openpalm 0.10.2 → 0.11.0-beta.2

package/src/commands/scan.ts

@@ -1,47 +1,81 @@
 import { defineCommand } from 'citty';
 import { join } from 'node:path';
-import { rm } from 'node:fs/promises';
-import { resolveVaultDir } from '@openpalm/lib';
-import { ensureVarlock, prepareVarlockDir } from '../lib/varlock.ts';
+import { existsSync } from 'node:fs';
+import { resolveStackDir } from '@openpalm/lib';
+import { parseEnvFile, isSensitiveEnvKey } from '@openpalm/lib';
 
+/**
+ * `openpalm scan` — list sensitive env keys that carry a non-empty value
+ * in the live vault env files. Replaces the varlock-based scanner; the
+ * canonical inventory now lives in `akm vault` and the operator-managed
+ * `.env` files. Exits non-zero only on filesystem errors, never on the
+ * mere presence of secrets (that is the expected state).
+ *
+ * Output formats:
+ *   --format json    (default) machine-readable JSON
+ *                    { "files": [{ "path": "...", "keys": [{ "name": "...", "set": true }] }] }
+ *   --format human   grouped, one line per key:
+ *                    # /path/to/file.env
+ *                      KEY_NAME    set
+ */
 export default defineCommand({
   meta: {
     name: 'scan',
-    description: 'Scan codebase for leaked secrets (requires local user.env)',
+    description: 'List vault env keys whose name matches the secret pattern (_TOKEN/_SECRET/_KEY/_PASSWORD/_HMAC)',
   },
-  async run() {
-    const vaultDir = resolveVaultDir();
-
-    const schemaPath = join(vaultDir, 'user', 'user.env.schema');
-    const envPath = join(vaultDir, 'user', 'user.env');
-
-    if (!(await Bun.file(schemaPath).exists())) {
-      console.error(
-        `Error: vault/user/user.env.schema not found at ${schemaPath}.\nRun 'openpalm install' first.`,
-      );
-      process.exit(1);
+  args: {
+    format: {
+      type: 'string',
+      description: 'Output format: json (default) or human',
+      default: 'json',
+    },
+  },
+  async run({ args }) {
+    const format = String(args.format ?? 'json').toLowerCase();
+    if (format !== 'json' && format !== 'human') {
+      console.error(`Unknown --format value: ${args.format}. Expected 'json' or 'human'.`);
+      process.exit(2);
     }
 
-    if (!(await Bun.file(envPath).exists())) {
-      console.error(
-        `Error: user.env not found at ${envPath}.\nRun 'openpalm install' first.`,
-      );
-      process.exit(1);
-    }
+    const stackDir = resolveStackDir();
+    const targets = [
+      join(stackDir, 'stack.env'),
+      join(stackDir, 'guardian.env'),
+    ];
 
-    const varlockBin = await ensureVarlock();
+    type FileResult = { path: string; keys: Array<{ name: string; set: boolean }> };
+    const results: FileResult[] = [];
 
-    const tmpDir = await prepareVarlockDir(schemaPath, envPath);
-    let exitCode = 1;
-    try {
-      const proc = Bun.spawn([varlockBin, 'scan', '--path', `${tmpDir}/`], {
-        stdout: 'inherit',
-        stderr: 'inherit',
+    for (const path of targets) {
+      if (!existsSync(path)) continue;
+      const parsed = parseEnvFile(path);
+      const sensitive = Object.keys(parsed)
+        .filter((k) => isSensitiveEnvKey(k))
+        .sort();
+      if (sensitive.length === 0) continue;
+      results.push({
+        path,
+        keys: sensitive.map((name) => ({
+          name,
+          set: typeof parsed[name] === 'string' && parsed[name].length > 0,
+        })),
       });
-      exitCode = await proc.exited;
-    } finally {
-      await rm(tmpDir, { recursive: true, force: true });
     }
-    process.exit(exitCode);
+
+    if (format === 'json') {
+      console.log(JSON.stringify({ files: results }));
+    } else {
+      if (results.length === 0) {
+        console.log('No vault env files found. Run `openpalm install` first.');
+      } else {
+        for (const file of results) {
+          console.log(`# ${file.path}`);
+          for (const key of file.keys) {
+            console.log(`  ${key.name}\t${key.set ? 'set' : 'empty'}`);
+          }
+        }
+      }
+    }
+    process.exit(0);
   },
 });

