openpalm 0.9.2 → 0.9.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openpalm",
-  "version": "0.9.2",
+  "version": "0.9.4",
   "type": "module",
   "license": "MPL-2.0",
   "description": "OpenPalm CLI — install and manage a self-hosted OpenPalm stack",
@@ -22,5 +22,8 @@
     "build:darwin-arm64": "bun build src/main.ts --compile --target=bun-darwin-arm64 --outfile dist/openpalm-cli-darwin-arm64",
     "build:windows-x64": "bun build src/main.ts --compile --target=bun-windows-x64 --outfile dist/openpalm-cli-windows-x64.exe",
     "build:windows-arm64": "bun build src/main.ts --compile --target=bun-windows-arm64 --outfile dist/openpalm-cli-windows-arm64.exe"
+  },
+  "dependencies": {
+    "citty": "^0.2.1"
   }
 }

package/src/commands/install.ts

@@ -0,0 +1,170 @@
+import { defineCommand } from 'citty';
+import { join } from 'node:path';
+import { rm } from 'node:fs/promises';
+import cliPkg from '../../package.json' with { type: 'json' };
+import { defaultConfigHome, defaultDataHome, defaultStateHome, defaultWorkDir } from '../lib/paths.ts';
+import { ensureSecrets, ensureStackEnv } from '../lib/env.ts';
+import { ADMIN_URL, isStackRunning, adminRequest, waitForAdminHealthy } from '../lib/admin.ts';
+import { ensureDirectoryTree, fetchAsset, runDockerCompose, composeProjectArgs, ensureOpenCodeConfig, ensureOpenCodeSystemConfig, openBrowser } from '../lib/docker.ts';
+import { ensureVarlock, prepareVarlockDir } from '../lib/varlock.ts';
+import { detectHostInfo } from '../lib/host-info.ts';
+import { loadAdminToken } from '../lib/env.ts';
+
+const DEFAULT_INSTALL_REF = cliPkg.version ? `v${cliPkg.version}` : 'main';
+
+export default defineCommand({
+  meta: {
+    name: 'install',
+    description: 'Bootstrap XDG dirs, download assets, start admin + docker-socket-proxy, open setup wizard',
+  },
+  args: {
+    force: {
+      type: 'boolean',
+      description: 'Skip "already installed" check',
+      default: false,
+    },
+    version: {
+      type: 'string',
+      description: 'Install specific release ref (default: current CLI version)',
+      default: DEFAULT_INSTALL_REF,
+    },
+    start: {
+      type: 'boolean',
+      description: 'Start services after install (use --no-start to skip)',
+      default: true,
+    },
+    open: {
+      type: 'boolean',
+      description: 'Open browser after install (use --no-open to skip)',
+      default: true,
+    },
+  },
+  async run({ args }) {
+    // If the stack is already running AND we have a valid admin token,
+    // delegate to the admin API. Otherwise fall through to bootstrap.
+    if (await isStackRunning()) {
+      const token = await loadAdminToken();
+      if (token) {
+        console.log(JSON.stringify(await adminRequest('/admin/install', { method: 'POST' }), null, 2));
+        return;
+      }
+      // No token available — fall through to bootstrap install which doesn't need auth.
+      console.warn('Stack is running but no admin token is configured. Proceeding with bootstrap install.');
+    }
+
+    await bootstrapInstall({
+      force: args.force,
+      version: args.version,
+      noStart: !args.start,
+      noOpen: !args.open,
+    });
+  },
+});
+
+type InstallOptions = {
+  force: boolean;
+  version: string;
+  noStart: boolean;
+  noOpen: boolean;
+};
+
+export async function bootstrapInstall(options: InstallOptions): Promise<void> {
+  if (!Bun.which('docker')) {
+    throw new Error('Docker is not installed. Install Docker first: https://docs.docker.com/get-docker/');
+  }
+
+  const dockerInfo = Bun.spawn(['docker', 'info'], { stdout: 'ignore', stderr: 'ignore' });
+  if ((await dockerInfo.exited) !== 0) {
