optimal-cli 1.0.0 → 1.1.0

package/lib/assets/index.ts

@@ -1,225 +0,0 @@
-/**
- * Asset tracking — manage digital infrastructure items
- * (domains, servers, API keys, services, repos).
- * Stores in the OptimalOS Supabase instance.
- */
-
-import { getSupabase } from '../supabase.js'
-
-// ── Types ────────────────────────────────────────────────────────────
-
-export type AssetType = 'domain' | 'server' | 'api_key' | 'service' | 'repo' | 'other'
-export type AssetStatus = 'active' | 'inactive' | 'expired' | 'pending'
-
-export interface Asset {
-  id: string
-  name: string
-  type: AssetType
-  status: AssetStatus
-  metadata: Record<string, unknown>
-  owner: string | null
-  expires_at: string | null
-  created_at: string
-  updated_at: string
-}
-
-export interface CreateAssetInput {
-  name: string
-  type: AssetType
-  status?: AssetStatus
-  metadata?: Record<string, unknown>
-  owner?: string
-  expires_at?: string
-}
-
-export interface UpdateAssetInput {
-  name?: string
-  type?: AssetType
-  status?: AssetStatus
-  metadata?: Record<string, unknown>
-  owner?: string
-  expires_at?: string | null
-}
-
-export interface AssetFilters {
-  type?: AssetType
-  status?: AssetStatus
-  owner?: string
-}
-
-export interface AssetUsageEvent {
-  id: string
-  asset_id: string
-  event: string
-  actor: string | null
-  metadata: Record<string, unknown>
-  created_at: string
-}
-
-// ── Supabase accessor ────────────────────────────────────────────────
-
-const sb = () => getSupabase('optimal')
-
-// ── CRUD operations ──────────────────────────────────────────────────
-
-/**
- * List assets, optionally filtered by type, status, or owner.
- */
-export async function listAssets(filters?: AssetFilters): Promise<Asset[]> {
-  let query = sb().from('assets').select('*')
-
-  if (filters?.type) query = query.eq('type', filters.type)
-  if (filters?.status) query = query.eq('status', filters.status)
-  if (filters?.owner) query = query.eq('owner', filters.owner)
-
-  const { data, error } = await query.order('updated_at', { ascending: false })
-  if (error) throw new Error(`Failed to list assets: ${error.message}`)
-  return (data ?? []) as Asset[]
-}
-
-/**
- * Create a new asset.
- */
-export async function createAsset(input: CreateAssetInput): Promise<Asset> {
-  const { data, error } = await sb()
-    .from('assets')
-    .insert({
-      name: input.name,
-      type: input.type,
-      status: input.status ?? 'active',
-      metadata: input.metadata ?? {},
-      owner: input.owner ?? null,
-      expires_at: input.expires_at ?? null,
-    })
-    .select()
-    .single()
-
-  if (error) throw new Error(`Failed to create asset: ${error.message}`)
-  return data as Asset
-}
-
-/**
- * Update an existing asset by ID.
- */
-export async function updateAsset(id: string, updates: UpdateAssetInput): Promise<Asset> {
-  const { data, error } = await sb()
-    .from('assets')
-    .update(updates)
-    .eq('id', id)
-    .select()
-    .single()
-
-  if (error) throw new Error(`Failed to update asset: ${error.message}`)
-  return data as Asset
-}
-
-/**
- * Get a single asset by ID.
- */
-export async function getAsset(id: string): Promise<Asset> {
-  const { data, error } = await sb()
-    .from('assets')
-    .select('*')
-    .eq('id', id)
-    .single()
-
-  if (error) throw new Error(`Asset not found: ${error.message}`)
-  return data as Asset
-}
-
-/**
- * Delete an asset by ID.
- */
-export async function deleteAsset(id: string): Promise<void> {
-  const { error } = await sb()
-    .from('assets')
-    .delete()
-    .eq('id', id)
-
-  if (error) throw new Error(`Failed to delete asset: ${error.message}`)
-}
-
-// ── Usage tracking ───────────────────────────────────────────────────
-
-/**
- * Log a usage event against an asset.
- */
-export async function trackAssetUsage(
-  assetId: string,
-  event: string,
-  actor?: string,
-  metadata?: Record<string, unknown>,
-): Promise<AssetUsageEvent> {
-  const { data, error } = await sb()
-    .from('asset_usage_log')
-    .insert({
-      asset_id: assetId,
-      event,
-      actor: actor ?? null,
-      metadata: metadata ?? {},
-    })
-    .select()
-    .single()
-
-  if (error) throw new Error(`Failed to track usage: ${error.message}`)
-  return data as AssetUsageEvent
-}
-
-/**
- * List usage events for a given asset.
