
-      `http://${host}:${resolvedPort}`,
-    // The signed-in account (if any). Kept on the server-side config so
-    // /api/session can expose the public bits (slug, email, accountId, displayName)
-    // to the UI while accountToken stays here only.
-    account: account
-      ? {
-          slug: account.slug,
-          email: account.email,
-          accountId: account.accountId,
-          displayName: account.displayName,
-          loggedInAt: account.loggedInAt,
-          // accountToken is intentionally kept out of the broadcasted config
-          // shape — it's read separately by code that needs to authenticate
-          // against bmo-sync.
-        }
-      : null,
-    accountToken: account?.accountToken || null,
-    partnerToken:
-      overrides.partnerToken ||
-      env.WILD_WORKSPACE_PARTNER_TOKEN ||
-      secrets().partnerToken,
-    shareSecret:
-      overrides.shareSecret ||
-      env.WILD_WORKSPACE_SHARE_SECRET ||
-      secrets().shareSecret,
-    // Phase 4: authenticates the local bmo-sync daemon's loopback call to
-    // POST /api/support/agent-task (the daemon reads it from ~/.wild-workspace/
-    // secrets.json by the same convention). Never sent to the browser.
-    supportChannelSecret:
-      overrides.supportChannelSecret ||
-      env.WILD_WORKSPACE_SUPPORT_SECRET ||
-      secrets().supportChannelSecret,
-    // The operator-channel token — null unless the user explicitly enabled the
-    // channel (`wild-workspace operator enable`). Off by default. Server-side
-    // only; never broadcast to the browser.
-    operatorToken:
-      overrides.operatorToken ??
-      env.WILD_WORKSPACE_OPERATOR_TOKEN ??
-      loadOperatorToken(dataDir),
-    // RC1 hot-reload seam: the EXPLICIT token (override or env), with NO disk read.
-    // When this is null the live auth path re-reads the token file on each request
-    // (getOperatorToken) so `operator enable` takes effect with no restart; when a
-    // test/env pins a token, that value stays authoritative. (See index.mjs.)
-    operatorTokenExplicit:
-      overrides.operatorToken ?? env.WILD_WORKSPACE_OPERATOR_TOKEN ?? null,
-    workspaceId:
-      overrides.workspaceId ||
-      env.WILD_WORKSPACE_ID ||
-      path.basename(workspaceDir) ||
-      'workspace',
-    role: overrides.role || env.WILD_WORKSPACE_ROLE || ROLES.PARTNER,
-    // bmo-sync daemon — a separate local process; the bridge retries quietly
-    // when it is absent. daemonUrl is the WebSocket event feed; daemonHttpUrl
-    // is the same origin's HTTP API (pair / detach / list).
-    daemonUrl,
-    daemonHttpUrl: daemonHttpBase(daemonUrl),
-    // Auto-start the bmo-sync daemon when the server boots. On by default;
-    // WILD_WORKSPACE_DAEMON_AUTOSTART=0 disables it. Forced off under the test
-    // runner (VITEST / NODE_ENV=test) so the suite never spawns a real daemon.
-    daemonAutostart:
-      overrides.daemonAutostart ??
-      (env.WILD_WORKSPACE_DAEMON_AUTOSTART !== '0' &&
-        !env.VITEST &&
-        env.NODE_ENV !== 'test'),
-    // Central bmo-sync server (Fly.io). Used to redeem invites (via the
-    // daemon) and — only when an admin key is set — to mint them.
-    bmoSyncServerUrl:
-      overrides.bmoSyncServerUrl ||
-      env.WILD_WORKSPACE_BMO_SYNC_URL ||
-      env.BMO_SYNC_URL ||
-      'https://sync.venturewild.llc',
-    // Optional. Present only on an install that mints invites (the folder
-    // owner). Absent installs can still redeem. Never sent to the browser.
-    bmoSyncAdminKey:
-      overrides.bmoSyncAdminKey ||
-      env.BMO_SYNC_ADMIN_KEY ||
-      env.WILD_WORKSPACE_BMO_ADMIN_KEY ||
-      null,
-    home: os.homedir(),
-    nodeEnv: env.NODE_ENV || 'production',
-  };
-}
-
-// Read from package.json (the single source of truth) so the reported version
-// can never drift from the published release — `npm version` bumps it for free.
-// This previously hardcoded '0.1.0', so every release (0.1.1/0.1.2/0.1.3) shipped
-// a stale version to `--version`, /api/health, doctor, and all telemetry.
