npm - create-workframe - Versions diffs - 0.1.0 - Mend

create-workframe 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (415) hide show

package/workframe-api/updates.py ADDED Viewed

@@ -0,0 +1,417 @@
+"""Admin stack updates — version checks + safe in-place apply (preserves runtime/DB)."""
+from __future__ import annotations
+import json
+import os
+import re
+import subprocess
+import urllib.error
+import urllib.parse
+import urllib.request
+from pathlib import Path
+from typing import Any
+HERMES_IMAGE = os.environ.get("WORKFRAME_HERMES_IMAGE", "nousresearch/hermes-agent")
+HERMES_TAG = os.environ.get("WORKFRAME_HERMES_TAG", "latest")
+NPM_PACKAGE = os.environ.get("WORKFRAME_NPM_PACKAGE", "create-workframe")
+RELEASES_URL = str(os.environ.get("WORKFRAME_RELEASES_URL", "")).strip()
+DOCKER_SOCK = os.environ.get("DOCKER_SOCK", "/var/run/docker.sock")
+GATEWAY_CONTAINER = os.environ.get("WORKFRAME_GATEWAY_CONTAINER", "workframe-gateway")
+API_VERSION = str(os.environ.get("WORKFRAME_API_VERSION", "")).strip()
+def _version_tuple(raw: str) -> tuple[int, ...]:
+    text = re.sub(r"^workframe-api-", "", str(raw or "").strip())
+    nums: list[int] = []
+    for part in re.split(r"[.+_-]", text):
+        if part.isdigit():
+            nums.append(int(part))
+        elif nums:
+            break
+    return tuple(nums)
+def _version_lt(current: str, latest: str) -> bool:
+    cur = str(current or "").strip()
+    lat = str(latest or "").strip()
+    if not lat:
+        return False
+    if not cur:
+        return True
+    return _version_tuple(cur) < _version_tuple(lat)
+def _http_json(url: str, timeout: float = 12.0) -> dict[str, Any]:
+    req = urllib.request.Request(url, headers={"Accept": "application/json", "User-Agent": "workframe-api"})
+    with urllib.request.urlopen(req, timeout=timeout) as resp:
+        data = json.loads(resp.read().decode("utf-8"))
+    return data if isinstance(data, dict) else {}
+def _npm_latest_version() -> str:
+    data = _http_json(f"https://registry.npmjs.org/{urllib.parse.quote(NPM_PACKAGE)}/latest")
+    return str(data.get("version") or "").strip()
+def _docker_hub_digest(repo: str, tag: str) -> str:
+    url = f"https://hub.docker.com/v2/repositories/{repo}/tags/{urllib.parse.quote(tag)}"
+    data = _http_json(url)
+    # ponytail: tag digest matches docker pull :tag RepoDigests; images[0] may be arm64 on multi-arch repos
+    top = str(data.get("digest") or "").strip()
+    if top:
+        return top
+    for entry in data.get("images") or []:
+        if not isinstance(entry, dict) or not entry.get("digest"):
+            continue
+        if entry.get("architecture") == "amd64" and entry.get("os") == "linux":
+            return str(entry["digest"]).strip()
+    for entry in data.get("images") or []:
+        if isinstance(entry, dict) and entry.get("digest"):
+            return str(entry["digest"]).strip()
+    return ""
+def _docker_sock_request(method: str, path: str, body: bytes | None = None) -> tuple[int, Any]:
+    import http.client
+    import socket as pysocket
+    if not Path(DOCKER_SOCK).exists():
+        return 0, {"error": "docker_socket_missing"}
+    conn = http.client.HTTPConnection("localhost", timeout=120)
+    conn.sock = pysocket.socket(pysocket.AF_UNIX, pysocket.SOCK_STREAM)
+    conn.sock.connect(DOCKER_SOCK)
+    headers = {"Content-Type": "application/json"} if body else {}
+    conn.request(method, path, body=body, headers=headers)
+    resp = conn.getresponse()
+    raw = resp.read()
+    conn.close()
+    if not raw:
+        return resp.status, {}
+    try:
+        return resp.status, json.loads(raw.decode("utf-8"))
+    except json.JSONDecodeError:
+        return resp.status, raw.decode("utf-8", errors="replace")
+def _container_image_digest(name: str) -> tuple[str, str]:
+    status, data = _docker_sock_request("GET", f"/containers/{name}/json")
+    if status != 200 or not isinstance(data, dict):
+        return "", ""
+    image_id = str(data.get("Image") or "")
+    ist, idata = _docker_sock_request("GET", f"/images/{image_id}/json")
+    digest = ""
+    ref = HERMES_IMAGE
+    if ist == 200 and isinstance(idata, dict):
