palmier 0.9.6 → 0.9.8

package/palmier-server/server/src/nats-jwt.ts

@@ -1,299 +0,0 @@
-/**
- * NATS JWT/NKey utilities for decentralized authentication.
- *
- * NATS supports a decentralized auth model where authorization is embedded in
- * signed JWTs rather than managed in server config files. This means new hosts
- * can be onboarded without restarting or reconfiguring the NATS server.
- *
- * Key hierarchy:
- *
- *   Operator (root of trust)
- *     └─ signs Account JWT → embedded in NATS server config (one-time)
- *          └─ Account (runtime signing key, held by palmier-server)
- *               ├─ signs Host User JWTs → scoped to host.{id}.* subjects
- *               ├─ signs PWA User JWTs  → scoped to RPC + pairing subjects
- *               └─ signs Server User JWT → full access for relaying
- *
- * JWT format (NATS-specific, not standard JWT):
- *   Header:    {"typ":"JWT","alg":"ed25519-nkey"}
- *   Payload:   NATS claims (issuer, subject, permissions)
- *   Signature: Ed25519(header.payload, signing_key)
- *
- * Subject permission model:
- *
- *   | Role              | Publish                  | Subscribe              |
- *   |-------------------|--------------------------|------------------------|
- *   | Host (X)          | host-event.X.>, host.X.> | host.X.>, pair.*       |
- *   | PWA (pairing)     | pair.*                   | (none)                 |
- *   | PWA (connected X) | host.X.rpc.>             | host-event.X.>         |
- *   | Server            | > (full)                 | > (full)               |
- *
- * Request/reply inbox subjects (_INBOX.>) are allowed automatically via the
- * `resp` field in the JWT claims.
- */
-
-import { createOperator, createAccount, createUser, fromSeed, type KeyPair } from "nkeys.js";
-import crypto from "crypto";
-
-// ---------------------------------------------------------------------------
-// Base64url helpers
-// ---------------------------------------------------------------------------
-
-function base64urlEncode(data: Uint8Array): string {
-  return Buffer.from(data).toString("base64url");
-}
-
-function base64urlEncodeStr(str: string): string {
-  return Buffer.from(str, "utf-8").toString("base64url");
-}
-
-// ---------------------------------------------------------------------------
-// NKey seed ↔ string helpers
-// ---------------------------------------------------------------------------
-
-export function seedToString(seed: Uint8Array): string {
-  return new TextDecoder().decode(seed);
-}
-
-export function seedFromString(seed: string): Uint8Array {
-  return new TextEncoder().encode(seed);
-}
-
-// ---------------------------------------------------------------------------
-// JWT signing
-// ---------------------------------------------------------------------------
-
-/** Sign a NATS JWT: base64url(header).base64url(claims).base64url(ed25519_sig). */
-function signJwt(claims: Record<string, unknown>, signingKey: KeyPair): string {
-  const header = base64urlEncodeStr(JSON.stringify({ typ: "JWT", alg: "ed25519-nkey" }));
-  const payload = base64urlEncodeStr(JSON.stringify(claims));
-  const sigInput = new TextEncoder().encode(`${header}.${payload}`);
-  const signature = base64urlEncode(signingKey.sign(sigInput));
-  return `${header}.${payload}.${signature}`;
-}
-
-// ---------------------------------------------------------------------------
-// Account JWT
-// ---------------------------------------------------------------------------
-
-/** Create an Operator JWT (self-signed). Used in the NATS server `operator` field. */
-export function createOperatorJwt(operatorSeed: string): string {
-  const operatorKp = fromSeed(seedFromString(operatorSeed));
-  const claims = {
-    jti: crypto.randomUUID().replace(/-/g, ""),
-    iat: Math.floor(Date.now() / 1000),
-    iss: operatorKp.getPublicKey(),
-    name: "palmier-operator",
-    sub: operatorKp.getPublicKey(),
-    nats: {
-      type: "operator",
-      version: 2,
-    },
-  };
-  const jwt = signJwt(claims, operatorKp);
-  operatorKp.clear();
-  return jwt;
-}
-
-/** Create an Account JWT signed by the operator. Embedded in NATS server config. */
-export function createAccountJwt(operatorSeed: string, accountPublicKey: string): string {
-  const operatorKp = fromSeed(seedFromString(operatorSeed));
-  const claims = {
-    jti: crypto.randomUUID().replace(/-/g, ""),
-    iat: Math.floor(Date.now() / 1000),
-    iss: operatorKp.getPublicKey(),
-    name: "palmier",
-    sub: accountPublicKey,
-    nats: {
-      limits: {
-        subs: -1,
-        data: -1,
-        payload: -1,
-        imports: -1,
-        exports: -1,
-        wildcards: true,
-        conn: -1,
-        leaf: -1,
-      },
-      type: "account",
-      version: 2,
-    },
-  };
-  const jwt = signJwt(claims, operatorKp);
-  operatorKp.clear();
-  return jwt;
-}
-
-// ---------------------------------------------------------------------------
-// User JWT (generic)
-// ---------------------------------------------------------------------------
-
-interface UserPermissions {
-  pub: { allow: string[] };
-  sub: { allow: string[] };
-}
-
-/**
- * Create a User JWT signed by the account key.
- * _INBOX.> is added to subscribe permissions so request/reply works.
