openpalm 0.9.1 → 0.9.3

package/src/lib/docker.ts

@@ -0,0 +1,180 @@
+import { mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { defaultConfigHome, defaultStateHome } from './paths.ts';
+
+const REPO_OWNER = 'itlackey';
+const REPO_NAME = 'openpalm';
+
+/**
+ * Creates the full XDG directory tree required by the stack.
+ */
+export async function ensureDirectoryTree(
+  configHome: string,
+  dataHome: string,
+  stateHome: string,
+  workDir: string,
+): Promise<void> {
+  const dirs = [
+    configHome,
+    join(configHome, 'channels'),
+    join(configHome, 'assistant'),
+    join(configHome, 'automations'),
+    dataHome,
+    join(dataHome, 'admin'),
+    join(dataHome, 'memory'),
+    join(dataHome, 'assistant'),
+    join(dataHome, 'guardian'),
+    join(dataHome, 'caddy'),
+    join(dataHome, 'caddy', 'data'),
+    join(dataHome, 'caddy', 'config'),
+    join(dataHome, 'automations'),
+    join(dataHome, 'opencode'),
+    stateHome,
+    join(stateHome, 'artifacts'),
+    join(stateHome, 'audit'),
+    join(stateHome, 'artifacts', 'channels'),
+    join(stateHome, 'automations'),
+    join(stateHome, 'opencode'),
+    join(stateHome, 'bin'),
+    workDir,
+  ];
+
+  for (const dir of dirs) {
+    await mkdir(dir, { recursive: true });
+  }
+}
+
+/**
+ * Downloads an asset from a GitHub release, falling back to raw.githubusercontent.com.
+ */
+export async function fetchAsset(repoRef: string, filename: string): Promise<string> {
+  const releaseUrl = `https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download/${repoRef}/${filename}`;
+  const rawUrl = `https://raw.githubusercontent.com/${REPO_OWNER}/${REPO_NAME}/${repoRef}/assets/${filename}`;
+
+  const releaseResponse = await fetch(releaseUrl, { signal: AbortSignal.timeout(30000) });
+  if (releaseResponse.ok) {
+    return await releaseResponse.text();
+  }
+
+  const rawResponse = await fetch(rawUrl, { signal: AbortSignal.timeout(30000) });
+  if (rawResponse.ok) {
+    return await rawResponse.text();
+  }
+
+  throw new Error(`Failed to download ${filename} from ${repoRef}`);
+}
+
+/**
+ * Runs a `docker compose` command with inherited stdio. Throws on non-zero exit.
+ */
+export async function runDockerCompose(args: string[]): Promise<void> {
+  const proc = Bun.spawn(['docker', 'compose', ...args], {
+    stdout: 'inherit',
+    stderr: 'inherit',
+    stdin: 'inherit',
+  });
+  const code = await proc.exited;
+  if (code !== 0) {
+    throw new Error(`docker compose ${args.join(' ')} failed with exit code ${code}`);
+  }
+}
+
+/**
+ * Returns the standard compose flags for --project-name, -f, and --env-file.
+ */
+export function composeProjectArgs(): string[] {
+  const stateHome = defaultStateHome();
+  const configHome = defaultConfigHome();
+  return [
+    '--project-name',
+    'openpalm',
+    '-f',
+    join(stateHome, 'artifacts', 'docker-compose.yml'),
+    '--env-file',
+    join(configHome, 'secrets.env'),
+    '--env-file',
+    join(stateHome, 'artifacts', 'stack.env'),
+  ];
+}
+
+/**
+ * Ensures the opencode config and system config directories exist with defaults.