+        digests = idata.get("RepoDigests") or []
+        if digests:
+            digest = str(digests[0]).split("@")[-1]
+        tags = idata.get("RepoTags") or []
+        if tags:
+            ref = str(tags[0])
+    return digest, ref
+def _read_installed_workframe_version(project_root: Path) -> dict[str, str]:
+    out = {"api": API_VERSION, "package": "", "manifest_generator": ""}
+    manifest = project_root / "workframe-manifest.json"
+    if manifest.is_file():
+        try:
+            data = json.loads(manifest.read_text(encoding="utf-8"))
+            out["package"] = str(data.get("package_version") or "")
+            out["manifest_generator"] = str(data.get("generator") or "")
+        except Exception:  # noqa: BLE001
+            pass
+    if not out["api"]:
+        try:
+            import server as _server  # noqa: WPS433
+            out["api"] = str(getattr(_server, "VERSION", ""))
+        except Exception:  # noqa: BLE001
+            pass
+    if not out["package"]:
+        out["package"] = out["api"]
+    return out
+def _compose_dir() -> Path:
+    for raw in (
+        os.environ.get("WORKFRAME_HOST_COMPOSE_DIR", ""),
+        os.environ.get("WORKFRAME_COMPOSE_DIR", ""),
+        os.environ.get("WORKFRAME_PROJECT_ROOT", ""),
+        "/compose",
+        "/project",
+    ):
+        p = Path(str(raw or "").strip())
+        if p.is_dir() and (p / "docker-compose.yml").is_file():
+            return p
+    return Path(".")
+def _project_root() -> Path:
+    for raw in (os.environ.get("WORKFRAME_PROJECT_ROOT", ""), "/project", os.environ.get("WORKFRAME_COMPOSE_DIR", "")):
+        p = Path(str(raw or "").strip())
+        if p.is_dir() and (p / "workframe-manifest.json").is_file():
+            return p
+    for raw in (os.environ.get("WORKFRAME_PROJECT_ROOT", ""), "/project", os.environ.get("WORKFRAME_COMPOSE_DIR", "")):
+        p = Path(str(raw or "").strip())
+        if p.is_dir() and (p / "docker-compose.yml").is_file():
+            return p
+    return _compose_dir()
+def _script_path(name: str) -> Path | None:
+    roots = [
+        Path(f"/opt/install/scripts/{name}"),
+        Path(f"/opt/install/scripts/workframe/{name}"),
+    ]
+    mode = str(os.environ.get("WORKFRAME_DEPLOYMENT_MODE") or "trusted_team").strip().lower()
+    if mode == "single_user_local":
+        roots.extend(
+            [
+                _project_root() / "scripts" / "workframe" / name,
+                _project_root() / "scripts" / name,
+            ],
+        )
+    for path in roots:
+        if path.is_file():
+            return path
+    return None
+def _host_compose_ready() -> bool:
+    host_raw = str(os.environ.get("WORKFRAME_HOST_COMPOSE_DIR", "")).strip()
+    if not host_raw:
+        return False
+    host = Path(host_raw)
+    if host.is_dir() and (host / "docker-compose.yml").is_file():
+        return True
+    # ponytail: Windows host paths are not visible inside the API container — trust /compose mount
+    compose = _compose_dir()
+    return compose.joinpath("docker-compose.yml").is_file()
+def _docker_apply_ready() -> tuple[bool, str | None]:
+    if not Path(DOCKER_SOCK).exists():
+        return False, "Docker socket is not available to the API container."
+    if not _compose_dir().joinpath("docker-compose.yml").is_file():
+        return False, "docker-compose.yml was not found for this stack."
+    if not _host_compose_ready():
+        return False, (
+            "Set WORKFRAME_HOST_COMPOSE_DIR to the host compose folder so updates run on the Docker host."
+        )
+    return True, None
+def _product_state(*, update_available: bool, can_update: bool) -> str:
+    if update_available and can_update:
+        return "available"
+    if update_available:
+        return "blocked"
+    return "current"
+def parse_hermes_version_output(text: str) -> str:
+    """Extract semver from `hermes --version` stdout."""
+    match = re.search(r"Hermes Agent v(\d+\.\d+\.\d+)", str(text or ""))
+    return match.group(1) if match else ""
+def _read_hermes_agent_version() -> str:
+    """Native Hermes semver via gateway exec (lazy import avoids server load cycle)."""