- * Unlimited values (-1) for subs/data/payload mean no artificial caps.
- */
-function createUserJwt(
-  accountSeed: string,
-  userPublicKey: string,
-  name: string,
-  permissions: UserPermissions,
-): string {
-  const accountKp = fromSeed(seedFromString(accountSeed));
-  const claims = {
-    jti: crypto.randomUUID().replace(/-/g, ""),
-    iat: Math.floor(Date.now() / 1000),
-    iss: accountKp.getPublicKey(),
-    name,
-    sub: userPublicKey,
-    nats: {
-      pub: { allow: [...permissions.pub.allow, "_INBOX.>"] },
-      sub: { allow: [...permissions.sub.allow, "_INBOX.>"] },
-      subs: -1,
-      data: -1,
-      payload: -1,
-      type: "user",
-      version: 2,
-    },
-  };
-  const jwt = signJwt(claims, accountKp);
-  accountKp.clear();
-  return jwt;
-}
-
-// ---------------------------------------------------------------------------
-// Role-specific JWT generators
-// ---------------------------------------------------------------------------
-
-export interface NatsCredentials {
-  jwt: string;
-  nkeySeed: string;
-}
-
-/**
- * Create credentials for a host daemon, scoped to the host's own subjects.
- *
- * A host with id X can only:
- *   - Publish to: host-event.X.> (task events), host.X.> (FCM requests, push)
- *   - Subscribe to: host.X.> (RPC, device responses), pair.* (during pairing)
- *
- * It cannot access any other host's subjects.
- */
-export function createHostCredentials(accountSeed: string, hostId: string): NatsCredentials {
-  const userKp = createUser();
-  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), `host-${hostId}`, {
-    pub: { allow: [`host-event.${hostId}.>`, `host.${hostId}.>`] },
-    sub: { allow: [`host.${hostId}.>`, "pair.*"] },
-  });
-  const nkeySeed = seedToString(userKp.getSeed());
-  userKp.clear();
-  return { jwt, nkeySeed };
-}
-
-/**
- * Create pairing-only credentials for the PWA. Used during the pairing flow
- * before the PWA knows which host it will connect to.
- *
- * Minimal permissions:
- *   - Publish to: pair.* (send pairing request)
- *   - Subscribe to: (none — reply inbox handled by `resp`)
- */
-export function createPairingCredentials(accountSeed: string): NatsCredentials {
-  const userKp = createUser();
-  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), "pwa-pairing", {
-    pub: { allow: ["pair.*"] },
-    sub: { allow: [] },
-  });
-  const nkeySeed = seedToString(userKp.getSeed());
-  userKp.clear();
-  return { jwt, nkeySeed };
-}
-
-/**
- * Create host-scoped credentials for a PWA client after pairing.
- *
- * Scoped to a single host:
- *   - Publish to: host.{hostId}.rpc.> (send RPC to paired host)
- *   - Subscribe to: host-event.{hostId}.> (receive task events from paired host)
- *
- * A PWA client cannot see events or send RPC to any other host.
- */
-export function createPwaCredentials(accountSeed: string, hostId: string): NatsCredentials {
-  const userKp = createUser();
-  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), `pwa-${hostId}`, {
-    pub: { allow: [`host.${hostId}.rpc.>`] },
-    sub: { allow: [`host-event.${hostId}.>`] },
-  });
-  const nkeySeed = seedToString(userKp.getSeed());
-  userKp.clear();
-  return { jwt, nkeySeed };
-}
-
-/**
- * Create credentials for the palmier server itself (full access for relaying).
- */
-export function createServerCredentials(accountSeed: string): NatsCredentials {
-  const userKp = createUser();
-  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), "server", {
-    pub: { allow: [">"] },
-    sub: { allow: [">"] },
-  });
-  const nkeySeed = seedToString(userKp.getSeed());
-  userKp.clear();
-  return { jwt, nkeySeed };
-}
-
-// ---------------------------------------------------------------------------
-// Setup: generate operator + account keys and NATS config
-// ---------------------------------------------------------------------------
-
-export interface NatsSetupResult {
-  operatorSeed: string;
-  operatorPublicKey: string;
-  accountSeed: string;
-  accountPublicKey: string;
-  operatorJwt: string;
-  accountJwt: string;
-  natsConfig: string;
-}
-
-/**
- * Generate all keys and the NATS server config snippet for JWT auth.
- * Run once during initial deployment, then store seeds as env vars.
- *
- * The `operator` field in nats.conf requires a full JWT (not a public key) —
- * NATS treats non-JWT strings as file paths.
- */
-export function generateNatsSetup(): NatsSetupResult {
-  const operatorKp = createOperator();
-  const accountKp = createAccount();
-
-  const operatorSeed = seedToString(operatorKp.getSeed());
-  const operatorPublicKey = operatorKp.getPublicKey();
-  const accountSeed = seedToString(accountKp.getSeed());
-  const accountPublicKey = accountKp.getPublicKey();
-
-  const operatorJwt = createOperatorJwt(operatorSeed);
-  const accountJwt = createAccountJwt(operatorSeed, accountPublicKey);
-
-  const natsConfig = [
-    `# NATS JWT auth configuration`,
-    `# Generated by palmier nats-setup`,
-    ``,
-    `operator: ${operatorJwt}`,
-    `resolver: MEMORY`,
-    `resolver_preload: {`,
-    `  ${accountPublicKey}: ${accountJwt}`,
-    `}`,
-  ].join("\n");
-
-  operatorKp.clear();
-  accountKp.clear();
-
-  return { operatorSeed, operatorPublicKey, accountSeed, accountPublicKey, operatorJwt, accountJwt, natsConfig };
-}