-function readAppVersion() {
-  try {
-    const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, '../../package.json'), 'utf8'));
-    return pkg.version || '0.0.0';
-  } catch {
-    return '0.0.0';
-  }
-}
-export const APP_VERSION = readAppVersion();
+// Central config + role definitions.
+// One UI permission-flagged per AR-19.
+
+import path from 'node:path';
+import os from 'node:os';
+import fs from 'node:fs';
+import crypto from 'node:crypto';
+import { fileURLToPath } from 'node:url';
+
+import { loadAccount } from './account.mjs';
+import { loadOperatorToken } from './operator.mjs';
+import { globalDir } from './logpaths.mjs';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+// Secrets that shipped as scaffold defaults. Forgeable — never allowed on a
+// non-localhost bind. Kept only so the startup guard can recognise them.
+export const WEAK_SECRETS = Object.freeze(
+  new Set(['dev-partner-token', 'dev-share-secret-change-me']),
+);
+
+const LOCAL_HOSTS = Object.freeze(new Set(['127.0.0.1', 'localhost', '::1']));
+
+export function isLocalhost(host) {
+  return LOCAL_HOSTS.has(host);
+}
+
+// The bmo-sync daemon's HTTP origin, derived from its WebSocket event-feed
+// URL so the two stay consistent when WILD_WORKSPACE_DAEMON_URL is overridden.
+function daemonHttpBase(wsUrl) {
+  try {
+    const u = new URL(wsUrl);
+    return `${u.protocol === 'wss:' ? 'https:' : 'http:'}//${u.host}`;
+  } catch {
+    return 'http://127.0.0.1:8320';
+  }
+}
+
+// Per-install secrets (partnerToken + shareSecret). They sign the owner's login
+// cookie, so they MUST be stable across restarts/upgrades — if they rotate, every
+// browser holding a cookie is silently logged out (the public URL then 401s until
+// the owner re-authenticates with a token). They live in the per-install GLOBAL
+// dir (~/.wild-workspace) — an ABSOLUTE path that never moves — NOT in the
+// workspace's `.wild-workspace`, which (a) is keyed off `process.cwd()` so it
+// shifts when the always-on supervisor relaunches from a different dir (the
+// real-world "logged out after upgrade" bug), and (b) is inside the synced
+// folder (CLAUDE.md rule #1: no system state in the synced workspace).
+//
+// A legacy in-workspace secrets.json is migrated forward (its tokens preserved,
+// so cookies issued before this version keep validating) and then removed from
+// the synced folder. Replaces the weak scaffold defaults so share tokens can't
+// be forged. (Concerns C1/C2.)
+function readSecretsFile(file) {
+  try {
+    const parsed = JSON.parse(fs.readFileSync(file, 'utf8'));
+    if (parsed && parsed.partnerToken && parsed.shareSecret) {
+      return {
+        partnerToken: parsed.partnerToken,
+        shareSecret: parsed.shareSecret,
+        // Phase 4: the loopback support-channel secret (may be absent on installs
+        // created before Phase 4 — loadOrCreateSecrets backfills it).
+        supportChannelSecret: parsed.supportChannelSecret,
+      };
+    }
+  } catch {
+    // missing / unreadable / malformed
+  }
+  return null;
+}
+
+function loadOrCreateSecrets(dataDir, env = process.env) {
+  const stablePath = path.join(globalDir(env), 'secrets.json');
+  const legacyPath = path.join(dataDir, 'secrets.json');
+
+  // 1. The stable per-install location wins.
+  const stable = readSecretsFile(stablePath);
+  if (stable) {
+    // Backfill the Phase-4 support-channel secret on installs created earlier,
+    // WITHOUT rotating the login-signing tokens (which would log everyone out).
+    // Re-read + rewrite the raw file so any other fields are preserved.
+    if (!stable.supportChannelSecret) {
+      stable.supportChannelSecret = crypto.randomBytes(32).toString('base64url');
+      try {
+        const raw = JSON.parse(fs.readFileSync(stablePath, 'utf8'));
+        raw.supportChannelSecret = stable.supportChannelSecret;
+        fs.writeFileSync(stablePath, JSON.stringify(raw, null, 2), { mode: 0o600 });
+      } catch {
+        // can't persist (read-only fs?) — still usable for this run
+      }
+    }
+    return stable;
+  }
+
+  // 2. Migrate a legacy in-workspace secrets file (preserve its tokens so
+  //    pre-existing login cookies keep validating); otherwise generate fresh.
