openpalm 0.9.1 → 0.9.2

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "openpalm",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "type": "module",
   "license": "MPL-2.0",
   "description": "OpenPalm CLI — install and manage a self-hosted OpenPalm stack",
-    "repository": {
+  "repository": {
     "type": "git",
     "url": "https://github.com/itlackey/openpalm.git",
     "directory": "packages/cli"

package/src/main.test.ts

@@ -40,6 +40,8 @@ describe('cli main', () => {
   const originalDataHome = process.env.OPENPALM_DATA_HOME;
   const originalStateHome = process.env.OPENPALM_STATE_HOME;
   const originalWorkDir = process.env.OPENPALM_WORK_DIR;
+  const originalAdminToken = process.env.ADMIN_TOKEN;
+  const originalOpenPalmAdminToken = process.env.OPENPALM_ADMIN_TOKEN;
 
   afterEach(() => {
     globalThis.fetch = originalFetch;
@@ -49,6 +51,8 @@ describe('cli main', () => {
     process.env.OPENPALM_DATA_HOME = originalDataHome;
     process.env.OPENPALM_STATE_HOME = originalStateHome;
     process.env.OPENPALM_WORK_DIR = originalWorkDir;
+    process.env.ADMIN_TOKEN = originalAdminToken;
+    process.env.OPENPALM_ADMIN_TOKEN = originalOpenPalmAdminToken;
   });
 
   it('calls containers pull for update', async () => {
@@ -64,6 +68,51 @@ describe('cli main', () => {
     expect(calls).toEqual(['http://localhost:8100/admin/containers/pull']);
   });
 
+  it('uses ADMIN_TOKEN from the environment for admin requests', async () => {
+    const adminTokens: string[] = [];
+    process.env.ADMIN_TOKEN = 'env-admin-token';
+    delete process.env.OPENPALM_ADMIN_TOKEN;
+
+    globalThis.fetch = mock(async (_input: string | URL, init?: RequestInit) => {
+      const headers = new Headers(init?.headers);
+      adminTokens.push(headers.get('X-Admin-Token') ?? '');
+      return new Response('{"ok":true}', { status: 200 });
+    }) as typeof fetch;
+    console.log = mock(() => {}) as typeof console.log;
+
+    await main(['update']);
+
+    expect(adminTokens).toEqual(['env-admin-token']);
+  });
+
+  it('falls back to the legacy parent secrets.env for admin requests', async () => {
+    const base = mkdtempSync(join(tmpdir(), 'openpalm-config-'));
+    const configHome = join(base, 'openpalm');
+    const adminTokens: string[] = [];
+
+    mkdirSync(configHome, { recursive: true });
+    writeFileSync(join(configHome, 'secrets.env'), 'ADMIN_TOKEN=\n');
+    writeFileSync(join(base, 'secrets.env'), 'export ADMIN_TOKEN="legacy-admin-token"\n');
+
+    process.env.OPENPALM_CONFIG_HOME = configHome;
+    delete process.env.ADMIN_TOKEN;
+    delete process.env.OPENPALM_ADMIN_TOKEN;
+
+    globalThis.fetch = mock(async (_input: string | URL, init?: RequestInit) => {
+      const headers = new Headers(init?.headers);
+      adminTokens.push(headers.get('X-Admin-Token') ?? '');
+      return new Response('{"ok":true}', { status: 200 });
+    }) as typeof fetch;
+    console.log = mock(() => {}) as typeof console.log;
+
+    try {
+      await main(['update']);
+      expect(adminTokens).toEqual(['legacy-admin-token']);
+    } finally {
+      rmSync(base, { recursive: true, force: true });
+    }
+  });
+
   it('calls admin install when stack is already running', async () => {
     const calls: string[] = [];
     globalThis.fetch = mock(async (input: string | URL) => {

package/src/main.ts

@@ -1,12 +1,13 @@
 #!/usr/bin/env bun
 import { homedir, tmpdir } from 'node:os';
-import { join } from 'node:path';
+import { basename, dirname, join } from 'node:path';
 import { mkdir, unlink, copyFile, mkdtemp, rm } from 'node:fs/promises';
 import cliPkg from '../package.json' with { type: 'json' };
 
 const ADMIN_URL = process.env.OPENPALM_ADMIN_API_URL || 'http://localhost:8100';
 const REPO_OWNER = 'itlackey';
 const REPO_NAME = 'openpalm';
+const EXPORT_ENV_PREFIX = 'export ';
 
 const IS_WINDOWS = process.platform === 'win32';
 
@@ -134,25 +135,54 @@ async function loadAdminToken(): Promise<string> {
     return process.env.OPENPALM_ADMIN_TOKEN;
   }
 
-  const secretsPath = join(defaultConfigHome(), 'secrets.env');
+  if (process.env.ADMIN_TOKEN) {
+    return process.env.ADMIN_TOKEN;
+  }
+
+  const configHome = defaultConfigHome();
+  const secretsPaths = [join(configHome, 'secrets.env')];
+  if (basename(configHome) === 'openpalm') {
+    secretsPaths.push(join(dirname(configHome), 'secrets.env'));
+  }
+
+  for (const secretsPath of secretsPaths) {
+    const token = await readAdminTokenFromFile(secretsPath);
+    if (token) return token;
+  }
+
+  return '';
+}
+
+async function readAdminTokenFromFile(secretsPath: string): Promise<string | null> {
   try {
     const text = await Bun.file(secretsPath).text();
-    for (const line of text.split('\n')) {
+    for (const rawLine of text.split('\n')) {
+      const line = rawLine.trim();
       if (!line || line.startsWith('#')) continue;
-      const [key, ...rest] = line.split('=');
-      if (key === 'ADMIN_TOKEN') {
-        const value = rest.join('=').trim();
-        if (value.startsWith('"') && value.endsWith('"') && value.length >= 2) {
-          return value.slice(1, -1);
-        }
-        return value;
-      }
+      const lineWithoutExportPrefix = line.startsWith(EXPORT_ENV_PREFIX)
+        ? line.slice(EXPORT_ENV_PREFIX.length).trimStart()
+        : line;
+      const [key, ...rest] = lineWithoutExportPrefix.split('=');
+      if (key !== 'ADMIN_TOKEN') continue;
+      const value = unwrapQuotedEnvValue(rest.join('=').trim());
+      if (!value) return null;
+      return value;
     }
   } catch {
     // Best effort only.
   }
 
-  return '';
+  return null;
+}
+
+function unwrapQuotedEnvValue(value: string): string {
+  const isDoubleQuoted = value.startsWith('"') && value.endsWith('"');
+  const isSingleQuoted = value.startsWith('\'') && value.endsWith('\'');
+  if ((isDoubleQuoted || isSingleQuoted) && value.length >= 2) {
+    return value.slice(1, -1);
+  }
+
+  return value;
 }
 
 async function adminRequest(path: string, init?: RequestInit): Promise<unknown> {