openpalm 0.9.3 → 0.9.5

package/src/commands/uninstall.ts

@@ -1,12 +1,37 @@
 import { defineCommand } from 'citty';
-import { adminRequest } from '../lib/admin.ts';
+import { tryAdminRequest } from '../lib/admin.ts';
+import { runDockerCompose } from '../lib/docker.ts';
+import { ensureStagedState, fullComposeArgs } from '../lib/staging.ts';
 
 export default defineCommand({
   meta: {
     name: 'uninstall',
     description: 'Stop and remove the OpenPalm stack (preserves config and data)',
   },
-  async run() {
-    console.log(JSON.stringify(await adminRequest('/admin/uninstall', { method: 'POST' }), null, 2));
+  args: {
+    volumes: {
+      type: 'boolean',
+      description: 'Also remove Docker volumes',
+      default: false,
+    },
+  },
+  async run({ args }) {
+    // Try admin delegation first
+    const adminResult = await tryAdminRequest('/admin/uninstall', { method: 'POST' });
+    if (adminResult !== null) {
+      console.log(JSON.stringify(adminResult, null, 2));
+      return;
+    }
+
+    // Direct compose down — include admin profile to tear down all services
+    const state = await ensureStagedState();
+    const composeArgs = fullComposeArgs(state);
+    const downArgs = args.volumes ? ['down', '-v'] : ['down'];
+    await runDockerCompose([...composeArgs, '--profile', 'admin', ...downArgs]);
+
+    console.log('OpenPalm stack stopped and removed.');
+    if (!args.volumes) {
+      console.log('Config and data directories are preserved. Use --volumes to also remove Docker volumes.');
+    }
   },
 });

package/src/commands/update.ts

@@ -1,5 +1,7 @@
 import { defineCommand } from 'citty';
-import { adminRequest } from '../lib/admin.ts';
+import { tryAdminRequest } from '../lib/admin.ts';
+import { runDockerCompose } from '../lib/docker.ts';
+import { ensureStagedState, fullComposeArgs, buildManagedServiceNames } from '../lib/staging.ts';
 
 export default defineCommand({
   meta: {
@@ -7,6 +9,24 @@ export default defineCommand({
     description: 'Pull latest images and recreate containers',
   },
   async run() {
-    console.log(JSON.stringify(await adminRequest('/admin/containers/pull', { method: 'POST' }), null, 2));
+    // Try admin delegation first
+    const adminResult = await tryAdminRequest('/admin/containers/pull', { method: 'POST' });
+    if (adminResult !== null) {
+      console.log(JSON.stringify(adminResult, null, 2));
+      return;
+    }
+
+    // Direct compose: pull + recreate
+    const state = await ensureStagedState();
+    const composeArgs = fullComposeArgs(state);
+    const managedServices = buildManagedServiceNames(state);
+
+    console.log('Pulling latest images...');
+    await runDockerCompose([...composeArgs, 'pull', ...managedServices]);
+
+    console.log('Recreating containers...');
+    await runDockerCompose([...composeArgs, 'up', '-d', '--force-recreate', ...managedServices]);
+
+    console.log('Update complete.');
   },
 });

package/src/lib/admin.ts

@@ -5,7 +5,7 @@ export const ADMIN_URL = process.env.OPENPALM_ADMIN_API_URL || 'http://localhost
 /**
  * Returns true if the admin health endpoint is reachable.
  */
-export async function isStackRunning(): Promise<boolean> {
+export async function isAdminReachable(): Promise<boolean> {
   try {
     const response = await fetch(`${ADMIN_URL}/health`, {
       method: 'GET',
@@ -17,6 +17,11 @@ export async function isStackRunning(): Promise<boolean> {
   }
 }
 
+/**
+ * @deprecated Use isAdminReachable() instead. Kept for backward compatibility.
+ */
+export const isStackRunning = isAdminReachable;
+
 /**
  * Makes an authenticated request to the admin API.
  * Throws if the response is not ok.
@@ -53,13 +58,33 @@ export async function adminRequest(path: string, init?: RequestInit): Promise<un
   }
 }
 