+    throw new Error('Docker is not running (or current user lacks permission). Start Docker and retry.');
+  }
+
+  const composeVersion = Bun.spawn(['docker', 'compose', 'version'], { stdout: 'ignore', stderr: 'ignore' });
+  if ((await composeVersion.exited) !== 0) {
+    throw new Error('Docker Compose v2 is required. Install it: https://docs.docker.com/compose/install/');
+  }
+
+  const configHome = defaultConfigHome();
+  const dataHome = defaultDataHome();
+  const stateHome = defaultStateHome();
+  const workDir = defaultWorkDir();
+
+  const secretsPath = join(configHome, 'secrets.env');
+  const updateMode = await Bun.file(secretsPath).exists();
+  if (updateMode && !options.force) {
+    throw new Error('OpenPalm appears to already be installed. Re-run install with --force to continue.');
+  }
+
+  await ensureDirectoryTree(configHome, dataHome, stateHome, workDir);
+
+  // Detect host system info (non-fatal)
+  try {
+    const hostInfo = await detectHostInfo();
+    await Bun.write(join(dataHome, 'host.json'), JSON.stringify(hostInfo, null, 2) + '\n');
+  } catch {
+    // Host detection failure is non-fatal
+  }
+
+  const composeContent = await fetchAsset(options.version, 'docker-compose.yml');
+  const caddyContent = await fetchAsset(options.version, 'Caddyfile');
+  await Bun.write(join(dataHome, 'docker-compose.yml'), composeContent);
+  await Bun.write(join(dataHome, 'caddy', 'Caddyfile'), caddyContent);
+  await Bun.write(join(stateHome, 'artifacts', 'docker-compose.yml'), composeContent);
+  await Bun.write(join(stateHome, 'artifacts', 'Caddyfile'), caddyContent);
+
+  const secretsSchemaContent = await fetchAsset(options.version, 'secrets.env.schema');
+  const stackSchemaContent = await fetchAsset(options.version, 'stack.env.schema');
+  await Bun.write(join(stateHome, 'artifacts', 'secrets.env.schema'), secretsSchemaContent);
+  await Bun.write(join(stateHome, 'artifacts', 'stack.env.schema'), stackSchemaContent);
+
+  await ensureSecrets(configHome);
+  await ensureStackEnv(configHome, dataHome, stateHome, workDir, options.version);
+  await ensureOpenCodeConfig(configHome);
+  await ensureOpenCodeSystemConfig(dataHome);
+
+  // Non-fatal validation
+  try {
+    const varlockBin = await ensureVarlock(stateHome);
+    const schemaPath = join(stateHome, 'artifacts', 'secrets.env.schema');
+    const envPath = join(configHome, 'secrets.env');
+    if (await Bun.file(schemaPath).exists()) {
+      const tmpDir = await prepareVarlockDir(schemaPath, envPath);
+      try {
+        const proc = Bun.spawn([varlockBin, 'load', '--path', `${tmpDir}/`], {
+          stdout: 'ignore',
+          stderr: 'ignore',
+        });
+        const code = await proc.exited;
+        if (code === 0) {
+          console.log('Configuration validated.');
+        } else {
+          console.warn('Configuration has validation warnings (non-fatal on first install).');
+        }
+      } finally {
+        await rm(tmpDir, { recursive: true, force: true });
+      }
+    }
+  } catch {
+    // Varlock install/execution failures are non-fatal during install
+  }
+
+  if (options.noStart) {
+    console.log('OpenPalm files prepared. Run `openpalm start` to start services.');
+    return;
+  }
+
+  await runDockerCompose([
+    ...composeProjectArgs(),
+    'up',
+    '-d',
+    'docker-socket-proxy',
+    'admin',
+  ]);
+
+  await waitForAdminHealthy();
+  const targetUrl = updateMode ? `${ADMIN_URL}/` : `${ADMIN_URL}/setup`;
+  if (!options.noOpen) {
+    await openBrowser(targetUrl);
+  }
+
+  console.log(JSON.stringify({ ok: true, mode: updateMode ? 'update' : 'install', url: targetUrl }, null, 2));
+}

