nemoris 0.1.0

package/src/memory/write-policy.js

@@ -0,0 +1,36 @@
+export function evaluateDurableWrite(candidate, policy, writesThisRun = 0) {
+  const reasons = [];
+
+  if (!policy?.allow_durable_writes) {
+    reasons.push("durable writes disabled");
+  }
+
+  if (policy?.max_writes_per_run != null && writesThisRun >= policy.max_writes_per_run) {
+    reasons.push("write budget exhausted");
+  }
+
+  const category = candidate.category || "unknown";
+  const allowed = policy?.categories?.allowed;
+  const blocked = policy?.categories?.blocked || [];
+
+  if (Array.isArray(allowed) && !allowed.includes(category)) {
+    reasons.push(`category not allowed: ${category}`);
+  }
+
+  if (blocked.includes(category)) {
+    reasons.push(`category blocked: ${category}`);
+  }
+
+  if (policy?.require_source_reference && (!candidate.sourceRefs || candidate.sourceRefs.length === 0)) {
+    reasons.push("source reference required");
+  }
+
+  if (policy?.require_write_reason && !candidate.reason) {
+    reasons.push("write reason required");
+  }
+
+  return {
+    accepted: reasons.length === 0,
+    reasons
+  };
+}

package/src/onboarding/aliases.js

@@ -0,0 +1,33 @@
+/**
+ * CLI command alias resolver.
+ *
+ * resolveAlias(command, args) returns the resolved args array for known
+ * aliases, or null for unknown commands.
+ *
+ * Real command handlers in cli-main.js now own start/stop/logs/restart.
+ * This alias layer only maps legacy convenience shorthands.
+ */
+
+/**
+ * @param {string} command
+ * @param {string[]} args
+ * @returns {string[] | null}
+ */
+export function resolveAlias(command, args) {
+  switch (command) {
+    case "status":
+      return ["runtime-status"];
+
+    case "run": {
+      const [jobName, ...rest] = args;
+      if (!jobName) return ["execute-job", "provider"];
+      return ["execute-job", jobName, "provider", ...rest];
+    }
+
+    case "runs":
+      return ["review-runs", "10"];
+
+    default:
+      return null;
+  }
+}

