create-workframe 0.1.0 → 0.1.2

package/scripts/ensure-compose-host-paths.mjs

@@ -1,51 +1,51 @@
-#!/usr/bin/env node
-/**
- * Ensure WORKFRAME_HOST_* paths exist in compose .env (VPS in-app publish/sync).
- * Usage: node ensure-compose-host-paths.mjs --project-root /opt/workframe/ProjectX [--env path]
- */
-import fs from 'node:fs';
-import path from 'node:path';
-
-const args = process.argv.slice(2);
-const rootFlag = args.indexOf('--project-root');
-const envFlag = args.indexOf('--env');
-const projectRoot =
-  rootFlag >= 0 ? args[rootFlag + 1] : '/opt/workframe/ProjectX';
-const envPath =
-  envFlag >= 0
-    ? args[envFlag + 1]
-    : path.join(projectRoot, 'infra/compose/workframe/.env');
-const composeDir = path.join(projectRoot, 'infra/compose/workframe');
-
-function setIfEmpty(text, key, val) {
-  const esc = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-  const re = new RegExp(`^${esc}=(.*)$`, 'm');
-  const m = text.match(re);
-  if (m && String(m[1] || '').trim()) return text;
-  const line = `${key}=${val}`;
-  if (m) return text.replace(re, line);
-  return `${text}${text.endsWith('\n') || !text ? '' : '\n'}${line}\n`;
-}
-
-if (!fs.existsSync(envPath)) {
-  console.error(`Missing env file: ${envPath}`);
-  process.exit(1);
-}
-
-let text = fs.readFileSync(envPath, 'utf8');
-text = setIfEmpty(text, 'WORKFRAME_HOST_PROJECT_ROOT', projectRoot.replace(/\\/g, '/'));
-text = setIfEmpty(text, 'WORKFRAME_HOST_COMPOSE_DIR', composeDir.replace(/\\/g, '/'));
-fs.writeFileSync(envPath, text);
-
-console.log(
-  JSON.stringify(
-    {
-      ok: true,
-      env: envPath,
-      project_root: projectRoot.replace(/\\/g, '/'),
-      compose_dir: composeDir.replace(/\\/g, '/'),
-    },
-    null,
-    2,
-  ),
-);
+#!/usr/bin/env node
+/**
+ * Ensure WORKFRAME_HOST_* paths exist in compose .env (VPS in-app publish/sync).
+ * Usage: node ensure-compose-host-paths.mjs --project-root /opt/workframe/repo [--env path]
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+
+const args = process.argv.slice(2);
+const rootFlag = args.indexOf('--project-root');
+const envFlag = args.indexOf('--env');
+const projectRoot =
+  rootFlag >= 0 ? args[rootFlag + 1] : '/opt/workframe/repo';
+const envPath =
+  envFlag >= 0
+    ? args[envFlag + 1]
+    : path.join(projectRoot, 'infra/compose/workframe/.env');
+const composeDir = path.join(projectRoot, 'infra/compose/workframe');
+
+function setIfEmpty(text, key, val) {
+  const esc = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const re = new RegExp(`^${esc}=(.*)$`, 'm');
+  const m = text.match(re);
+  if (m && String(m[1] || '').trim()) return text;
+  const line = `${key}=${val}`;
+  if (m) return text.replace(re, line);
+  return `${text}${text.endsWith('\n') || !text ? '' : '\n'}${line}\n`;
+}
+
+if (!fs.existsSync(envPath)) {
+  console.error(`Missing env file: ${envPath}`);
+  process.exit(1);
+}
+
+let text = fs.readFileSync(envPath, 'utf8');
+text = setIfEmpty(text, 'WORKFRAME_HOST_PROJECT_ROOT', projectRoot.replace(/\\/g, '/'));
+text = setIfEmpty(text, 'WORKFRAME_HOST_COMPOSE_DIR', composeDir.replace(/\\/g, '/'));
+fs.writeFileSync(envPath, text);
+
+console.log(
+  JSON.stringify(
+    {
+      ok: true,
+      env: envPath,
+      project_root: projectRoot.replace(/\\/g, '/'),
+      compose_dir: composeDir.replace(/\\/g, '/'),
+    },
+    null,
+    2,
+  ),
+);

package/scripts/lib/install-identity.mjs

@@ -1,212 +1,212 @@
-/**
- * Per-install identity: slot-based localhost ports + stable install id for cookies.
