create-workframe 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.dockerignore +22 -0
- package/.gitignore +73 -0
- package/LICENSE +201 -0
- package/NOTICE +12 -0
- package/README.md +111 -0
- package/SECURITY.md +40 -0
- package/bin/create-workframe.js +2814 -0
- package/bin/workframe.js +329 -0
- package/docs/workspace-instructions/WORKFRAME_DISCORD.md +20 -0
- package/docs/workspace-instructions/WORKFRAME_DOCUMENTS_AND_ARTIFACTS.md +20 -0
- package/docs/workspace-instructions/WORKFRAME_KANBAN.md +20 -0
- package/docs/workspace-instructions/WORKFRAME_ONBOARDING.md +21 -0
- package/docs/workspace-instructions/WORKFRAME_ROUTING.md +29 -0
- package/docs/workspace-instructions/WORKFRAME_TELEGRAM.md +19 -0
- package/package.json +67 -0
- package/profiles/README.md +15 -0
- package/profiles/architect/AGENTS.md +29 -0
- package/profiles/architect/SOUL.md +44 -0
- package/profiles/architect/skills/devops/kanban-worker/SKILL.md +27 -0
- package/profiles/designer/AGENTS.md +26 -0
- package/profiles/designer/SOUL.md +31 -0
- package/profiles/designer/skills/devops/kanban-worker/SKILL.md +27 -0
- package/profiles/dev/AGENTS.md +28 -0
- package/profiles/dev/SOUL.md +31 -0
- package/profiles/dev/skills/devops/kanban-worker/SKILL.md +27 -0
- package/profiles/docs/AGENTS.md +27 -0
- package/profiles/docs/SOUL.md +30 -0
- package/profiles/docs/skills/devops/kanban-worker/SKILL.md +27 -0
- package/profiles/research/AGENTS.md +26 -0
- package/profiles/research/SOUL.md +31 -0
- package/profiles/research/skills/devops/kanban-worker/SKILL.md +27 -0
- package/profiles/visionary/AGENTS.md +25 -0
- package/profiles/visionary/SOUL.md +31 -0
- package/profiles/visionary/skills/devops/kanban-worker/SKILL.md +27 -0
- package/profiles/workframe-agent/AGENTS.md +37 -0
- package/profiles/workframe-agent/SETUP.md +185 -0
- package/profiles/workframe-agent/SOUL.md +61 -0
- package/profiles/workframe-agent/skills/devops/botfather/SKILL.md +85 -0
- package/profiles/workframe-agent/skills/devops/kanban-handoff-pattern/SKILL.md +58 -0
- package/profiles/workframe-agent/skills/devops/workframe-cohort/SKILL.md +54 -0
- package/prompts/WORKFRAME_PROMPT_TEMPLATES.md +16 -0
- package/rules/.hermes.md +11 -0
- package/rules/AGENTS.md +22 -0
- package/rules/workspace-README.md +5 -0
- package/scripts/apply-update-hermes.sh +17 -0
- package/scripts/apply-update-workframe.sh +77 -0
- package/scripts/bootstrap-workspace-link.sh +8 -0
- package/scripts/bundle-workframe-ui.mjs +77 -0
- package/scripts/compose-docker-host.sh +37 -0
- package/scripts/create_workframe_scaffold.py +648 -0
- package/scripts/ensure-compose-host-paths.mjs +51 -0
- package/scripts/fix-zk-encryption-key.sh +35 -0
- package/scripts/lib/install-identity.mjs +212 -0
- package/scripts/lib/workframe-registry.mjs +290 -0
- package/scripts/new-project.mjs +68 -0
- package/scripts/restart-gateway-hermes.sh +12 -0
- package/scripts/security_audit.py +156 -0
- package/scripts/select_agent_pack.py +31 -0
- package/scripts/set-compose-public-url.mjs +92 -0
- package/scripts/setup-stack-secrets.sh +50 -0
- package/scripts/sync-canonical-to-package.mjs +146 -0
- package/scripts/test-scaffold.mjs +390 -0
- package/scripts/verify-public-deploy.sh +105 -0
- package/shared/WORKFRAME_AGENT_LIBRARY.md +31 -0
- package/shared/WORKFRAME_AGENT_OPERATIONS.md +29 -0
- package/shared/WORKFRAME_AGENT_PACKS.json +64 -0
- package/shared/WORKFRAME_AGENT_PACKS.yaml +20 -0
- package/shared/WORKFRAME_CHAT_PERMISSION_MODEL.md +20 -0
- package/shared/WORKFRAME_HANDOFF_SCHEMA.md +25 -0
- package/shared/WORKFRAME_SKILL_CURATION.md +27 -0
- package/shared/agent-avatars/ada.png +0 -0
- package/shared/agent-avatars/aibert.png +0 -0
- package/shared/agent-avatars/amelia.png +0 -0
- package/shared/agent-avatars/andy.png +0 -0
- package/shared/agent-avatars/arc.png +0 -0
- package/shared/agent-avatars/bob.png +0 -0
- package/shared/agent-avatars/buzz.png +0 -0
- package/shared/agent-avatars/carl.png +0 -0
- package/shared/agent-avatars/catalog.json +171 -0
- package/shared/agent-avatars/corbu.png +0 -0
- package/shared/agent-avatars/diana.png +0 -0
- package/shared/agent-avatars/ella.png +0 -0
- package/shared/agent-avatars/elvis.png +0 -0
- package/shared/agent-avatars/f1.png +0 -0
- package/shared/agent-avatars/f2.png +0 -0
- package/shared/agent-avatars/f3.png +0 -0
- package/shared/agent-avatars/f4.png +0 -0
- package/shared/agent-avatars/f5.png +0 -0
- package/shared/agent-avatars/f6.png +0 -0
- package/shared/agent-avatars/frida.png +0 -0
- package/shared/agent-avatars/george.png +0 -0
- package/shared/agent-avatars/grace.png +0 -0
- package/shared/agent-avatars/hedy.png +0 -0
- package/shared/agent-avatars/hermes.png +0 -0
- package/shared/agent-avatars/isaac.png +0 -0
- package/shared/agent-avatars/jes.png +0 -0
- package/shared/agent-avatars/john.png +0 -0
- package/shared/agent-avatars/joni.png +0 -0
- package/shared/agent-avatars/leo.png +0 -0
- package/shared/agent-avatars/louis.png +0 -0
- package/shared/agent-avatars/ludwig.png +0 -0
- package/shared/agent-avatars/m1.png +0 -0
- package/shared/agent-avatars/m2.png +0 -0
- package/shared/agent-avatars/m3.png +0 -0
- package/shared/agent-avatars/m4.png +0 -0
- package/shared/agent-avatars/m5.png +0 -0
- package/shared/agent-avatars/m6.png +0 -0
- package/shared/agent-avatars/marie.png +0 -0
- package/shared/agent-avatars/marilyn.png +0 -0
- package/shared/agent-avatars/neil.png +0 -0
- package/shared/agent-avatars/nikola.png +0 -0
- package/shared/agent-avatars/nina.png +0 -0
- package/shared/agent-avatars/paul.png +0 -0
- package/shared/agent-avatars/ringo.png +0 -0
- package/shared/agent-avatars/rosie.png +0 -0
- package/shared/agent-avatars/ste.png +0 -0
- package/shared/agent-avatars/steve.png +0 -0
- package/shared/agent-avatars/sun.png +0 -0
- package/shared/agent-avatars/tom.png +0 -0
- package/shared/agent-avatars/warren.png +0 -0
- package/shared/agent-avatars/woz.png +0 -0
- package/shared/agent-avatars/zaha.png +0 -0
- package/workframe-api/Dockerfile +14 -0
- package/workframe-api/README.md +28 -0
- package/workframe-api/action_proxy.py +131 -0
- package/workframe-api/auth_rate_limit.py +49 -0
- package/workframe-api/catalog/avatar-catalog.json +171 -0
- package/workframe-api/catalog/logo-catalog.json +86 -0
- package/workframe-api/catalog/user-avatar-catalog.json +171 -0
- package/workframe-api/credential_vault.py +445 -0
- package/workframe-api/data/.gitkeep +0 -0
- package/workframe-api/data/avatar-catalog.json +41 -0
- package/workframe-api/data/logo-catalog.json +14 -0
- package/workframe-api/data/user-avatar-catalog.json +18 -0