+ */
+export async function ensureOpenCodeConfig(configHome: string): Promise<void> {
+  const opencodeDir = join(configHome, 'assistant');
+  const configFile = join(opencodeDir, 'opencode.json');
+  if (!(await Bun.file(configFile).exists())) {
+    await Bun.write(configFile, '{\n  "$schema": "https://opencode.ai/config.json"\n}\n');
+  }
+  await mkdir(join(opencodeDir, 'tools'), { recursive: true });
+  await mkdir(join(opencodeDir, 'plugins'), { recursive: true });
+  await mkdir(join(opencodeDir, 'skills'), { recursive: true });
+}
+
+async function writeIfChanged(path: string, content: string): Promise<void> {
+  const file = Bun.file(path);
+  if (await file.exists()) {
+    const existing = await file.text();
+    if (existing === content) {
+      return;
+    }
+  }
+  await Bun.write(path, content);
+}
+
+export async function ensureOpenCodeSystemConfig(dataHome: string): Promise<void> {
+  const opencodeSystemDir = join(dataHome, 'assistant');
+  await mkdir(opencodeSystemDir, { recursive: true });
+
+  const systemConfig = join(opencodeSystemDir, 'opencode.jsonc');
+  const systemConfigContent =
+    JSON.stringify(
+      {
+        "$schema": "https://opencode.ai/config.json",
+        "plugin": ["@openpalm/assistant-tools", "akm-opencode"],
+        "permission": {
+          "read": {
+            "/home/opencode/.local/share/opencode/auth.json": "deny",
+            "/home/opencode/.local/share/opencode/mcp-auth.json": "deny"
+          }
+        }
+      },
+      null,
+      2,
+    ) + "\n";
+  await writeIfChanged(systemConfig, systemConfigContent);
+
+  const agentsFile = join(opencodeSystemDir, 'AGENTS.md');
+  // import.meta.dir = packages/cli/src/lib/ → need 4 levels up to reach repo root
+  const assetsAgentsPath = join(import.meta.dir, '..', '..', '..', '..', 'assets', 'AGENTS.md');
+  let agentsContent: string;
+  if (await Bun.file(assetsAgentsPath).exists()) {
+    agentsContent = await Bun.file(assetsAgentsPath).text();
+  } else {
+    agentsContent =
+      '# OpenPalm Assistant\n\n' +
+      'This file defines the assistant persona.\n' +
+      'It is seeded by the CLI on first install and managed by the admin on subsequent updates.\n';
+  }
+  await writeIfChanged(agentsFile, agentsContent);
+}
+
+/**
+ * Opens a URL in the user's default browser. Best-effort, never throws.
+ */
+export async function openBrowser(url: string): Promise<void> {
+  const platform = process.platform;
+  try {
+    if (platform === 'darwin') {
+      Bun.spawn(['open', url], { stdout: 'ignore', stderr: 'ignore' });
+      return;
+    }
+    if (platform === 'win32') {
+      Bun.spawn(['cmd', '/c', 'start', url], { stdout: 'ignore', stderr: 'ignore' });
+      return;
+    }
+    Bun.spawn(['xdg-open', url], { stdout: 'ignore', stderr: 'ignore' });
+  } catch {
+    // Best effort
+  }
+}

package/src/lib/env.ts

@@ -0,0 +1,196 @@
+import { basename, dirname, join } from 'node:path';
+import { defaultConfigHome, defaultDockerSock } from './paths.ts';
+
+const EXPORT_ENV_PREFIX = 'export ';
+
+/**
+ * Loads the admin token from environment variables or secrets.env file.
+ * Checks OPENPALM_ADMIN_TOKEN first, then ADMIN_TOKEN (legacy), then reads from
+ * CONFIG_HOME/secrets.env. Returns empty string if no token is found.
+ */
+export async function loadAdminToken(): Promise<string> {
+  if (process.env.OPENPALM_ADMIN_TOKEN) {
+    return process.env.OPENPALM_ADMIN_TOKEN;
+  }
+
+  if (process.env.ADMIN_TOKEN) {
+    return process.env.ADMIN_TOKEN;
+  }
+
+  const configHome = defaultConfigHome();
+  const secretsPaths = [join(configHome, 'secrets.env')];
+  if (basename(configHome) === 'openpalm') {
+    secretsPaths.push(join(dirname(configHome), 'secrets.env'));
+  }
+
+  for (const secretsPath of secretsPaths) {
+    const token = await readTokenFromFile(secretsPath, 'OPENPALM_ADMIN_TOKEN');
+    if (token) return token;
+    const legacyToken = await readTokenFromFile(secretsPath, 'ADMIN_TOKEN');
+    if (legacyToken) return legacyToken;
+  }
+
+  return '';
+}
+
+/**
+ * Reads a specific key from an env file. Handles `export` prefix and quoted values.
