npm - create-workframe - Versions diffs - 0.1.0 - Mend

create-workframe 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (415) hide show

package/scripts/security_audit.py ADDED Viewed

@@ -0,0 +1,156 @@
+#!/usr/bin/env python3
+"""Static security hygiene scan for the Workframe package source."""
+from __future__ import annotations
+import json
+import re
+from pathlib import Path
+ROOT = Path(__file__).resolve().parents[1]
+SECRET_PATTERNS = {
+    'aws_access_key': re.compile(r'AKIA[0-9A-Z]{16}'),
+    'github_pat': re.compile(r'ghp_[A-Za-z0-9]{36}'),
+    'slack_token': re.compile(r'xox[baprs]-[A-Za-z0-9-]{10,}'),
+    'telegram_bot_token': re.compile(r'\b\d{8,10}:[A-Za-z0-9_-]{35}\b'),
+    'discord_token': re.compile(r'[MN][A-Za-z\d]{23}\.[\w-]{6}\.[\w-]{27}'),
+    'private_key': re.compile(r'-----BEGIN (?:RSA|EC|OPENSSH|DSA|PGP|PRIVATE) KEY-----'),
+    'generic_secret_assignment': re.compile(r'(?i)(api[_-]?key|token|secret)\s*[:=]\s*["\']?[A-Za-z0-9_\-]{16,}'),
+}
+IGNORE_PARTS = {'.venv', '__pycache__', '.pytest_cache', 'node_modules'}
+REQUIRED_IGNORE_PATTERNS = [
+    'Agents/', '.env', '*.db', 'logs/', 'memories/', 'sessions/', 'kanban/',
+]
+INSTANCE_ARTIFACT_PATTERNS = [
+    re.compile(r'\buser_id\b', re.IGNORECASE),
+    re.compile(r'\bmessage_id\b', re.IGNORECASE),
+    re.compile(r'\bgateway_state\b', re.IGNORECASE),
+    re.compile(r'\bkanban\.db\b', re.IGNORECASE),
+]
+# Project-specific / PII-adjacent names — must not appear in publishable templates
+BANNED_TERM_PATTERNS = [
+    ('glitch', re.compile(r'\bglitch\b', re.IGNORECASE)),
+    ('zeta', re.compile(r'\bzeta\b', re.IGNORECASE)),
+    ('alan', re.compile(r'\balan\b', re.IGNORECASE)),
+]
+# Skip docs that document the ban itself
+BANNED_TERM_SKIP = {'security_audit.py'}
+def iter_files(root: Path):
+    for p in root.rglob('*'):
+        if not p.is_file():
+            continue
+        if any(part in IGNORE_PARTS for part in p.parts):
+            continue
+        yield p
+def scan_secrets():
+    findings = []
+    for p in iter_files(ROOT):
+        rel = p.relative_to(ROOT).as_posix()
+        text = p.read_text(errors='ignore')
+        for name, pattern in SECRET_PATTERNS.items():
+            for m in pattern.finditer(text):
+                findings.append({
+                    'severity': 'high',
+                    'type': 'secret_pattern',
+                    'rule': name,
+                    'file': rel,
+                    'excerpt': m.group(0)[:80],
+                })
+    return findings
+def scan_gitignore_coverage():
+    findings = []
+    gi = ROOT / '.gitignore'
+    if not gi.exists():
+        findings.append({
+            'severity': 'high',
+            'type': 'missing_gitignore',
+            'file': '.gitignore',
+            'rule': 'required file missing',
+        })
+        return findings
+    content = gi.read_text(errors='ignore')
+    for req in REQUIRED_IGNORE_PATTERNS:
+        if req not in content:
+            findings.append({
+                'severity': 'medium',
+                'type': 'gitignore_gap',
+                'file': '.gitignore',
+                'rule': f'missing pattern {req}',
+            })
+    return findings
+def scan_instance_artifacts():
+    findings = []
+    for p in iter_files(ROOT):
+        if p.name in {'.gitignore', '.dockerignore', '.npmignore'}:
+            continue
+        rel = p.relative_to(ROOT).as_posix()
+        text = p.read_text(errors='ignore')
+        for pattern in INSTANCE_ARTIFACT_PATTERNS:
+            for m in pattern.finditer(text):
+                findings.append({
+                    'severity': 'medium',
+                    'type': 'instance_artifact_reference',
+                    'file': rel,
+                    'rule': pattern.pattern,
+                    'excerpt': m.group(0),
+                })
+    return findings
+def scan_banned_terms():
+    findings = []
+    for p in iter_files(ROOT):
+        rel = p.relative_to(ROOT).as_posix()
+        if p.name in BANNED_TERM_SKIP:
+            continue
+        text = p.read_text(errors='ignore')
+        for term, pattern in BANNED_TERM_PATTERNS:
+            for m in pattern.finditer(text):
+                findings.append({
+                    'severity': 'medium',
+                    'type': 'banned_term',
+                    'rule': term,
+                    'file': rel,
+                    'excerpt': m.group(0),
+                })
+    return findings
+def main():
+    findings = []
+    findings.extend(scan_secrets())
+    findings.extend(scan_gitignore_coverage())
+    findings.extend(scan_instance_artifacts())
+    findings.extend(scan_banned_terms())
+    high = [f for f in findings if f['severity'] == 'high']
+    medium = [f for f in findings if f['severity'] == 'medium']
+    report = {
+        'root': str(ROOT),
+        'findings_total': len(findings),
+        'high': len(high),
+        'medium': len(medium),
+        'findings': findings,
+    }
+    print(json.dumps(report, indent=2))
+    raise SystemExit(1 if high else 0)
+if __name__ == '__main__':
+    main()

