smart-home-engine 1.0.10 → 1.1.0

package/src/lib/ssh-deploy.js

@@ -0,0 +1,216 @@
+'use strict';
+
+/**
+ * ssh-deploy.js — SSH/SFTP file deployment helper for remote broker management.
+ *
+ * Uses the `ssh2` npm package for SFTP uploads and remote command execution.
+ * SSH keypair generation delegates to the `ssh-keygen` CLI tool.
+ *
+ * Usage:
+ *   const ssh = require('./ssh-deploy');
+ *   await ssh.uploadFile(sshConfig, localPath, remotePath);
+ *   const { stdout } = await ssh.runCommand(sshConfig, 'sudo systemctl reload mosquitto');
+ *   const pubkey = await ssh.generateKeypair(identityFile);
+ */
+
+const { execFile } = require('child_process');
+const { promisify } = require('util');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const execFileAsync = promisify(execFile);
+
+// ssh2 is an optional dependency — only loaded when needed
+let _ssh2 = null;
+function getSsh2() {
+    if (!_ssh2) {
+        try {
+            _ssh2 = require('ssh2');
+        } catch {
+            throw new Error('ssh2 package not installed — run: npm install ssh2');
+        }
+    }
+    return _ssh2;
+}
+
+function expandHome(p) {
+    if (typeof p === 'string' && (p.startsWith('~/') || p === '~')) {
+        return path.join(os.homedir(), p.slice(2));
+    }
+    return p;
+}
+
+/**
+ * Build ssh2 connection options from she broker.ssh config.
+ * @param {object} sshConfig - config.broker.ssh
+ */
+function buildConnectOpts(sshConfig) {
+    const identityFile = expandHome(sshConfig.identityFile || '~/.she/broker_id_ed25519');
+    let privateKey;
+    try {
+        privateKey = fs.readFileSync(identityFile);
+    } catch (err) {
+        throw new Error(`Cannot read SSH identity file ${identityFile}: ${err.message}`);
+    }
+
+    return {
+        host: sshConfig.host,
+        port: sshConfig.port || 22,
+        username: sshConfig.user || 'she',
+        privateKey,
+        readyTimeout: 10000,
+        keepaliveInterval: 0,
+    };
+}
+
+/**
+ * Connect to the remote host, execute a command, and return stdout/stderr.
+ * @param {object} sshConfig - config.broker.ssh
+ * @param {string} command
+ * @returns {Promise<{ stdout: string, stderr: string }>}
+ */
+function runCommand(sshConfig, command) {
+    const { Client } = getSsh2();
+    const opts = buildConnectOpts(sshConfig);
+
+    return new Promise((resolve, reject) => {
+        const conn = new Client();
+        let stdout = '';
+        let stderr = '';
+
+        conn.on('ready', () => {
+            conn.exec(command, (err, stream) => {
+                if (err) {
+                    conn.end();
+                    return reject(err);
+                }
+                stream.on('close', (code) => {
+                    conn.end();
+                    if (code !== 0) {
+                        reject(new Error(`Remote command exited ${code}: ${stderr.trim() || stdout.trim()}`));
+                    } else {
+                        resolve({ stdout: stdout.trim(), stderr: stderr.trim() });
+                    }
+                });
+                stream.on('data', (d) => {
+                    stdout += d.toString();
+                });
+                stream.stderr.on('data', (d) => {
+                    stderr += d.toString();
+                });
+            });
+        });
+
+        conn.on('error', reject);
+        conn.connect(opts);
+    });
+}
+
+/**
+ * Upload a local file to the remote host via SFTP.
+ * @param {object} sshConfig
+ * @param {string} localPath
+ * @param {string} remotePath
+ */
+function uploadFile(sshConfig, localPath, remotePath) {
+    const { Client } = getSsh2();
+    const opts = buildConnectOpts(sshConfig);
+
+    return new Promise((resolve, reject) => {
+        const conn = new Client();
+        conn.on('ready', () => {
+            conn.sftp((err, sftp) => {
+                if (err) {
+                    conn.end();
+                    return reject(err);
+                }
+                sftp.fastPut(localPath, remotePath, (err2) => {
+                    conn.end();
+                    if (err2) reject(err2);
+                    else resolve();
+                });
+            });
+        });
+        conn.on('error', reject);
+        conn.connect(opts);
+    });
+}
+
+/**
+ * Upload a string as file content to the remote host.
+ * @param {object} sshConfig
+ * @param {string} content
+ * @param {string} remotePath
+ */
+async function uploadContent(sshConfig, content, remotePath) {
+    // Write to a temp file, then SFTP upload, then delete temp
+    const tmp = path.join(os.tmpdir(), `she-ssh-${Date.now()}.tmp`);
+    fs.writeFileSync(tmp, content, 'utf8');
+    try {
+        await uploadFile(sshConfig, tmp, remotePath);
+    } finally {
+        try {
+            fs.unlinkSync(tmp);
+        } catch {
+            /* ignore */
+        }
+    }
+}
+
+/**
+ * Test SSH connectivity. Resolves to { ok: true } on success, or throws.
+ * @param {object} sshConfig
+ */
+function testConnection(sshConfig) {
+    return runCommand(sshConfig, 'echo ok').then(() => ({ ok: true }));
+}
+
+/**
+ * Generate an Ed25519 SSH keypair using the system ssh-keygen binary.
+ * @param {string} identityFile - path for the private key (e.g. ~/.she/broker_id_ed25519)
+ * @returns {Promise<string>} the public key text
+ */
+async function generateKeypair(identityFile) {
+    const expandedPath = expandHome(identityFile || '~/.she/broker_id_ed25519');
+    const dir = path.dirname(expandedPath);
+    fs.mkdirSync(dir, { recursive: true });
+
+    // Remove existing key if present
+    try {
+        fs.unlinkSync(expandedPath);
+    } catch {
+        /* ok */
+    }
+    try {
+        fs.unlinkSync(expandedPath + '.pub');
+    } catch {
+        /* ok */
+    }
+
+    await execFileAsync(
+        'ssh-keygen',
+        [
+            '-t',
+            'ed25519',
+            '-f',
+            expandedPath,
+            '-N',
+            '', // no passphrase
+            '-C',
+            'she-broker',
+        ],
+        { timeout: 15000 },
+    );
+
+    try {
+        fs.chmodSync(expandedPath, 0o600);
+    } catch {
+        /* ignore */
+    }
+
+    const pubkey = fs.readFileSync(expandedPath + '.pub', 'utf8');
+    return pubkey.trim();
+}
+
+module.exports = { runCommand, uploadFile, uploadContent, testConnection, generateKeypair };