+ */
+async function readTokenFromFile(secretsPath: string, key: string): Promise<string | null> {
+  try {
+    const text = await Bun.file(secretsPath).text();
+    for (const rawLine of text.split('\n')) {
+      const line = rawLine.trim();
+      if (!line || line.startsWith('#')) continue;
+      const lineWithoutExportPrefix = line.startsWith(EXPORT_ENV_PREFIX)
+        ? line.slice(EXPORT_ENV_PREFIX.length).trimStart()
+        : line;
+      const [lineKey, ...rest] = lineWithoutExportPrefix.split('=');
+      if (lineKey !== key) continue;
+      const value = unwrapQuotedEnvValue(rest.join('=').trim());
+      if (!value) return null;
+      return value;
+    }
+  } catch {
+    // Best effort only.
+  }
+
+  return null;
+}
+
+export function unwrapQuotedEnvValue(value: string): string {
+  const isDoubleQuoted = value.startsWith('"') && value.endsWith('"');
+  const isSingleQuoted = value.startsWith('\'') && value.endsWith('\'');
+  if ((isDoubleQuoted || isSingleQuoted) && value.length >= 2) {
+    return value.slice(1, -1);
+  }
+
+  return value;
+}
+
+/**
+ * Upserts a key=value pair in env file content. If the key exists, replaces the line;
+ * otherwise appends a new line.
+ */
+export function upsertEnvValue(content: string, key: string, value: string): string {
+  const escapedKey = key.replace(/[|\\{}()[\]^$+*?.-]/g, '\\$&');
+  const pattern = new RegExp(`^((?:export\\s+)?)${escapedKey}=.*$`, 'm');
+  if (pattern.test(content)) {
+    // Preserve the `export ` prefix if the original line had one
+    return content.replace(pattern, `$1${key}=${value}`);
+  }
+
+  const line = `${key}=${value}`;
+  const suffix = content.endsWith('\n') || content.length === 0 ? '' : '\n';
+  return `${content}${suffix}${line}\n`;
+}
+
+export const RELEASE_TAG_REGEX = /^v?\d+\.\d+\.\d+(?:[-+](?:[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?$/;
+
+/**
+ * Normalizes a repository ref to an image tag. Returns null for non-release refs.
+ * E.g. "0.9.0" → "v0.9.0", "v0.9.0" → "v0.9.0", "main" → null.
+ */
+export function resolveRequestedImageTag(repoRef: string): string | null {
+  const trimmed = repoRef.trim();
+  if (!trimmed || trimmed === 'main') return null;
+  if (!RELEASE_TAG_REGEX.test(trimmed)) return null;
+  return trimmed.startsWith('v') ? trimmed : `v${trimmed}`;
+}
+
+/**
+ * Reconciles the OPENPALM_IMAGE_TAG value in stack.env content.
+ */
+export function reconcileStackEnvImageTag(
+  content: string,
+  repoRef: string,
+  explicitImageTag?: string,
+): string {
+  const desiredImageTag = explicitImageTag || resolveRequestedImageTag(repoRef);
+  if (!desiredImageTag) return content;
+  return upsertEnvValue(content, 'OPENPALM_IMAGE_TAG', desiredImageTag);
+}
+
+/**
+ * Seeds secrets.env with initial template.
+ * Uses `export` prefix so the file can be sourced in a shell and is still
+ * compatible with Docker Compose v2 `env_file`.
+ * Uses OPENPALM_ADMIN_TOKEN as the canonical variable name with a
+ * commented-out legacy ADMIN_TOKEN alias for backward compatibility.
