create-workframe 0.1.0 → 0.1.1

package/scripts/apply-update-workframe.sh

@@ -1,77 +1,77 @@
-#!/usr/bin/env bash
-# Safe Workframe update — sync npm template (optional), rebuild API/supervisor/UI containers. Never wipes runtime/DB.
-set -euo pipefail
-SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-# shellcheck source=compose-docker-host.sh
-source "$SCRIPT_DIR/compose-docker-host.sh"
-
-workframe_compose_prepare
-PROJECT_ROOT="${WORKFRAME_HOST_PROJECT_ROOT:-${WORKFRAME_PROJECT_ROOT:-$compose_cd}}"
-
-echo "=== Workframe update (API + supervisor + UI) ==="
-echo "Project root: $PROJECT_ROOT"
-echo "Preserves: Agents/, Files/, .env, workframe-api/data, gateway/Hermes profiles"
-
-TARGET_VERSION="${WORKFRAME_UPDATE_VERSION:-}"
-NPM_PACKAGE="${WORKFRAME_NPM_PACKAGE:-create-workframe}"
-
-if [[ "${WORKFRAME_UPDATE_SKIP_NPM:-1}" == "1" ]] && [[ "${WORKFRAME_UPDATE_ALLOW_NPM:-}" != "1" ]]; then
-  echo "Skipping npm template sync (WORKFRAME_UPDATE_SKIP_NPM=1; set WORKFRAME_UPDATE_ALLOW_NPM=1 to fetch)"
-elif command -v npm >/dev/null 2>&1; then
-  if [[ "${WORKFRAME_UPDATE_ALLOW_NPM:-}" == "1" ]] && [[ -z "$TARGET_VERSION" ]]; then
-    echo "WORKFRAME_UPDATE_VERSION is required when WORKFRAME_UPDATE_ALLOW_NPM=1" >&2
-    exit 1
-  fi
-  TMP="$(mktemp -d)"
-  trap 'rm -rf "$TMP"' EXIT
-  echo "Fetching ${NPM_PACKAGE}@${TARGET_VERSION:-latest} from npm..."
-  (cd "$TMP" && npm pack "${NPM_PACKAGE}@${TARGET_VERSION:-latest}" --silent)
-  TARBALL="$(ls -1 "$TMP"/${NPM_PACKAGE}-*.tgz 2>/dev/null | head -n1 || true)"
-  if [[ -n "$TARBALL" ]]; then
-    EXPECTED="$(npm view "${NPM_PACKAGE}@${TARGET_VERSION:-latest}" dist.integrity --silent 2>/dev/null || true)"
-    if [[ -n "$EXPECTED" ]]; then
-      ACTUAL="sha512-$(sha512sum "$TARBALL" | awk '{print $1}' | xxd -r -p | base64 | tr -d '\n')"
-      if [[ "$ACTUAL" != "$EXPECTED" ]]; then
-        echo "integrity mismatch for ${NPM_PACKAGE}@${TARGET_VERSION:-latest}" >&2
-        exit 1
-      fi
-      echo "integrity ok: ${NPM_PACKAGE}@${TARGET_VERSION:-latest}"
-    fi
-    tar -xf "$TARBALL" -C "$TMP"
-    PKG="$TMP/package"
-    for dir in workframe-api workframe-supervisor; do
-      if [[ -d "$PKG/$dir" ]]; then
-        echo "Syncing $dir/"
-        mkdir -p "$PROJECT_ROOT/$dir"
-        cp -a "$PKG/$dir/." "$PROJECT_ROOT/$dir/"
-      fi
-    done
-    if [[ -d "$PKG/workframe-ui/public" ]]; then
-      echo "Syncing workframe-ui/public/"
-      mkdir -p "$PROJECT_ROOT/workframe-ui/public"
-      cp -a "$PKG/workframe-ui/public/." "$PROJECT_ROOT/workframe-ui/public/"
-    fi
-    for script in apply-update-hermes.sh apply-update-workframe.sh restart-gateway-hermes.sh compose-docker-host.sh update-hermes.sh; do
-      if [[ -f "$PKG/scripts/$script" ]]; then
-        cp -a "$PKG/scripts/$script" "$PROJECT_ROOT/scripts/workframe/$script"
-        chmod +x "$PROJECT_ROOT/scripts/workframe/$script" 2>/dev/null || true
-      fi
-    done
-  else
-    echo "npm pack produced no tarball — skipping template sync"
-  fi
-else
-  echo "Skipping npm template sync (npm missing or WORKFRAME_UPDATE_SKIP_NPM=1)"
-fi
-
-echo "Rebuilding workframe-api and workframe-supervisor..."
-workframe_compose build workframe-api workframe-supervisor
-workframe_compose up -d --build --no-deps workframe-api workframe-supervisor
-
-if workframe_compose config --services 2>/dev/null | grep -qx workframe-ui; then
-  workframe_compose up -d --no-deps workframe-ui || workframe_compose restart workframe-ui || true
-elif workframe_compose config --services 2>/dev/null | grep -qx workframe; then
-  workframe_compose up -d --no-deps workframe || workframe_compose restart workframe || true