package/src/commands/logs.ts

@@ -0,0 +1,36 @@
+import { defineCommand } from 'citty';
+import { composeProjectArgs } from '../lib/docker.ts';
+
+export async function runLogsAction(services: string[]): Promise<void> {
+  const composeArgs = [
+    'compose',
+    ...composeProjectArgs(),
+    'logs',
+    '--tail',
+    '100',
+    ...services,
+  ];
+
+  const proc = Bun.spawn(['docker', ...composeArgs], { stdout: 'inherit', stderr: 'inherit', stdin: 'inherit' });
+  const exitCode = await proc.exited;
+  if (exitCode !== 0) {
+    throw new Error(`Docker compose logs command failed (exit code ${exitCode})`);
+  }
+}
+
+export default defineCommand({
+  meta: {
+    name: 'logs',
+    description: 'Tail last 100 log lines for services',
+  },
+  args: {
+    services: {
+      type: 'positional',
+      description: 'Service names (omit for all)',
+      required: false,
+    },
+  },
+  async run({ args }) {
+    await runLogsAction(args._ ?? []);
+  },
+});

package/src/commands/restart.ts

@@ -0,0 +1,43 @@
+import { defineCommand } from 'citty';
+import { adminRequest, getServiceNames } from '../lib/admin.ts';
+
+export default defineCommand({
+  meta: {
+    name: 'restart',
+    description: 'Restart services (all or named)',
+  },
+  args: {
+    services: {
+      type: 'positional',
+      description: 'Service names to restart (omit for all)',
+      required: false,
+    },
+  },
+  async run({ args }) {
+    const services = args._ ?? [];
+    await runRestartAction(services);
+  },
+});
+
+export async function runRestartAction(services: string[]): Promise<void> {
+  if (services.length === 0) {
+    const status = await adminRequest('/admin/containers/list');
+    const serviceNames = getServiceNames(status);
+    for (const service of serviceNames) {
+      const result = await adminRequest('/admin/containers/restart', {
+        method: 'POST',
+        body: JSON.stringify({ service }),
+      });
+      console.log(JSON.stringify(result, null, 2));
+    }
+    return;
+  }
+
+  for (const service of services) {
+    const result = await adminRequest('/admin/containers/restart', {
+      method: 'POST',
+      body: JSON.stringify({ service }),
+    });
+    console.log(JSON.stringify(result, null, 2));
+  }
+}

package/src/commands/scan.ts

@@ -0,0 +1,48 @@
+import { defineCommand } from 'citty';
+import { join } from 'node:path';
+import { rm } from 'node:fs/promises';
+import { defaultConfigHome, defaultStateHome } from '../lib/paths.ts';
+import { ensureVarlock, prepareVarlockDir } from '../lib/varlock.ts';
+
+export default defineCommand({
+  meta: {
+    name: 'scan',
+    description: 'Scan codebase for leaked secrets (requires local secrets.env)',
+  },
+  async run() {
+    const stateHome = defaultStateHome();
+    const configHome = defaultConfigHome();
+
+    const schemaPath = join(stateHome, 'artifacts', 'secrets.env.schema');
+    const envPath = join(configHome, 'secrets.env');
+
+    if (!(await Bun.file(schemaPath).exists())) {
+      console.error(
+        `Error: secrets.env.schema not found at ${schemaPath}.\nRun 'openpalm install' first to stage schema files.`,
+      );
+      process.exit(1);
+    }
+
+    if (!(await Bun.file(envPath).exists())) {
+      console.error(
+        `Error: secrets.env not found at ${envPath}.\nRun 'openpalm install' first.`,
+      );
+      process.exit(1);
+    }
+
+    const varlockBin = await ensureVarlock(stateHome);
+
+    const tmpDir = await prepareVarlockDir(schemaPath, envPath);
+    let exitCode = 1;
+    try {
+      const proc = Bun.spawn([varlockBin, 'scan', '--path', `${tmpDir}/`], {
+        stdout: 'inherit',
+        stderr: 'inherit',
+      });
+      exitCode = await proc.exited;
+    } finally {
+      await rm(tmpDir, { recursive: true, force: true });
+    }
+    process.exit(exitCode);
+  },
+});