- *
- * Slot N (1–99) → host ports N*10000 + tail:
- *   gateway 8642, dashboard 9119, api 9120, ui 8644, supervisor 8090
- *   slot 1 → 18642, 19119, 19120, 18644, 18090
- *   slot 2 → 28642, 29119, 29120, 28644, 28090
- *
- * ponytail: cookies use WORKFRAME_INSTALL_ID (not display name); auth DB is per install so same email can sign into many.
- */
-import crypto from 'node:crypto';
-import fs from 'node:fs';
-import net from 'node:net';
-import os from 'node:os';
-import path from 'node:path';
-
-export const PORT_TAIL = Object.freeze({
-  gateway: 8642,
-  dashboard: 9119,
-  api: 9120,
-  ui: 8644,
-  supervisor: 8090,
-});
-
-export function portsForSlot(slot) {
-  const n = Number(slot);
-  if (!Number.isInteger(n) || n < 1 || n > 99) {
-    throw new Error(`WORKFRAME_SLOT must be 1–99, got ${slot}`);
-  }
-  const base = n * 10_000;
-  return {
-    slot: n,
-    gateway: base + PORT_TAIL.gateway,
-    dashboard: base + PORT_TAIL.dashboard,
-    api: base + PORT_TAIL.api,
-    ui: base + PORT_TAIL.ui,
-    supervisor: base + PORT_TAIL.supervisor,
-  };
-}
-
-export function generateSupervisorToken() {
-  return crypto.randomBytes(32).toString('hex');
-}
-
-export function generateProxyToken() {
-  return crypto.randomBytes(32).toString('base64url');
-}
-
-export function generateApiToken() {
-  return crypto.randomBytes(32).toString('base64url');
-}
-
-export function generateDashboardAuthPassword() {
-  return crypto.randomBytes(18).toString('base64url');
-}
-
-export function generateDashboardAuthSecret() {
-  return crypto.randomBytes(24).toString('hex');
-}
-
-export function generateVaultKekB64() {
-  return crypto.randomBytes(32).toString('base64');
-}
-
-export function generateInstallId() {
-  return `wf_${crypto.randomBytes(6).toString('hex')}`;
-}
-
-export function sessionCookieNameFromEnv(env = process.env) {
-  const installId = String(env.WORKFRAME_INSTALL_ID || '').trim();
-  if (installId) {
-    const safe = installId.replace(/[^a-zA-Z0-9_-]+/g, '_').replace(/^_+|_+$/g, '');
-    if (safe) return `${safe}_session`;
-  }
-  const slug = String(env.WORKFRAME_PROJECT || 'workframe')
-    .toLowerCase()
-    .replace(/[^a-z0-9]+/g, '_')
-    .replace(/^_+|_+$/g, '') || 'workframe';
-  return `wf_${slug}_session`;
-}
-
-function portTaken(port, host = '127.0.0.1') {
-  return new Promise((resolve) => {
-    const socket = net.createConnection({ port, host });
-    const done = (taken) => {
-      socket.removeAllListeners();
-      socket.destroy();
-      resolve(taken);
-    };
-    socket.setTimeout(400);
-    socket.once('connect', () => done(true));
-    socket.once('timeout', () => done(false));
-    socket.once('error', () => done(false));
-  });
-}
-
-async function slotPortsFree(slot, host = '127.0.0.1') {
-  const ports = portsForSlot(slot);
-  for (const key of ['gateway', 'dashboard', 'api', 'ui']) {
-    if (await portTaken(ports[key], host)) return false;
-  }
-  return true;
-}
-
-/**
- * Pick the first free slot, or use preferredSlot when its ports are free.