-fi
-
-echo "=== Workframe update complete ==="
+#!/usr/bin/env bash
+# Safe Workframe update — sync npm template (optional), rebuild API/supervisor/UI containers. Never wipes runtime/DB.
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=compose-docker-host.sh
+source "$SCRIPT_DIR/compose-docker-host.sh"
+
+workframe_compose_prepare
+PROJECT_ROOT="${WORKFRAME_HOST_PROJECT_ROOT:-${WORKFRAME_PROJECT_ROOT:-$compose_cd}}"
+
+echo "=== Workframe update (API + supervisor + UI) ==="
+echo "Project root: $PROJECT_ROOT"
+echo "Preserves: Agents/, Files/, .env, workframe-api/data, gateway/Hermes profiles"
+
+TARGET_VERSION="${WORKFRAME_UPDATE_VERSION:-}"
+NPM_PACKAGE="${WORKFRAME_NPM_PACKAGE:-create-workframe}"
+
+if [[ "${WORKFRAME_UPDATE_SKIP_NPM:-1}" == "1" ]] && [[ "${WORKFRAME_UPDATE_ALLOW_NPM:-}" != "1" ]]; then
+  echo "Skipping npm template sync (WORKFRAME_UPDATE_SKIP_NPM=1; set WORKFRAME_UPDATE_ALLOW_NPM=1 to fetch)"
+elif command -v npm >/dev/null 2>&1; then
+  if [[ "${WORKFRAME_UPDATE_ALLOW_NPM:-}" == "1" ]] && [[ -z "$TARGET_VERSION" ]]; then
+    echo "WORKFRAME_UPDATE_VERSION is required when WORKFRAME_UPDATE_ALLOW_NPM=1" >&2
+    exit 1
+  fi
+  TMP="$(mktemp -d)"
+  trap 'rm -rf "$TMP"' EXIT
+  echo "Fetching ${NPM_PACKAGE}@${TARGET_VERSION:-latest} from npm..."
+  (cd "$TMP" && npm pack "${NPM_PACKAGE}@${TARGET_VERSION:-latest}" --silent)
+  TARBALL="$(ls -1 "$TMP"/${NPM_PACKAGE}-*.tgz 2>/dev/null | head -n1 || true)"
+  if [[ -n "$TARBALL" ]]; then
+    EXPECTED="$(npm view "${NPM_PACKAGE}@${TARGET_VERSION:-latest}" dist.integrity --silent 2>/dev/null || true)"
+    if [[ -n "$EXPECTED" ]]; then
+      ACTUAL="sha512-$(sha512sum "$TARBALL" | awk '{print $1}' | xxd -r -p | base64 | tr -d '\n')"
+      if [[ "$ACTUAL" != "$EXPECTED" ]]; then
+        echo "integrity mismatch for ${NPM_PACKAGE}@${TARGET_VERSION:-latest}" >&2
+        exit 1
+      fi
+      echo "integrity ok: ${NPM_PACKAGE}@${TARGET_VERSION:-latest}"
+    fi
+    tar -xf "$TARBALL" -C "$TMP"
+    PKG="$TMP/package"
+    for dir in workframe-api workframe-supervisor; do
+      if [[ -d "$PKG/$dir" ]]; then
+        echo "Syncing $dir/"
+        mkdir -p "$PROJECT_ROOT/$dir"
+        cp -a "$PKG/$dir/." "$PROJECT_ROOT/$dir/"
+      fi
+    done
+    if [[ -d "$PKG/workframe-ui/public" ]]; then
+      echo "Syncing workframe-ui/public/"
+      mkdir -p "$PROJECT_ROOT/workframe-ui/public"
+      cp -a "$PKG/workframe-ui/public/." "$PROJECT_ROOT/workframe-ui/public/"
+    fi
+    for script in apply-update-hermes.sh apply-update-workframe.sh restart-gateway-hermes.sh compose-docker-host.sh update-hermes.sh; do
+      if [[ -f "$PKG/scripts/$script" ]]; then
+        cp -a "$PKG/scripts/$script" "$PROJECT_ROOT/scripts/workframe/$script"
+        chmod +x "$PROJECT_ROOT/scripts/workframe/$script" 2>/dev/null || true
+      fi
+    done
+  else
+    echo "npm pack produced no tarball — skipping template sync"
+  fi
+else
+  echo "Skipping npm template sync (npm missing or WORKFRAME_UPDATE_SKIP_NPM=1)"
+fi
+
+echo "Rebuilding workframe-api and workframe-supervisor..."
+workframe_compose build workframe-api workframe-supervisor
+workframe_compose up -d --build --no-deps workframe-api workframe-supervisor
+
+if workframe_compose config --services 2>/dev/null | grep -qx workframe-ui; then
+  workframe_compose up -d --no-deps workframe-ui || workframe_compose restart workframe-ui || true
+elif workframe_compose config --services 2>/dev/null | grep -qx workframe; then
+  workframe_compose up -d --no-deps workframe || workframe_compose restart workframe || true
+fi
+
+echo "=== Workframe update complete ==="