package/scripts/select_agent_pack.py ADDED Viewed

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+import argparse
+import json
+from pathlib import Path
+DEFAULT = Path(__file__).resolve().parents[1] / 'shared' / 'WORKFRAME_AGENT_PACKS.json'
+def main():
+    ap = argparse.ArgumentParser(description='Print profiles for a Workframe starter pack')
+    ap.add_argument('pack', nargs='?', help='Pack name (vanilla/core/product/engineering/full)')
+    ap.add_argument('--list', action='store_true', help='List packs')
+    ap.add_argument('--file', default=str(DEFAULT), help='Path to WORKFRAME_AGENT_PACKS.json')
+    args = ap.parse_args()
+    data = json.loads(Path(args.file).read_text())
+    packs = data.get('packs', {})
+    if args.list or not args.pack:
+        for name, info in packs.items():
+            print(f"{name}: {info.get('description','')}")
+        return
+    pack = packs.get(args.pack)
+    if not pack:
+        raise SystemExit(f"Unknown pack: {args.pack}. Use --list")
+    for p in pack.get('profiles', []):
+        print(p)
+if __name__ == '__main__':
+    main()

package/scripts/set-compose-public-url.mjs ADDED Viewed

@@ -0,0 +1,92 @@
+#!/usr/bin/env node
+/**
+ * Set public URL keys in compose .env (APP_BASE_URL, WORKFRAME_PUBLIC_HOST, CORS, ALLOWED_HOSTS).
+ * HERMES_DASHBOARD_PUBLIC_URL is derived from APP_BASE_URL in docker-compose.yml.
+ * Usage: node set-compose-public-url.mjs https://dev.example.com [--env path/to/.env]
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+const args = process.argv.slice(2);
+if (args.includes('--self-check')) {
+  function normalizePublicUrl(raw) {
+    let u = String(raw || '').trim();
+    if (!u) throw new Error('url required');
+    if (!/^https?:\/\//i.test(u)) u = `https://${u}`;
+    const parsed = new URL(u);
+    if (!parsed.hostname) throw new Error('invalid hostname');
+    return `https://${parsed.hostname}`;
+  }
+  if (normalizePublicUrl('dev.example.com') !== 'https://dev.example.com') {
+    throw new Error('normalizePublicUrl failed');
+  }
+  console.log('self-check ok');
+  process.exit(0);
+}
+const envFlag = args.indexOf('--env');
+let envPath =
+  envFlag >= 0 ? args[envFlag + 1] : path.join(path.dirname(fileURLToPath(import.meta.url)), '../../infra/compose/workframe/.env');
+const urlArg = args.find((a) => !a.startsWith('--') && a !== envPath);
+if (!urlArg?.trim()) {
+  console.error('Usage: node set-compose-public-url.mjs <https://host> [--env path/to/.env]');
+  process.exit(1);
+}
+function normalizePublicUrl(raw) {
+  let u = String(raw || '').trim();
+  if (!u) throw new Error('url required');
+  if (!/^https?:\/\//i.test(u)) u = `https://${u}`;
+  const parsed = new URL(u);
+  if (!parsed.hostname) throw new Error('invalid hostname');
+  return `https://${parsed.hostname}`;
+}
+function hostnameFromUrl(url) {
+  return new URL(url).hostname;
+}
+function setKv(text, key, val) {
+  const line = `${key}=${val}`;
+  const re = new RegExp(`^${key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}=.*$`, 'm');
+  if (re.test(text)) return text.replace(re, line);
+  return `${text}${text.endsWith('\n') || !text ? '' : '\n'}${line}\n`;
+}
+const publicUrl = normalizePublicUrl(urlArg);
+const host = hostnameFromUrl(publicUrl);
+if (!fs.existsSync(envPath)) {
+  const example = `${envPath}.example`;
+  if (fs.existsSync(example)) {
+    fs.mkdirSync(path.dirname(envPath), { recursive: true });
+    fs.copyFileSync(example, envPath);
+    console.log(`Created ${envPath} from example`);
+  } else {
+    throw new Error(`Missing env file: ${envPath}`);
+  }
+}
+let text = fs.readFileSync(envPath, 'utf8');
+text = setKv(text, 'APP_BASE_URL', publicUrl);
+text = setKv(text, 'WORKFRAME_PUBLIC_HOST', host);
+text = setKv(text, 'ALLOWED_HOSTS', host);
+text = setKv(text, 'CORS_ALLOW_ORIGIN', publicUrl);
+fs.writeFileSync(envPath, text);
+console.log(
+  JSON.stringify(
+    {
+      ok: true,
+      env: envPath,
+      app_base_url: publicUrl,
+      hermes_dashboard_public_url: `${publicUrl}/hermes-dashboard`,
+      host,
+    },
+    null,
+    2,
+  ),
+);