- package/workframe-api/email_sender.py +220 -0
- package/workframe-api/google_auth.py +90 -0
- package/workframe-api/install_api.py +359 -0
- package/workframe-api/internal_proxy_auth.py +150 -0
- package/workframe-api/llm_proxy.py +277 -0
- package/workframe-api/oidc_jwt.py +108 -0
- package/workframe-api/package.json +13 -0
- package/workframe-api/platform_auth.py +194 -0
- package/workframe-api/profile_secret_policy.py +86 -0
- package/workframe-api/public/assets/index-DPXu_lGn.css +1 -0
- package/workframe-api/public/assets/index-DYnLrCZZ.js +9 -0
- package/workframe-api/public/assets/index-DglUqFB_.js +9 -0
- package/workframe-api/public/index.html +12 -0
- package/workframe-api/requirements.txt +2 -0
- package/workframe-api/server.py +19646 -0
- package/workframe-api/site_meta.py +271 -0
- package/workframe-api/stack_config.py +427 -0
- package/workframe-api/tests/__init__.py +0 -0
- package/workframe-api/tests/db_setup.py +13 -0
- package/workframe-api/tests/test_admin_updates_gated.py +30 -0
- package/workframe-api/tests/test_agent_dm_bootstrap.py +196 -0
- package/workframe-api/tests/test_agent_profile_sync.py +76 -0
- package/workframe-api/tests/test_auth_email.py +222 -0
- package/workframe-api/tests/test_auth_hole_fix_selfcheck.py +99 -0
- package/workframe-api/tests/test_auth_rate_limit.py +19 -0
- package/workframe-api/tests/test_avatar_resolve.py +77 -0
- package/workframe-api/tests/test_child_soul_template.py +71 -0
- package/workframe-api/tests/test_credential_canary.py +135 -0
- package/workframe-api/tests/test_credential_isolation.py +448 -0
- package/workframe-api/tests/test_credential_resolution.py +206 -0
- package/workframe-api/tests/test_device_oauth.py +108 -0
- package/workframe-api/tests/test_doctor_repair.py +103 -0
- package/workframe-api/tests/test_ensure_profile_api.py +77 -0
- package/workframe-api/tests/test_gateway_compose_security.py +136 -0
- package/workframe-api/tests/test_install_secure_host.py +39 -0
- package/workframe-api/tests/test_internal_proxy_auth.py +125 -0
- package/workframe-api/tests/test_invite_runtime_bootstrap.py +72 -0
- package/workframe-api/tests/test_kanban_delegation.py +185 -0
- package/workframe-api/tests/test_llm_proxy.py +155 -0
- package/workframe-api/tests/test_login_access_policy.py +183 -0
- package/workframe-api/tests/test_mvp_model_bootstrap.py +75 -0
- package/workframe-api/tests/test_onboarding_bootstrap.py +248 -0
- package/workframe-api/tests/test_platform_auth.py +47 -0
- package/workframe-api/tests/test_profile_config_path.py +56 -0
- package/workframe-api/tests/test_profile_config_yaml_repair.py +63 -0
- package/workframe-api/tests/test_profile_create.py +72 -0
- package/workframe-api/tests/test_profile_identity_overlay.py +61 -0
- package/workframe-api/tests/test_profile_install_health.py +45 -0
- package/workframe-api/tests/test_profile_secret_policy.py +57 -0
- package/workframe-api/tests/test_profile_workspace_cwd.py +34 -0
- package/workframe-api/tests/test_provider_bootstrap.py +75 -0
- package/workframe-api/tests/test_provider_connect.py +54 -0
- package/workframe-api/tests/test_room_crud.py +192 -0
- package/workframe-api/tests/test_room_tenancy.py +701 -0
- package/workframe-api/tests/test_runtime_identity_backfill.py +34 -0
- package/workframe-api/tests/test_site_meta.py +81 -0
- package/workframe-api/tests/test_soul_stub.py +42 -0
- package/workframe-api/tests/test_space_member_sync.py +99 -0
- package/workframe-api/tests/test_stripe_stack_config.py +37 -0
- package/workframe-api/tests/test_supervisor_lifecycle.py +52 -0
- package/workframe-api/tests/test_turn_credential_vault.py +125 -0
- package/workframe-api/tests/test_updates.py +176 -0
- package/workframe-api/tests/test_user_cohort.py +113 -0
- package/workframe-api/tests/test_vault_envelope.py +110 -0
- package/workframe-api/tests/test_workspace_members.py +183 -0
- package/workframe-api/tests/test_workspace_messaging_sync.py +125 -0
- package/workframe-api/tests/test_workspace_provider_list.py +57 -0
- package/workframe-api/time-bind-chat.py +99 -0
- package/workframe-api/turn_credentials.py +226 -0
- package/workframe-api/updates.py +417 -0
- package/workframe-api/vault_kek.py +159 -0
- package/workframe-api/zk_auth.py +633 -0
- package/workframe-supervisor/Dockerfile +11 -0
- package/workframe-supervisor/profile_secret_policy.py +76 -0
- package/workframe-supervisor/server.py +787 -0
- package/workframe-supervisor/tests/test_exec_guard.py +42 -0
- package/workframe-supervisor/tests/test_server_import.py +21 -0
- package/workframe-ui/docker/nginx.conf +85 -0
- package/workframe-ui/public/assets/1-DLJbBkOb.png +0 -0
- package/workframe-ui/public/assets/10-uwRwj5ce.png +0 -0
- package/workframe-ui/public/assets/11-5OuV9F_e.png +0 -0
- package/workframe-ui/public/assets/12-u_axjxW-.png +0 -0
- package/workframe-ui/public/assets/13-ldSvcMsH.png +0 -0
- package/workframe-ui/public/assets/14-xdcALEYD.png +0 -0
- package/workframe-ui/public/assets/15-aZ4snEFB.png +0 -0
- package/workframe-ui/public/assets/16-L_5-DttY.png +0 -0
- package/workframe-ui/public/assets/2-zOPZTppD.png +0 -0
- package/workframe-ui/public/assets/3-Dc3WoVu5.png +0 -0
- package/workframe-ui/public/assets/4-C50hk7_m.png +0 -0
- package/workframe-ui/public/assets/5-Eweetkq4.png +0 -0
- package/workframe-ui/public/assets/6-5sOXgfkw.png +0 -0
- package/workframe-ui/public/assets/7-BqRBCbiC.png +0 -0
- package/workframe-ui/public/assets/8-DEDKS94h.png +0 -0
- package/workframe-ui/public/assets/9-DNj34GW-.png +0 -0
- package/workframe-ui/public/assets/ada-DsvuOc9n.png +0 -0
- package/workframe-ui/public/assets/aibert-BCz8Lo8H.png +0 -0
- package/workframe-ui/public/assets/amelia-DUf3EBGu.png +0 -0
- package/workframe-ui/public/assets/andy-Cpymuhhx.png +0 -0
- package/workframe-ui/public/assets/arc-CBDYvkAF.js +1 -0
- package/workframe-ui/public/assets/architecture-7EHR7CIX-CtbQKTuT.js +1 -0
- package/workframe-ui/public/assets/architectureDiagram-3BPJPVTR-XnBRKeW0.js +36 -0
- package/workframe-ui/public/assets/array-BifhSqXX.js +1 -0
- package/workframe-ui/public/assets/avatars/ada.png +0 -0
- package/workframe-ui/public/assets/avatars/aibert.png +0 -0
- package/workframe-ui/public/assets/avatars/amelia.png +0 -0
- package/workframe-ui/public/assets/avatars/andy.png +0 -0
- package/workframe-ui/public/assets/avatars/bob.png +0 -0
- package/workframe-ui/public/assets/avatars/buzz.png +0 -0
- package/workframe-ui/public/assets/avatars/carl.png +0 -0
- package/workframe-ui/public/assets/avatars/catalog.json +171 -0
- package/workframe-ui/public/assets/avatars/corbu.png +0 -0