package/src/onboarding/auth/api-key.js

@@ -0,0 +1,224 @@
+/**
+ * Auth handlers: API key detection, validation, .env writing, and provider resolution.
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { buildAnthropicAuthHeaders } from "../../providers/anthropic.js";
+import { resolveInstallDir } from "../../auth/auth-profiles.js";
+
+// Env var names for each provider
+const ENV_VAR_MAP = {
+  anthropic: ["NEMORIS_ANTHROPIC_API_KEY", "ANTHROPIC_API_KEY"],
+  openai: ["NEMORIS_OPENAI_API_KEY", "OPENAI_API_KEY"],
+  openrouter: ["OPENROUTER_API_KEY"],
+};
+
+// Default paths to search for .env files (in priority order)
+function defaultSearchPaths() {
+  const installDir = resolveInstallDir();
+  return [
+    path.join(installDir, ".env"),
+    path.join(os.homedir(), ".nemoris", ".env"),
+    path.join(os.homedir(), ".openclaw", ".env"),
+  ];
+}
+
+/**
+ * Parse a .env file into a key/value map.
+ * Handles lines of the form KEY=value, ignoring comments and blank lines.
+ *
+ * @param {string} filePath
+ * @returns {Record<string, string>}
+ */
+function parseEnvFile(filePath) {
+  try {
+    const content = fs.readFileSync(filePath, "utf8");
+    const result = {};
+    for (const line of content.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const eqIdx = trimmed.indexOf("=");
+      if (eqIdx === -1) continue;
+      const key = trimmed.slice(0, eqIdx).trim();
+      const value = trimmed.slice(eqIdx + 1).trim();
+      if (key) result[key] = value;
+    }
+    return result;
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Detect existing API keys from environment variables and optional .env file search paths.
+ * Environment variables take priority over file values.
+ *
+ * @param {object} [options]
+ * @param {string[]} [options.searchPaths] - Ordered list of .env file paths to check
+ * @returns {{ anthropic: string|null, openai: string|null, openrouter: string|null }}
+ */
+export function detectExistingKeys({ searchPaths } = {}) {
+  const paths = searchPaths ?? defaultSearchPaths();
+  const fileEnv = {};
+  for (let i = paths.length - 1; i >= 0; i--) {
+    const parsed = parseEnvFile(paths[i]);
+    Object.assign(fileEnv, parsed);
+  }
+
+  const result = {};
+  for (const [provider, envVars] of Object.entries(ENV_VAR_MAP)) {
+    result[provider] = null;
+    for (const envVar of envVars) {
+      const value = process.env[envVar] || fileEnv[envVar] || null;
+      if (value) {
+        result[provider] = value;
+        break;
+      }
+    }
+  }
+  return result;
+}
+
+export function validateApiKeyFormat(provider, key) {
+  const token = String(key || "").trim();
+  if (!token) {
+    return { ok: false, error: "missing token" };
+  }
+
+  const rules = {
+    anthropic: {
+      prefixes: ["sk-ant-oat-", "sk-ant-api-", "sk-ant-"],
+      minLength: 16,
+      label: "Anthropic token"
+    },
+    openai: {
+      prefixes: ["sk-"],
+      minLength: 12,
+      label: "OpenAI API key"
+    },
+    openrouter: {
+      prefixes: ["sk-or-"],
+      minLength: 12,
+      label: "OpenRouter API key"
+    }
+  };
+
+  const rule = rules[provider];
+  if (!rule) {
+    return { ok: true };
+  }
+
+  if (!rule.prefixes.some((prefix) => token.startsWith(prefix))) {
+    return {
+      ok: false,
+      error: `${rule.label} must start with ${rule.prefixes.join(" or ")}`
+    };
+  }
+
+  if (token.length < rule.minLength) {
+    return {
+      ok: false,
+      error: `${rule.label} looks too short`
+    };
+  }
+
+  return { ok: true };
+}
+
+/**
+ * Validate an API key against a provider's health endpoint.
+ * Ollama is not validated here (no auth needed) — use ollama-detect.js instead.
+ *
+ * @param {"anthropic"|"openai"|"openrouter"} provider
+ * @param {string} key
+ * @param {object} [options]
+ * @param {Function} [options.fetchImpl]
+ * @returns {Promise<{ ok: boolean, status?: number, error?: string }>}
+ */
+export async function validateApiKey(provider, key, options = {}) {
+  if (provider === "ollama") {
+    return { ok: true };
+  }
+
+  const fetch = options.fetchImpl || globalThis.fetch;
+  const providerTargets = {
+    anthropic: {
+      url: "https://api.anthropic.com/v1/messages/count_tokens",
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...buildAnthropicAuthHeaders(key)
+      },
+      body: JSON.stringify({
+        model: "claude-haiku-4-5",
+        messages: [{ role: "user", content: "ping" }]
+      })
+    },
+    openai: {
+      url: "https://api.openai.com/v1/models",
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${key}`
+      }
+    },
+    openrouter: {
+      url: "https://openrouter.ai/api/v1/models",
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${key}`
+      }
+    }
+  };
+
+  const target = providerTargets[provider];
+  if (!target) {
+    throw new Error(`Unknown provider: ${provider}`);
+  }
+
+  try {
+    const response = await fetch(target.url, {
+      method: target.method,
+      headers: target.headers,
+      body: target.body,
+      signal: AbortSignal.timeout(10000)
+    });
+    return {
+      ok: response.ok,
+      status: response.status
+    };
+  } catch (error) {
+    return { ok: false, error: error.message };
+  }
+}
+
+/**
+ * Write or merge keys into an .env file at installDir/.env.
+ * Existing keys not being overwritten are preserved.
+ *
+ * @param {string} installDir - Directory where .env will be written
+ * @param {Record<string, string>} keys - Key/value pairs to write
+ */
+export function writeEnvFile(installDir, keys) {
+  const envPath = path.join(installDir, ".env");
+  const existing = parseEnvFile(envPath);
+  const merged = { ...existing, ...keys };
+  const lines = Object.entries(merged).map(([k, v]) => `${k}=${v}`);
+  fs.writeFileSync(envPath, lines.join("\n") + "\n", { encoding: "utf8", mode: 0o600 });
+}
+
+/**
+ * Determine which provider IDs to generate TOML configs for based on available keys.
+ *
+ * @param {{ anthropic?: string|null, openrouter?: string|null, openai?: string|null, ollama?: boolean }} keys
+ * @returns {string[]} Array of provider IDs (e.g. ["anthropic", "openrouter", "ollama"])
+ */
+export function resolveProviders(keys) {
+  const providers = [];
+  if (keys.anthropic) providers.push("anthropic");
+  if (keys.openrouter) providers.push("openrouter");
+  if (keys.openai) providers.push("openai");
+  if (keys.ollama) providers.push("ollama");
+  return providers;
+}

