@venturewild/workspace 0.3.7 → 0.4.0

package/server/src/logpaths.mjs

@@ -1,98 +1,98 @@
-// logpaths — one registry for the machine-global logs so `doctor`, `logs`, and
-// the operator channel all read the same set, and a tiny append/rotate/tail
-// helper for the new logs we write ourselves (cli, operator).
-//
-// WHY a registry and not just scattered paths: a brand-new user's install is the
-// riskiest moment (no Claude yet, wrong Node, port busy, daemon won't resolve),
-// and "I can't see what happened on their machine" is the #1 un-debuggable
-// failure. Centralising the log locations is what lets `wild-workspace doctor`
-// gather them and the operator channel tail them by name — never by arbitrary
-// path (the tail allowlist is TAILABLE below).
-//
-// NOTE: the supervisor + daemon-supervisor keep writing their logs at the
-// global-dir root (supervisor.log / server.out.log / daemon.log) — those paths
-// are reboot-proven and pinned by tests via an injected globalDir, so we mirror
-// them here for READING rather than moving them. Everything lives under
-// ~/.wild-workspace (NEVER the synced workspace — CLAUDE.md principle #1).
-
-import os from 'node:os';
-import path from 'node:path';
-import fs from 'node:fs';
-
-// THE machine-global dir. Mirrors service.mjs globalDir() + the supervisor
-// defaults. Overridable via env for tests / unusual homes.
-export function globalDir(env = process.env) {
-  return env.WILD_WORKSPACE_GLOBAL_DIR || path.join(os.homedir(), '.wild-workspace');
-}
-
-// Logical name → filename. The first three are written by existing components;
-// cli + operator are new. Doctor bundles go under diagnosticsDir() (below).
-export const LOG_FILES = Object.freeze({
-  supervisor: 'supervisor.log', // WorkspaceSupervisor watchdog
-  server: 'server.out.log', //     the :5173 server's stdout/stderr (launcher-redirected)
-  daemon: 'daemon.log', //         the bmo-sync daemon
-  cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
-  operator: 'operator.log', //     the consented operator channel's audit trail
-  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
-});
-
-// Logs the operator channel may tail BY NAME — never an arbitrary path.
-export const TAILABLE = Object.freeze(Object.keys(LOG_FILES));
-
-export function logFile(name, env = process.env) {
-  return path.join(globalDir(env), LOG_FILES[name] || `${name}.log`);
-}
-
-export function diagnosticsDir(env = process.env) {
-  return path.join(globalDir(env), 'diagnostics');
-}
-
-const MAX_LOG_BYTES = 2 * 1024 * 1024; // 2 MB → rotate to .1 (keep one prior gen)
-
-// Rotate `file` to `file.1` once it grows past maxBytes. Best-effort, no throw.
-export function rotateIfBig(file, maxBytes = MAX_LOG_BYTES) {
-  try {
-    if (fs.statSync(file).size > maxBytes) fs.renameSync(file, `${file}.1`);
-  } catch {
-    /* missing / racing rename — nothing to rotate */
-  }
-}
-
-// Append a timestamped line to a named log; ensures the dir + rotates. Returns
-// the file path. Never throws — logging must not break the caller's path.
-export function appendLine(name, line, env = process.env) {
-  const file = logFile(name, env);
-  try {
-    fs.mkdirSync(path.dirname(file), { recursive: true });
-    rotateIfBig(file);
-    fs.appendFileSync(file, `[${new Date().toISOString()}] ${line}\n`);
-  } catch {
-    /* read-only fs etc. — degrade silently */
-  }
-  return file;
-}
-
-// Last `n` lines of a file (logs are size-capped, so reading whole is cheap).
-// Returns '' when the file is missing/unreadable.
-export function tailFile(file, n = 200) {
-  try {
-    // Drop the trailing newline so the last line isn't an empty entry.
-    const lines = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '').split(/\r?\n/);
-    return lines.slice(Math.max(0, lines.length - n)).join('\n');
-  } catch {
-    return '';
-  }
-}
-
-// All known logs with on-disk size + mtime (null when absent) — for doctor/logs.