+/**
+ * Try to delegate an operation to the admin API.
+ * Returns the result if admin is reachable and has a valid token.
+ * Returns null if admin is unreachable or no token is available.
+ * Attempts the request directly — no separate health check round-trip.
+ */
+export async function tryAdminRequest(path: string, init?: RequestInit): Promise<unknown | null> {
+  const token = await loadAdminToken();
+  if (!token) return null;
+
+  try {
+    return await adminRequest(path, {
+      ...init,
+      signal: init?.signal ?? AbortSignal.timeout(10_000),
+    });
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Waits for the admin health endpoint to become healthy (up to 120s).
  */
 export async function waitForAdminHealthy(): Promise<void> {
   const started = Date.now();
   while (Date.now() - started < 120_000) {
-    if (await isStackRunning()) {
+    if (await isAdminReachable()) {
       return;
     }
     await Bun.sleep(3000);

package/src/lib/docker.ts

@@ -1,45 +1,28 @@
 import { mkdir } from 'node:fs/promises';
 import { join } from 'node:path';
-import { defaultConfigHome, defaultStateHome } from './paths.ts';
+import { ensureXdgDirs } from '@openpalm/lib';
 
 const REPO_OWNER = 'itlackey';
 const REPO_NAME = 'openpalm';
 
 /**
  * Creates the full XDG directory tree required by the stack.
+ * Delegates to @openpalm/lib for core dirs, then adds CLI-specific extras.
  */
 export async function ensureDirectoryTree(
-  configHome: string,
-  dataHome: string,
+  _configHome: string,
+  _dataHome: string,
   stateHome: string,
   workDir: string,
 ): Promise<void> {
-  const dirs = [
-    configHome,
-    join(configHome, 'channels'),
-    join(configHome, 'assistant'),
-    join(configHome, 'automations'),
-    dataHome,
-    join(dataHome, 'admin'),
-    join(dataHome, 'memory'),
-    join(dataHome, 'assistant'),
-    join(dataHome, 'guardian'),
-    join(dataHome, 'caddy'),
-    join(dataHome, 'caddy', 'data'),
-    join(dataHome, 'caddy', 'config'),
-    join(dataHome, 'automations'),
-    join(dataHome, 'opencode'),
-    stateHome,
-    join(stateHome, 'artifacts'),
-    join(stateHome, 'audit'),
-    join(stateHome, 'artifacts', 'channels'),
-    join(stateHome, 'automations'),
-    join(stateHome, 'opencode'),
+  // Core XDG dirs (CONFIG_HOME, DATA_HOME, STATE_HOME subtrees)
+  ensureXdgDirs();
+
+  // CLI-specific extras not in lib
+  for (const dir of [
     join(stateHome, 'bin'),
     workDir,
-  ];
-
-  for (const dir of dirs) {
+  ]) {
     await mkdir(dir, { recursive: true });
   }
 }
@@ -80,84 +63,28 @@ export async function runDockerCompose(args: string[]): Promise<void> {
 }
 
 /**
- * Returns the standard compose flags for --project-name, -f, and --env-file.
- */
-export function composeProjectArgs(): string[] {
-  const stateHome = defaultStateHome();
-  const configHome = defaultConfigHome();
-  return [
-    '--project-name',
-    'openpalm',
-    '-f',
-    join(stateHome, 'artifacts', 'docker-compose.yml'),
-    '--env-file',
-    join(configHome, 'secrets.env'),
-    '--env-file',
-    join(stateHome, 'artifacts', 'stack.env'),
-  ];
-}
-
-/**
- * Ensures the opencode config and system config directories exist with defaults.
+ * Runs a `docker compose` command and captures stdout as a string.
+ * Throws on non-zero exit.
  */
-export async function ensureOpenCodeConfig(configHome: string): Promise<void> {
-  const opencodeDir = join(configHome, 'assistant');
-  const configFile = join(opencodeDir, 'opencode.json');
-  if (!(await Bun.file(configFile).exists())) {
-    await Bun.write(configFile, '{\n  "$schema": "https://opencode.ai/config.json"\n}\n');
-  }
-  await mkdir(join(opencodeDir, 'tools'), { recursive: true });
-  await mkdir(join(opencodeDir, 'plugins'), { recursive: true });
-  await mkdir(join(opencodeDir, 'skills'), { recursive: true });
-}
-
-async function writeIfChanged(path: string, content: string): Promise<void> {
-  const file = Bun.file(path);
-  if (await file.exists()) {
-    const existing = await file.text();
-    if (existing === content) {
-      return;
-    }
+export async function runDockerComposeCapture(args: string[]): Promise<string> {
+  const proc = Bun.spawn(['docker', 'compose', ...args], {
+    stdout: 'pipe',
+    stderr: 'inherit',
+    stdin: 'inherit',
+  });
+  const output = await new Response(proc.stdout).text();
+  const code = await proc.exited;
+  if (code !== 0) {
+    throw new Error(`docker compose ${args.join(' ')} failed with exit code ${code}`);
   }
-  await Bun.write(path, content);
+  return output;
 }
 