+ */
+export async function ensureSecrets(configHome: string): Promise<void> {
+  const secretsPath = join(configHome, 'secrets.env');
+  if (await Bun.file(secretsPath).exists()) {
+    return;
+  }
+
+  const userId = process.env.USER || process.env.LOGNAME || process.env.USERNAME || 'default_user';
+  const content = `# OpenPalm Secrets — generated by openpalm install
+# All values are configured via the setup wizard.
+# This file is compatible with both \`source secrets.env\` and Docker Compose env_file.
+
+export OPENPALM_ADMIN_TOKEN=
+# Legacy alias — only needed if your compose file still references ADMIN_TOKEN:
+# export ADMIN_TOKEN=
+
+# LLM provider keys (configure at least one via the setup wizard)
+export OPENAI_API_KEY=
+export OPENAI_BASE_URL=
+# export ANTHROPIC_API_KEY=
+# export GROQ_API_KEY=
+# export MISTRAL_API_KEY=
+# export GOOGLE_API_KEY=
+
+# Memory
+export MEMORY_USER_ID=${userId}
+`;
+
+  await Bun.write(secretsPath, content);
+}
+
+/**
+ * Creates or updates the stack.env bootstrap file.
+ */
+export async function ensureStackEnv(
+  configHome: string,
+  dataHome: string,
+  stateHome: string,
+  workDir: string,
+  repoRef: string,
+): Promise<void> {
+  const dataStackEnv = join(dataHome, 'stack.env');
+  const stagedStackEnv = join(stateHome, 'artifacts', 'stack.env');
+  const explicitImageTag = process.env.OPENPALM_IMAGE_TAG;
+  const hasExplicitImageTag = explicitImageTag !== undefined && explicitImageTag !== '';
+  if (!(await Bun.file(dataStackEnv).exists())) {
+    const defaultImageTag = hasExplicitImageTag
+      ? explicitImageTag
+      : (resolveRequestedImageTag(repoRef) || 'latest');
+    const content = `# OpenPalm Stack Bootstrap — system-managed, do not edit
+OPENPALM_CONFIG_HOME=${configHome}
+OPENPALM_DATA_HOME=${dataHome}
+OPENPALM_STATE_HOME=${stateHome}
+OPENPALM_WORK_DIR=${workDir}
+OPENPALM_UID=${process.getuid?.() ?? 1000}
+OPENPALM_GID=${process.getgid?.() ?? 1000}
+OPENPALM_DOCKER_SOCK=${defaultDockerSock()}
+OPENPALM_IMAGE_NAMESPACE=${process.env.OPENPALM_IMAGE_NAMESPACE || 'openpalm'}
+OPENPALM_IMAGE_TAG=${defaultImageTag}
+`;
+    await Bun.write(dataStackEnv, content);
+  } else {
+    const current = await Bun.file(dataStackEnv).text();
+    const reconciled = reconcileStackEnvImageTag(
+      current,
+      repoRef,
+      hasExplicitImageTag ? explicitImageTag : undefined,
+    );
+    if (reconciled !== current) {
+      await Bun.write(dataStackEnv, reconciled);
+    }
+  }
+  await Bun.write(stagedStackEnv, Bun.file(dataStackEnv));
+
+  const stateSecrets = join(stateHome, 'artifacts', 'secrets.env');
+  await Bun.write(stateSecrets, Bun.file(join(configHome, 'secrets.env')));
+}

package/src/lib/host-info.ts

@@ -0,0 +1,47 @@
+export interface HostInfo {
+  platform: string;
+  arch: string;
+  docker: { available: boolean; running: boolean };
+  ollama: { running: boolean; url: string };
+  lmstudio: { running: boolean; url: string };
+  llamacpp: { running: boolean; url: string };
+  timestamp: string;
+}
+
+/**
+ * Detects host system information including platform, Docker availability,
+ * and local AI service endpoints.
