npm - omegon - Versions diffs - 0.6.19 → 0.6.21 - Mend

omegon 0.6.19 → 0.6.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/extensions/01-auth/auth.ts +74 -0
package/extensions/bootstrap/deps.ts +82 -2
package/extensions/bootstrap/index.ts +9 -0
package/package.json +1 -1

package/extensions/01-auth/auth.ts CHANGED Viewed

@@ -317,6 +317,79 @@ const ociProvider: AuthProvider = {
 	},
 };
+const vaultProvider: AuthProvider = {
+	id: "vault",
+	name: "Vault",
+	cli: "vault",
+	tokenEnvVar: "VAULT_TOKEN",
+	refreshCommand: "vault login",
+	async check(pi, signal) {
+		// 1. Check CLI is installed
+		const which = await pi.exec("which", ["vault"], { signal, timeout: 3_000 });
+		if (which.code !== 0) {
+			return { provider: this.id, status: "missing", detail: "vault CLI not installed" };
+		}
+		// 2. Check VAULT_ADDR is configured — without it, no meaningful check is possible
+		const addr = process.env["VAULT_ADDR"];
+		if (!addr) {
+			return {
+				provider: this.id,
+				status: "none",
+				detail: "VAULT_ADDR not set",
+				refresh: this.refreshCommand,
+				secretHint: "VAULT_ADDR",
+			};
+		}
+		// 3. Run vault token lookup — read-only, returns token metadata (never the token itself)
+		// VAULT_TOKEN is read by the vault CLI from the environment; we never access it directly.
+		const result = await pi.exec("vault", ["token", "lookup", "-format=json"], { signal, timeout: 10_000 });
+		if (result.code === 0) {
+			try {
+				const data = JSON.parse(result.stdout.trim());
+				const tokenData = data?.data ?? {};
+				// Extract safe metadata — policies and expiry only, never the token value
+				const policies: string[] = tokenData.policies ?? [];
+				const displayName: string = tokenData.display_name ?? "";
+				const expireTime: string = tokenData.expire_time ?? "";
+				// Build a human-readable detail string
+				const parts: string[] = [];
+				if (displayName) parts.push(displayName);
+				if (policies.length > 0) parts.push(`policies: ${policies.filter(p => p !== "default").join(", ") || "default"}`);
+				if (expireTime) parts.push(`expires: ${expireTime.split("T")[0]}`);
+				else parts.push("no expiry");
+				return {
+					provider: this.id,
+					status: "ok",
+					detail: parts.join(" · ") || "authenticated",
+					refresh: this.refreshCommand,
+				};
+			} catch {
+				// JSON parse failed but command succeeded — still authenticated
+				return { provider: this.id, status: "ok", detail: "authenticated", refresh: this.refreshCommand };
+			}
+		}
+		// 4. Diagnose failure — truncate to 300 chars, never log token values
+		const output = (result.stdout + "\n" + result.stderr).trim();
+		const diag = diagnoseError(output);
+		return {
+			provider: this.id,
+			status: diag.status,
+			detail: `${addr} — ${diag.reason}`,
+			error: output.slice(0, 300),
+			refresh: this.refreshCommand,
+			secretHint: "VAULT_TOKEN",
+		};
+	},
+};
 // ─── Provider Registry ───────────────────────────────────────────
 /** All providers, ordered by typical check priority. */
@@ -327,6 +400,7 @@ export const ALL_PROVIDERS: AuthProvider[] = [
 	awsProvider,
 	kubernetesProvider,
 	ociProvider,
+	vaultProvider,
 ];
 export function findProvider(idOrName: string): AuthProvider | undefined {