package/src/commands/service.ts

@@ -0,0 +1,67 @@
+import { defineCommand } from 'citty';
+import { adminRequest } from '../lib/admin.ts';
+import { runLogsAction } from './logs.ts';
+import { runStartAction } from './start.ts';
+import { runStopAction } from './stop.ts';
+import { runRestartAction } from './restart.ts';
+
+const startCmd = defineCommand({
+  meta: { name: 'start', description: 'Start services' },
+  args: {
+    services: { type: 'positional', description: 'Service names', required: false },
+  },
+  async run({ args }) { await runStartAction(args._ ?? []); },
+});
+
+const stopCmd = defineCommand({
+  meta: { name: 'stop', description: 'Stop services' },
+  args: {
+    services: { type: 'positional', description: 'Service names', required: false },
+  },
+  async run({ args }) { await runStopAction(args._ ?? []); },
+});
+
+const restartCmd = defineCommand({
+  meta: { name: 'restart', description: 'Restart services' },
+  args: {
+    services: { type: 'positional', description: 'Service names', required: false },
+  },
+  async run({ args }) { await runRestartAction(args._ ?? []); },
+});
+
+const logsCmd = defineCommand({
+  meta: { name: 'logs', description: 'View service logs' },
+  args: {
+    services: { type: 'positional', description: 'Service names', required: false },
+  },
+  async run({ args }) { await runLogsAction(args._ ?? []); },
+});
+
+const updateCmd = defineCommand({
+  meta: { name: 'update', description: 'Pull latest images' },
+  async run() {
+    console.log(JSON.stringify(await adminRequest('/admin/containers/pull', { method: 'POST' }), null, 2));
+  },
+});
+
+const statusCmd = defineCommand({
+  meta: { name: 'status', description: 'Show container status' },
+  async run() {
+    console.log(JSON.stringify(await adminRequest('/admin/containers/list'), null, 2));
+  },
+});
+
+export default defineCommand({
+  meta: {
+    name: 'service',
+    description: 'Service lifecycle operations (start|stop|restart|logs|update|status)',
+  },
+  subCommands: {
+    start: startCmd,
+    stop: stopCmd,
+    restart: restartCmd,
+    logs: logsCmd,
+    update: updateCmd,
+    status: statusCmd,
+  },
+});

package/src/commands/start.ts

@@ -0,0 +1,48 @@
+import { defineCommand } from 'citty';
+import { adminRequest, isStackRunning } from '../lib/admin.ts';
+import { loadAdminToken } from '../lib/env.ts';
+import { runDockerCompose, composeProjectArgs } from '../lib/docker.ts';
+
+export default defineCommand({
+  meta: {
+    name: 'start',
+    description: 'Start services (all or named)',
+  },
+  args: {
+    services: {
+      type: 'positional',
+      description: 'Service names to start (omit for all)',
+      required: false,
+    },
+  },
+  async run({ args }) {
+    const services = args._ ?? [];
+    await runStartAction(services);
+  },
+});
+
+export async function runStartAction(services: string[]): Promise<void> {
+  if (services.length === 0) {
+    // If admin is reachable and we have a token, use the admin API.
+    // Otherwise fall back to docker compose up directly — this handles
+    // the fresh-install case where no token exists yet.
+    const running = await isStackRunning();
+    const token = await loadAdminToken();
+    if (running && token) {
+      console.log(JSON.stringify(await adminRequest('/admin/install', { method: 'POST' }), null, 2));
+      return;
+    }
+
+    // Direct docker compose — works without auth
+    await runDockerCompose([...composeProjectArgs(), 'up', '-d']);
+    return;
+  }
+
+  for (const service of services) {
+    const result = await adminRequest('/admin/containers/up', {
+      method: 'POST',
+      body: JSON.stringify({ service }),
+    });
+    console.log(JSON.stringify(result, null, 2));
+  }
+}