- */
-export async function listAssetUsage(assetId: string, limit = 50): Promise<AssetUsageEvent[]> {
-  const { data, error } = await sb()
-    .from('asset_usage_log')
-    .select('*')
-    .eq('asset_id', assetId)
-    .order('created_at', { ascending: false })
-    .limit(limit)
-
-  if (error) throw new Error(`Failed to list usage: ${error.message}`)
-  return (data ?? []) as AssetUsageEvent[]
-}
-
-// ── Formatting ───────────────────────────────────────────────────────
-
-const TYPE_LABELS: Record<AssetType, string> = {
-  domain: 'Domain',
-  server: 'Server',
-  api_key: 'API Key',
-  service: 'Service',
-  repo: 'Repo',
-  other: 'Other',
-}
-
-/**
- * Format assets into a table string for CLI display.
- */
-export function formatAssetTable(assets: Asset[]): string {
-  if (assets.length === 0) return 'No assets found.'
-
-  const headers = ['Type', 'Status', 'Name', 'Owner', 'Expires']
-  const rows = assets.map(a => [
-    TYPE_LABELS[a.type] ?? a.type,
-    a.status,
-    a.name.length > 35 ? a.name.slice(0, 32) + '...' : a.name,
-    a.owner ?? '-',
-    a.expires_at ? a.expires_at.slice(0, 10) : '-',
-  ])
-
-  // Compute column widths
-  const widths = headers.map((h, i) => {
-    let max = h.length
-    for (const row of rows) {
-      if ((row[i]?.length ?? 0) > max) max = row[i].length
-    }
-    return max
-  })
-
-  const sep = '+-' + widths.map(w => '-'.repeat(w)).join('-+-') + '-+'
-  const headerRow = '| ' + headers.map((h, i) => h.padEnd(widths[i])).join(' | ') + ' |'
-  const bodyRows = rows.map(row =>
-    '| ' + row.map((cell, i) => (cell ?? '').padEnd(widths[i])).join(' | ') + ' |'
-  )
-
-  return [sep, headerRow, sep, ...bodyRows, sep, `\nTotal: ${assets.length} assets`].join('\n')
-}

package/lib/assets.ts

@@ -1,124 +0,0 @@
-import { createClient, SupabaseClient } from '@supabase/supabase-js'
-import { readFileSync, readdirSync, statSync, existsSync } from 'node:fs'
-import { join, basename } from 'node:path'
-import { homedir } from 'node:os'
-import { createHash, randomBytes, createCipheriv, createDecipheriv } from 'node:crypto'
-
-const CONFIG_DIR = join(homedir(), '.openclaw')
-const SKILLS_DIR = join(CONFIG_DIR, 'skills')
-const PLUGINS_DIR = join(CONFIG_DIR, 'plugins')
-const WORKSPACE_DIR = join(homedir(), '.openclaw', 'workspace')
-
-const ALGORITHM = 'aes-256-gcm'
-
-function getSupabase(): SupabaseClient {
-  const url = process.env.OPTIMAL_SUPABASE_URL
-  const key = process.env.OPTIMAL_SUPABASE_SERVICE_KEY
-  if (!url || !key) throw new Error('OPTIMAL_SUPABASE_URL and OPTIMAL_SUPABASE_SERVICE_KEY required')
-  return createClient(url, key)
-}
-
-function hashContent(content: string): string {
-  return createHash('sha256').update(content).digest('hex')
-}
-
-export interface ScannedAsset {
-  type: 'skill' | 'cli' | 'cron' | 'repo' | 'env' | 'ssh_key' | 'plugin'
-  name: string
-  version?: string
-  path: string
-  hash: string
-  content?: string
-  metadata: Record<string, unknown>
-}
-
-export function scanSkills(): ScannedAsset[] {
-  const assets: ScannedAsset[] = []
-  if (!existsSync(SKILLS_DIR)) return assets
-  for (const dir of readdirSync(SKILLS_DIR)) {
-    const skillPath = join(SKILLS_DIR, dir)
-    if (!statSync(skillPath).isDirectory()) continue
-    const skillFile = join(skillPath, 'SKILL.md')
-    if (existsSync(skillFile)) {
-      const content = readFileSync(skillFile, 'utf-8')
-      assets.push({ type: 'skill', name: dir, path: skillFile, hash: hashContent(content), content, metadata: {} })
-    }
-  }
-  return assets
-}
-