package/scripts/bootstrap-workspace-link.sh

@@ -1,8 +1,8 @@
-#!/bin/sh
-# Hermes sets HERMES_WRITE_SAFE_ROOT=/opt/data — user artifacts must resolve under it.
-# Bind host Files at /opt/data/workspace; keep /workspace as a symlink for agents and API.
-mkdir -p /opt/data/workspace
-if [ -L /workspace ] || [ ! -e /workspace ]; then
-  rm -rf /workspace 2>/dev/null || true
-  ln -sfn /opt/data/workspace /workspace
-fi
+#!/bin/sh
+# Hermes sets HERMES_WRITE_SAFE_ROOT=/opt/data — user artifacts must resolve under it.
+# Bind host Files at /opt/data/workspace; keep /workspace as a symlink for agents and API.
+mkdir -p /opt/data/workspace
+if [ -L /workspace ] || [ ! -e /workspace ]; then
+  rm -rf /workspace 2>/dev/null || true
+  ln -sfn /opt/data/workspace /workspace
+fi

package/scripts/bundle-workframe-ui.mjs

@@ -2,7 +2,7 @@
 /**
  * Build apps/web and copy dist into create-workframe/workframe-ui/public for npm publish.
  * Canonical UI pipeline: apps/web `npm run build` → dist (same as monorepo `pnpm build:web`).
- * Run from ProjectX root: node packages/create-workframe/scripts/bundle-workframe-ui.mjs
+ * Run from repository root: node packages/create-workframe/scripts/bundle-workframe-ui.mjs
  */
 import fs from 'node:fs';
 import path from 'node:path';
@@ -11,8 +11,8 @@ import { spawnSync } from 'node:child_process';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const PKG_ROOT = path.resolve(__dirname, '..');
-const PROJECTX_ROOT = path.resolve(PKG_ROOT, '../..');
-const UI_SRC = path.join(PROJECTX_ROOT, 'apps/web');
+const REPO_ROOT = path.resolve(PKG_ROOT, '../..');
+const UI_SRC = path.join(REPO_ROOT, 'apps/web');
 const UI_DEST = path.join(PKG_ROOT, 'workframe-ui', 'public');
 