+    try:
+        import server as _server  # noqa: WPS433
+        return _server._hermes_agent_version()
+    except Exception:  # noqa: BLE001
+        return ""
+def _releases_manifest() -> dict[str, Any]:
+    if not RELEASES_URL:
+        return {}
+    try:
+        return _http_json(RELEASES_URL)
+    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError):
+        return {}
+def updates_available(*, desktop_version: str = "", hermes_agent_version: str = "") -> dict[str, Any]:
+    compose_dir = _compose_dir()
+    project_root = _project_root()
+    docker_ok = Path(DOCKER_SOCK).exists()
+    installed = _read_installed_workframe_version(project_root)
+    npm_latest = ""
+    try:
+        npm_latest = _npm_latest_version()
+    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError, KeyError):
+        pass
+    releases = _releases_manifest()
+    workframe_latest = str(releases.get("workframe") or releases.get("create_workframe") or npm_latest or "")
+    desktop_latest = str(releases.get("desktop") or os.environ.get("WORKFRAME_DESKTOP_LATEST", "0.1.0"))
+    installed_pkg = installed.get("package") or installed.get("api") or ""
+    workframe_update = bool(workframe_latest and _version_lt(installed_pkg, workframe_latest))
+    hermes_digest, hermes_ref = _container_image_digest(GATEWAY_CONTAINER)
+    hermes_tag = hermes_ref.rsplit(":", 1)[-1] if hermes_ref and ":" in hermes_ref else HERMES_TAG
+    hermes_latest_digest = ""
+    try:
+        hermes_latest_digest = _docker_hub_digest(HERMES_IMAGE, HERMES_TAG)
+    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError, KeyError):
+        pass
+    hermes_update = bool(
+        docker_ok
+        and hermes_latest_digest
+        and hermes_digest
+        and hermes_digest != hermes_latest_digest,
+    )
+    desktop_installed = str(desktop_version or "").strip()
+    desktop_update = bool(desktop_latest and desktop_installed and _version_lt(desktop_installed, desktop_latest))
+    digest_short = hermes_latest_digest
+    if len(digest_short) > 28:
+        digest_short = digest_short[:28] + "…"
+    docker_apply_ok, docker_apply_reason = _docker_apply_ready()
+    hermes_script_ok = _script_path("apply-update-hermes.sh") is not None
+    workframe_script_ok = _script_path("apply-update-workframe.sh") is not None
+    hermes_can_update = bool(docker_apply_ok and hermes_script_ok)
+    workframe_can_update = bool(docker_apply_ok and workframe_script_ok)
+    hermes_reason = docker_apply_reason
+    if not hermes_reason and hermes_update and not hermes_script_ok:
+        hermes_reason = "Hermes update script is missing from this install."
+    workframe_reason = docker_apply_reason
+    if not workframe_reason and workframe_update and not workframe_script_ok:
+        workframe_reason = "Workframe update script is missing from this install."
+    if not workframe_reason and workframe_update and not workframe_latest:
+        workframe_reason = "No published npm release to update to yet."
+    agent_version = str(hermes_agent_version or "").strip() or _read_hermes_agent_version()
+    hermes_current = agent_version or hermes_tag
+    return {
+        "ok": True,
+        "docker_available": docker_ok,
+        "compose_dir": str(compose_dir),
+        "project_root": str(project_root),
+        "workframe": {
+            "current": installed_pkg,
+            "latest": workframe_latest,
+            "update_available": workframe_update,
+            "can_update": workframe_can_update,
+            "state": _product_state(update_available=workframe_update, can_update=workframe_can_update),
+            "reason": workframe_reason,
+            "update_mode": "docker-compose-rebuild",
+            "install_kind": "docker",
+            "components": ["ui", "api", "supervisor"],
+        },
+        "hermes": {
+            "current": hermes_current,
+            "agent_version": agent_version,
+            "image_tag": hermes_tag,
+            "latest": "",
+            "current_image": hermes_ref,
+            "current_digest": hermes_digest[:28] + "…" if len(hermes_digest) > 28 else hermes_digest,
+            "latest_digest": digest_short,