+  const legacy = readSecretsFile(legacyPath);
+  const secrets = legacy || {
+    partnerToken: crypto.randomBytes(24).toString('base64url'),
+    shareSecret: crypto.randomBytes(32).toString('base64url'),
+  };
+  // The support-channel secret can be (re)generated freely — it's not used to
+  // sign anything durable, just to authenticate the local daemon → server hop.
+  if (!secrets.supportChannelSecret) {
+    secrets.supportChannelSecret = crypto.randomBytes(32).toString('base64url');
+  }
+
+  // 3. Persist to the stable location.
+  try {
+    fs.mkdirSync(path.dirname(stablePath), { recursive: true });
+    fs.writeFileSync(stablePath, JSON.stringify(secrets, null, 2), { mode: 0o600 });
+  } catch {
+    // can't persist (read-only fs?) — still use the secrets for this run
+  }
+
+  // 4. Best-effort: drop the legacy copy so the signing secret stops living in
+  //    the synced workspace folder. Only after a successful migration.
+  if (legacy) {
+    try {
+      fs.rmSync(legacyPath, { force: true });
+    } catch {
+      // leave it; it's now inert (the stable copy takes precedence)
+    }
+  }
+
+  return secrets;
+}
+
+// Refuse to start in public mode with a forgeable secret. (Concerns C1/C2.)
+export function assertSecureBinding(config) {
+  if (!config.publicMode) return;
+  if (WEAK_SECRETS.has(config.partnerToken) || WEAK_SECRETS.has(config.shareSecret)) {
+    throw new Error(
+      `Refusing to run in public mode with a default secret. ` +
+        `Set WILD_WORKSPACE_PARTNER_TOKEN and WILD_WORKSPACE_SHARE_SECRET, ` +
+        `or remove them so per-install secrets are generated.`,
+    );
+  }
+}
+
+export const ROLES = Object.freeze({
+  PARTNER: 'partner',
+  VIEWER: 'viewer',
+  CLIENT: 'client',
+  // The consented support/operator channel (off by default — see operator.mjs).
+  OPERATOR: 'operator',
+});
+
+export const ROLE_CAPABILITIES = Object.freeze({
+  partner: {
+    chat: true,
+    chatWrite: true,
+    preview: true,
+    fileTree: true,
+    terminal: true,
+    inbox: true,
+    share: true,
+    sync: true,
+    deploy: true,
+    requestChanges: false,
+    operate: true, // the owner can also drive the operator allowlist locally
+  },
+  viewer: {
+    chat: true,
+    chatWrite: false,
+    preview: true,
+    fileTree: false,
+    terminal: false,
+    inbox: false,
+    share: false,
+    sync: false,
+    deploy: false,
+    requestChanges: false,
+    operate: false,
+  },
+  client: {
+    chat: true,
+    chatWrite: true,
+    preview: true,
+    fileTree: false,
+    terminal: false,
+    inbox: false,
+    share: false,
+    sync: false,
+    deploy: false,
+    requestChanges: true,
+    operate: false,
+  },
+  // Operator: remote diagnose + a curated remediation allowlist. Read-only on
+  // chat (can SEE the conversation to help, cannot drive the agent — chatWrite
+  // stays false), plus the `operate` capability the /api/operator/* routes gate
+  // on. Reachable only with the dedicated operator token (operator.mjs).