- package/workframe-ui/public/assets/avatars/diana.png +0 -0
- package/workframe-ui/public/assets/avatars/elvis.png +0 -0
- package/workframe-ui/public/assets/avatars/frida.png +0 -0
- package/workframe-ui/public/assets/avatars/george.png +0 -0
- package/workframe-ui/public/assets/avatars/grace.png +0 -0
- package/workframe-ui/public/assets/avatars/hedy.png +0 -0
- package/workframe-ui/public/assets/avatars/hermes.png +0 -0
- package/workframe-ui/public/assets/avatars/isaac.png +0 -0
- package/workframe-ui/public/assets/avatars/john.png +0 -0
- package/workframe-ui/public/assets/avatars/joni.png +0 -0
- package/workframe-ui/public/assets/avatars/leo.png +0 -0
- package/workframe-ui/public/assets/avatars/louis.png +0 -0
- package/workframe-ui/public/assets/avatars/ludwig.png +0 -0
- package/workframe-ui/public/assets/avatars/marie.png +0 -0
- package/workframe-ui/public/assets/avatars/marilyn.png +0 -0
- package/workframe-ui/public/assets/avatars/nikola.png +0 -0
- package/workframe-ui/public/assets/avatars/nina.png +0 -0
- package/workframe-ui/public/assets/avatars/paul.png +0 -0
- package/workframe-ui/public/assets/avatars/ringo.png +0 -0
- package/workframe-ui/public/assets/avatars/rosie.png +0 -0
- package/workframe-ui/public/assets/avatars/steve.png +0 -0
- package/workframe-ui/public/assets/avatars/sun.png +0 -0
- package/workframe-ui/public/assets/avatars/warren.png +0 -0
- package/workframe-ui/public/assets/avatars/woz.png +0 -0
- package/workframe-ui/public/assets/avatars/zaha.png +0 -0
- package/workframe-ui/public/assets/blockDiagram-GPEHLZMM-VYHUfVhd.js +132 -0
- package/workframe-ui/public/assets/bob-DRz-48Id.png +0 -0
- package/workframe-ui/public/assets/branding/banner.png +0 -0
- package/workframe-ui/public/assets/branding/og-default.png +0 -0
- package/workframe-ui/public/assets/branding/workframe'white.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-1.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-2.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-3.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-4.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-5.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-banner.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-logo-horizontal-mini.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-logo-horizontal-nano.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-logo-horizontal.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-logo-vertical-alt.png +0 -0
- package/workframe-ui/public/assets/branding/workframe-logo-vertical.png +0 -0
- package/workframe-ui/public/assets/branding/workframe.png +0 -0
- package/workframe-ui/public/assets/buzz-mC4PtMvC.png +0 -0
- package/workframe-ui/public/assets/c4Diagram-AAUBKEIU-BTjUcJpm.js +10 -0
- package/workframe-ui/public/assets/carl-CtE74db_.png +0 -0
- package/workframe-ui/public/assets/channel-Dy4Z4-jn.js +1 -0
- package/workframe-ui/public/assets/chunk-2J33WTMH-w7uu7R-b.js +1 -0
- package/workframe-ui/public/assets/chunk-3OPIFGDE-Cb9LtnDX.js +62 -0
- package/workframe-ui/public/assets/chunk-4BX2VUAB-DiQ-qCwH.js +1 -0
- package/workframe-ui/public/assets/chunk-55IACEB6-C-mLFr7z.js +1 -0
- package/workframe-ui/public/assets/chunk-5ZQYHXKU-DOesfiCI.js +2 -0
- package/workframe-ui/public/assets/chunk-727SXJPM-BJ3oBZuz.js +206 -0
- package/workframe-ui/public/assets/chunk-AQP2D5EJ-CCA6xpGs.js +231 -0
- package/workframe-ui/public/assets/chunk-BSJP7CBP-a0cMNFb2.js +1 -0
- package/workframe-ui/public/assets/chunk-CSCIHK7Q-kuqN8EIY.js +122 -0
- package/workframe-ui/public/assets/chunk-FMBD7UC4-DyPgYHCg.js +15 -0
- package/workframe-ui/public/assets/chunk-KSCS5N6A-CdUuvR0V.js +10 -0
- package/workframe-ui/public/assets/chunk-L5ZTLDWV-Dq9NoWmK.js +1 -0
- package/workframe-ui/public/assets/chunk-LZXEDZCA-p74rddlO.js +2 -0
- package/workframe-ui/public/assets/chunk-ND2GUHAM-DBD2u1Gz.js +1 -0
- package/workframe-ui/public/assets/chunk-NNHCCRGN-DlpIbxXb.js +159 -0
- package/workframe-ui/public/assets/chunk-NZK2D7GU-BeIeYFnd.js +1 -0
- package/workframe-ui/public/assets/chunk-O5CBEL6O-ClHc56ib.js +70 -0
- package/workframe-ui/public/assets/chunk-QZHKN3VN-CtBEchFK.js +1 -0
- package/workframe-ui/public/assets/chunk-WU5MYG2G-B9pBtriN.js +1 -0
- package/workframe-ui/public/assets/chunk-XPW4576I-EFr8R_1p.js +32 -0
- package/workframe-ui/public/assets/classDiagram-4FO5ZUOK-BMAEA8jI.js +1 -0
- package/workframe-ui/public/assets/classDiagram-v2-Q7XG4LA2-BMAEA8jI.js +1 -0
- package/workframe-ui/public/assets/corbu-KiaMXzXQ.png +0 -0
- package/workframe-ui/public/assets/cose-bilkent-S5V4N54A-C7aPBODd.js +1 -0
- package/workframe-ui/public/assets/cytoscape.esm-h6BdjjI9.js +321 -0
- package/workframe-ui/public/assets/dagre-BM42HDAG-BdU1Rv-H.js +4 -0
- package/workframe-ui/public/assets/dagre-Bx709z4p.js +1 -0
- package/workframe-ui/public/assets/defaultLocale-C8Fc0cco.js +1 -0
- package/workframe-ui/public/assets/diagram-2AECGRRQ-DWowSo85.js +43 -0
- package/workframe-ui/public/assets/diagram-5GNKFQAL-MnxBbceO.js +10 -0
- package/workframe-ui/public/assets/diagram-KO2AKTUF-DQaLRXFf.js +3 -0
- package/workframe-ui/public/assets/diagram-LMA3HP47-CQaBud9k.js +24 -0
- package/workframe-ui/public/assets/diagram-OG6HWLK6-D8bAXbY9.js +24 -0
- package/workframe-ui/public/assets/diana-DW0MsL38.png +0 -0
- package/workframe-ui/public/assets/dist-DGpTLHr_.js +1 -0
- package/workframe-ui/public/assets/elvis-LCFaZIcT.png +0 -0
- package/workframe-ui/public/assets/erDiagram-TEJ5UH35-1E-xSvBK.js +85 -0
- package/workframe-ui/public/assets/eventmodeling-FCH6USID-D75cstNT.js +1 -0
- package/workframe-ui/public/assets/flowDiagram-I6XJVG4X-CgOVD5hu.js +162 -0
- package/workframe-ui/public/assets/frida-CXFA0w3F.png +0 -0
- package/workframe-ui/public/assets/ganttDiagram-6RSMTGT7-JFYAIauo.js +292 -0
- package/workframe-ui/public/assets/george-DBSH2Sm2.png +0 -0
- package/workframe-ui/public/assets/gitGraph-WXDBUCRP-B9REenIl.js +1 -0
- package/workframe-ui/public/assets/gitGraphDiagram-PVQCEYII-BQ7NcMSn.js +106 -0
- package/workframe-ui/public/assets/grace-BhV0UPc0.png +0 -0
- package/workframe-ui/public/assets/graphlib-B8gBHxth.js +1 -0
- package/workframe-ui/public/assets/hedy-BR2IHift.png +0 -0
- package/workframe-ui/public/assets/hermes-CqCzcE0y.png +0 -0
- package/workframe-ui/public/assets/index-Dnw6vjqb.js +133 -0
- package/workframe-ui/public/assets/index-DpAGxump.css +1 -0
- package/workframe-ui/public/assets/info-J43DQDTF-CL6-eTjH.js +1 -0
- package/workframe-ui/public/assets/infoDiagram-5YYISTIA-LJTODW4W.js +2 -0
- package/workframe-ui/public/assets/init-D6jRqBbL.js +1 -0