- */
-export async function allocateInstall({
-  projectName,
-  preferredSlot = null,
-  maxSlot = 9,
-  host = '127.0.0.1',
-  installId = null,
-} = {}) {
-  if (preferredSlot != null) {
-    const slot = Number(preferredSlot);
-    if (!await slotPortsFree(slot, host)) {
-      throw new Error(
-        `WORKFRAME_SLOT ${slot} ports are in use (${JSON.stringify(portsForSlot(slot))})`,
-      );
-    }
-    return {
-      installId: installId || generateInstallId(),
-      projectName,
-      slot,
-      ports: portsForSlot(slot),
-    };
-  }
-
-  for (let slot = 1; slot <= maxSlot; slot++) {
-    if (await slotPortsFree(slot, host)) {
-      return {
-        installId: installId || generateInstallId(),
-        projectName,
-        slot,
-        ports: portsForSlot(slot),
-      };
-    }
-  }
-  throw new Error(`No free Workframe install slot (1–${maxSlot}) on ${host}`);
-}
-
-export function envFileLines(install, { example = false, nativeProfile = '', deploy = 'docker', hermesHome = '' } = {}) {
-  const header = example
-    ? '# Copy to .env — one install = one slot + one WORKFRAME_INSTALL_ID.\n# Same email may be used across installs; each has its own auth DB.\n'
-    : '# Local Workframe install identity (.env is gitignored).\n';
-  const { ports, installId, slot } = install;
-  const deployLine = deploy === 'native' ? 'WORKFRAME_DEPLOY=native\n' : 'WORKFRAME_DEPLOY=docker\n';
-  const hermesLine = hermesHome ? `HERMES_DATA=${hermesHome.replace(/\\/g, '/')}\n` : '';
-  return `${header}${deployLine}${hermesLine}WORKFRAME_INSTALL_ID=${installId}
-WORKFRAME_SLOT=${slot}
-WORKFRAME_PROJECT=${install.projectName}
-WORKFRAME_GATEWAY_PORT=${ports.gateway}
-WORKFRAME_DASHBOARD_PORT=${ports.dashboard}
-WORKFRAME_UI_PORT=${ports.ui}
-WORKFRAME_UI_STATIC_DIR=./workframe-ui/public
-WORKFRAME_API_PORT=${ports.api}
-WORKFRAME_SUPERVISOR_PORT=${ports.supervisor}
-WORKFRAME_MISSION_PORT=${ports.api}
-WORKFRAME_NATIVE_PROFILE=${nativeProfile}
-SECURE_MODE=true
-DEV_LOCAL_UNSAFE=false
-WORKFRAME_DEPLOYMENT_MODE=trusted_team
-WORKFRAME_API_TOKEN=${example ? '' : generateApiToken()}
-WORKFRAME_SUPERVISOR_TOKEN=${example ? '' : generateSupervisorToken()}
-WORKFRAME_PROXY_TOKEN=${example ? '' : generateProxyToken()}
-HERMES_DASHBOARD_BASIC_AUTH_USERNAME=workframe
-HERMES_DASHBOARD_BASIC_AUTH_PASSWORD=${example ? '' : generateDashboardAuthPassword()}
-HERMES_DASHBOARD_BASIC_AUTH_SECRET=${example ? '' : generateDashboardAuthSecret()}
-# Credential vault KEK (32-byte base64). Required when WORKFRAME_DEPLOYMENT_MODE=public_multi_user.
-# Generate: node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
-WORKFRAME_VAULT_KEK=${example ? '' : ''}
-APP_BASE_URL=http://127.0.0.1:${ports.ui}
-`;
-}
-
-/** Existing host Hermes install (never overwrites). Windows: %LOCALAPPDATA%\\hermes */
-export function detectHermesHome() {
-  const fromEnv = String(process.env.HERMES_HOME || '').trim();
-  if (fromEnv && fs.existsSync(path.join(fromEnv, 'config.yaml'))) return fromEnv;
-  const candidates = [];
-  if (process.platform === 'win32') {
-    const local = process.env.LOCALAPPDATA;
-    if (local) candidates.push(path.join(local, 'hermes'));
-  } else if (process.platform === 'darwin') {
-    candidates.push(path.join(os.homedir(), 'Library', 'Application Support', 'hermes'));
-  }
-  candidates.push(path.join(os.homedir(), '.hermes'));
-  for (const dir of candidates) {
-    if (fs.existsSync(path.join(dir, 'config.yaml'))) return dir;
-  }
-  return null;
-}
-
-export function resolveDeployMode(requested = 'auto') {
-  const mode = String(requested || 'auto').trim().toLowerCase();
-  if (mode === 'native' || mode === 'docker') return mode;
-  return detectHermesHome() ? 'native' : 'docker';
-}
-
-// ponytail: runnable self-check — node scripts/lib/install-identity.mjs
-import { pathToFileURL } from 'node:url';
-const isMain = process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href;
-if (isMain) {
-  const p1 = portsForSlot(1);
-  const p2 = portsForSlot(2);
-  console.assert(p1.ui === 18644 && p1.api === 19120 && p1.supervisor === 18090, 'slot 1 ports');
-  console.assert(p2.ui === 28644 && p2.gateway === 28642, 'slot 2 ports');
-  console.assert(sessionCookieNameFromEnv({ WORKFRAME_INSTALL_ID: 'wf_abc123' }) === 'wf_abc123_session');
-  allocateInstall({ projectName: 'Test', preferredSlot: 99 }).catch(() => {});
-  console.log('install-identity ok');
-}
+/**
+ * Per-install identity: slot-based localhost ports + stable install id for cookies.