-export async function ensureOpenCodeSystemConfig(dataHome: string): Promise<void> {
-  const opencodeSystemDir = join(dataHome, 'assistant');
-  await mkdir(opencodeSystemDir, { recursive: true });
-
-  const systemConfig = join(opencodeSystemDir, 'opencode.jsonc');
-  const systemConfigContent =
-    JSON.stringify(
-      {
-        "$schema": "https://opencode.ai/config.json",
-        "plugin": ["@openpalm/assistant-tools", "akm-opencode"],
-        "permission": {
-          "read": {
-            "/home/opencode/.local/share/opencode/auth.json": "deny",
-            "/home/opencode/.local/share/opencode/mcp-auth.json": "deny"
-          }
-        }
-      },
-      null,
-      2,
-    ) + "\n";
-  await writeIfChanged(systemConfig, systemConfigContent);
+// composeProjectArgs() removed — use fullComposeArgs(state) from staging.ts instead.
+// That function builds the correct file list including channel overlays and staged env files.
 
-  const agentsFile = join(opencodeSystemDir, 'AGENTS.md');
-  // import.meta.dir = packages/cli/src/lib/ → need 4 levels up to reach repo root
-  const assetsAgentsPath = join(import.meta.dir, '..', '..', '..', '..', 'assets', 'AGENTS.md');
-  let agentsContent: string;
-  if (await Bun.file(assetsAgentsPath).exists()) {
-    agentsContent = await Bun.file(assetsAgentsPath).text();
-  } else {
-    agentsContent =
-      '# OpenPalm Assistant\n\n' +
-      'This file defines the assistant persona.\n' +
-      'It is seeded by the CLI on first install and managed by the admin on subsequent updates.\n';
-  }
-  await writeIfChanged(agentsFile, agentsContent);
-}
+// ensureOpenCodeConfig and ensureOpenCodeSystemConfig are imported from @openpalm/lib.
+// See packages/lib/src/control-plane/secrets.ts and core-assets.ts.
 
 /**
  * Opens a URL in the user's default browser. Best-effort, never throws.

package/src/lib/paths.ts

@@ -1,32 +1,22 @@
+/**
+ * Path resolution — re-exports from @openpalm/lib with CLI-specific additions.
+ */
 import { homedir } from 'node:os';
 import { join } from 'node:path';
+import {
+  resolveConfigHome,
+  resolveDataHome,
+  resolveStateHome,
+} from '@openpalm/lib';
 
 export const IS_WINDOWS = process.platform === 'win32';
 
-export function defaultConfigHome(): string {
-  if (process.env.OPENPALM_CONFIG_HOME) return process.env.OPENPALM_CONFIG_HOME;
-  if (IS_WINDOWS) {
-    return join(process.env.APPDATA || join(homedir(), 'AppData', 'Roaming'), 'openpalm');
-  }
-  return join(homedir(), '.config', 'openpalm');
-}
-
-export function defaultDataHome(): string {
-  if (process.env.OPENPALM_DATA_HOME) return process.env.OPENPALM_DATA_HOME;
-  if (IS_WINDOWS) {
-    return join(process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local'), 'openpalm', 'data');
-  }
-  return join(homedir(), '.local', 'share', 'openpalm');
-}
-
-export function defaultStateHome(): string {
-  if (process.env.OPENPALM_STATE_HOME) return process.env.OPENPALM_STATE_HOME;
-  if (IS_WINDOWS) {
-    return join(process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local'), 'openpalm', 'state');
-  }
-  return join(homedir(), '.local', 'state', 'openpalm');
-}
+// Re-export lib's XDG resolvers under CLI's existing names
+export { resolveConfigHome as defaultConfigHome };
+export { resolveDataHome as defaultDataHome };
+export { resolveStateHome as defaultStateHome };
 