- package/workframe-ui/public/assets/isaac-D1nhJAuv.png +0 -0
- package/workframe-ui/public/assets/ishikawaDiagram-YF4QCWOH-bchrQVuo.js +70 -0
- package/workframe-ui/public/assets/john-zSPWwNi4.png +0 -0
- package/workframe-ui/public/assets/joni-BFLoyfJP.png +0 -0
- package/workframe-ui/public/assets/journeyDiagram-JHISSGLW-DkrvYuxP.js +139 -0
- package/workframe-ui/public/assets/kanban-definition-UN3LZRKU-DFRbj0IG.js +89 -0
- package/workframe-ui/public/assets/katex-Vhh-h91d.js +257 -0
- package/workframe-ui/public/assets/leo-C_3IOL11.png +0 -0
- package/workframe-ui/public/assets/line-Vd48P7-O.js +1 -0
- package/workframe-ui/public/assets/linear-Ckizh2G7.js +1 -0
- package/workframe-ui/public/assets/louis-DEEECFSX.png +0 -0
- package/workframe-ui/public/assets/ludwig-_hoKhhyK.png +0 -0
- package/workframe-ui/public/assets/marie-DET6MsfO.png +0 -0
- package/workframe-ui/public/assets/marilyn-DTqwt8Yh.png +0 -0
- package/workframe-ui/public/assets/mermaid-parser.core-Bkimsnqj.js +4 -0
- package/workframe-ui/public/assets/mermaid.core-x0TvVuPo.js +9 -0
- package/workframe-ui/public/assets/mindmap-definition-RKZ34NQL-6ykAFPEz.js +96 -0
- package/workframe-ui/public/assets/nikola-B4PtHrJv.png +0 -0
- package/workframe-ui/public/assets/nina-BYbrOn0d.png +0 -0
- package/workframe-ui/public/assets/ordinal-hYBb2elL.js +1 -0
- package/workframe-ui/public/assets/packet-YPE3B663-Dw3xgMDt.js +1 -0
- package/workframe-ui/public/assets/path-BWPyau1x.js +1 -0
- package/workframe-ui/public/assets/paul-CGURYQIn.png +0 -0
- package/workframe-ui/public/assets/pie-LRSECV5Y-DATysawG.js +1 -0
- package/workframe-ui/public/assets/pieDiagram-4H26LBE5-SJKD1S0S.js +30 -0
- package/workframe-ui/public/assets/project-logos/1.png +0 -0
- package/workframe-ui/public/assets/project-logos/10.png +0 -0
- package/workframe-ui/public/assets/project-logos/11.png +0 -0
- package/workframe-ui/public/assets/project-logos/12.png +0 -0
- package/workframe-ui/public/assets/project-logos/13.png +0 -0
- package/workframe-ui/public/assets/project-logos/14.png +0 -0
- package/workframe-ui/public/assets/project-logos/15.png +0 -0
- package/workframe-ui/public/assets/project-logos/16.png +0 -0
- package/workframe-ui/public/assets/project-logos/2.png +0 -0
- package/workframe-ui/public/assets/project-logos/3.png +0 -0
- package/workframe-ui/public/assets/project-logos/4.png +0 -0
- package/workframe-ui/public/assets/project-logos/5.png +0 -0
- package/workframe-ui/public/assets/project-logos/6.png +0 -0
- package/workframe-ui/public/assets/project-logos/7.png +0 -0
- package/workframe-ui/public/assets/project-logos/8.png +0 -0
- package/workframe-ui/public/assets/project-logos/9.png +0 -0
- package/workframe-ui/public/assets/project-logos/catalog.json +86 -0
- package/workframe-ui/public/assets/quadrantDiagram-W4KKPZXB-BrYDZX8q.js +7 -0
- package/workframe-ui/public/assets/radar-GUYGQ44K-BmWYPCds.js +1 -0
- package/workframe-ui/public/assets/requirementDiagram-4Y6WPE33-DwL9Mc8e.js +84 -0
- package/workframe-ui/public/assets/ringo-WhfUNOyY.png +0 -0
- package/workframe-ui/public/assets/rosie-CAtcIf87.png +0 -0
- package/workframe-ui/public/assets/rough.esm-CSKSodPl.js +1 -0
- package/workframe-ui/public/assets/sankeyDiagram-5OEKKPKP-DYIFsL8h.js +40 -0
- package/workframe-ui/public/assets/sequenceDiagram-3UESZ5HK-0-FPkFk8.js +162 -0
- package/workframe-ui/public/assets/src-B_od6b6h.js +1 -0
- package/workframe-ui/public/assets/stateDiagram-AJRCARHV-BQCiBk6u.js +1 -0
- package/workframe-ui/public/assets/stateDiagram-v2-BHNVJYJU-B89jAMFF.js +1 -0
- package/workframe-ui/public/assets/steve-CgXXJ9EZ.png +0 -0
- package/workframe-ui/public/assets/sun-BLNAhoZd.png +0 -0
- package/workframe-ui/public/assets/timeline-definition-PNZ67QCA-DS3tFcXj.js +120 -0
- package/workframe-ui/public/assets/treeView-BLDUP644-DSyUCKLY.js +1 -0
- package/workframe-ui/public/assets/treemap-LRROVOQU-CEZaNh5Y.js +1 -0
- package/workframe-ui/public/assets/vennDiagram-CIIHVFJN-CD-Vc9NF.js +34 -0
- package/workframe-ui/public/assets/wardley-L42UT6IY-Drq5w1Mc.js +1 -0
- package/workframe-ui/public/assets/wardleyDiagram-YWT4CUSO-DouXDJoF.js +78 -0
- package/workframe-ui/public/assets/warren-DIH7UKMY.png +0 -0
- package/workframe-ui/public/assets/woz-D2yleG-V.png +0 -0
- package/workframe-ui/public/assets/xychartDiagram-2RQKCTM6-DDf_Lol5.js +7 -0
- package/workframe-ui/public/assets/zaha-wersOEq9.png +0 -0
- package/workframe-ui/public/favicon.ico +0 -0
- package/workframe-ui/public/favicon.svg +7 -0
- package/workframe-ui/public/icons.svg +24 -0
- package/workframe-ui/public/index.html +50 -0
- package/workframe-ui/public/manifest.webmanifest +18 -0
- package/workframe-ui/public/workframe-config.json +4 -0
|
@@ -0,0 +1,206 @@
|
|
|
1
|
+
import tempfile
|
|
2
|
+
import unittest
|
|
3
|
+
from pathlib import Path
|
|
4
|
+
from unittest.mock import patch
|
|
5
|
+
|
|
6
|
+
import server
|
|
7
|
+
from db_setup import ensure_workframe_schemas
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
class CredentialResolutionTests(unittest.TestCase):
|
|
11
|
+
def setUp(self) -> None:
|
|
12
|
+
self._tmp = tempfile.TemporaryDirectory()
|
|
13
|
+
self.addCleanup(self._tmp.cleanup)
|
|
14
|
+
self._old_data_dir = server.DATA_DIR
|
|
15
|
+
self._old_auth_db_path = server.AUTH_DB_PATH
|
|
16
|
+
server.DATA_DIR = Path(self._tmp.name)
|
|
17
|
+
server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
|
|
18
|
+
ensure_workframe_schemas()
|
|
19
|
+
|
|
20
|
+
def tearDown(self) -> None:
|
|
21
|
+
server.DATA_DIR = self._old_data_dir
|
|
22
|
+
server.AUTH_DB_PATH = self._old_auth_db_path
|
|
23
|
+
|
|
24
|
+
def _seed(self, *rows: tuple[object, ...]) -> None:
|
|
25
|
+
conn = server._workframe_db()
|
|
26
|
+
try:
|
|
27
|
+
conn.executemany(
|
|
28
|
+
"""
|
|
29
|
+
INSERT INTO credential_bindings (
|
|
30
|
+
id, workspace_id, user_id, agent_profile_id, provider,
|
|
31
|
+
credential_type, credential_ref, label, is_active,
|
|
32
|
+
expires_at, created_by, created_at, updated_at, deleted_at
|
|
33
|
+
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
|
|
34
|
+
""",
|
|
35
|
+
rows,
|
|
36
|
+
)
|
|
37
|
+
conn.commit()
|
|
38
|
+
finally:
|
|
39
|
+
conn.close()
|
|
40
|
+
|
|
41
|
+
def test_resolves_user_credential_before_workspace_credential(self) -> None:
|
|
42
|
+
self._seed(
|
|
43
|
+
(
|
|
44
|
+
"user-openai", None, "user-a", None, "openai",
|
|
45
|
+
"api_key", "user-ref", "User OpenAI", 1, None, "user-a",
|
|
46
|
+
"1", "1", None,
|
|
47
|
+
),
|
|
48
|
+
(
|
|
49
|
+
"workspace-openai", "workspace-a", None, None, "openai",
|
|
50
|
+