+ */
+export async function detectHostInfo(): Promise<HostInfo> {
+  const dockerAvailable = Boolean(Bun.which('docker'));
+  let dockerRunning = false;
+  if (dockerAvailable) {
+    const proc = Bun.spawn(['docker', 'info'], { stdout: 'ignore', stderr: 'ignore' });
+    dockerRunning = (await proc.exited) === 0;
+  }
+
+  async function probeHttp(url: string): Promise<boolean> {
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(2000) });
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+
+  const [ollamaRunning, lmstudioRunning, llamacppRunning] = await Promise.all([
+    probeHttp('http://localhost:11434/api/tags'),
+    probeHttp('http://localhost:1234/v1/models'),
+    probeHttp('http://localhost:8080/health'),
+  ]);
+
+  return {
+    platform: process.platform,
+    arch: process.arch,
+    docker: { available: dockerAvailable, running: dockerRunning },
+    ollama: { running: ollamaRunning, url: 'http://localhost:11434' },
+    lmstudio: { running: lmstudioRunning, url: 'http://localhost:1234' },
+    llamacpp: { running: llamacppRunning, url: 'http://localhost:8080' },
+    timestamp: new Date().toISOString(),
+  };
+}

package/src/lib/paths.ts

@@ -0,0 +1,37 @@
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+export const IS_WINDOWS = process.platform === 'win32';
+
+export function defaultConfigHome(): string {
+  if (process.env.OPENPALM_CONFIG_HOME) return process.env.OPENPALM_CONFIG_HOME;
+  if (IS_WINDOWS) {
+    return join(process.env.APPDATA || join(homedir(), 'AppData', 'Roaming'), 'openpalm');
+  }
+  return join(homedir(), '.config', 'openpalm');
+}
+
+export function defaultDataHome(): string {
+  if (process.env.OPENPALM_DATA_HOME) return process.env.OPENPALM_DATA_HOME;
+  if (IS_WINDOWS) {
+    return join(process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local'), 'openpalm', 'data');
+  }
+  return join(homedir(), '.local', 'share', 'openpalm');
+}
+
+export function defaultStateHome(): string {
+  if (process.env.OPENPALM_STATE_HOME) return process.env.OPENPALM_STATE_HOME;
+  if (IS_WINDOWS) {
+    return join(process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local'), 'openpalm', 'state');
+  }
+  return join(homedir(), '.local', 'state', 'openpalm');
+}
+
+export function defaultDockerSock(): string {
+  if (process.env.OPENPALM_DOCKER_SOCK) return process.env.OPENPALM_DOCKER_SOCK;
+  return IS_WINDOWS ? '//./pipe/docker_engine' : '/var/run/docker.sock';
+}
+
+export function defaultWorkDir(): string {
+  return process.env.OPENPALM_WORK_DIR || join(homedir(), 'openpalm');
+}

package/src/lib/varlock.ts

@@ -0,0 +1,124 @@
+import { copyFile, mkdir, mkdtemp, unlink } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+const VARLOCK_VERSION = '0.4.0';
+
+const VARLOCK_CHECKSUMS: Record<string, string> = {
+  'varlock-linux-x64.tar.gz': '820295b271cece2679b2b9701b5285ce39354fc2f35797365fa36c70125f51ab',
+  'varlock-linux-arm64.tar.gz': 'e830baaa901b6389ecf281bdd2449bfaf7586e91fd3a7a038ec06f78e6fa92f8',
+  'varlock-macos-x64.tar.gz': 'e6abf0d97da8ff7c98b0e9044a8b71f48fbf74a0d7bfc2543a81575a07b7a03b',
+  'varlock-macos-arm64.tar.gz': '228e4c2666b9fa50a83a8713a848e7a0f0044d7fd7c9d441d43e6ebccad2f4a3',
+};
+
+function varlockArtifactName(): string {
+  const platformMap: Record<string, string> = {
+    linux: 'linux',
+    darwin: 'macos',
+  };
+  const archMap: Record<string, string> = {
+    x64: 'x64',
+    arm64: 'arm64',
+  };
+
+  const os = platformMap[process.platform];
+  const arch = archMap[process.arch];
+
+  if (!os || !arch) {
+    throw new Error(
+      `Unsupported platform/arch for varlock: ${process.platform}/${process.arch}. ` +
+        `Supported: linux/x64, linux/arm64, darwin/x64, darwin/arm64.`,
+    );
+  }
+
+  return `varlock-${os}-${arch}.tar.gz`;
+}
+
+/**
+ * Co-locate a schema and env file in a temp directory so varlock can discover them.