package/palmier-server/server/src/nats-setup.ts

@@ -1,48 +0,0 @@
-/**
- * One-time setup script for NATS JWT authentication.
- *
- * Run this once when deploying Palmier for the first time (or when rotating keys).
- * It generates the cryptographic keys and config needed for NATS to enforce
- * per-host subject isolation.
- *
- * Usage:
- *   cd server && pnpm nats-setup
- *
- * What it generates:
- *
- *   Operator NKey pair
- *     └─ Signs the Account JWT (one-time). Store the seed securely as a backup —
- *        you only need it again if you regenerate the account JWT.
- *
- *   Account NKey pair
- *     └─ Signs User JWTs at runtime. The server uses NATS_ACCOUNT_SEED to create
- *        scoped credentials for each host (during registration) and each PWA session.
- *
- *   Account JWT
- *     └─ Embedded in the NATS server config (resolver_preload). Tells the NATS server
- *        to trust User JWTs signed by this account key.
- *
- *   NATS config snippet
- *     └─ Drop-in replacement for the authorization block in nats.conf.
- *
- * See PRODUCTION.md for the full deployment flow.
- */
-
-import { generateNatsSetup } from "./nats-jwt.js";
-
-const setup = generateNatsSetup();
-
-console.log("=== NATS JWT Auth Setup ===\n");
-
-console.log("NATS_ACCOUNT_SEED (add to server/.env):\n");
-console.log(`  ${setup.accountSeed}\n`);
-
-console.log("nats.conf auth section (replace any existing auth block):\n");
-console.log(setup.natsConfig);
-console.log();
-
-console.log("Keys (store securely, do not commit):\n");
-console.log(`  Operator seed:       ${setup.operatorSeed}`);
-console.log(`  Operator public key: ${setup.operatorPublicKey}`);
-console.log(`  Account seed:        ${setup.accountSeed}`);
-console.log(`  Account public key:  ${setup.accountPublicKey}`);