-export function scanPlugins(): ScannedAsset[] {
-  const assets: ScannedAsset[] = []
-  if (!existsSync(PLUGINS_DIR)) return assets
-  for (const dir of readdirSync(PLUGINS_DIR)) {
-    const pluginPath = join(PLUGINS_DIR, dir)
-    if (!statSync(pluginPath).isDirectory()) continue
-    assets.push({ type: 'plugin', name: dir, path: pluginPath, hash: hashContent(dir), metadata: {} })
-  }
-  return assets
-}
-
-export function scanCLIs(): ScannedAsset[] {
-  const assets: ScannedAsset[] = []
-  const knownCLIs = ['vercel', 'supabase', 'gh', 'openclaw']
-  for (const cli of knownCLIs) {
-    try {
-      const { execSync } = require('node:child_process')
-      const version = execSync(`${cli} --version 2>/dev/null || echo ""`).toString().trim()
-      if (version) {
-        assets.push({ type: 'cli', name: cli, version: version.slice(0, 20), path: '', hash: hashContent(version), metadata: {} })
-      }
-    } catch {}
-  }
-  return assets
-}
-
-export function scanRepos(): ScannedAsset[] {
-  const assets: ScannedAsset[] = []
-  if (!existsSync(WORKSPACE_DIR)) return assets
-  for (const dir of readdirSync(WORKSPACE_DIR)) {
-    const repoPath = join(WORKSPACE_DIR, dir)
-    if (!statSync(repoPath).isDirectory()) continue
-    if (existsSync(join(repoPath, '.git'))) {
-      assets.push({ type: 'repo', name: dir, path: repoPath, hash: '', metadata: {} })
-    }
-  }
-  return assets
-}
-
-export function scanAllAssets(): ScannedAsset[] {
-  return [...scanSkills(), ...scanPlugins(), ...scanCLIs(), ...scanRepos()]
-}
-
-export async function pushAssets(agentName: string): Promise<{ pushed: number; updated: number }> {
-  const supabase = getSupabase()
-  const assets = scanAllAssets()
-  let pushed = 0, updated = 0
-  for (const asset of assets) {
-    const { data: existing } = await supabase.from('agent_assets').select('id, asset_hash').eq('agent_name', agentName).eq('asset_type', asset.type).eq('asset_name', asset.name).single()
-    if (existing) {
-      if (existing.asset_hash !== asset.hash) {
-        await supabase.from('agent_assets').update({ asset_version: asset.version, asset_path: asset.path, asset_hash: asset.hash, content: asset.content, metadata: asset.metadata, updated_at: new Date().toISOString() }).eq('id', existing.id)
-        updated++
-      }
-    } else {
-      await supabase.from('agent_assets').insert({ agent_name: agentName, asset_type: asset.type, asset_name: asset.name, asset_version: asset.version, asset_path: asset.path, asset_hash: asset.hash, content: asset.content, metadata: asset.metadata })
-      pushed++
-    }
-  }
-  return { pushed, updated }
-}
-
-export async function listAssets(agentName?: string): Promise<any[]> {
-  const supabase = getSupabase()
-  let query = supabase.from('agent_assets').select('*')
-  if (agentName) query = query.eq('agent_name', agentName)
-  const { data } = await query.order('updated_at', { ascending: false })
-  return data || []
-}
-
-export async function getInventory(): Promise<any[]> {
-  const supabase = getSupabase()
-  const { data } = await supabase.from('agent_inventory').select('*')
-  return data || []
-}

package/lib/auth/index.ts

@@ -1,189 +0,0 @@
-/**
- * Auth module — ported from optimalOS Supabase auth patterns.
- *
- * OptimalOS uses three client tiers:
- *   1. Browser client  (anon key + cookie session)  — N/A for CLI
- *   2. Server client   (anon key + SSR cookies)      — N/A for CLI
- *   3. Admin client    (service_role key, no session) — primary CLI path
- *
- * In a headless CLI context there are no cookies or browser sessions.