 function npmCmd() {

package/scripts/compose-docker-host.sh

@@ -1,37 +1,37 @@
-#!/usr/bin/env bash
-# Shared docker compose invocation for in-container apply (docker.sock on host).
-set -euo pipefail
-
-workframe_compose_prepare() {
-  compose_cd=""
-  compose_files=()
-
-  # Host-bindings overlay: docker.sock apply from supervisor uses WORKFRAME_HOST_* paths.
-  if [[ -n "${WORKFRAME_HOST_COMPOSE_DIR:-}" && -n "${WORKFRAME_COMPOSE_DIR:-}" \
-        && -f "${WORKFRAME_COMPOSE_DIR}/docker-compose.yml" \
-        && -f "${WORKFRAME_COMPOSE_DIR}/docker-compose.host-bindings.yml" ]]; then
-    compose_cd="${WORKFRAME_COMPOSE_DIR}"
-    compose_files=(-f docker-compose.yml -f docker-compose.host-bindings.yml)
-    return 0
-  fi
-
-  # ponytail: docker Desktop resolves WORKFRAME_HOST_* via socket even when path is not visible in this container.
-  if [[ -n "${WORKFRAME_HOST_COMPOSE_DIR:-}" ]]; then
-    compose_cd="${WORKFRAME_HOST_COMPOSE_DIR}"
-    compose_files=(-f docker-compose.yml)
-    return 0
-  fi
-
-  compose_cd="${WORKFRAME_COMPOSE_DIR:-${WORKFRAME_PROJECT_ROOT:-.}}"
-  compose_files=(-f docker-compose.yml)
-}
-
-workframe_compose() {
-  workframe_compose_prepare
-  cd "$compose_cd"
-  if [[ ! -f docker-compose.yml ]]; then
-    echo "docker-compose.yml not found in $compose_cd" >&2
-    exit 1
-  fi
-  docker compose "${compose_files[@]}" "$@"
-}
+#!/usr/bin/env bash
+# Shared docker compose invocation for in-container apply (docker.sock on host).
+set -euo pipefail
+
+workframe_compose_prepare() {
+  compose_cd=""
+  compose_files=()
+
+  # Host-bindings overlay: docker.sock apply from supervisor uses WORKFRAME_HOST_* paths.
+  if [[ -n "${WORKFRAME_HOST_COMPOSE_DIR:-}" && -n "${WORKFRAME_COMPOSE_DIR:-}" \
+        && -f "${WORKFRAME_COMPOSE_DIR}/docker-compose.yml" \
+        && -f "${WORKFRAME_COMPOSE_DIR}/docker-compose.host-bindings.yml" ]]; then
+    compose_cd="${WORKFRAME_COMPOSE_DIR}"
+    compose_files=(-f docker-compose.yml -f docker-compose.host-bindings.yml)
+    return 0
+  fi
+
+  # ponytail: docker Desktop resolves WORKFRAME_HOST_* via socket even when path is not visible in this container.
+  if [[ -n "${WORKFRAME_HOST_COMPOSE_DIR:-}" ]]; then
+    compose_cd="${WORKFRAME_HOST_COMPOSE_DIR}"
+    compose_files=(-f docker-compose.yml)
+    return 0
+  fi
+
+  compose_cd="${WORKFRAME_COMPOSE_DIR:-${WORKFRAME_PROJECT_ROOT:-.}}"
+  compose_files=(-f docker-compose.yml)
+}
+
+workframe_compose() {
+  workframe_compose_prepare
+  cd "$compose_cd"
+  if [[ ! -f docker-compose.yml ]]; then
+    echo "docker-compose.yml not found in $compose_cd" >&2
+    exit 1
+  fi
+  docker compose "${compose_files[@]}" "$@"
+}