+  operator: {
+    chat: true,
+    chatWrite: false,
+    preview: true,
+    fileTree: true,
+    terminal: false,
+    inbox: false,
+    share: false,
+    sync: false,
+    deploy: false,
+    requestChanges: false,
+    operate: true,
+  },
+});
+
+export const DEFAULT_AGENTS = Object.freeze([
+  {
+    id: 'claude',
+    binary: 'claude',
+    label: 'Claude Code',
+    description: 'Anthropic Claude Code',
+    args: ['-p', '--output-format', 'stream-json', '--include-partial-messages', '--verbose'],
+    streamFormat: 'claude-stream-json',
+  },
+  {
+    id: 'gemini',
+    binary: 'gemini',
+    label: 'Gemini CLI',
+    description: 'Google Gemini',
+    args: ['-p'],
+    streamFormat: 'text',
+  },
+  {
+    id: 'glm',
+    binary: 'glm',
+    label: 'GLM (Z.AI)',
+    description: 'GLM-4.6 via Z.AI',
+    args: ['-p', '--permission-mode', 'bypassPermissions'],
+    streamFormat: 'text',
+  },
+  {
+    id: 'codex',
+    binary: 'codex',
+    label: 'Codex (OpenAI)',
+    description: 'GPT-5 / o3 via Codex CLI',
+    args: ['exec', '--skip-git-repo-check'],
+    streamFormat: 'text',
+  },
+]);
+
+export function buildConfig(overrides = {}) {
+  const env = overrides.env || process.env;
+  const portOverride = overrides.port;
+  const resolvedPort =
+    typeof portOverride === 'number'
+      ? portOverride
+      : Number(env.WILD_WORKSPACE_PORT || 5173);
+  const workspaceDir = path.resolve(
+    overrides.workspaceDir || env.WILD_WORKSPACE_DIR || process.cwd(),
+  );
+  const dataDir = path.resolve(
+    overrides.dataDir ||
+      env.WILD_WORKSPACE_DATA_DIR ||
+      path.join(workspaceDir, '.wild-workspace'),
+  );
+  // Lazy: only load/generate persisted secrets if neither an override nor an
+  // env var supplies one — keeps tests that pass both from touching the fs.
+  let _secrets = null;
+  const secrets = () => (_secrets ??= loadOrCreateSecrets(dataDir, env));
+  const host = overrides.host || env.WILD_WORKSPACE_HOST || '127.0.0.1';
+  // Per-install bmo-sync account — null until the user runs `wild-workspace
+  // login` with the payload from `workspace.venturewild.llc`. Its presence
+  // upgrades the install to a real slug (shareBaseUrl flips to the user's
+  // subdomain) and lights up the /api/session.account field for the UI.
+  // Loaded BEFORE publicMode because a logged-in install is publicly reachable.
+  const account =
+    overrides.account === undefined ? loadAccount(dataDir) : overrides.account;
+  // publicMode = "treat every request as untrusted". True for a non-localhost
+  // bind, OR when WILD_WORKSPACE_PUBLIC=1 — needed when a tunnel (Cloudflare
+  // etc.) forwards public traffic to a localhost-bound server, since the bind
+  // address alone would otherwise look local. Drives the C1 auth posture.
+  const publicMode =
+    overrides.publicMode ??
+    (env.WILD_WORKSPACE_PUBLIC === '1' ||
+      !isLocalhost(host) ||
+      // CRITICAL (C1): a slug-linked install is reachable from the public
+      // internet via <slug>.venturewild.llc — the daemon forwards that traffic
+      // to this server FROM 127.0.0.1, so a non-public server would auto-grant
+      // `partner` (full RCE) to every anonymous visitor. Having an account token
+      // ⟺ the tunnel is exposing this machine, so force public mode even when the
+      // always-on supervisor (or a bare `wild-workspace`) launches without
+      // WILD_WORKSPACE_PUBLIC=1. The local owner authenticates via the partner
+      // token the launcher appends to the localhost URL (?t=, then S1 cookie).
+      Boolean(account?.accountToken));
+  // bmo-sync: the local daemon's event feed (a WebSocket URL).
+  const daemonUrl =
+    overrides.daemonUrl ||
+    env.WILD_WORKSPACE_DAEMON_URL ||
+    'ws://127.0.0.1:8320/api/events';
+  const accountShareBase = account?.slug
+    ? `https://${account.slug}.venturewild.llc`
+    : null;
+  return {
+    port: resolvedPort,
+    host,
+    publicMode,
+    workspaceDir,
+    dataDir,
+    webDir:
+      overrides.webDir ||
+      env.WILD_WORKSPACE_WEB_DIR ||
+      path.resolve(__dirname, '..', '..', 'web', 'dist'),
+    openBrowser: overrides.openBrowser ?? env.WILD_WORKSPACE_NO_OPEN !== '1',
+    shareBaseUrl:
+      overrides.shareBaseUrl ||
+      env.WILD_WORKSPACE_SHARE_BASE_URL ||
+      accountShareBase ||
+      `http://${host}:${resolvedPort}`,
+    // The signed-in account (if any). Kept on the server-side config so
+    // /api/session can expose the public bits (slug, email, accountId, displayName)
+    // to the UI while accountToken stays here only.