+            "image": f"{HERMES_IMAGE}:{HERMES_TAG}",
+            "update_available": hermes_update,
+            "can_update": hermes_can_update,
+            "state": _product_state(update_available=hermes_update, can_update=hermes_can_update),
+            "reason": hermes_reason,
+            "update_mode": "docker-compose-pull",
+            "install_kind": "docker",
+            "can_restart_gateway": bool(docker_apply_ok and _script_path("restart-gateway-hermes.sh") is not None),
+        },
+        "desktop": {
+            "current": desktop_installed,
+            "latest": desktop_latest,
+            "update_available": desktop_update,
+            "can_update": False,
+            "state": "available" if desktop_update else "current",
+            "reason": "Desktop updates are distributed separately from the Docker stack.",
+            "update_mode": "manual-download",
+            "install_kind": "desktop",
+            "download_url": str(releases.get("desktop_download_url") or ""),
+        },
+    }
+def apply_update(target: str) -> dict[str, Any]:
+    if os.environ.get("WORKFRAME_ENABLE_ADMIN_UPDATES") != "1":
+        raise ValueError("admin_updates_disabled")
+    target = str(target or "all").strip().lower()
+    if target not in {"hermes", "workframe", "all"}:
+        raise ValueError("invalid_update_target")
+    if not Path(DOCKER_SOCK).exists():
+        raise ValueError("docker_unavailable")
+    scripts: list[str] = []
+    if target in {"hermes", "all"}:
+        script = _script_path("apply-update-hermes.sh")
+        if not script:
+            raise ValueError("update_script_missing:hermes")
+        scripts.append(str(script))
+    if target in {"workframe", "all"}:
+        script = _script_path("apply-update-workframe.sh")
+        if not script:
+            raise ValueError("update_script_missing:workframe")
+        scripts.append(str(script))
+    env = os.environ.copy()
+    env.setdefault("WORKFRAME_COMPOSE_DIR", str(_compose_dir()))
+    env.setdefault("WORKFRAME_PROJECT_ROOT", str(_project_root()))
+    logs: list[str] = []
+    for script in scripts:
+        proc = subprocess.run(
+            ["bash", script],
+            capture_output=True,
+            text=True,
+            timeout=900,
+            env=env,
+            cwd=env["WORKFRAME_COMPOSE_DIR"],
+        )
+        logs.append(f"=== {script} (exit {proc.returncode}) ===\n{proc.stdout}\n{proc.stderr}")
+        if proc.returncode != 0:
+            raise ValueError(f"update_failed:{Path(script).name}")
+    return {"ok": True, "target": target, "log": "\n".join(logs)[-12000:]}
+def restart_gateway() -> dict[str, Any]:
+    if os.environ.get("WORKFRAME_ENABLE_ADMIN_UPDATES") != "1":
+        raise ValueError("admin_updates_disabled")
+    if not Path(DOCKER_SOCK).exists():
+        raise ValueError("docker_unavailable")
+    docker_apply_ok, docker_apply_reason = _docker_apply_ready()
+    if not docker_apply_ok:
+        raise ValueError(str(docker_apply_reason or "docker_apply_unavailable"))
+    script = _script_path("restart-gateway-hermes.sh")
+    if not script:
+        raise ValueError("restart_script_missing:gateway")
+    env = os.environ.copy()
+    env.setdefault("WORKFRAME_COMPOSE_DIR", str(_compose_dir()))
+    env.setdefault("WORKFRAME_PROJECT_ROOT", str(_project_root()))
+    proc = subprocess.run(
+        ["bash", str(script)],
+        capture_output=True,
+        text=True,
+        timeout=300,
+        env=env,
+        cwd=env["WORKFRAME_COMPOSE_DIR"],
+    )
+    log = f"=== {script} (exit {proc.returncode}) ===\n{proc.stdout}\n{proc.stderr}"
+    if proc.returncode != 0:
+        raise ValueError("restart_failed:gateway")
+    return {"ok": True, "target": "gateway", "log": log[-12000:]}
+if __name__ == "__main__":
+    assert _version_lt("0.1.0", "0.1.1")
+    assert not _version_lt("0.1.0", "0.1.0")
+    assert parse_hermes_version_output("Hermes Agent v0.17.0 (2026.6.19)") == "0.17.0"
+    print("updates module ok")

package/workframe-api/vault_kek.py ADDED Viewed

@@ -0,0 +1,159 @@
+"""Vault master key (KEK) — in-memory only; separate from ZK_AUTH_ENCRYPTION_KEY."""