package/src/commands/service.ts

@@ -1,6 +1,7 @@
 import { defineCommand } from 'citty';
+import { buildManagedServices } from '@openpalm/lib';
 import { ensureValidState } from '../lib/cli-state.ts';
-import { buildManagedServiceNames, runComposeWithPreflight, runComposeReadOnly } from '../lib/cli-compose.ts';
+import { runComposeWithPreflight, runComposeReadOnly } from '../lib/cli-compose.ts';
 import { runLogsAction } from './logs.ts';
 import { runStartAction } from './start.ts';
 import { runStopAction } from './stop.ts';
@@ -41,8 +42,8 @@ const logsCmd = defineCommand({
 const updateCmd = defineCommand({
   meta: { name: 'update', description: 'Pull latest images' },
   async run() {
-    const state = await ensureValidState();
-    const managedServices = await buildManagedServiceNames(state);
+    const state = ensureValidState();
+    const managedServices = await buildManagedServices(state);
     console.log('Pulling latest images...');
     await runComposeWithPreflight(state, ['pull', ...managedServices]);
     console.log('Recreating containers...');
@@ -54,7 +55,7 @@ const updateCmd = defineCommand({
 const statusCmd = defineCommand({
   meta: { name: 'status', description: 'Show container status' },
   async run() {
-    const state = await ensureValidState();
+    const state = ensureValidState();
     await runComposeReadOnly(state, ['ps', '--format', 'table']);
   },
 });

package/src/commands/start.ts

@@ -1,6 +1,7 @@
 import { defineCommand } from 'citty';
+import { buildManagedServices } from '@openpalm/lib';
 import { ensureValidState } from '../lib/cli-state.ts';
-import { buildManagedServiceNames, runComposeWithPreflight } from '../lib/cli-compose.ts';
+import { runComposeWithPreflight } from '../lib/cli-compose.ts';
 
 export default defineCommand({
   meta: {
@@ -25,14 +26,14 @@ export async function runStartAction(
 ): Promise<void> {
   if (services.length === 0) {
     // Stage artifacts and start all managed services (admin included if enabled)
-    const state = await ensureValidState();
-    const managedServices = await buildManagedServiceNames(state);
+    const state = ensureValidState();
+    const managedServices = await buildManagedServices(state);
     await runComposeWithPreflight(state, ['up', '-d', ...managedServices]);
     return;
   }
 
   // Start specific services
-  const state = await ensureValidState();
+  const state = ensureValidState();
   for (const service of services) {
     await runComposeWithPreflight(state, ['up', '-d', service]);
   }

package/src/commands/status.ts

@@ -8,7 +8,7 @@ export default defineCommand({
     description: 'Show container status',
   },
   async run() {
-    const state = await ensureValidState();
+    const state = ensureValidState();
     await runComposeReadOnly(state, ['ps', '--format', 'table']);
   },
 });

package/src/commands/stop.ts

@@ -22,14 +22,12 @@ export default defineCommand({
 
 export async function runStopAction(services: string[]): Promise<void> {
   if (services.length === 0) {
-    // Compose file list includes admin.yml when admin is enabled,
-    // so `down` tears down all services including admin/socket-proxy.
-    const state = await ensureValidState();
+    const state = ensureValidState();
     await runComposeWithPreflight(state, ['down']);
     return;
   }
 
-  const state = await ensureValidState();
+  const state = ensureValidState();
   for (const service of services) {
     await runComposeWithPreflight(state, ['stop', service]);
   }

package/src/commands/uninstall.ts

@@ -2,7 +2,7 @@ import { defineCommand } from 'citty';
 import { rmSync } from 'node:fs';
 import { ensureValidState } from '../lib/cli-state.ts';
 import { runComposeWithPreflight } from '../lib/cli-compose.ts';
-import { resolveConfigDir, resolveDataDir, resolveLogsDir, resolveVaultDir } from '@openpalm/lib';
+import { resolveConfigDir, resolveStateDir, resolveStashDir, resolveWorkspaceDir } from '@openpalm/lib';
 
 export default defineCommand({
   meta: {
@@ -22,14 +22,12 @@ export default defineCommand({
     },
   },
   async run({ args }) {
-    // Compose file list includes admin.yml when admin is enabled,
-    // so `down` tears down all services including admin/socket-proxy.
-    const state = await ensureValidState();
+    const state = ensureValidState();
     const downArgs = args.volumes || args.purge ? ['down', '-v'] : ['down'];
     await runComposeWithPreflight(state, downArgs);
 