+ */
+export async function prepareVarlockDir(schemaPath: string, envPath: string): Promise<string> {
+  const dir = await mkdtemp(join(tmpdir(), 'varlock-'));
+  await copyFile(schemaPath, join(dir, '.env.schema'));
+  await copyFile(envPath, join(dir, '.env'));
+  return dir;
+}
+
+/**
+ * Downloads varlock binary and caches it in STATE_HOME/bin/.
+ * Skips download if binary already exists.
+ */
+export async function ensureVarlock(stateHome: string): Promise<string> {
+  const binDir = join(stateHome, 'bin');
+  const varlockBin = join(binDir, 'varlock');
+
+  if (await Bun.file(varlockBin).exists()) {
+    return varlockBin;
+  }
+
+  await mkdir(binDir, { recursive: true });
+
+  const artifact = varlockArtifactName();
+  const expectedHash = VARLOCK_CHECKSUMS[artifact];
+  if (!expectedHash) {
+    throw new Error(
+      `No SHA-256 checksum on record for ${artifact}. ` +
+        `Cannot verify download integrity.`,
+    );
+  }
+
+  const tarballUrl = `https://github.com/dmno-dev/varlock/releases/download/varlock%40${VARLOCK_VERSION}/${artifact}`;
+  const tarballPath = join(binDir, 'varlock.tar.gz');
+
+  const downloadProc = Bun.spawn(
+    ['curl', '-fsSL', '--retry', '5', '--retry-delay', '10', '--retry-all-errors', tarballUrl, '-o', tarballPath],
+    {
+      env: { ...process.env, HOME: process.env.HOME ?? '' },
+      stdout: 'inherit',
+      stderr: 'inherit',
+    },
+  );
+  const downloadCode = await downloadProc.exited;
+  if (downloadCode !== 0) {
+    throw new Error(`Failed to download varlock tarball (curl exited with code ${downloadCode})`);
+  }
+
+  const hasher = new Bun.CryptoHasher('sha256');
+  hasher.update(await Bun.file(tarballPath).arrayBuffer());
+  const actualHash = hasher.digest('hex');
+  if (actualHash !== expectedHash) {
+    try { await unlink(tarballPath); } catch { /* best effort */ }
+    throw new Error(
+      `varlock tarball SHA-256 verification failed — download may be corrupted.\n` +
+        `  Expected: ${expectedHash}\n` +
+        `  Actual:   ${actualHash}`,
+    );
+  }
+
+  const extractProc = Bun.spawn(
+    ['tar', 'xzf', tarballPath, '--strip-components=1', '-C', binDir],
+    {
+      env: { ...process.env, HOME: process.env.HOME ?? '' },
+      stdout: 'inherit',
+      stderr: 'inherit',
+    },
+  );
+  const extractCode = await extractProc.exited;
+  if (extractCode !== 0) {
+    throw new Error(`Failed to extract varlock tarball (tar exited with code ${extractCode})`);
+  }
+
+  try { await unlink(tarballPath); } catch { /* best effort */ }
+
+  const chmodProc = Bun.spawn(['chmod', '+x', varlockBin]);
+  const chmodCode = await chmodProc.exited;
+  if (chmodCode !== 0) {
+    throw new Error(`chmod +x failed for varlock binary (exit code ${chmodCode})`);
+  }
+
+  if (!(await Bun.file(varlockBin).exists())) {
+    throw new Error(`varlock binary not found at ${varlockBin} after install`);
+  }
+
+  return varlockBin;
+}