- * Auth reduces to two modes:
- *   - Service-role access  (bot / automation operations)
- *   - User-scoped access   (pass an access_token obtained externally)
- *
- * Environment variables (defined in .env):
- *   OPTIMAL_SUPABASE_URL          — Supabase project URL
- *   OPTIMAL_SUPABASE_SERVICE_KEY  — service_role secret
- */
-
-import { createClient, type SupabaseClient } from '@supabase/supabase-js'
-import 'dotenv/config'
-
-// ---------------------------------------------------------------------------
-// Types
-// ---------------------------------------------------------------------------
-
-/** Describes how the current invocation is authenticated. */
-export interface AuthContext {
-  /** 'service' when using service_role key, 'user' when using a user JWT */
-  mode: 'service' | 'user'
-  /** The Supabase client for this context */
-  client: SupabaseClient
-  /** User ID (only set when mode === 'user') */
-  userId?: string
-  /** User email (only set when mode === 'user' and resolvable) */
-  email?: string
-}
-
-/** Minimal session shape returned by getSession(). */
-export interface Session {
-  accessToken: string
-  user: {
-    id: string
-    email?: string
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Internal helpers
-// ---------------------------------------------------------------------------
-
-function envOrThrow(name: string): string {
-  const value = process.env[name]
-  if (!value) {
-    throw new Error(`Missing required environment variable: ${name}`)
-  }
-  return value
-}
-
-/** Singleton service-role client (matches optimalOS admin.ts pattern). */
-let _serviceClient: SupabaseClient | null = null
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Return a service-role Supabase client.
- *
- * Mirrors optimalOS `createAdminClient()` from lib/supabase/admin.ts:
- *   - Uses SUPABASE_SERVICE_ROLE_KEY
- *   - persistSession: false, autoRefreshToken: false
- *   - Singleton — safe to call repeatedly
- */
-export function getServiceClient(): SupabaseClient {
-  if (_serviceClient) return _serviceClient
-
-  const url = envOrThrow('OPTIMAL_SUPABASE_URL')
-  const key = envOrThrow('OPTIMAL_SUPABASE_SERVICE_KEY')
-
-  _serviceClient = createClient(url, key, {
-    auth: {
-      persistSession: false,
-      autoRefreshToken: false,
-    },
-  })
-
-  return _serviceClient
-}
-
-/**
- * Return a user-scoped Supabase client authenticated with the given JWT.
- *
- * This is the CLI equivalent of optimalOS browser/server clients that carry
- * a user session via cookies. The caller is responsible for obtaining the
- * access token (e.g., via `supabase login`, OAuth device flow, or env var).
- *
- * A new client is created on every call — callers should cache if needed.
- */
-export function getUserClient(accessToken: string): SupabaseClient {
-  const url = envOrThrow('OPTIMAL_SUPABASE_URL')
-
-  // Use service key as the initial key — the global auth header override
-  // ensures all requests are scoped to the user's JWT instead.
-  const anonOrServiceKey = process.env.OPTIMAL_SUPABASE_ANON_KEY
-    ?? envOrThrow('OPTIMAL_SUPABASE_SERVICE_KEY')
-
-  return createClient(url, anonOrServiceKey, {
-    global: {
-      headers: { Authorization: `Bearer ${accessToken}` },
-    },
-    auth: {
-      persistSession: false,
-      autoRefreshToken: false,
-    },
-  })
-}
-
-/**
- * Attempt to retrieve the current session.
- *
- * In the CLI there is no implicit cookie jar. A session exists only when:
- *   1. OPTIMAL_ACCESS_TOKEN env var is set (user JWT), or
- *   2. A future `optimal login` command has cached a token locally.
- *
- * Returns null if no user session is available (service-role only mode).
- */
-export async function getSession(): Promise<Session | null> {
-  const token = process.env.OPTIMAL_ACCESS_TOKEN
-  if (!token) return null
-
-  try {
-    const client = getUserClient(token)
-    const { data: { user }, error } = await client.auth.getUser(token)
-
-    if (error || !user) return null
-
-    return {
-      accessToken: token,
-      user: {
-        id: user.id,
-        email: user.email,
-      },
-    }
-  } catch {
-    return null
-  }
-}
-
-/**
- * Guard that throws if no user session is present.
- *
- * Use at the top of CLI commands that require a logged-in user:
- *
- *   const session = await requireAuth()
- *   // session.user.id is guaranteed
- */
-export async function requireAuth(): Promise<Session> {
-  const session = await getSession()
-  if (!session) {
-    throw new Error(
-      'Authentication required. Set OPTIMAL_ACCESS_TOKEN or run `optimal login`.',
-    )
-  }
-  return session
-}
-
-/**
- * Build an AuthContext describing the current invocation's auth state.
- *
- * Prefers user-scoped auth when OPTIMAL_ACCESS_TOKEN is set;
- * falls back to service-role.
- */
-export async function resolveAuthContext(): Promise<AuthContext> {
-  const session = await getSession()
-
-  if (session) {
-    return {
-      mode: 'user',
-      client: getUserClient(session.accessToken),
-      userId: session.user.id,
-      email: session.user.email,
-    }
-  }
-
-  return {
-    mode: 'service',
-    client: getServiceClient(),
-  }
-}