     if (args.purge) {
-      const dirs = [resolveConfigDir(), resolveDataDir(), resolveLogsDir(), resolveVaultDir()];
+      const dirs = [resolveConfigDir(), resolveStateDir(), resolveStashDir(), resolveWorkspaceDir()];
       for (const dir of dirs) {
         console.log(`Removing ${dir}`);
         rmSync(dir, { recursive: true, force: true });

package/src/commands/update.ts

@@ -1,5 +1,5 @@
 import { defineCommand } from 'citty';
-import { performUpgrade } from '@openpalm/lib';
+import { performUpgrade, checkAndUpdateUiBuild } from '@openpalm/lib';
 import { ensureValidState } from '../lib/cli-state.ts';
 
 export default defineCommand({
@@ -13,7 +13,7 @@ export default defineCommand({
 });
 
 export async function runUpgradeAction(): Promise<void> {
-  const state = await ensureValidState();
+  const state = ensureValidState();
 
   console.log('Upgrading stack...');
   const result = await performUpgrade(state);
@@ -21,5 +21,22 @@ export async function runUpgradeAction(): Promise<void> {
   if (result.assetsUpdated.length > 0) {
     console.log(`Assets updated: ${result.assetsUpdated.join(', ')}`);
   }
+
+  // Check for a newer UI build on GitHub and install it if available.
+  // Passes the pre-upgrade image tag as the reference version so any newer
+  // release (including the one just upgraded to) triggers a download.
+  // Existing state/ui/ is backed up to state/backups/ui-{timestamp}/ before
+  // replacement. Non-fatal — existing build remains on any error.
+  const currentUiVersion = state.imageTag ?? '0.0.0';
+  console.log('Checking for UI build update...');
+  const uiResult = await checkAndUpdateUiBuild(currentUiVersion, state.stateDir);
+  if (uiResult.updated) {
+    console.log(`UI build updated to v${uiResult.latestVersion}.`);
+  } else if (uiResult.error) {
+    console.warn(`Warning: UI build update skipped — ${uiResult.error}. Existing build still active.`);
+  } else {
+    console.log(`UI build is current (v${uiResult.latestVersion}).`);
+  }
+
   console.log('Update complete.');
 }

package/src/commands/validate.ts

@@ -1,46 +1,28 @@
-import { defineCommand } from 'citty';
-import { join } from 'node:path';
-import { rm } from 'node:fs/promises';
-import { resolveVaultDir } from '@openpalm/lib';
-import { ensureVarlock, prepareVarlockDir } from '../lib/varlock.ts';
+import { defineCommand } from "citty";
+import { createState, validateProposedState } from "@openpalm/lib";
 
 export default defineCommand({
   meta: {
-    name: 'validate',
-    description: 'Validate configuration against schema',
+    name: "validate",
+    description: "Validate environment configuration (key presence + non-empty required slots)",
   },
   async run() {
-    const vaultDir = resolveVaultDir();
+    // Use createState() directly — validateProposedState only needs vaultDir,
+    // not the resolved compose artifacts ensureValidState() would pull in.
+    const state = createState();
+    const result = await validateProposedState(state);
 
-    const primarySchema = join(vaultDir, 'user', 'user.env.schema');
-    const envPath = join(vaultDir, 'user', 'user.env');
-
-    if (!(await Bun.file(primarySchema).exists())) {
-      console.error(
-        `Error: vault/user/user.env.schema not found at ${primarySchema}.\nRun 'openpalm install' first.`,
-      );
-      process.exit(1);
+    for (const warning of result.warnings) {
+      console.warn(warning);
     }
-
-    if (!(await Bun.file(envPath).exists())) {
-      console.error(
-        `Error: user.env not found at ${envPath}.\nRun 'openpalm install' first.`,
-      );
-      process.exit(1);
+    for (const err of result.errors) {
+      console.error(err);
     }
 
-    const varlockBin = await ensureVarlock();
-    const tmpDir = await prepareVarlockDir(primarySchema, envPath);
-    let exitCode = 1;
-    try {
-      const proc = Bun.spawn(
-        [varlockBin, 'load', '--path', `${tmpDir}/`],
-        { stdout: 'inherit', stderr: 'inherit' },
-      );
-      exitCode = await proc.exited;
-    } finally {
-      await rm(tmpDir, { recursive: true, force: true });
+    if (result.ok) {
+      console.log("Configuration OK.");
+      process.exit(0);
     }
-    process.exit(exitCode);
+    process.exit(1);
   },
 });