package/scripts/setup-stack-secrets.sh ADDED Viewed

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Append production stack secrets to a Workframe .env (idempotent).
+# Usage: bash scripts/workframe/setup-stack-secrets.sh path/to/.env
+set -euo pipefail
+ENV_FILE="${1:-/workspace/.env}"
+append_if_missing() {
+  local key="$1"
+  local value="$2"
+  local comment="${3:-}"
+  if [[ -f "$ENV_FILE" ]] && grep -q "^${key}=" "$ENV_FILE"; then
+    echo "${key} already exists in ${ENV_FILE}"
+    return 0
+  fi
+  mkdir -p "$(dirname "$ENV_FILE")"
+  {
+    [[ -n "$comment" ]] && printf '\n# %s\n' "$comment"
+    printf '%s=%s\n' "$key" "$value"
+  } >>"$ENV_FILE"
+  echo "${key} generated and appended to ${ENV_FILE}"
+}
+rand_hex() {
+  openssl rand -hex 32 2>/dev/null || python3 - <<'PY'
+import secrets
+print(secrets.token_hex(32))
+PY
+}
+rand_b64() {
+  python3 - <<'PY'
+import base64, os
+print(base64.b64encode(os.urandom(32)).decode())
+PY
+}
+rand_proxy() {
+  python3 - <<'PY'
+import secrets
+print(secrets.token_urlsafe(32))
+PY
+}
+append_if_missing WORKFRAME_SUPERVISOR_TOKEN "${WORKFRAME_SUPERVISOR_TOKEN:-$(rand_hex)}" \
+  "Workframe supervisor token. Keep this secret."
+append_if_missing WORKFRAME_PROXY_TOKEN "${WORKFRAME_PROXY_TOKEN:-$(rand_proxy)}" \
+  "Internal LLM/action proxy secret — gateway + API must match."
+append_if_missing WORKFRAME_VAULT_KEK "${WORKFRAME_VAULT_KEK:-$(rand_b64)}" \
+  "Credential vault KEK (32-byte base64). Required for public_multi_user."