+    account: account
+      ? {
+          slug: account.slug,
+          email: account.email,
+          accountId: account.accountId,
+          displayName: account.displayName,
+          loggedInAt: account.loggedInAt,
+          // accountToken is intentionally kept out of the broadcasted config
+          // shape — it's read separately by code that needs to authenticate
+          // against bmo-sync.
+        }
+      : null,
+    accountToken: account?.accountToken || null,
+    partnerToken:
+      overrides.partnerToken ||
+      env.WILD_WORKSPACE_PARTNER_TOKEN ||
+      secrets().partnerToken,
+    shareSecret:
+      overrides.shareSecret ||
+      env.WILD_WORKSPACE_SHARE_SECRET ||
+      secrets().shareSecret,
+    // Phase 4: authenticates the local bmo-sync daemon's loopback call to
+    // POST /api/support/agent-task (the daemon reads it from ~/.wild-workspace/
+    // secrets.json by the same convention). Never sent to the browser.
+    supportChannelSecret:
+      overrides.supportChannelSecret ||
+      env.WILD_WORKSPACE_SUPPORT_SECRET ||
+      secrets().supportChannelSecret,
+    // The operator-channel token — null unless the user explicitly enabled the
+    // channel (`wild-workspace operator enable`). Off by default. Server-side
+    // only; never broadcast to the browser.
+    operatorToken:
+      overrides.operatorToken ??
+      env.WILD_WORKSPACE_OPERATOR_TOKEN ??
+      loadOperatorToken(dataDir),
+    // RC1 hot-reload seam: the EXPLICIT token (override or env), with NO disk read.
+    // When this is null the live auth path re-reads the token file on each request
+    // (getOperatorToken) so `operator enable` takes effect with no restart; when a
+    // test/env pins a token, that value stays authoritative. (See index.mjs.)
+    operatorTokenExplicit:
+      overrides.operatorToken ?? env.WILD_WORKSPACE_OPERATOR_TOKEN ?? null,
+    workspaceId:
+      overrides.workspaceId ||
+      env.WILD_WORKSPACE_ID ||
+      path.basename(workspaceDir) ||
+      'workspace',
+    role: overrides.role || env.WILD_WORKSPACE_ROLE || ROLES.PARTNER,
+    // bmo-sync daemon — a separate local process; the bridge retries quietly
+    // when it is absent. daemonUrl is the WebSocket event feed; daemonHttpUrl
+    // is the same origin's HTTP API (pair / detach / list).
+    daemonUrl,
+    daemonHttpUrl: daemonHttpBase(daemonUrl),
+    // Auto-start the bmo-sync daemon when the server boots. On by default;
+    // WILD_WORKSPACE_DAEMON_AUTOSTART=0 disables it. Forced off under the test
+    // runner (VITEST / NODE_ENV=test) so the suite never spawns a real daemon.
+    daemonAutostart:
+      overrides.daemonAutostart ??
+      (env.WILD_WORKSPACE_DAEMON_AUTOSTART !== '0' &&
+        !env.VITEST &&
+        env.NODE_ENV !== 'test'),
+    // Central bmo-sync server (Fly.io). Used to redeem invites (via the
+    // daemon) and — only when an admin key is set — to mint them.
+    bmoSyncServerUrl:
+      overrides.bmoSyncServerUrl ||
+      env.WILD_WORKSPACE_BMO_SYNC_URL ||
+      env.BMO_SYNC_URL ||
+      'https://sync.venturewild.llc',
+    // Optional. Present only on an install that mints invites (the folder
+    // owner). Absent installs can still redeem. Never sent to the browser.
+    bmoSyncAdminKey:
+      overrides.bmoSyncAdminKey ||
+      env.BMO_SYNC_ADMIN_KEY ||
+      env.WILD_WORKSPACE_BMO_ADMIN_KEY ||
+      null,
+    home: os.homedir(),
+    nodeEnv: env.NODE_ENV || 'production',
+  };
+}
+
+// Read from package.json (the single source of truth) so the reported version
+// can never drift from the published release — `npm version` bumps it for free.
+// This previously hardcoded '0.1.0', so every release (0.1.1/0.1.2/0.1.3) shipped
+// a stale version to `--version`, /api/health, doctor, and all telemetry.
+function readAppVersion() {
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, '../../package.json'), 'utf8'));
+    return pkg.version || '0.0.0';
+  } catch {
+    return '0.0.0';
+  }
+}
+export const APP_VERSION = readAppVersion();