"api_key", "workspace-ref", "Workspace OpenAI", 1, None, "user-a",
|
|
51
|
+
"1", "1", None,
|
|
52
|
+
),
|
|
53
|
+
)
|
|
54
|
+
|
|
55
|
+
resolved = server._resolve_credential("user-a", "workspace-a", "openai")
|
|
56
|
+
|
|
57
|
+
self.assertEqual(resolved["credential_binding_id"], "user-openai")
|
|
58
|
+
self.assertEqual(resolved["scope"], "user")
|
|
59
|
+
self.assertEqual(resolved["credential_ref"], "user-ref")
|
|
60
|
+
|
|
61
|
+
def test_falls_back_to_workspace_when_user_has_no_matching_credential(self) -> None:
|
|
62
|
+
self._seed(
|
|
63
|
+
(
|
|
64
|
+
"workspace-openai", "workspace-a", None, None, "openai",
|
|
65
|
+
"api_key", "workspace-ref", "Workspace OpenAI", 1, None, "user-a",
|
|
66
|
+
"1", "1", None,
|
|
67
|
+
),
|
|
68
|
+
)
|
|
69
|
+
|
|
70
|
+
resolved = server._resolve_credential("user-b", "workspace-a", "openai")
|
|
71
|
+
|
|
72
|
+
self.assertEqual(resolved["credential_binding_id"], "workspace-openai")
|
|
73
|
+
self.assertEqual(resolved["scope"], "workspace")
|
|
74
|
+
self.assertEqual(resolved["credential_ref"], "workspace-ref")
|
|
75
|
+
|
|
76
|
+
def test_user_only_denies_workspace_fallback_for_dev_providers(self) -> None:
|
|
77
|
+
self._seed(
|
|
78
|
+
(
|
|
79
|
+
"workspace-github", "workspace-a", None, None, "github",
|
|
80
|
+
"api_key", "env:GITHUB_TOKEN", "Workspace GitHub", 1, None, "user-a",
|
|
81
|
+
"1", "1", None,
|
|
82
|
+
),
|
|
83
|
+
)
|
|
84
|
+
|
|
85
|
+
resolved = server._resolve_credential("user-b", "workspace-a", "github", user_only=True)
|
|
86
|
+
|
|
87
|
+
self.assertIsNone(resolved)
|
|
88
|
+
|
|
89
|
+
def test_resolves_user_env_without_db_binding(self) -> None:
|
|
90
|
+
old_hermes = server.HERMES_DATA
|
|
91
|
+
server.HERMES_DATA = Path(self._tmp.name) / "agents"
|
|
92
|
+
try:
|
|
93
|
+
user_id = "user-env-only"
|
|
94
|
+
user_home = server._user_hermes_home(user_id)
|
|
95
|
+
user_home.mkdir(parents=True, exist_ok=True)
|
|
96
|
+
server._upsert_env_secret(server._user_hermes_env_path(user_id), "OPENAI_API_KEY", "sk-user-env")
|
|
97
|
+
|
|
98
|
+
resolved = server._resolve_credential(user_id, "workspace-a", "openai")
|
|
99
|
+
|
|
100
|
+
self.assertIsNotNone(resolved)
|
|
101
|
+
assert resolved is not None
|
|
102
|
+
self.assertEqual(resolved["scope"], "user")
|
|
103
|
+
self.assertEqual(resolved["credential_ref"], "env:OPENAI_API_KEY")
|
|
104
|
+
finally:
|
|
105
|
+
server.HERMES_DATA = old_hermes
|
|
106
|
+
|
|
107
|
+
def test_ignores_inactive_and_deleted_credentials(self) -> None:
|
|
108
|
+
self._seed(
|
|
109
|
+
(
|
|
110
|
+
"inactive-user-openai", None, "user-a", None, "openai",
|
|
111
|
+
"api_key", "inactive-ref", "Inactive User OpenAI", 0, None, "user-a",
|
|
112
|
+
"1", "1", None,
|
|
113
|
+
),
|
|
114
|
+
(
|
|
115
|
+
"deleted-workspace-openai", "workspace-a", None, None, "openai",
|
|
116
|
+
"api_key", "deleted-ref", "Deleted Workspace OpenAI", 1, None, "user-a",
|
|
117
|
+
"1", "1", "1",
|
|
118
|
+
),
|
|
119
|
+
)
|
|
120
|
+
|
|
121
|
+
resolved = server._resolve_credential("user-a", "workspace-a", "openai")
|
|
122
|
+
|
|
123
|
+
self.assertIsNone(resolved)
|
|
124
|
+
|
|
125
|
+
def test_byok_blocks_workspace_llm_fallback(self) -> None:
|
|
126
|
+
conn = server._workframe_db()
|
|
127
|
+
try:
|
|
128
|
+
conn.execute(
|
|
129
|
+
"""
|
|
130
|
+
INSERT INTO workspaces (
|
|
131
|
+
id, slug, display_name, owner_id, status, settings_json, created_at, updated_at
|
|
132
|
+
) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
|
|
133
|
+
""",
|
|
134
|
+
(
|
|
135
|
+
"workspace-byok",
|
|
136
|
+
"byok",
|
|
137
|
+
"BYOK",
|
|
138
|
+
"user-a",
|
|
139
|
+
"active",
|
|
140
|
+
'{"credential_mode":"byok"}',
|
|
141
|
+
"1",
|
|
142
|
+
"1",
|
|
143
|
+
),
|
|
144
|
+
)
|
|
145
|
+
conn.commit()
|
|
146
|
+
finally:
|
|
147
|
+
conn.close()
|
|
148
|
+
self._seed(
|
|
149
|
+
(
|
|
150
|
+
"workspace-or", "workspace-byok", None, None, "openrouter",
|
|
151
|
+
"api_key", "env:OPENROUTER_API_KEY", "Workspace OR", 1, None, "user-a",
|
|
152
|
+
"1", "1", None,
|
|
153
|
+
),
|
|
154
|
+
)
|
|
155
|
+
profile_dir = server._profile_dir("workframe-agent")
|
|
156
|
+
profile_dir.mkdir(parents=True, exist_ok=True)
|
|
157
|
+
server._upsert_env_secret(profile_dir / ".env", "OPENROUTER_API_KEY", "sk-workspace")
|
|
158
|
+
|
|
159
|
+
with self.assertRaises(ValueError) as ctx:
|
|
160
|
+
server._require_runtime_owner_provider("user-b", "workspace-byok", "openrouter")
|
|
161
|
+
|
|
162
|
+
self.assertIn("no_llm_provider_for_user", str(ctx.exception))
|
|
163
|
+
|
|
164
|
+
@patch.object(server, "_primary_profile", return_value="workframe-agent")
|
|
165
|
+
def test_workspace_mode_allows_llm_fallback(self, _primary) -> None:
|
|
166
|
+
conn = server._workframe_db()
|
|
167
|
+
try:
|
|
168
|
+
conn.execute(
|
|
169
|
+
"""
|
|
170
|
+
INSERT INTO workspaces (
|
|
171
|
+
id, slug, display_name, owner_id, status, settings_json, created_at, updated_at
|
|
172
|
+
) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
|
|
173
|
+
""",
|
|
174
|
+
(
|
|
175
|
+
"workspace-pays",
|
|
176
|
+
"pays",
|
|
177
|
+
"Company pays",
|
|
178
|
+
"user-a",
|
|
179
|
+
"active",
|
|
180
|
+
'{"credential_mode":"workspace"}',
|
|
181
|
+
"1",
|
|
182
|
+
"1",
|
|
183
|
+
),
|
|
184
|
+
)
|
|
185
|
+
conn.commit()
|
|
186
|
+
finally:
|
|
187
|
+
conn.close()
|
|
188
|
+
self._seed(
|
|
189
|
+
(
|
|
190
|
+
"workspace-or-pays", "workspace-pays", None, None, "openrouter",
|
|
191
|
+
"api_key", "env:OPENROUTER_API_KEY", "Workspace OR", 1, None, "user-a",
|
|
192
|
+
"1", "1", None,
|
|
193
|
+
),
|
|
194
|
+
)
|
|
195
|
+
profile_dir = server._profile_dir("workframe-agent")
|
|
196
|
+
profile_dir.mkdir(parents=True, exist_ok=True)
|
|
197
|
+
server._upsert_env_secret(profile_dir / ".env", "OPENROUTER_API_KEY", "sk-workspace")
|
|
198
|
+
|
|
199
|
+
resolved = server._require_runtime_owner_provider("user-b", "workspace-pays", "openrouter")
|
|
200
|
+
|
|
201
|
+
self.assertEqual(resolved["scope"], "workspace")
|
|
202
|
+
self.assertEqual(resolved["credential_ref"], "env:OPENROUTER_API_KEY")
|
|
203
|
+
|
|
204
|
+
|
|
205
|
+
if __name__ == "__main__":
|
|
206
|
+
unittest.main()
|
|
@@ -0,0 +1,108 @@
|
|
|
1
|
+
from __future__ import annotations
|
|
2
|
+
|
|
3
|
+
import importlib.util
|
|
4
|
+
import json
|
|
5
|
+
from pathlib import Path
|
|
6
|
+
|
|
7
|
+
import pytest
|
|
8
|
+
|
|
9
|
+
SERVER_PATH = Path(__file__).resolve().parents[1] / "server.py"
|
|
10
|
+
spec = importlib.util.spec_from_file_location("workframe_server", SERVER_PATH)
|
|
11
|
+
server = importlib.util.module_from_spec(spec)