-export function listLogs(env = process.env) {
-  return TAILABLE.map((name) => {
-    const file = logFile(name, env);
-    try {
-      const st = fs.statSync(file);
-      return { name, file, exists: true, size: st.size, mtime: st.mtimeMs };
-    } catch {
-      return { name, file, exists: false, size: null, mtime: null };
-    }
-  });
-}
+// logpaths — one registry for the machine-global logs so `doctor`, `logs`, and
+// the operator channel all read the same set, and a tiny append/rotate/tail
+// helper for the new logs we write ourselves (cli, operator).
+//
+// WHY a registry and not just scattered paths: a brand-new user's install is the
+// riskiest moment (no Claude yet, wrong Node, port busy, daemon won't resolve),
+// and "I can't see what happened on their machine" is the #1 un-debuggable
+// failure. Centralising the log locations is what lets `wild-workspace doctor`
+// gather them and the operator channel tail them by name — never by arbitrary
+// path (the tail allowlist is TAILABLE below).
+//
+// NOTE: the supervisor + daemon-supervisor keep writing their logs at the
+// global-dir root (supervisor.log / server.out.log / daemon.log) — those paths
+// are reboot-proven and pinned by tests via an injected globalDir, so we mirror
+// them here for READING rather than moving them. Everything lives under
+// ~/.wild-workspace (NEVER the synced workspace — CLAUDE.md principle #1).
+
+import os from 'node:os';
+import path from 'node:path';
+import fs from 'node:fs';
+
+// THE machine-global dir. Mirrors service.mjs globalDir() + the supervisor
+// defaults. Overridable via env for tests / unusual homes.
+export function globalDir(env = process.env) {
+  return env.WILD_WORKSPACE_GLOBAL_DIR || path.join(os.homedir(), '.wild-workspace');
+}
+
+// Logical name → filename. The first three are written by existing components;
+// cli + operator are new. Doctor bundles go under diagnosticsDir() (below).
+export const LOG_FILES = Object.freeze({
+  supervisor: 'supervisor.log', // WorkspaceSupervisor watchdog
+  server: 'server.out.log', //     the :5173 server's stdout/stderr (launcher-redirected)
+  daemon: 'daemon.log', //         the bmo-sync daemon
+  cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
+  operator: 'operator.log', //     the consented operator channel's audit trail
+  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
+});
+
+// Logs the operator channel may tail BY NAME — never an arbitrary path.
+export const TAILABLE = Object.freeze(Object.keys(LOG_FILES));
+
+export function logFile(name, env = process.env) {
+  return path.join(globalDir(env), LOG_FILES[name] || `${name}.log`);
+}
+
+export function diagnosticsDir(env = process.env) {
+  return path.join(globalDir(env), 'diagnostics');
+}
+
+const MAX_LOG_BYTES = 2 * 1024 * 1024; // 2 MB → rotate to .1 (keep one prior gen)
+
+// Rotate `file` to `file.1` once it grows past maxBytes. Best-effort, no throw.
+export function rotateIfBig(file, maxBytes = MAX_LOG_BYTES) {
+  try {
+    if (fs.statSync(file).size > maxBytes) fs.renameSync(file, `${file}.1`);
+  } catch {
+    /* missing / racing rename — nothing to rotate */
+  }
+}
+
+// Append a timestamped line to a named log; ensures the dir + rotates. Returns
+// the file path. Never throws — logging must not break the caller's path.
+export function appendLine(name, line, env = process.env) {
+  const file = logFile(name, env);
+  try {
+    fs.mkdirSync(path.dirname(file), { recursive: true });
+    rotateIfBig(file);
+    fs.appendFileSync(file, `[${new Date().toISOString()}] ${line}\n`);
+  } catch {
+    /* read-only fs etc. — degrade silently */
+  }
+  return file;
+}
+
+// Last `n` lines of a file (logs are size-capped, so reading whole is cheap).
+// Returns '' when the file is missing/unreadable.
+export function tailFile(file, n = 200) {
+  try {
+    // Drop the trailing newline so the last line isn't an empty entry.