package/extensions/bootstrap/deps.ts CHANGED Viewed

@@ -31,6 +31,12 @@ export interface Dep {
 	url?: string;
 	/** Dep IDs that must be installed first */
 	requires?: string[];
+	/**
+	 * Optional preflight check. If it returns a string, that string is a
+	 * blocking message shown to the operator explaining what they need to do
+	 * manually before this dep can be installed. Return undefined if ready.
+	 */
+	preflight?: () => string | undefined;
 }
 export interface InstallOption {
@@ -53,6 +59,12 @@ function ensureToolPaths(): void {
 		"/nix/var/nix/profiles/default/bin",
 		join(home, ".nix-profile", "bin"),
 		join(home, ".cargo", "bin"),
+		// Linuxbrew
+		"/home/linuxbrew/.linuxbrew/bin",
+		join(home, ".linuxbrew", "bin"),
+		// macOS Homebrew
+		"/opt/homebrew/bin",
+		"/usr/local/bin",
 	];
 	const current = process.env.PATH ?? "";
 	const parts = current.split(":");
@@ -63,6 +75,52 @@ function ensureToolPaths(): void {
 }
 ensureToolPaths();
+/** Detect ostree-based immutable Linux (Bazzite, Silverblue, Kinoite, Bluefin, etc.) */
+function isOstree(): boolean {
+	if (process.platform !== "linux") return false;
+	try {
+		execSync("which rpm-ostree", { stdio: "ignore" });
+		return true;
+	} catch {
+		return false;
+	}
+}
+/**
+ * On Fedora 42+ ostree systems, `/` is read-only by default (composefs).
+ * Nix needs to create `/nix` which requires `root.transient = true` in the
+ * ostree prepare-root config. Returns blocking instructions if not ready.
+ */
+function checkOstreeReadyForNix(): string | undefined {
+	// If /nix already exists, we're good (previous install or already configured)
+	if (existsSync("/nix")) return undefined;
+	// Check if root.transient is enabled
+	try {
+		const conf = execSync("cat /etc/ostree/prepare-root.conf 2>/dev/null", { encoding: "utf-8" });
+		if (/transient\s*=\s*true/i.test(conf)) return undefined;
+	} catch { /* file doesn't exist */ }
+	return [
+		"⚠️  Your system has a read-only root filesystem (ostree/composefs).",
+		"Nix needs `/nix` to exist, which requires enabling root.transient.",
+		"",
+		"Run these commands in your terminal, then reboot and run /bootstrap again:",
+		"",
+		"```",
+		"sudo tee /etc/ostree/prepare-root.conf <<'EOL'",
+		"[composefs]",
+		"enabled = yes",
+		"[root]",
+		"transient = true",
+		"EOL",
+		"",
+		"sudo rpm-ostree initramfs-etc --track=/etc/ostree/prepare-root.conf",
+		"systemctl reboot",
+		"```",
+	].join("\n");
+}
 function hasCmd(cmd: string): boolean {
 	try {
 		execSync(`which ${cmd}`, { stdio: "ignore" });
@@ -105,10 +163,19 @@ export const DEPS: Dep[] = [
 		tier: "core",
 		check: () => hasCmd("nix"),
 		install: [
-			// --no-confirm: headless (stdin is closed)
-			{ platform: "any", cmd: "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm" },
+			// Immutable ostree-based Linux (Bazzite, Silverblue, Bluefin, etc.)
+			// needs root.transient enabled and --persistence=/var/lib/nix so the
+			// nix store lives on a writable partition. The upstream installer uses
+			// the ostree planner automatically when it detects ostree.
+			{ platform: "linux", cmd: isOstree()
+				? "curl -sSfL https://install.determinate.systems/nix | sh -s -- install --no-confirm --persistence=/var/lib/nix"
+				: "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm" },
+			{ platform: "darwin", cmd: "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm" },
 		],
 		url: "https://zero-to-nix.com",
+		// On ostree systems, root.transient must be enabled first for /nix to be created.
+		// preflight returns instructions if the system isn't ready.
+		preflight: isOstree() ? checkOstreeReadyForNix : undefined,
 	},
 	{
 		id: "ollama",
@@ -138,6 +205,19 @@ export const DEPS: Dep[] = [
 	},
 	// --- Recommended: common workflows ---
+	{
+		id: "vault",
+		name: "Vault CLI",
+		purpose: "HashiCorp Vault authentication status checking and secret management",
+		usedBy: ["01-auth"],
+		tier: "optional",
+		check: () => hasCmd("vault"),
+		requires: ["nix"],
+		install: [
+			{ platform: "any", cmd: "nix profile install nixpkgs#vault" },
+		],
+		url: "https://developer.hashicorp.com/vault/install",
+	},
 	{
 		id: "gh",
 		name: "GitHub CLI",

package/extensions/bootstrap/index.ts CHANGED Viewed

@@ -1075,6 +1075,15 @@ async function installDeps(ctx: CommandContext, deps: DepStatus[]): Promise<void
 		const { dep } = sorted[i];
 		const step = `[${i + 1}/${total}]`;
+		// Preflight check — some deps need manual system prep before install
+		if (dep.preflight) {
+			const blocker = dep.preflight();
+			if (blocker) {
+				ctx.ui.notify(`\n${step} 🛑 ${dep.name} — manual setup required:\n\n${blocker}`);
+				continue;
+			}
+		}
 		// Check prerequisites — re-verify availability live (not from stale array)
 		if (dep.requires?.length) {
 			const unmet = dep.requires.filter((reqId) => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "omegon",
-	"version": "0.6.19",
+	"version": "0.6.21",
 	"description": "Omegon — an opinionated distribution of pi (by Mario Zechner) with extensions for lifecycle management, memory, orchestration, and visualization",
 	"bin": {
 		"omegon": "bin/omegon.mjs",