|
|
12
|
+
assert spec.loader is not None
|
|
13
|
+
spec.loader.exec_module(server)
|
|
14
|
+
|
|
15
|
+
|
|
16
|
+
@pytest.fixture()
|
|
17
|
+
def user_env(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> str:
|
|
18
|
+
monkeypatch.setattr(server, "HERMES_DATA", tmp_path)
|
|
19
|
+
user_id = "user-oauth-1"
|
|
20
|
+
return user_id
|
|
21
|
+
|
|
22
|
+
|
|
23
|
+
def test_parse_device_oauth_log_extracts_uri_and_code() -> None:
|
|
24
|
+
sample = (
|
|
25
|
+
"To continue, follow these steps:\n\n"
|
|
26
|
+
" 1. Open this URL in your browser:\n"
|
|
27
|
+
" \x1b[94mhttps://auth.openai.com/codex/device\x1b[0m\n\n"
|
|
28
|
+
" 2. Enter this code:\n"
|
|
29
|
+
" \x1b[94mABCD-1234\x1b[0m\n\n"
|
|
30
|
+
"Waiting for sign-in...\n"
|
|
31
|
+
)
|
|
32
|
+
parsed = server._parse_device_oauth_log(sample)
|
|
33
|
+
assert parsed["verification_uri"] == "https://auth.openai.com/codex/device"
|
|
34
|
+
assert parsed["user_code"] == "ABCD-1234"
|
|
35
|
+
|
|
36
|
+
|
|
37
|
+
def test_hermes_oauth_tokens_present_reads_providers_block(user_env: str) -> None:
|
|
38
|
+
auth_path = server._user_hermes_auth_path(user_env)
|
|
39
|
+
auth_path.parent.mkdir(parents=True, exist_ok=True)
|
|
40
|
+
auth_path.write_text(
|
|
41
|
+
json.dumps(
|
|
42
|
+
{
|
|
43
|
+
"providers": {
|
|
44
|
+
"openai-codex": {
|
|
45
|
+
"tokens": {"access_token": "tok", "refresh_token": "ref"},
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
),
|
|
50
|
+
encoding="utf-8",
|
|
51
|
+
)
|
|
52
|
+
assert server._hermes_oauth_tokens_present(user_env, "openai-codex") is True
|
|
53
|
+
|
|
54
|
+
|
|
55
|
+
def test_list_user_providers_marks_codex_connected_from_auth_json(user_env: str) -> None:
|
|
56
|
+
auth_path = server._user_hermes_auth_path(user_env)
|
|
57
|
+
auth_path.parent.mkdir(parents=True, exist_ok=True)
|
|
58
|
+
auth_path.write_text(
|
|
59
|
+
json.dumps(
|
|
60
|
+
{
|
|
61
|
+
"providers": {
|
|
62
|
+
"openai-codex": {
|
|
63
|
+
"tokens": {"access_token": "tok"},
|
|
64
|
+
}
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
),
|
|
68
|
+
encoding="utf-8",
|
|
69
|
+
)
|
|
70
|
+
payload = server.list_user_providers(user_env)
|
|
71
|
+
codex = next(row for row in payload["providers"] if row["id"] == "codex")
|
|
72
|
+
assert codex["connected"] is True
|
|
73
|
+
|
|
74
|
+
|
|
75
|
+
def test_load_user_hermes_auth_reads_gateway_fallback(user_env: str, monkeypatch: pytest.MonkeyPatch) -> None:
|
|
76
|
+
monkeypatch.setattr(server, "_read_gateway_data_file", lambda rel: json.dumps({
|
|
77
|
+
"providers": {"openai-codex": {"tokens": {"access_token": "tok"}}},
|
|
78
|
+
}))
|
|
79
|
+
loaded = server._load_user_hermes_auth(user_env)
|
|
80
|
+
assert isinstance(loaded, dict)
|
|
81
|
+
assert server._hermes_oauth_tokens_present(user_env, "openai-codex") is True
|
|
82
|
+
|
|
83
|
+
|
|
84
|
+
def test_spawn_hermes_device_oauth_uses_detached_exec(user_env: str, monkeypatch: pytest.MonkeyPatch) -> None:
|
|
85
|
+
calls: list[list[str]] = []
|
|
86
|
+
|
|
87
|
+
def fake_detached(cmd: list[str]) -> tuple[int, str]:
|
|
88
|
+
calls.append(cmd)
|
|
89
|
+
return 0, ""
|
|
90
|
+
|
|
91
|
+
monkeypatch.setattr(server, "_gateway_container_exec_detached", fake_detached)
|
|
92
|
+
rc, _ = server._spawn_hermes_device_oauth(user_env, "openai-codex", "/opt/data/profiles/x/.oauth.log")
|
|
93
|
+
assert rc == 0
|
|
94
|
+
assert calls
|
|
95
|
+
joined = " ".join(calls[0])
|
|
96
|
+
assert "auth add openai-codex" in joined
|
|
97
|
+
assert "su -s /bin/sh hermes" in joined
|
|
98
|
+
|
|
99
|
+
|
|
100
|
+
def test_list_user_providers_marks_deepseek_connected_from_env(user_env: str) -> None:
|
|
101
|
+
env_path = server._user_hermes_env_path(user_env)
|
|
102
|
+
env_path.parent.mkdir(parents=True, exist_ok=True)
|
|
103
|
+
env_path.write_text("DEEPSEEK_API_KEY=sk-deep\n", encoding="utf-8")
|
|
104
|
+
|
|
105
|
+
payload = server.list_user_providers(user_env)
|
|
106
|
+
deepseek = next(row for row in payload["providers"] if row["id"] == "deepseek")
|
|
107
|
+
|
|
108
|
+
assert deepseek["connected"] is True
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
"""Explicit doctor repair — opt-in runtime provisioning for agent DM rooms."""
|
|
2
|
+
import os
|
|
3
|
+
import tempfile
|
|
4
|
+
import unittest
|
|
5
|
+
from pathlib import Path
|
|
6
|
+
from unittest import mock
|
|
7
|
+
|
|
8
|
+
import server
|
|
9
|
+
from db_setup import ensure_workframe_schemas
|
|
10
|
+
|
|
11
|
+
|
|
12
|
+
class DoctorRepairTests(unittest.TestCase):
|
|
13
|
+
def setUp(self) -> None:
|
|
14
|
+
self.tmp = tempfile.TemporaryDirectory()
|
|
15
|
+
self.addCleanup(self.tmp.cleanup)
|
|
16
|
+
data = Path(self.tmp.name) / "data"
|
|
17
|
+
data.mkdir()
|
|
18
|
+
self.patches = [
|
|
19
|
+
mock.patch.object(server, "DATA_DIR", data),
|
|
20
|
+
mock.patch.object(server, "AUTH_DB_PATH", data / "auth.db"),
|
|
21
|
+
mock.patch.object(server, "_workframe_db_path", return_value=data / "workframe.db"),
|
|
22
|
+
mock.patch.dict(os.environ, {"WORKFRAME_PROJECT": "Workframe"}, clear=False),
|
|
23
|
+
]
|
|
24
|
+
for patch in self.patches:
|
|
25
|
+
patch.start()
|
|
26
|
+
self.addCleanup(patch.stop)
|
|
27
|
+
ensure_workframe_schemas()
|
|
28
|
+
self.workspace_id = "ws-1"
|
|
29
|
+
self.user_id = "user-1"
|
|
30
|
+
self.agent_id = "a0000000-0000-4000-8000-000000000001"
|
|
31
|
+
self.agent_slug = "workframe-agent"
|
|
32
|
+
self.room_id = "room-1"
|
|
33
|
+
conn = server._workframe_db()
|
|
34
|
+
try:
|
|
35
|
+
now = "1"
|
|
36
|
+
conn.execute(
|
|
37
|
+
"INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
|
|
38
|
+
(self.workspace_id, "default", "Workframe", self.user_id, "active", now, now),
|
|
39
|
+
)
|
|
40
|
+
conn.execute(
|
|
41
|
+
"""
|
|
42
|
+
INSERT INTO agent_profiles (id, workspace_id, slug, display_name, status, created_at, updated_at)
|
|
43
|
+
VALUES (?, ?, ?, ?, 'available', ?, ?)
|
|
44
|
+
""",
|
|
45
|
+
(self.agent_id, self.workspace_id, self.agent_slug, "Agent", now, now),
|
|
46
|
+
)
|
|
47
|
+
conn.execute(
|
|
48
|
+
"""
|
|
49
|
+
INSERT INTO rooms (
|
|
50
|
+
id, workspace_id, agent_profile_id, name, slug, room_type, status, created_at, updated_at
|
|
51
|
+
) VALUES (?, ?, ?, 'Agent', 'dm-agent', 'direct', 'active', ?, ?)
|
|
52
|
+
""",
|
|
53
|
+
(self.room_id, self.workspace_id, self.agent_id, now, now),
|
|
54
|
+
)
|
|
55
|
+
conn.execute(
|
|
56
|
+
"""
|
|
57
|
+
INSERT INTO room_memberships (id, room_id, user_id, role, status, joined_at, updated_at)
|
|
58
|
+
VALUES ('rm-1', ?, ?, 'member', 'active', ?, ?)