package/src/onboarding/auth/ollama-detect.js

@@ -0,0 +1,42 @@
+/**
+ * Ollama local instance detection.
+ * Probes localhost:11434/api/tags and returns model list metadata.
+ */
+
+import { inspectOutboundUrl, OUTBOUND_ADDRESS_POLICY } from "../../security/ssrf-check.js";
+
+/**
+ * Detect a running Ollama instance and enumerate available models.
+ *
+ * @param {object} [options]
+ * @param {Function} [options.fetchImpl] - Injectable fetch implementation (defaults to globalThis.fetch)
+ * @param {Function} [options.lookupImpl] - Injectable DNS lookup used for loopback verification
+ * @returns {Promise<{ ok: boolean, modelCount: number, models: string[] }>}
+ */
+export async function detectOllama({ fetchImpl, lookupImpl } = {}) {
+  const fetch = fetchImpl || globalThis.fetch;
+  const baseUrl = process.env.OLLAMA_HOST || "http://localhost:11434";
+  const url = `${baseUrl}/api/tags`;
+
+  try {
+    const inspection = await inspectOutboundUrl(url, {
+      lookupImpl,
+      addressPolicy: OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK,
+      loopbackOnlyMessage: `Ollama base URL must resolve to loopback only; refusing ${url}.`,
+    });
+    if (!inspection.ok) {
+      return { ok: false, modelCount: 0, models: [], error: inspection.reason };
+    }
+    const response = await fetch(url);
+    if (!response.ok) {
+      return { ok: false, modelCount: 0, models: [] };
+    }
+    const data = await response.json();
+    const models = Array.isArray(data?.models)
+      ? data.models.map((m) => m?.name || m?.model || null).filter(Boolean)
+      : [];
+    return { ok: true, modelCount: models.length, models };
+  } catch {
+    return { ok: false, modelCount: 0, models: [] };
+  }
+}

package/src/onboarding/clack-prompter.js

@@ -0,0 +1,77 @@
+import * as p from "@clack/prompts";
+
+export class SetupCancelledError extends Error {
+  constructor(message = "Setup cancelled.") {
+    super(message);
+    this.name = "SetupCancelledError";
+  }
+}
+
+function guardCancel(value) {
+  if (p.isCancel(value)) {
+    p.cancel("Setup cancelled.");
+    throw new SetupCancelledError();
+  }
+  return value;
+}
+
+function normalizeOptions(options = []) {
+  return options.map((option) => ({
+    value: option.value,
+    label: option.label,
+    ...(option.hint ? { hint: option.hint } : {}),
+  }));
+}
+
+export function createClackPrompter() {
+  return {
+    intro(message) {
+      p.intro(message);
+    },
+    outro(message) {
+      p.outro(message);
+    },
+    cancel(message = "Setup cancelled.") {
+      p.cancel(message);
+    },
+    note(message, title) {
+      p.note(message, title);
+    },
+    async confirm({ message, initialValue = false }) {
+      return guardCancel(await p.confirm({ message, initialValue }));
+    },
+    async select({ message, options, initialValue }) {
+      return guardCancel(await p.select({
+        message,
+        options: normalizeOptions(options),
+        initialValue,
+      }));
+    },
+    async multiselect({ message, options, initialValues = [], required = false }) {
+      const value = guardCancel(await p.multiselect({
+        message,
+        options: normalizeOptions(options),
+        initialValues,
+        required,
+      }));
+      return Array.isArray(value) ? value : [];
+    },
+    async text({ message, placeholder, initialValue, validate }) {
+      return guardCancel(await p.text({
+        message,
+        placeholder,
+        initialValue,
+        validate,
+      }));
+    },
+    async password({ message, validate }) {
+      return guardCancel(await p.password({
+        message,
+        validate,
+      }));
+    },
+    spinner() {
+      return p.spinner();
+    },
+  };
+}