package/src/commands/status.ts

@@ -0,0 +1,12 @@
+import { defineCommand } from 'citty';
+import { adminRequest } from '../lib/admin.ts';
+
+export default defineCommand({
+  meta: {
+    name: 'status',
+    description: 'Show container status',
+  },
+  async run() {
+    console.log(JSON.stringify(await adminRequest('/admin/containers/list'), null, 2));
+  },
+});

package/src/commands/stop.ts

@@ -0,0 +1,45 @@
+import { defineCommand } from 'citty';
+import { adminRequest, isStackRunning } from '../lib/admin.ts';
+import { loadAdminToken } from '../lib/env.ts';
+import { runDockerCompose, composeProjectArgs } from '../lib/docker.ts';
+
+export default defineCommand({
+  meta: {
+    name: 'stop',
+    description: 'Stop services (all or named)',
+  },
+  args: {
+    services: {
+      type: 'positional',
+      description: 'Service names to stop (omit for all)',
+      required: false,
+    },
+  },
+  async run({ args }) {
+    const services = args._ ?? [];
+    await runStopAction(services);
+  },
+});
+
+export async function runStopAction(services: string[]): Promise<void> {
+  if (services.length === 0) {
+    const running = await isStackRunning();
+    const token = await loadAdminToken();
+    if (running && token) {
+      console.log(JSON.stringify(await adminRequest('/admin/uninstall', { method: 'POST' }), null, 2));
+      return;
+    }
+
+    // Direct docker compose — works without auth
+    await runDockerCompose([...composeProjectArgs(), 'down']);
+    return;
+  }
+
+  for (const service of services) {
+    const result = await adminRequest('/admin/containers/down', {
+      method: 'POST',
+      body: JSON.stringify({ service }),
+    });
+    console.log(JSON.stringify(result, null, 2));
+  }
+}

package/src/commands/uninstall.ts

@@ -0,0 +1,12 @@
+import { defineCommand } from 'citty';
+import { adminRequest } from '../lib/admin.ts';
+
+export default defineCommand({
+  meta: {
+    name: 'uninstall',
+    description: 'Stop and remove the OpenPalm stack (preserves config and data)',
+  },
+  async run() {
+    console.log(JSON.stringify(await adminRequest('/admin/uninstall', { method: 'POST' }), null, 2));
+  },
+});

package/src/commands/update.ts

@@ -0,0 +1,12 @@
+import { defineCommand } from 'citty';
+import { adminRequest } from '../lib/admin.ts';
+
+export default defineCommand({
+  meta: {
+    name: 'update',
+    description: 'Pull latest images and recreate containers',
+  },
+  async run() {
+    console.log(JSON.stringify(await adminRequest('/admin/containers/pull', { method: 'POST' }), null, 2));
+  },
+});