|
|
59
|
+
""",
|
|
60
|
+
(self.room_id, self.user_id, now, now),
|
|
61
|
+
)
|
|
62
|
+
conn.commit()
|
|
63
|
+
finally:
|
|
64
|
+
conn.close()
|
|
65
|
+
|
|
66
|
+
@mock.patch.object(server, "_runtime_profile_on_disk", return_value=False)
|
|
67
|
+
def test_audit_reports_missing(self, _on_disk) -> None:
|
|
68
|
+
out = server.doctor_audit_agent_dm_runtimes()
|
|
69
|
+
self.assertTrue(out["ok"])
|
|
70
|
+
self.assertEqual(out["total"], 1)
|
|
71
|
+
self.assertEqual(out["present"], 0)
|
|
72
|
+
self.assertEqual(len(out["missing"]), 1)
|
|
73
|
+
self.assertEqual(out["missing"][0]["runtime"], "u-user-1-workframe-agent")
|
|
74
|
+
|
|
75
|
+
def test_resolved_session_title_falls_back_to_room_sessions(self) -> None:
|
|
76
|
+
with mock.patch.object(server, "_session_info", return_value={"title": ""}):
|
|
77
|
+
title = server._resolved_session_title(
|
|
78
|
+
"u-user-1-workframe-agent",
|
|
79
|
+
"sid-1",
|
|
80
|
+
"Session with Workframe Agent (9)",
|
|
81
|
+
)
|
|
82
|
+
self.assertEqual(title, "Session with Workframe Agent (9)")
|
|
83
|
+
|
|
84
|
+
@mock.patch.object(server, "_runtime_profile_on_disk")
|
|
85
|
+
@mock.patch.object(server, "ensure_runtime_profile")
|
|
86
|
+
def test_repair_provisions_missing(self, ensure_runtime, on_disk) -> None:
|
|
87
|
+
on_disk.side_effect = [False, True, True]
|
|
88
|
+
|
|
89
|
+
out = server.doctor_repair_agent_dm_runtimes(repair=True)
|
|
90
|
+
|
|
91
|
+
self.assertTrue(out["ok"])
|
|
92
|
+
self.assertEqual(out["missing_before"], 1)
|
|
93
|
+
self.assertEqual(len(out["repaired"]), 1)
|
|
94
|
+
ensure_runtime.assert_called_once_with(
|
|
95
|
+
"u-user-1-workframe-agent",
|
|
96
|
+
self.agent_slug,
|
|
97
|
+
self.user_id,
|
|
98
|
+
self.workspace_id,
|
|
99
|
+
)
|
|
100
|
+
|
|
101
|
+
|
|
102
|
+
if __name__ == "__main__":
|
|
103
|
+
unittest.main()
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
import importlib.util
|
|
2
|
+
import unittest
|
|
3
|
+
from pathlib import Path
|
|
4
|
+
from unittest.mock import patch
|
|
5
|
+
|
|
6
|
+
ROOT = Path(__file__).resolve().parents[2]
|
|
7
|
+
API = ROOT / "workframe-api" / "server.py"
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
def _load_api():
|
|
11
|
+
spec = importlib.util.spec_from_file_location("workframe_api", API)
|
|
12
|
+
mod = importlib.util.module_from_spec(spec)
|
|
13
|
+
assert spec and spec.loader
|
|
14
|
+
spec.loader.exec_module(mod)
|
|
15
|
+
return mod
|
|
16
|
+
|
|
17
|
+
|
|
18
|
+
class EnsureProfileApiTest(unittest.TestCase):
|
|
19
|
+
def test_healthy_profile_skips_gateway_reload(self) -> None:
|
|
20
|
+
api = _load_api()
|
|
21
|
+
with patch.object(api, "resolve_validated_profile", return_value="architect"), patch.object(
|
|
22
|
+
api, "_primary_profile", return_value="workframe-agent"
|
|
23
|
+
), patch.object(api, "_bootstrap_profile_providers") as bootstrap, patch.object(
|
|
24
|
+
api, "_profile_api_healthy", return_value=True
|
|
25
|
+
), patch.object(api, "_gateway_exec") as gateway_exec:
|
|
26
|
+
out = api.ensure_profile_api("architect", "user-1", "ws-1")
|
|
27
|
+
bootstrap.assert_not_called()
|
|
28
|
+
gateway_exec.assert_not_called()
|
|
29
|
+
self.assertFalse(out.get("started"))
|
|
30
|
+
|
|
31
|
+
def test_cold_start_waits_for_health(self) -> None:
|
|
32
|
+
api = _load_api()
|
|
33
|
+
with patch.object(api, "resolve_validated_profile", return_value="architect"), patch.object(
|
|
34
|
+
api, "_primary_profile", return_value="workframe-agent"
|
|
35
|
+
), patch.object(api, "_bootstrap_profile_providers", return_value=False), patch.object(
|
|
36
|
+
api, "_profile_api_healthy", side_effect=[False, False, True]
|
|
37
|
+
), patch.object(
|
|
38
|
+
api, "profile_gateway_lifecycle", return_value={"ok": True, "action": "start"}
|
|
39
|
+
) as start, patch.object(api, "_wait_profile_api_healthy", return_value=True) as wait:
|
|
40
|
+
out = api.ensure_profile_api("architect", "user-1", "ws-1")
|
|
41
|
+
start.assert_called_once_with("architect", "start", bootstrap_providers=True)
|
|
42
|
+
wait.assert_called_once()
|
|
43
|
+
self.assertTrue(out.get("started"))
|
|
44
|
+
|
|
45
|
+
def test_cold_start_skips_bootstrap_when_already_seeded(self) -> None:
|
|
46
|
+
api = _load_api()
|
|
47
|
+
with patch.object(api, "resolve_validated_profile", return_value="architect"), patch.object(
|
|
48
|
+
api, "_primary_profile", return_value="workframe-agent"
|
|
49
|
+
), patch.object(api, "_bootstrap_profile_providers") as bootstrap, patch.object(
|
|
50
|
+
api, "_profile_api_healthy", side_effect=[False, False, True]
|
|
51
|
+
), patch.object(
|
|
52
|
+
api, "profile_gateway_lifecycle", return_value={"ok": True, "action": "start"}
|
|
53
|
+
) as start, patch.object(api, "_wait_profile_api_healthy", return_value=True):
|
|
54
|
+
api.ensure_profile_api("architect", "user-1", "ws-1", bootstrap_providers=False)
|
|
55
|
+
bootstrap.assert_not_called()
|
|
56
|
+
start.assert_called_once_with("architect", "start", bootstrap_providers=False)
|
|
57
|
+
|
|
58
|
+
def test_primary_cold_start_configures_and_restarts_gateway(self) -> None:
|
|
59
|
+
api = _load_api()
|
|
60
|
+
with patch.object(api, "resolve_hermes_profile", return_value="workframe-agent"), patch.object(
|
|
61
|
+
api, "_primary_profile", return_value="workframe-agent"
|
|
62
|
+
), patch.object(api, "_profile_api_port", return_value=8642), patch.object(
|
|
63
|
+
api, "_profile_api_healthy", return_value=False
|
|
64
|
+
), patch.object(
|
|
65
|
+
api, "_configure_profile_api", return_value=(True, "ok", 8642)
|
|
66
|
+
) as configure, patch.object(api, "_restart_stack_gateway", return_value={"ok": True}) as restart, patch.object(
|
|
67
|
+
api, "_wait_profile_api_healthy", return_value=True
|
|
68
|
+
) as wait:
|
|
69
|
+
out = api.ensure_profile_api("workframe-agent", "user-1", "ws-1")
|
|
70
|
+
configure.assert_called_once_with("workframe-agent")
|
|
71
|
+
restart.assert_called_once()
|
|
72
|
+
wait.assert_called_once_with("workframe-agent")
|
|
73
|
+
self.assertTrue(out.get("started"))
|
|
74
|
+
|
|
75
|
+
|
|
76
|
+
if __name__ == "__main__":
|
|
77
|
+
unittest.main()
|
|
@@ -0,0 +1,136 @@
|
|
|
1
|
+
"""Compose and deployment-mode guards for gateway control-plane isolation."""
|
|
2
|
+
|
|
3
|
+
from __future__ import annotations
|
|
4
|
+
|
|
5
|
+
import re
|
|
6
|
+
import unittest
|
|
7
|
+
from pathlib import Path
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
COMPOSE_PATH = (
|
|
11
|
+
Path(__file__).resolve().parents[3] / "infra" / "compose" / "workframe" / "docker-compose.yml"
|
|
12
|
+
)
|
|
13
|
+
PUBLIC_COMPOSE_PATH = COMPOSE_PATH.parent / "docker-compose.public.yml"