package/palmier-server/server/src/nats.ts

@@ -1,33 +0,0 @@
-import { connect, jwtAuthenticator, NatsConnection } from "nats";
-import { createServerCredentials, seedFromString } from "./nats-jwt.js";
-
-let nc: NatsConnection | null = null;
-
-export async function connectNats(): Promise<NatsConnection> {
-  if (nc) return nc;
-
-  const url = process.env.NATS_URL || "nats://localhost:4222";
-  const accountSeed = process.env.NATS_ACCOUNT_SEED;
-
-  if (!accountSeed) {
-    throw new Error("NATS_ACCOUNT_SEED is required for JWT auth");
-  }
-
-  // Generate server credentials with full access
-  const creds = createServerCredentials(accountSeed);
-
-  nc = await connect({
-    servers: url,
-    authenticator: jwtAuthenticator(creds.jwt, seedFromString(creds.nkeySeed)),
-  });
-
-  console.log(`Connected to NATS at ${url} (JWT auth)`);
-  return nc;
-}
-
-export async function getNatsConnection(): Promise<NatsConnection> {
-  if (!nc) {
-    return connectNats();
-  }
-  return nc;
-}

package/palmier-server/server/src/notify.ts

@@ -1,34 +0,0 @@
-import { sendPushToClients } from "./push.js";
-import { sendFcmToClients } from "./fcm.js";
-
-export interface NotificationPayload {
-  type: string;
-  host_id: string;
-  title?: string;
-  body?: string;
-  task_id?: string;
-  session_id?: string;
-  run_id?: string;
-  result_file?: string;
-  agent_name?: string;
-}
-
-function stringifyPayload(payload: NotificationPayload): Record<string, string> {
-  const result: Record<string, string> = {};
-  for (const [key, value] of Object.entries(payload)) {
-    if (value !== undefined && value !== null) {
-      result[key] = String(value);
-    }
-  }
-  return result;
-}
-
-export async function notifyClients(
-  hostId: string,
-  payload: NotificationPayload
-): Promise<void> {
-  await Promise.allSettled([
-    sendPushToClients(hostId, payload),
-    sendFcmToClients(hostId, stringifyPayload(payload)),
-  ]);
-}

package/palmier-server/server/src/push.ts

@@ -1,68 +0,0 @@
-import webPush from "web-push";
-import { pool } from "./db.js";
-
-let configured = false;
-
-function ensureConfigured(): void {
-  if (configured) return;
-
-  const publicKey = process.env.VAPID_PUBLIC_KEY;
-  const privateKey = process.env.VAPID_PRIVATE_KEY;
-  const mailto = process.env.VAPID_MAILTO || "mailto:admin@example.com";
-
-  if (!publicKey || !privateKey) {
-    console.warn("VAPID keys not configured. Web Push will not work.");
-    return;
-  }
-
-  webPush.setVapidDetails(mailto, publicKey, privateKey);
-  configured = true;
-}
-
-export async function sendPushToClients(
-  hostId: string,
-  payload: object | string
-): Promise<void> {
-  ensureConfigured();
-  if (!configured) {
-    console.warn("[Push] VAPID not configured, skipping push for host", hostId);
-    return;
-  }
-
-  const result = await pool.query(
-    "SELECT endpoint, p256dh, auth FROM push_subscriptions WHERE host_id = $1",
-    [hostId]
-  );
-
-  const body = typeof payload === "string" ? payload : JSON.stringify(payload);
-
-  const sendPromises = result.rows.map(async (row) => {
-    const subscription: webPush.PushSubscription = {
-      endpoint: row.endpoint,
-      keys: {
-        p256dh: row.p256dh,
-        auth: row.auth,
-      },
-    };
-
-    try {
-      await webPush.sendNotification(subscription, body);
-    } catch (err: any) {
-      if (err.statusCode === 410 || err.statusCode === 404) {
-        // Subscription expired or invalid, remove it
-        await pool.query(
-          "DELETE FROM push_subscriptions WHERE host_id = $1 AND endpoint = $2",
-          [hostId, row.endpoint]
-        );
-        console.log(`Removed stale push subscription for host ${hostId}`);
-      } else {
-        console.error(
-          `Failed to send push to ${row.endpoint}:`,
-          err.message
-        );
-      }
-    }
-  });
-
-  await Promise.allSettled(sendPromises);
-}