+    const lines = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '').split(/\r?\n/);
+    return lines.slice(Math.max(0, lines.length - n)).join('\n');
+  } catch {
+    return '';
+  }
+}
+
+// All known logs with on-disk size + mtime (null when absent) — for doctor/logs.
+export function listLogs(env = process.env) {
+  return TAILABLE.map((name) => {
+    const file = logFile(name, env);
+    try {
+      const st = fs.statSync(file);
+      return { name, file, exists: true, size: st.size, mtime: st.mtimeMs };
+    } catch {
+      return { name, file, exists: false, size: null, mtime: null };
+    }
+  });
+}

package/server/src/observability.mjs

@@ -1,45 +1,45 @@
-// Consent for the proactive session + install observability feed (session-reporter.mjs
-// + transcript.mjs).
-//
-// DEFAULT-ON: an absent file means consented — because the disclosure is shown at
-// onboarding, and this is the model the apps users already trust use (they retain
-// sessions by default with an easy off). An explicit opt-out persists here. Kept
-// in its own file (not agent-identity.json) so it's readable at first load —
-// before the agent is even named — and trivial to flip. Mirrors operator.mjs.
-//
-// What "on" actually streams: WHAT happened + install health, never the words
-// (redaction lives in session-reporter.mjs). Off also hard-stops the kill switch
-// path WILD_WORKSPACE_NO_TELEMETRY=1, which disables ALL telemetry regardless.
-
-import fs from 'node:fs';
-import path from 'node:path';
-
-export const OBSERVABILITY_VERSION = 1;
-
-function consentFile(dataDir) {
-  return path.join(dataDir, 'observability.json');
-}
-
-export function loadObservabilityConsent(dataDir) {
-  try {
-    const p = JSON.parse(fs.readFileSync(consentFile(dataDir), 'utf8'));
-    return {
-      enabled: p.enabled !== false,
-      decidedAt: p.decidedAt ? Number(p.decidedAt) : null,
-      version: Number(p.version) || OBSERVABILITY_VERSION,
-    };
-  } catch {
-    return { enabled: true, decidedAt: null, version: OBSERVABILITY_VERSION }; // default-on
-  }
-}
-
-export function setObservabilityConsent(dataDir, enabled) {
-  const rec = { enabled: Boolean(enabled), decidedAt: Date.now(), version: OBSERVABILITY_VERSION };
-  try {
-    fs.mkdirSync(dataDir, { recursive: true });
-    fs.writeFileSync(consentFile(dataDir), JSON.stringify(rec, null, 2), { mode: 0o600 });
-  } catch {
-    /* read-only fs — fall back to in-memory for this run */
-  }
-  return rec;
-}
+// Consent for the proactive session + install observability feed (session-reporter.mjs
+// + transcript.mjs).
+//
+// DEFAULT-ON: an absent file means consented — because the disclosure is shown at
+// onboarding, and this is the model the apps users already trust use (they retain
+// sessions by default with an easy off). An explicit opt-out persists here. Kept
+// in its own file (not agent-identity.json) so it's readable at first load —
+// before the agent is even named — and trivial to flip. Mirrors operator.mjs.
+//
+// What "on" actually streams: WHAT happened + install health, never the words
+// (redaction lives in session-reporter.mjs). Off also hard-stops the kill switch
+// path WILD_WORKSPACE_NO_TELEMETRY=1, which disables ALL telemetry regardless.
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+export const OBSERVABILITY_VERSION = 1;
+
+function consentFile(dataDir) {
+  return path.join(dataDir, 'observability.json');
+}
+
+export function loadObservabilityConsent(dataDir) {
+  try {
+    const p = JSON.parse(fs.readFileSync(consentFile(dataDir), 'utf8'));
+    return {
+      enabled: p.enabled !== false,
+      decidedAt: p.decidedAt ? Number(p.decidedAt) : null,
+      version: Number(p.version) || OBSERVABILITY_VERSION,
+    };
+  } catch {
+    return { enabled: true, decidedAt: null, version: OBSERVABILITY_VERSION }; // default-on
+  }
+}
+
+export function setObservabilityConsent(dataDir, enabled) {
+  const rec = { enabled: Boolean(enabled), decidedAt: Date.now(), version: OBSERVABILITY_VERSION };
+  try {
+    fs.mkdirSync(dataDir, { recursive: true });
+    fs.writeFileSync(consentFile(dataDir), JSON.stringify(rec, null, 2), { mode: 0o600 });
+  } catch {
+    /* read-only fs — fall back to in-memory for this run */
+  }
+  return rec;
+}

package/server/src/operator.mjs

@@ -1,92 +1,92 @@
-// Operator channel token — the consented "let the wild-workspace team help with
-// my install" capability (docs/SECURITY.md, docs/user-experience.md §5).