|
|
14
|
+
|
|
15
|
+
# ponytail: substring match — catches ZK_AUTH_HMAC_KEY, WORKFRAME_SUPERVISOR_TOKEN, etc.
|
|
16
|
+
FORBIDDEN_GATEWAY_ENV_MARKERS = (
|
|
17
|
+
"WORKFRAME_SUPERVISOR_TOKEN",
|
|
18
|
+
"WORKFRAME_API_TOKEN",
|
|
19
|
+
"ZK_AUTH_",
|
|
20
|
+
"SMTP_PASS",
|
|
21
|
+
"WORKFRAME_GITHUB_OAUTH_CLIENT_SECRET",
|
|
22
|
+
)
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
def _service_block(compose_text: str, service: str) -> str:
|
|
26
|
+
match = re.search(rf"^ {re.escape(service)}:\n", compose_text, re.MULTILINE)
|
|
27
|
+
if not match:
|
|
28
|
+
raise AssertionError(f"service {service!r} not found in compose")
|
|
29
|
+
start = match.start()
|
|
30
|
+
tail = compose_text[start + 1 :]
|
|
31
|
+
next_svc = re.search(r"^ [a-z0-9-]+:\n", tail, re.MULTILINE)
|
|
32
|
+
end = start + 1 + (next_svc.start() if next_svc else len(tail))
|
|
33
|
+
return compose_text[start:end]
|
|
34
|
+
|
|
35
|
+
|
|
36
|
+
class GatewayComposeSecurityTests(unittest.TestCase):
|
|
37
|
+
@classmethod
|
|
38
|
+
def setUpClass(cls) -> None:
|
|
39
|
+
cls.compose_text = COMPOSE_PATH.read_text(encoding="utf-8")
|
|
40
|
+
cls.gateway_block = _service_block(cls.compose_text, "gateway")
|
|
41
|
+
cls.api_block = _service_block(cls.compose_text, "workframe-api")
|
|
42
|
+
cls.supervisor_block = _service_block(cls.compose_text, "workframe-supervisor")
|
|
43
|
+
|
|
44
|
+
def test_gateway_has_no_env_file(self) -> None:
|
|
45
|
+
self.assertNotIn("env_file:", self.gateway_block)
|
|
46
|
+
|
|
47
|
+
def test_gateway_not_on_control_net(self) -> None:
|
|
48
|
+
self.assertIn("workframe-net", self.gateway_block)
|
|
49
|
+
self.assertNotIn("control-net", self.gateway_block)
|
|
50
|
+
|
|
51
|
+
def test_supervisor_only_on_control_net(self) -> None:
|
|
52
|
+
self.assertIn("control-net", self.supervisor_block)
|
|
53
|
+
self.assertNotIn("workframe-net", self.supervisor_block)
|
|
54
|
+
|
|
55
|
+
def test_api_on_both_networks(self) -> None:
|
|
56
|
+
self.assertIn("workframe-net", self.api_block)
|
|
57
|
+
self.assertIn("control-net", self.api_block)
|
|
58
|
+
|
|
59
|
+
def test_gateway_environment_has_no_control_secrets(self) -> None:
|
|
60
|
+
env_section = re.search(r"environment:\n((?: - .+\n)+)", self.gateway_block)
|
|
61
|
+
self.assertIsNotNone(env_section, "gateway environment block missing")
|
|
62
|
+
env_lines = env_section.group(1) if env_section else ""
|
|
63
|
+
for marker in FORBIDDEN_GATEWAY_ENV_MARKERS:
|
|
64
|
+
self.assertNotIn(marker, env_lines, f"gateway env must not reference {marker}")
|
|
65
|
+
|
|
66
|
+
def test_gateway_mounts_proxy_token_volume_not_api_data(self) -> None:
|
|
67
|
+
self.assertIn("workframe-proxy-token:/run/workframe-proxy", self.gateway_block)
|
|
68
|
+
self.assertNotIn("workframe-api-data", self.gateway_block)
|
|
69
|
+
|
|
70
|
+
def test_public_overlay_api_has_no_docker_sock(self) -> None:
|
|
71
|
+
public_text = PUBLIC_COMPOSE_PATH.read_text(encoding="utf-8")
|
|
72
|
+
api_block = _service_block(public_text, "workframe-api")
|
|
73
|
+
self.assertNotIn("/var/run/docker.sock", api_block)
|
|
74
|
+
self.assertNotIn(":/project", api_block)
|
|
75
|
+
|
|
76
|
+
|
|
77
|
+
class HermesDashboardGateTests(unittest.TestCase):
|
|
78
|
+
def test_public_mode_denies_member(self) -> None:
|
|
79
|
+
import server
|
|
80
|
+
from unittest.mock import patch
|
|
81
|
+
|
|
82
|
+
handler = type("H", (), {"auth_user": "u1", "auth_role": "member"})()
|
|
83
|
+
with patch.object(server, "DEPLOYMENT_MODE", "public_multi_user"), patch.object(
|
|
84
|
+
server, "DEV_LOCAL_UNSAFE", False
|
|
85
|
+
):
|
|
86
|
+
self.assertEqual(server._hermes_dashboard_gate_status(handler), 403)
|
|
87
|
+
|
|
88
|
+
def test_public_mode_allows_admin(self) -> None:
|
|
89
|
+
import server
|
|
90
|
+
from unittest.mock import patch
|
|
91
|
+
|
|
92
|
+
handler = type("H", (), {"auth_user": "u1", "auth_role": "admin"})()
|
|
93
|
+
with patch.object(server, "DEPLOYMENT_MODE", "public_multi_user"), patch.object(
|
|
94
|
+
server, "DEV_LOCAL_UNSAFE", False
|
|
95
|
+
):
|
|
96
|
+
self.assertEqual(server._hermes_dashboard_gate_status(handler), 204)
|
|
97
|
+
|
|
98
|
+
def test_single_user_local_allows_anonymous(self) -> None:
|
|
99
|
+
import server
|
|
100
|
+
from unittest.mock import patch
|
|
101
|
+
|
|
102
|
+
handler = type("H", (), {"auth_user": "", "auth_role": ""})()
|
|
103
|
+
with patch.object(server, "DEPLOYMENT_MODE", "single_user_local"):
|
|
104
|
+
self.assertEqual(server._hermes_dashboard_gate_status(handler), 204)
|
|
105
|
+
|
|
106
|
+
|
|
107
|
+
class PublicDeploymentValidationTests(unittest.TestCase):
|
|
108
|
+
def test_public_mode_requires_https_and_smtp(self) -> None:
|
|
109
|
+
import server
|
|
110
|
+
from unittest.mock import patch
|
|
111
|
+
|
|
112
|
+
with patch.object(server, "DEPLOYMENT_MODE", "public_multi_user"), patch.object(
|
|
113
|
+
server, "DEV_LOCAL_UNSAFE", False
|
|
114
|
+
), patch.object(server, "SECURE_MODE", True), patch.object(
|
|
115
|
+
server, "_supervisor_ready", return_value=True
|
|
116
|
+
), patch.object(server, "_install_window_open", return_value=False), patch.object(
|
|
117
|
+
server, "APP_BASE_URL", "http://insecure.example"
|
|
118
|
+
), patch.dict(
|
|
119
|
+
"os.environ",
|
|
120
|
+
{
|
|
121
|
+
"ZK_AUTH_HMAC_KEY": "a",
|
|
122
|
+
"ZK_AUTH_ENCRYPTION_KEY": "b",
|
|
123
|
+
"ZK_AUTH_SESSION_SECRET": "c",
|
|
124
|
+
"WORKFRAME_API_TOKEN": "d",
|
|
125
|
+
"SMTP_HOST": "",
|
|
126
|
+
},
|
|
127
|
+
clear=False,
|
|
128
|
+
):
|
|
129
|
+
errors = server._deployment_security_errors()
|
|
130
|
+
self.assertTrue(any("APP_BASE_URL" in e for e in errors))
|
|
131
|
+
self.assertTrue(any("SMTP_HOST" in e for e in errors))
|
|
132
|
+
self.assertTrue(any("WORKFRAME_PROXY_TOKEN" in e for e in errors))
|
|
133
|
+
|
|
134
|
+
|
|
135
|
+
if __name__ == "__main__":
|
|
136
|
+
unittest.main()
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
"""Install-window host/origin gate — setup must not require ALLOWED_HOSTS to match yet."""
|
|
2
|
+
|
|
3
|
+
from __future__ import annotations
|
|
4
|
+
|
|
5
|
+
import unittest
|
|
6
|
+
from unittest import mock
|
|
7
|
+
|
|
8
|
+
import server
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
class InstallSecureHostTests(unittest.TestCase):
|
|
12
|
+
def setUp(self) -> None:
|
|
13
|
+
self._old_hosts = server.ALLOWED_HOSTS
|
|
14
|
+
self._old_dev = server.DEV_LOCAL_UNSAFE
|
|
15
|
+
server.DEV_LOCAL_UNSAFE = False
|
|
16
|
+
server.ALLOWED_HOSTS = ["dev.example.com"]
|
|
17
|
+
|
|
18
|
+
def tearDown(self) -> None:
|
|
19
|
+
server.ALLOWED_HOSTS = self._old_hosts
|
|
20
|
+
server.DEV_LOCAL_UNSAFE = self._old_dev
|
|
21
|
+
|
|
22
|
+
def test_allowed_hosts_unions_loopback_when_configured(self) -> None:
|
|
23
|
+
hosts = server._allowed_hosts()
|
|
24
|
+
self.assertIn("dev.example.com", hosts)
|
|
25
|
+
self.assertIn("127.0.0.1", hosts)
|
|
26
|
+
|
|
27
|
+
def test_install_stack_patch_ok_during_install_window_via_tunnel(self) -> None:
|
|
28
|
+
headers = {"Host": "127.0.0.1:28644", "Origin": "http://127.0.0.1:28644"}
|
|
29
|
+
with mock.patch.object(server, "_install_window_open", return_value=True):
|
|
30
|
+
self.assertTrue(server._secure_host_origin_ok("PATCH", "/api/install/stack", headers))
|
|
31
|
+
|
|
32
|
+
def test_install_stack_patch_denied_after_install_window(self) -> None:
|
|
33
|
+
headers = {"Host": "evil.test", "Origin": "http://evil.test"}
|
|
34
|
+
with mock.patch.object(server, "_install_window_open", return_value=False):
|
|
35
|
+
self.assertFalse(server._secure_host_origin_ok("PATCH", "/api/install/stack", headers))
|
|
36
|
+
|
|
37
|
+
|
|
38
|
+
if __name__ == "__main__":
|
|
39
|
+
unittest.main()
|