package/palmier-server/server/src/routes/device.ts

@@ -1,224 +0,0 @@
-import { Router, Request, Response } from "express";
-import type { Router as RouterType } from "express";
-import { getNatsConnection } from "../nats.js";
-import { StringCodec } from "nats";
-
-const router: RouterType = Router();
-
-// POST /api/device/notifications - Receive a notification from Android, relay to host via NATS
-router.post("/notifications", async (req: Request, res: Response) => {
-  try {
-    const { hostId, notification } = req.body;
-
-    if (!hostId || !notification?.id) {
-      res.status(400).json({ error: "hostId and notification with id are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.device.notifications`,
-      sc.encode(JSON.stringify(notification)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device notification relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-// POST /api/device/sms - Receive an SMS from Android, relay to host via NATS
-router.post("/sms", async (req: Request, res: Response) => {
-  try {
-    const { hostId, sms } = req.body;
-
-    if (!hostId || !sms?.id) {
-      res.status(400).json({ error: "hostId and sms with id are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.device.sms`,
-      sc.encode(JSON.stringify(sms)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device SMS relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-// POST /api/device/contacts-response - Receive contacts response from Android, relay to host via NATS
-router.post("/contacts-response", async (req: Request, res: Response) => {
-  try {
-    const { requestId, hostId, result } = req.body;
-
-    if (!requestId || !hostId) {
-      res.status(400).json({ error: "requestId and hostId are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.contacts.${requestId}`,
-      sc.encode(JSON.stringify(result)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device contacts response relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-// POST /api/device/calendar-response - Receive calendar response from Android, relay to host via NATS
-router.post("/calendar-response", async (req: Request, res: Response) => {
-  try {
-    const { requestId, hostId, result } = req.body;
-
-    if (!requestId || !hostId) {
-      res.status(400).json({ error: "requestId and hostId are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.calendar.${requestId}`,
-      sc.encode(JSON.stringify(result)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device calendar response relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-// POST /api/device/sms-response - Receive SMS send response from Android, relay to host via NATS
-router.post("/sms-response", async (req: Request, res: Response) => {
-  try {
-    const { requestId, hostId, result } = req.body;
-
-    if (!requestId || !hostId) {
-      res.status(400).json({ error: "requestId and hostId are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.sms.${requestId}`,
-      sc.encode(JSON.stringify(result)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device SMS response relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-// POST /api/device/alarm-response - Receive alarm response from Android, relay to host via NATS
-router.post("/alarm-response", async (req: Request, res: Response) => {
-  try {
-    const { requestId, hostId, result } = req.body;
-
-    if (!requestId || !hostId) {
-      res.status(400).json({ error: "requestId and hostId are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.alarm.${requestId}`,
-      sc.encode(JSON.stringify(result)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device alarm response relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-// POST /api/device/battery-response - Receive battery response from Android, relay to host via NATS
-router.post("/battery-response", async (req: Request, res: Response) => {
-  try {
-    const { requestId, hostId, result } = req.body;
-
-    if (!requestId || !hostId) {
-      res.status(400).json({ error: "requestId and hostId are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.battery.${requestId}`,
-      sc.encode(JSON.stringify(result)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device battery response relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-// POST /api/device/ringer-response - Receive ringer mode response from Android, relay to host via NATS
-router.post("/ringer-response", async (req: Request, res: Response) => {
-  try {
-    const { requestId, hostId, result } = req.body;
-
-    if (!requestId || !hostId) {
-      res.status(400).json({ error: "requestId and hostId are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.ringer.${requestId}`,
-      sc.encode(JSON.stringify(result)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device ringer response relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-// POST /api/device/email-response - Receive email response from Android, relay to host via NATS
-router.post("/email-response", async (req: Request, res: Response) => {
-  try {
-    const { requestId, hostId, result } = req.body;
-
-    if (!requestId || !hostId) {
-      res.status(400).json({ error: "requestId and hostId are required" });
-      return;
-    }
-
-    const conn = await getNatsConnection();
-    const sc = StringCodec();
-    conn.publish(
-      `host.${hostId}.email.${requestId}`,
-      sc.encode(JSON.stringify(result)),
-    );
-
-    res.json({ ok: true });
-  } catch (err) {
-    console.error("Device email response relay error:", err);
-    res.status(500).json({ error: "Internal server error" });
-  }
-});
-
-export default router;