-//
-// SECURITY POSTURE: this channel is OFF by default. It only exists once a token
-// is minted (`wild-workspace operator enable`, an explicit user opt-in). With no
-// token, the operator role is unreachable and every /api/operator/* route 404s.
-// The token is a separate secret from the partner token (so it can be handed to
-// support + revoked independently), persisted 0600, and accepted ONLY in an
-// Authorization header — never a `?t=` query (it must not leak via logs /
-// history / referrer; SECURITY.md S1). Disabling deletes the token.
-
-import fs from 'node:fs';
-import path from 'node:path';
-import crypto from 'node:crypto';
-
-export function operatorFile(dataDir) {
-  return path.join(dataDir, 'operator.json');
-}
-
-// The token, or null when the channel is disabled (the common case).
-export function loadOperatorToken(dataDir) {
-  try {
-    const parsed = JSON.parse(fs.readFileSync(operatorFile(dataDir), 'utf8'));
-    return typeof parsed.operatorToken === 'string' && parsed.operatorToken
-      ? parsed.operatorToken
-      : null;
-  } catch {
-    return null;
-  }
-}
-
-// RC1 hot-reload: read the operator token LIVE (with a tiny TTL cache) instead of
-// the value the server snapshotted at boot. Today `operator enable` writes the
-// token to disk but a long-running server keeps serving its cached "disabled"
-// state, so the channel 401s until a manual restart (the exact bug from the first
-// external install). A short TTL keeps this off the hot auth path — every request
-// reads from cache, and `enable`/`disable` take effect within `ttlMs`.
-//
-// The cache is keyed by dataDir so two servers (tests, multiple installs) in one
-// process don't read each other's tokens. `now` is injectable for tests.
-const _tokenCache = new Map(); // dataDir -> { token, at }
-export function getOperatorToken(dataDir, { ttlMs = 2000, now = Date.now } = {}) {
-  const t = now();
-  const hit = _tokenCache.get(dataDir);
-  if (hit && t - hit.at < ttlMs) return hit.token;
-  const token = loadOperatorToken(dataDir);
-  _tokenCache.set(dataDir, { token, at: t });
-  return token;
-}
-
-// Drop the cached token for a dataDir (or all of them). `enable`/`disable` run in
-// a separate CLI process from the server, so they don't need this — it exists so
-// in-process callers (and tests) can force a re-read without waiting out the TTL.
-export function invalidateOperatorTokenCache(dataDir) {
-  if (dataDir === undefined) _tokenCache.clear();
-  else _tokenCache.delete(dataDir);
-}
-
-// Turn the channel on. Idempotent by default — returns the existing token if one
-// is already set (so a re-run doesn't invalidate the code the user already
-// shared). Pass { rotate:true } to force a fresh token. Returns the token, or
-// null if it couldn't be persisted.
-export function enableOperator(dataDir, { rotate = false } = {}) {
-  const existing = loadOperatorToken(dataDir);
-  if (existing && !rotate) return existing;
-  const token = crypto.randomBytes(24).toString('base64url');
-  try {
-    fs.mkdirSync(dataDir, { recursive: true });
-    fs.writeFileSync(
-      operatorFile(dataDir),
-      JSON.stringify({ operatorToken: token, enabledAt: Date.now() }, null, 2),
-      { mode: 0o600 },
-    );
-  } catch {
-    return null;
-  }
-  return token;
-}
-
-// Turn the channel off (revoke). Returns true if a token file was removed.