+from __future__ import annotations
+import base64
+import hashlib
+import json
+import os
+import secrets
+from pathlib import Path
+from typing import Any
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+DATA_DIR = Path(os.environ.get("WORKFRAME_API_DATA_DIR", "/app/data"))
+VAULT_KEK_FILE = DATA_DIR / ".vault_kek"
+META_TABLE = "vault_meta"
+_KEK: bytes | None = None
+_PBKDF2_ROUNDS = 200_000
+def _b64e(raw: bytes) -> str:
+    return base64.b64encode(raw).decode("ascii")
+def _b64d(value: str) -> bytes:
+    raw = base64.b64decode(str(value or "").strip())
+    if len(raw) != 32:
+        raise ValueError("vault KEK must be 32 bytes")
+    return raw
+def _derive_wrap_key(passphrase: str, salt: bytes) -> bytes:
+    phrase = str(passphrase or "")
+    if len(phrase) < 12:
+        raise ValueError("passphrase must be at least 12 characters")
+    return hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, _PBKDF2_ROUNDS, dklen=32)
+def _aes_gcm_encrypt(key: bytes, plaintext: bytes) -> dict[str, str]:
+    iv = os.urandom(12)
+    ct = AESGCM(key).encrypt(iv, plaintext, None)
+    return {
+        "v": 1,
+        "alg": "AES-256-GCM",
+        "iv": _b64e(iv),
+        "tag": _b64e(ct[-16:]),
+        "ciphertext": _b64e(ct[:-16]),
+    }
+def _aes_gcm_decrypt(key: bytes, payload: dict[str, Any]) -> bytes:
+    if int(payload.get("v") or 0) != 1 or str(payload.get("alg") or "") != "AES-256-GCM":
+        raise ValueError("unsupported wrap payload")
+    iv = base64.b64decode(str(payload["iv"]))
+    tag = base64.b64decode(str(payload["tag"]))
+    ct = base64.b64decode(str(payload["ciphertext"]))
+    return AESGCM(key).decrypt(iv, ct + tag, None)
+def kek_in_memory() -> bool:
+    return _KEK is not None
+def get_kek() -> bytes:
+    if _KEK is None:
+        raise RuntimeError("vault_sealed")
+    return _KEK
+def set_kek(raw: bytes) -> None:
+    global _KEK
+    if len(raw) != 32:
+        raise ValueError("KEK must be 32 bytes")
+    _KEK = bytes(raw)
+def clear_kek() -> None:
+    global _KEK
+    _KEK = None
+def load_kek_from_env() -> bool:
+    raw = os.environ.get("WORKFRAME_VAULT_KEK", "").strip()
+    if not raw:
+        return False
+    set_kek(_b64d(raw))
+    return True
+def load_kek_from_file() -> bool:
+    if not VAULT_KEK_FILE.is_file():
+        return False
+    try:
+        text = VAULT_KEK_FILE.read_text(encoding="utf-8").strip()
+        payload = json.loads(text) if text.startswith("{") else {"key": text}
+        key_b64 = str(payload.get("key") or text).strip()
+        set_kek(_b64d(key_b64))
+        return True
+    except Exception:
+        return False
+def persist_kek_file() -> None:
+    """Persist in-memory KEK for single-tenant bootstrap (chmod 600)."""
+    if _KEK is None:
+        return
+    DATA_DIR.mkdir(parents=True, exist_ok=True)
+    VAULT_KEK_FILE.write_text(
+        json.dumps({"v": 1, "key": _b64e(_KEK)}),
+        encoding="utf-8",
+    )
+    try:
+        os.chmod(VAULT_KEK_FILE, 0o600)
+    except OSError:
+        pass
+def generate_and_persist_kek() -> bytes:
+    set_kek(os.urandom(32))
+    persist_kek_file()
+    return get_kek()
+def wrap_kek_for_passphrase(passphrase: str) -> tuple[str, str]:
+    """Return (salt_b64, wrapped_kek_json) for vault_meta."""
+    if _KEK is None:
+        raise RuntimeError("vault_sealed")
+    salt = os.urandom(16)
+    wrap_key = _derive_wrap_key(passphrase, salt)
+    wrapped = _aes_gcm_encrypt(wrap_key, _KEK)
+    return _b64e(salt), json.dumps(wrapped)
+def unwrap_kek_from_passphrase(passphrase: str, salt_b64: str, wrapped_json: str) -> bytes:
+    salt = base64.b64decode(str(salt_b64 or "").strip())
+    wrap_key = _derive_wrap_key(passphrase, salt)
+    payload = json.loads(wrapped_json)
+    return _aes_gcm_decrypt(wrap_key, payload)
+def unseal_for_tests() -> None:
+    """Tests: deterministic KEK without touching disk."""
+    seed = os.environ.get("WORKFRAME_VAULT_KEK", "").strip()
+    if seed:
+        set_kek(_b64d(seed))
+        return
+    set_kek(hashlib.sha256(b"workframe-test-vault-kek").digest())
+if __name__ == "__main__":
+    generate_and_persist_kek()
+    assert kek_in_memory()
+    salt, wrapped = wrap_kek_for_passphrase("test-passphrase-12")
+    clear_kek()
+    set_kek(unwrap_kek_from_passphrase("test-passphrase-12", salt, wrapped))
+    assert kek_in_memory()
+    print("vault_kek ok")