+ *
+ * Slot N (1–99) → host ports N*10000 + tail:
+ *   gateway 8642, dashboard 9119, api 9120, ui 8644, supervisor 8090
+ *   slot 1 → 18642, 19119, 19120, 18644, 18090
+ *   slot 2 → 28642, 29119, 29120, 28644, 28090
+ *
+ * ponytail: cookies use WORKFRAME_INSTALL_ID (not display name); auth DB is per install so same email can sign into many.
+ */
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import net from 'node:net';
+import os from 'node:os';
+import path from 'node:path';
+
+export const PORT_TAIL = Object.freeze({
+  gateway: 8642,
+  dashboard: 9119,
+  api: 9120,
+  ui: 8644,
+  supervisor: 8090,
+});
+
+export function portsForSlot(slot) {
+  const n = Number(slot);
+  if (!Number.isInteger(n) || n < 1 || n > 99) {
+    throw new Error(`WORKFRAME_SLOT must be 1–99, got ${slot}`);
+  }
+  const base = n * 10_000;
+  return {
+    slot: n,
+    gateway: base + PORT_TAIL.gateway,
+    dashboard: base + PORT_TAIL.dashboard,
+    api: base + PORT_TAIL.api,
+    ui: base + PORT_TAIL.ui,
+    supervisor: base + PORT_TAIL.supervisor,
+  };
+}
+
+export function generateSupervisorToken() {
+  return crypto.randomBytes(32).toString('hex');
+}
+
+export function generateProxyToken() {
+  return crypto.randomBytes(32).toString('base64url');
+}
+
+export function generateApiToken() {
+  return crypto.randomBytes(32).toString('base64url');
+}
+
+export function generateDashboardAuthPassword() {
+  return crypto.randomBytes(18).toString('base64url');
+}
+
+export function generateDashboardAuthSecret() {
+  return crypto.randomBytes(24).toString('hex');
+}
+
+export function generateVaultKekB64() {
+  return crypto.randomBytes(32).toString('base64');
+}
+
+export function generateInstallId() {
+  return `wf_${crypto.randomBytes(6).toString('hex')}`;
+}
+
+export function sessionCookieNameFromEnv(env = process.env) {
+  const installId = String(env.WORKFRAME_INSTALL_ID || '').trim();
+  if (installId) {
+    const safe = installId.replace(/[^a-zA-Z0-9_-]+/g, '_').replace(/^_+|_+$/g, '');
+    if (safe) return `${safe}_session`;
+  }
+  const slug = String(env.WORKFRAME_PROJECT || 'workframe')
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '_')
+    .replace(/^_+|_+$/g, '') || 'workframe';
+  return `wf_${slug}_session`;
+}
+
+function portTaken(port, host = '127.0.0.1') {
+  return new Promise((resolve) => {
+    const socket = net.createConnection({ port, host });
+    const done = (taken) => {
+      socket.removeAllListeners();
+      socket.destroy();
+      resolve(taken);
+    };
+    socket.setTimeout(400);
+    socket.once('connect', () => done(true));
+    socket.once('timeout', () => done(false));
+    socket.once('error', () => done(false));
+  });
+}
+
+async function slotPortsFree(slot, host = '127.0.0.1') {
+  const ports = portsForSlot(slot);
+  for (const key of ['gateway', 'dashboard', 'api', 'ui']) {
+    if (await portTaken(ports[key], host)) return false;
+  }
+  return true;
+}
+
+/**
+ * Pick the first free slot, or use preferredSlot when its ports are free.