-export function disableOperator(dataDir) {
-  try {
-    fs.rmSync(operatorFile(dataDir));
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-export function operatorStatus(dataDir) {
-  return { enabled: Boolean(loadOperatorToken(dataDir)), file: operatorFile(dataDir) };
-}
+// Operator channel token — the consented "let the wild-workspace team help with
+// my install" capability (docs/SECURITY.md, docs/user-experience.md §5).
+//
+// SECURITY POSTURE: this channel is OFF by default. It only exists once a token
+// is minted (`wild-workspace operator enable`, an explicit user opt-in). With no
+// token, the operator role is unreachable and every /api/operator/* route 404s.
+// The token is a separate secret from the partner token (so it can be handed to
+// support + revoked independently), persisted 0600, and accepted ONLY in an
+// Authorization header — never a `?t=` query (it must not leak via logs /
+// history / referrer; SECURITY.md S1). Disabling deletes the token.
+
+import fs from 'node:fs';
+import path from 'node:path';
+import crypto from 'node:crypto';
+
+export function operatorFile(dataDir) {
+  return path.join(dataDir, 'operator.json');
+}
+
+// The token, or null when the channel is disabled (the common case).
+export function loadOperatorToken(dataDir) {
+  try {
+    const parsed = JSON.parse(fs.readFileSync(operatorFile(dataDir), 'utf8'));
+    return typeof parsed.operatorToken === 'string' && parsed.operatorToken
+      ? parsed.operatorToken
+      : null;
+  } catch {
+    return null;
+  }
+}
+
+// RC1 hot-reload: read the operator token LIVE (with a tiny TTL cache) instead of
+// the value the server snapshotted at boot. Today `operator enable` writes the
+// token to disk but a long-running server keeps serving its cached "disabled"
+// state, so the channel 401s until a manual restart (the exact bug from the first
+// external install). A short TTL keeps this off the hot auth path — every request
+// reads from cache, and `enable`/`disable` take effect within `ttlMs`.
+//
+// The cache is keyed by dataDir so two servers (tests, multiple installs) in one
+// process don't read each other's tokens. `now` is injectable for tests.
+const _tokenCache = new Map(); // dataDir -> { token, at }
+export function getOperatorToken(dataDir, { ttlMs = 2000, now = Date.now } = {}) {
+  const t = now();
+  const hit = _tokenCache.get(dataDir);
+  if (hit && t - hit.at < ttlMs) return hit.token;
+  const token = loadOperatorToken(dataDir);
+  _tokenCache.set(dataDir, { token, at: t });
+  return token;
+}
+
+// Drop the cached token for a dataDir (or all of them). `enable`/`disable` run in
+// a separate CLI process from the server, so they don't need this — it exists so
+// in-process callers (and tests) can force a re-read without waiting out the TTL.
+export function invalidateOperatorTokenCache(dataDir) {
+  if (dataDir === undefined) _tokenCache.clear();
+  else _tokenCache.delete(dataDir);
+}
+
+// Turn the channel on. Idempotent by default — returns the existing token if one
+// is already set (so a re-run doesn't invalidate the code the user already
+// shared). Pass { rotate:true } to force a fresh token. Returns the token, or
+// null if it couldn't be persisted.
+export function enableOperator(dataDir, { rotate = false } = {}) {
+  const existing = loadOperatorToken(dataDir);
+  if (existing && !rotate) return existing;
+  const token = crypto.randomBytes(24).toString('base64url');
+  try {
+    fs.mkdirSync(dataDir, { recursive: true });
+    fs.writeFileSync(
+      operatorFile(dataDir),
+      JSON.stringify({ operatorToken: token, enabledAt: Date.now() }, null, 2),
+      { mode: 0o600 },
+    );
+  } catch {
+    return null;
+  }
+  return token;
+}
+
+// Turn the channel off (revoke). Returns true if a token file was removed.
+export function disableOperator(dataDir) {
+  try {
+    fs.rmSync(operatorFile(dataDir));
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function operatorStatus(dataDir) {
+  return { enabled: Boolean(loadOperatorToken(dataDir)), file: operatorFile(dataDir) };
+}