package/scripts/ensure-compose-host-paths.mjs

@@ -1,51 +1,51 @@
-#!/usr/bin/env node
-/**
- * Ensure WORKFRAME_HOST_* paths exist in compose .env (VPS in-app publish/sync).
- * Usage: node ensure-compose-host-paths.mjs --project-root /opt/workframe/ProjectX [--env path]
- */
-import fs from 'node:fs';
-import path from 'node:path';
-
-const args = process.argv.slice(2);
-const rootFlag = args.indexOf('--project-root');
-const envFlag = args.indexOf('--env');
-const projectRoot =
-  rootFlag >= 0 ? args[rootFlag + 1] : '/opt/workframe/ProjectX';
-const envPath =
-  envFlag >= 0
-    ? args[envFlag + 1]
-    : path.join(projectRoot, 'infra/compose/workframe/.env');
-const composeDir = path.join(projectRoot, 'infra/compose/workframe');
-
-function setIfEmpty(text, key, val) {
-  const esc = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-  const re = new RegExp(`^${esc}=(.*)$`, 'm');
-  const m = text.match(re);
-  if (m && String(m[1] || '').trim()) return text;
-  const line = `${key}=${val}`;
-  if (m) return text.replace(re, line);
-  return `${text}${text.endsWith('\n') || !text ? '' : '\n'}${line}\n`;
-}
-
-if (!fs.existsSync(envPath)) {
-  console.error(`Missing env file: ${envPath}`);
-  process.exit(1);
-}
-
-let text = fs.readFileSync(envPath, 'utf8');
-text = setIfEmpty(text, 'WORKFRAME_HOST_PROJECT_ROOT', projectRoot.replace(/\\/g, '/'));
-text = setIfEmpty(text, 'WORKFRAME_HOST_COMPOSE_DIR', composeDir.replace(/\\/g, '/'));
-fs.writeFileSync(envPath, text);
-
-console.log(
-  JSON.stringify(
-    {
-      ok: true,
-      env: envPath,
-      project_root: projectRoot.replace(/\\/g, '/'),
-      compose_dir: composeDir.replace(/\\/g, '/'),
-    },
-    null,
-    2,
-  ),
-);
+#!/usr/bin/env node
+/**
+ * Ensure WORKFRAME_HOST_* paths exist in compose .env (VPS in-app publish/sync).
+ * Usage: node ensure-compose-host-paths.mjs --project-root /opt/workframe/repo [--env path]
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+
+const args = process.argv.slice(2);
+const rootFlag = args.indexOf('--project-root');
+const envFlag = args.indexOf('--env');
+const projectRoot =
+  rootFlag >= 0 ? args[rootFlag + 1] : '/opt/workframe/repo';
+const envPath =
+  envFlag >= 0
+    ? args[envFlag + 1]
+    : path.join(projectRoot, 'infra/compose/workframe/.env');
+const composeDir = path.join(projectRoot, 'infra/compose/workframe');
+
+function setIfEmpty(text, key, val) {
+  const esc = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const re = new RegExp(`^${esc}=(.*)$`, 'm');
+  const m = text.match(re);
+  if (m && String(m[1] || '').trim()) return text;
+  const line = `${key}=${val}`;
+  if (m) return text.replace(re, line);
+  return `${text}${text.endsWith('\n') || !text ? '' : '\n'}${line}\n`;
+}
+
+if (!fs.existsSync(envPath)) {
+  console.error(`Missing env file: ${envPath}`);
+  process.exit(1);
+}
+
+let text = fs.readFileSync(envPath, 'utf8');
+text = setIfEmpty(text, 'WORKFRAME_HOST_PROJECT_ROOT', projectRoot.replace(/\\/g, '/'));
+text = setIfEmpty(text, 'WORKFRAME_HOST_COMPOSE_DIR', composeDir.replace(/\\/g, '/'));
+fs.writeFileSync(envPath, text);
+
+console.log(
+  JSON.stringify(
+    {
+      ok: true,
+      env: envPath,
+      project_root: projectRoot.replace(/\\/g, '/'),
+      compose_dir: composeDir.replace(/\\/g, '/'),
+    },
+    null,
+    2,
+  ),
+);