+ */
+export async function allocateInstall({
+  projectName,
+  preferredSlot = null,
+  maxSlot = 9,
+  host = '127.0.0.1',
+  installId = null,
+} = {}) {
+  if (preferredSlot != null) {
+    const slot = Number(preferredSlot);
+    if (!await slotPortsFree(slot, host)) {
+      throw new Error(
+        `WORKFRAME_SLOT ${slot} ports are in use (${JSON.stringify(portsForSlot(slot))})`,
+      );
+    }
+    return {
+      installId: installId || generateInstallId(),
+      projectName,
+      slot,
+      ports: portsForSlot(slot),
+    };
+  }
+
+  for (let slot = 1; slot <= maxSlot; slot++) {
+    if (await slotPortsFree(slot, host)) {
+      return {
+        installId: installId || generateInstallId(),
+        projectName,
+        slot,
+        ports: portsForSlot(slot),
+      };
+    }
+  }
+  throw new Error(`No free Workframe install slot (1–${maxSlot}) on ${host}`);
+}
+
+export function envFileLines(install, { example = false, nativeProfile = '', deploy = 'docker', hermesHome = '' } = {}) {
+  const header = example
+    ? '# Copy to .env — one install = one slot + one WORKFRAME_INSTALL_ID.\n# Same email may be used across installs; each has its own auth DB.\n'
+    : '# Local Workframe install identity (.env is gitignored).\n';
+  const { ports, installId, slot } = install;
+  const deployLine = deploy === 'native' ? 'WORKFRAME_DEPLOY=native\n' : 'WORKFRAME_DEPLOY=docker\n';
+  const hermesLine = hermesHome ? `HERMES_DATA=${hermesHome.replace(/\\/g, '/')}\n` : '';
+  return `${header}${deployLine}${hermesLine}WORKFRAME_INSTALL_ID=${installId}
+WORKFRAME_SLOT=${slot}
+WORKFRAME_PROJECT=${install.projectName}
+WORKFRAME_GATEWAY_PORT=${ports.gateway}
+WORKFRAME_DASHBOARD_PORT=${ports.dashboard}
+WORKFRAME_UI_PORT=${ports.ui}
+WORKFRAME_UI_STATIC_DIR=./workframe-ui/public
+WORKFRAME_API_PORT=${ports.api}
+WORKFRAME_SUPERVISOR_PORT=${ports.supervisor}
+WORKFRAME_MISSION_PORT=${ports.api}
+WORKFRAME_NATIVE_PROFILE=${nativeProfile}
+SECURE_MODE=true
+DEV_LOCAL_UNSAFE=false
+WORKFRAME_DEPLOYMENT_MODE=trusted_team
+WORKFRAME_API_TOKEN=${example ? '' : generateApiToken()}
+WORKFRAME_SUPERVISOR_TOKEN=${example ? '' : generateSupervisorToken()}
+WORKFRAME_PROXY_TOKEN=${example ? '' : generateProxyToken()}
+HERMES_DASHBOARD_BASIC_AUTH_USERNAME=workframe
+HERMES_DASHBOARD_BASIC_AUTH_PASSWORD=${example ? '' : generateDashboardAuthPassword()}
+HERMES_DASHBOARD_BASIC_AUTH_SECRET=${example ? '' : generateDashboardAuthSecret()}
+# Credential vault KEK (32-byte base64). Required when WORKFRAME_DEPLOYMENT_MODE=public_multi_user.
+# Generate: node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
+WORKFRAME_VAULT_KEK=${example ? '' : ''}
+APP_BASE_URL=http://127.0.0.1:${ports.ui}
+`;
+}
+
+/** Existing host Hermes install (never overwrites). Windows: %LOCALAPPDATA%\\hermes */
+export function detectHermesHome() {
+  const fromEnv = String(process.env.HERMES_HOME || '').trim();
+  if (fromEnv && fs.existsSync(path.join(fromEnv, 'config.yaml'))) return fromEnv;
+  const candidates = [];
+  if (process.platform === 'win32') {
+    const local = process.env.LOCALAPPDATA;
+    if (local) candidates.push(path.join(local, 'hermes'));
+  } else if (process.platform === 'darwin') {
+    candidates.push(path.join(os.homedir(), 'Library', 'Application Support', 'hermes'));
+  }
+  candidates.push(path.join(os.homedir(), '.hermes'));
+  for (const dir of candidates) {
+    if (fs.existsSync(path.join(dir, 'config.yaml'))) return dir;
+  }
+  return null;
+}
+
+export function resolveDeployMode(requested = 'auto') {
+  const mode = String(requested || 'auto').trim().toLowerCase();
+  if (mode === 'native' || mode === 'docker') return mode;
+  return detectHermesHome() ? 'native' : 'docker';
+}
+
+// ponytail: runnable self-check — node scripts/lib/install-identity.mjs
+import { pathToFileURL } from 'node:url';
+const isMain = process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href;
+if (isMain) {
+  const p1 = portsForSlot(1);
+  const p2 = portsForSlot(2);
+  console.assert(p1.ui === 18644 && p1.api === 19120 && p1.supervisor === 18090, 'slot 1 ports');
+  console.assert(p2.ui === 28644 && p2.gateway === 28642, 'slot 2 ports');
+  console.assert(sessionCookieNameFromEnv({ WORKFRAME_INSTALL_ID: 'wf_abc123' }) === 'wf_abc123_session');
+  allocateInstall({ projectName: 'Test', preferredSlot: 99 }).catch(() => {});
+  console.log('install-identity ok');
+}