+// CLI-specific paths (not in lib)
 export function defaultDockerSock(): string {
   if (process.env.OPENPALM_DOCKER_SOCK) return process.env.OPENPALM_DOCKER_SOCK;
   return IS_WINDOWS ? '//./pipe/docker_engine' : '/var/run/docker.sock';

package/src/lib/staging.ts

@@ -0,0 +1,72 @@
+/**
+ * CLI-side staging pipeline for Docker Compose operations.
+ *
+ * Delegates to @openpalm/lib for all control-plane logic. The CLI
+ * uses FilesystemAssetProvider (reads from DATA_HOME) and
+ * FilesystemRegistryProvider (reads from registry dir).
+ */
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import {
+  createState,
+  stageArtifacts,
+  persistArtifacts,
+  buildComposeFileList,
+  buildManagedServices,
+  buildEnvFiles,
+  FilesystemAssetProvider,
+} from '@openpalm/lib';
+import type { ControlPlaneState } from '@openpalm/lib';
+import { defaultDataHome } from './paths.ts';
+
+/**
+ * Ensure all artifacts are staged from CONFIG_HOME/DATA_HOME to STATE_HOME.
+ *
+ * This is the CLI-side equivalent of the admin's staging pipeline.
+ * It uses FilesystemAssetProvider (reads core assets from DATA_HOME,
+ * persisted by the install command) rather than Vite bundle imports.
+ *
+ * Returns a ControlPlaneState usable with fullComposeArgs().
+ */
+export async function ensureStagedState(): Promise<ControlPlaneState> {
+  const dataDir = defaultDataHome();
+
+  // Verify DATA_HOME has core assets (populated by `openpalm install`)
+  if (!existsSync(join(dataDir, 'docker-compose.yml'))) {
+    throw new Error(
+      `Core assets not found in ${dataDir}. Run 'openpalm install' first.`,
+    );
+  }
+
+  const assets = new FilesystemAssetProvider(dataDir);
+
+  const state = createState();
+  state.artifacts = stageArtifacts(state, assets);
+  persistArtifacts(state, assets);
+
+  return state;
+}
+
+/**
+ * Build the full list of docker compose CLI arguments for a given state.
+ *
+ * Returns: ['--project-name', 'openpalm', '-f', '...', '--env-file', '...']
+ */
+export function fullComposeArgs(state: ControlPlaneState): string[] {
+  const files = buildComposeFileList(state);
+  const envFiles = buildEnvFiles(state);
+
+  return [
+    '--project-name',
+    'openpalm',
+    ...files.flatMap((f) => ['-f', f]),
+    ...envFiles.filter((f) => existsSync(f)).flatMap((f) => ['--env-file', f]),
+  ];
+}
+
+/**
+ * Build the list of managed service names (used for targeted `up` commands).
+ */
+export function buildManagedServiceNames(state: ControlPlaneState): string[] {
+  return buildManagedServices(state);
+}

package/src/lib/varlock.ts

@@ -116,6 +116,14 @@ export async function ensureVarlock(stateHome: string): Promise<string> {
     throw new Error(`chmod +x failed for varlock binary (exit code ${chmodCode})`);
   }
 
+  // macOS: clear quarantine flag and ad-hoc codesign so Gatekeeper does not kill the binary
+  if (process.platform === 'darwin') {
+    const xattr = Bun.spawn(['xattr', '-cr', varlockBin], { stdout: 'ignore', stderr: 'ignore' });
+    await xattr.exited;
+    const codesign = Bun.spawn(['codesign', '--force', '--sign', '-', varlockBin], { stdout: 'ignore', stderr: 'ignore' });
+    await codesign.exited;
+  }
+
   if (!(await Bun.file(varlockBin).exists())) {
     throw new Error(`varlock binary not found at ${varlockBin} after install`);
   }

package/src/main.test.ts

@@ -57,7 +57,7 @@ describe('cli main', () => {
     process.env.OPENPALM_ADMIN_TOKEN = originalOpenPalmAdminToken;
   });
 
-  it('calls containers pull for update', async () => {
+  it('calls containers pull for update (via admin when reachable)', async () => {
     const calls: string[] = [];
     process.env.OPENPALM_ADMIN_TOKEN = 'test-token';
     globalThis.fetch = mock(async (input: string | URL) => {
@@ -68,7 +68,10 @@ describe('cli main', () => {
 
     await main(['update']);
 
-    expect(calls).toEqual(['http://localhost:8100/admin/containers/pull']);
+    // tryAdminRequest attempts directly — no separate health check
+    expect(calls).toEqual([
+      'http://localhost:8100/admin/containers/pull',
+    ]);
   });
 
   it('uses ADMIN_TOKEN from the environment for admin requests', async () => {
@@ -85,6 +88,7 @@ describe('cli main', () => {
 
     await main(['update']);
 
+    // Direct request — single call with token header
     expect(adminTokens).toEqual(['env-admin-token']);
   });
 
@@ -110,6 +114,7 @@ describe('cli main', () => {
 
     try {
       await main(['update']);
+      // Direct request — single call with legacy token
       expect(adminTokens).toEqual(['legacy-admin-token']);
     } finally {
       rmSync(base, { recursive: true, force: true });