package/scripts/fix-zk-encryption-key.sh

@@ -1,35 +1,35 @@
-#!/usr/bin/env bash
-# Fix ZK_AUTH_ENCRYPTION_KEY when it was generated as hex instead of base64.
-set -euo pipefail
-ENV_FILE="${1:-/opt/workframe/MyBusiness/.env}"
-FORCE="${2:-}"
-python3 - "$ENV_FILE" "$FORCE" <<'PY'
-import base64, os, re, sys
-from pathlib import Path
-env, force = Path(sys.argv[1]), sys.argv[2] == "--force"
-text = env.read_text(encoding="utf-8")
-m = re.search(r"^ZK_AUTH_ENCRYPTION_KEY=(.*)$", text, re.M)
-if not m:
-    print("ZK_AUTH_ENCRYPTION_KEY missing"); sys.exit(1)
-val = m.group(1).strip()
-try:
-    ok = len(base64.b64decode(val)) == 32
-except Exception:
-    ok = False
-if ok:
-    print("ZK_AUTH_ENCRYPTION_KEY already valid"); sys.exit(0)
-
-zk_db = Path(os.environ.get("WORKFRAME_API_DATA_DIR", "/app/data")) / "zk_auth.db"
-if zk_db.is_file() and not force:
-    import sqlite3
-    n = sqlite3.connect(str(zk_db)).execute("SELECT COUNT(*) FROM identities").fetchone()[0]
-    if n > 0:
-        print(f"REFUSING: {n} encrypted identities present. Regenerating the KEK will lock "
-              f"out every existing user. Re-run with --force to proceed.", file=sys.stderr)
-        sys.exit(1)
-
-new_key = base64.b64encode(os.urandom(32)).decode()
-text = re.sub(r"^ZK_AUTH_ENCRYPTION_KEY=.*$", f"ZK_AUTH_ENCRYPTION_KEY={new_key}", text, flags=re.M)
-env.write_text(text, encoding="utf-8")
-print("ZK_AUTH_ENCRYPTION_KEY regenerated (was invalid base64)")
-PY
+#!/usr/bin/env bash
+# Fix ZK_AUTH_ENCRYPTION_KEY when it was generated as hex instead of base64.
+set -euo pipefail
+ENV_FILE="${1:-/opt/workframe/MyBusiness/.env}"
+FORCE="${2:-}"
+python3 - "$ENV_FILE" "$FORCE" <<'PY'
+import base64, os, re, sys
+from pathlib import Path
+env, force = Path(sys.argv[1]), sys.argv[2] == "--force"
+text = env.read_text(encoding="utf-8")
+m = re.search(r"^ZK_AUTH_ENCRYPTION_KEY=(.*)$", text, re.M)
+if not m:
+    print("ZK_AUTH_ENCRYPTION_KEY missing"); sys.exit(1)
+val = m.group(1).strip()
+try:
+    ok = len(base64.b64decode(val)) == 32
+except Exception:
+    ok = False
+if ok:
+    print("ZK_AUTH_ENCRYPTION_KEY already valid"); sys.exit(0)
+
+zk_db = Path(os.environ.get("WORKFRAME_API_DATA_DIR", "/app/data")) / "zk_auth.db"
+if zk_db.is_file() and not force:
+    import sqlite3
+    n = sqlite3.connect(str(zk_db)).execute("SELECT COUNT(*) FROM identities").fetchone()[0]
+    if n > 0:
+        print(f"REFUSING: {n} encrypted identities present. Regenerating the KEK will lock "
+              f"out every existing user. Re-run with --force to proceed.", file=sys.stderr)
+        sys.exit(1)
+
+new_key = base64.b64encode(os.urandom(32)).decode()
+text = re.sub(r"^ZK_AUTH_ENCRYPTION_KEY=.*$", f"ZK_AUTH_ENCRYPTION_KEY={new_key}", text, flags=re.M)
+env.write_text(text, encoding="utf-8")
+print("ZK_AUTH_ENCRYPTION_KEY regenerated (was invalid base64)")
+PY