package/scripts/sync-canonical-to-package.mjs ADDED Viewed

@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+/**
+ * Copy canonical Workframe BFF into create-workframe package tree before npm pack.
+ * Run from ProjectX root: node packages/create-workframe/scripts/sync-canonical-to-package.mjs
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const PKG_ROOT = path.resolve(__dirname, '..');
+const PROJECTX_ROOT = path.resolve(PKG_ROOT, '../..');
+const CANONICAL_API = path.join(PROJECTX_ROOT, 'services/workframe-api');
+const PKG_API = path.join(PKG_ROOT, 'workframe-api');
+const CANONICAL_SUPERVISOR = path.join(PROJECTX_ROOT, 'services/workframe-supervisor');
+const PKG_SUPERVISOR = path.join(PKG_ROOT, 'workframe-supervisor');
+const SKIP_DIRS = new Set([
+  'data',
+  '__pycache__',
+  '.pytest_cache',
+  '.venv',
+  'node_modules',
+]);
+const SKIP_FILES = new Set([
+  'board.db',
+  'workframe.db',
+  'auth.db',
+  'fix_crlf.py',
+  'insert_endpoints.py',
+]);
+function shouldSkip(name, isDir) {
+  if (SKIP_DIRS.has(name)) return true;
+  if (!isDir && SKIP_FILES.has(name)) return true;
+  if (!isDir && name.endsWith('.pyc')) return true;
+  return false;
+}
+function copyTree(src, dst) {
+  if (!fs.existsSync(src)) throw new Error(`Missing canonical source: ${src}`);
+  fs.rmSync(dst, { recursive: true, force: true });
+  fs.mkdirSync(dst, { recursive: true });
+  for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+    if (shouldSkip(entry.name, entry.isDirectory())) continue;
+    const from = path.join(src, entry.name);
+    const to = path.join(dst, entry.name);
+    if (entry.isDirectory()) copyTree(from, to);
+    else fs.copyFileSync(from, to);
+  }
+}
+function removeIfExists(p) {
+  if (fs.existsSync(p)) fs.rmSync(p, { recursive: true, force: true });
+}
+console.log(`Sync canonical BFF: ${CANONICAL_API} -> ${PKG_API}`);
+copyTree(CANONICAL_API, PKG_API);
+console.log(`Sync canonical supervisor: ${CANONICAL_SUPERVISOR} -> ${PKG_SUPERVISOR}`);
+copyTree(CANONICAL_SUPERVISOR, PKG_SUPERVISOR);
+const dataDir = path.join(PKG_API, 'data');
+fs.mkdirSync(dataDir, { recursive: true });
+const gitkeep = path.join(dataDir, '.gitkeep');
+if (!fs.existsSync(gitkeep)) fs.writeFileSync(gitkeep, '');
+const catalogSrc = path.join(CANONICAL_API, 'data', 'avatar-catalog.json');
+const catalogDst = path.join(PKG_API, 'data', 'avatar-catalog.json');
+if (fs.existsSync(catalogSrc)) {
+  fs.mkdirSync(path.dirname(catalogDst), { recursive: true });
+  fs.copyFileSync(catalogSrc, catalogDst);
+}
+for (const name of ['user-avatar-catalog.json', 'logo-catalog.json']) {
+  const src = path.join(CANONICAL_API, 'data', name);
+  const dst = path.join(PKG_API, 'data', name);
+  if (fs.existsSync(src)) {
+    fs.mkdirSync(path.dirname(dst), { recursive: true });
+    fs.copyFileSync(src, dst);
+  }
+}
+const missionControl = path.join(PKG_ROOT, 'mission-control');
+removeIfExists(missionControl);
+console.log('Removed deprecated mission-control from package tree');
+const uiSrcMirror = path.join(PKG_ROOT, 'workframe-ui', 'src');
+removeIfExists(uiSrcMirror);
+console.log('Removed stale workframe-ui/src mirror (canonical UI is apps/web)');
+const applyScripts = [
+  'apply-update-hermes.sh',
+  'apply-update-workframe.sh',
+  'restart-gateway-hermes.sh',
+  'compose-docker-host.sh',
+  'setup-stack-secrets.sh',
+  'bootstrap-workspace-link.sh',
+  'verify-public-deploy.sh',
+  'fix-zk-encryption-key.sh',
+  'set-compose-public-url.mjs',
+  'ensure-compose-host-paths.mjs',
+];
+for (const name of applyScripts) {
+  const src = path.join(PROJECTX_ROOT, 'scripts/workframe', name);
+  const dst = path.join(PKG_ROOT, 'scripts', name);
+  if (!fs.existsSync(src)) throw new Error(`Missing apply script: ${src}`);
+  fs.mkdirSync(path.dirname(dst), { recursive: true });
+  fs.copyFileSync(src, dst);
+  console.log(`Synced ${name} -> package/scripts/`);
+}
+const publicDeploySrc = path.join(PROJECTX_ROOT, 'infra/compose/workframe/PUBLIC_DEPLOY.md');
+const publicDeployDst = path.join(PKG_ROOT, 'docs/PUBLIC_DEPLOY.md');
+if (fs.existsSync(publicDeploySrc)) {
+  fs.mkdirSync(path.dirname(publicDeployDst), { recursive: true });
+  fs.copyFileSync(publicDeploySrc, publicDeployDst);
+  console.log('Synced PUBLIC_DEPLOY.md -> package/docs/');
+}
+for (const name of ['LICENSE', 'NOTICE', 'SECURITY.md']) {
+  const src = path.join(PROJECTX_ROOT, name);
+  const dst = path.join(PKG_ROOT, name);
+  if (!fs.existsSync(src)) throw new Error(`Missing publish file: ${src}`);
+  fs.copyFileSync(src, dst);
+  console.log(`Synced ${name} -> package/`);
+}
+const uiStale = [
+  'components.json',
+  'eslint.config.js',
+  'index.html',
+  'package.json',
+  'README.md',
+  'tsconfig.app.json',
+  'tsconfig.json',
+  'tsconfig.node.json',
+  'vite.config.ts',
+  'scripts',
+];
+for (const name of uiStale) {
+  removeIfExists(path.join(PKG_ROOT, 'workframe-ui', name));
+}
+console.log('Canonical sync complete. Run bundle-workframe-ui.mjs next.');