package/src/commands/validate.ts

@@ -0,0 +1,47 @@
+import { defineCommand } from 'citty';
+import { join } from 'node:path';
+import { rm } from 'node:fs/promises';
+import { defaultConfigHome, defaultStateHome } from '../lib/paths.ts';
+import { ensureVarlock, prepareVarlockDir } from '../lib/varlock.ts';
+
+export default defineCommand({
+  meta: {
+    name: 'validate',
+    description: 'Validate configuration against schema',
+  },
+  async run() {
+    const stateHome = defaultStateHome();
+    const configHome = defaultConfigHome();
+
+    const primarySchema = join(stateHome, 'artifacts', 'secrets.env.schema');
+    const envPath = join(configHome, 'secrets.env');
+
+    if (!(await Bun.file(primarySchema).exists())) {
+      console.error(
+        `Error: secrets.env.schema not found at ${primarySchema}.\nRun 'openpalm install' first to stage schema files.`,
+      );
+      process.exit(1);
+    }
+
+    if (!(await Bun.file(envPath).exists())) {
+      console.error(
+        `Error: secrets.env not found at ${envPath}.\nRun 'openpalm install' first.`,
+      );
+      process.exit(1);
+    }
+
+    const varlockBin = await ensureVarlock(stateHome);
+    const tmpDir = await prepareVarlockDir(primarySchema, envPath);
+    let exitCode = 1;
+    try {
+      const proc = Bun.spawn(
+        [varlockBin, 'load', '--path', `${tmpDir}/`],
+        { stdout: 'inherit', stderr: 'inherit' },
+      );
+      exitCode = await proc.exited;
+    } finally {
+      await rm(tmpDir, { recursive: true, force: true });
+    }
+    process.exit(exitCode);
+  },
+});

package/src/lib/admin.ts

@@ -0,0 +1,82 @@
+import { loadAdminToken } from './env.ts';
+
+export const ADMIN_URL = process.env.OPENPALM_ADMIN_API_URL || 'http://localhost:8100';
+
+/**
+ * Returns true if the admin health endpoint is reachable.
+ */
+export async function isStackRunning(): Promise<boolean> {
+  try {
+    const response = await fetch(`${ADMIN_URL}/health`, {
+      method: 'GET',
+      signal: AbortSignal.timeout(2000),
+    });
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Makes an authenticated request to the admin API.
+ * Throws if the response is not ok.
+ */
+export async function adminRequest(path: string, init?: RequestInit): Promise<unknown> {
+  const token = await loadAdminToken();
+  if (!token) {
+    throw new Error(
+      'No admin token found. Set OPENPALM_ADMIN_TOKEN in your environment or ' +
+      `configure it in secrets.env via the setup wizard (${ADMIN_URL}/setup).`,
+    );
+  }
+  const response = await fetch(`${ADMIN_URL}${path}`, {
+    ...init,
+    headers: {
+      'Content-Type': 'application/json',
+      'X-Requested-By': 'cli',
+      'X-Admin-Token': token,
+      ...init?.headers,
+    },
+    signal: init?.signal ?? AbortSignal.timeout(120_000),
+  });
+
+  const text = await response.text();
+  if (!response.ok) {
+    throw new Error(text || `${response.status} ${response.statusText}`);
+  }
+
+  if (!text) return { ok: true };
+  try {
+    return JSON.parse(text) as unknown;
+  } catch {
+    return text;
+  }
+}
+
+/**
+ * Waits for the admin health endpoint to become healthy (up to 120s).
+ */
+export async function waitForAdminHealthy(): Promise<void> {
+  const started = Date.now();
+  while (Date.now() - started < 120_000) {
+    if (await isStackRunning()) {
+      return;
+    }
+    await Bun.sleep(3000);
+  }
+  throw new Error('Admin did not become healthy within 120 seconds');
+}
+
+/**
+ * Extracts service names from an admin containers/list response.
+ */
+export function getServiceNames(status: unknown): string[] {
+  if (!status || typeof status !== 'object' || !('containers' in status)) {
+    return [];
+  }
+  const containers = (status as { containers?: unknown }).containers;
+  if (!containers || typeof containers !== 'object') {
+    return [];
+  }
+  return Object.keys(containers as Record<string, unknown>);
+}