package/src/sandbox/broker-sandbox.js

@@ -0,0 +1,113 @@
+'use strict';
+
+/**
+ * broker sandbox module — adds she.broker.* to every script context.
+ *
+ * Loaded automatically by loadSandbox() in index.js (all *.js files in
+ * src/sandbox/ are scanned). If dynsec is not configured, she.broker is still
+ * defined but every method rejects with a descriptive error so scripts can
+ * detect the situation gracefully.
+ *
+ * she.broker API:
+ *   she.broker.createUser(username, password)          → Promise
+ *   she.broker.deleteUser(username)                    → Promise
+ *   she.broker.setPassword(username, password)         → Promise
+ *   she.broker.listUsers()                             → Promise<User[]>
+ *   she.broker.getUser(username)                       → Promise<User>
+ *   she.broker.createRole(rolename)                    → Promise
+ *   she.broker.deleteRole(rolename)                    → Promise
+ *   she.broker.listRoles()                             → Promise<Role[]>
+ *   she.broker.getRole(rolename)                       → Promise<Role>
+ *   she.broker.addACL(rolename, {type, topic, allow})  → Promise
+ *   she.broker.removeACL(rolename, {type, topic})      → Promise
+ *   she.broker.assignRole(username, rolename)          → Promise
+ *   she.broker.revokeRole(username, rolename)          → Promise
+ *   she.broker.createGroup(groupname)                  → Promise
+ *   she.broker.deleteGroup(groupname)                  → Promise
+ *   she.broker.listGroups()                            → Promise<Group[]>
+ *   she.broker.addToGroup(username, groupname)         → Promise
+ *   she.broker.removeFromGroup(username, groupname)    → Promise
+ *   she.broker.assignRoleToGroup(groupname, rolename)  → Promise
+ *
+ * ACL types (dynsec):
+ *   'publishClientSend' | 'publishClientReceive' |
+ *   'subscribeLiteral'  | 'subscribePattern'     |
+ *   'unsubscribeLiteral'| 'unsubscribePattern'
+ */
+
+const dynsec = require('../lib/dynsec');
+
+module.exports = function (she) {
+    she.broker = {
+        // ── Users ──────────────────────────────────────────────────────────────
+        createUser(username, password) {
+            return dynsec.createClient(username, password);
+        },
+        deleteUser(username) {
+            return dynsec.deleteClient(username);
+        },
+        setPassword(username, password) {
+            return dynsec.setClientPassword(username, password);
+        },
+        listUsers() {
+            return dynsec.listClients(/* verbose= */ true);
+        },
+        getUser(username) {
+            return dynsec.getClient(username);
+        },
+
+        // ── Roles ──────────────────────────────────────────────────────────────
+        createRole(rolename) {
+            return dynsec.createRole(rolename);
+        },
+        deleteRole(rolename) {
+            return dynsec.deleteRole(rolename);
+        },
+        listRoles() {
+            return dynsec.listRoles(/* verbose= */ true);
+        },
+        getRole(rolename) {
+            return dynsec.getRole(rolename);
+        },
+        /**
+         * Add an ACL rule to a role.
+         * @param {string} rolename
+         * @param {{ type: string, topic: string, allow: boolean }} acl
+         */
+        addACL(rolename, { type, topic, allow }) {
+            return dynsec.addRoleACL(rolename, type, topic, allow);
+        },
+        removeACL(rolename, { type, topic }) {
+            return dynsec.removeRoleACL(rolename, type, topic);
+        },
+
+        // ── Role ↔ user assignment ─────────────────────────────────────────────
+        assignRole(username, rolename) {
+            return dynsec.addClientRole(username, rolename);
+        },
+        revokeRole(username, rolename) {
+            return dynsec.removeClientRole(username, rolename);
+        },
+
+        // ── Groups ─────────────────────────────────────────────────────────────
+        createGroup(groupname) {
+            return dynsec.createGroup(groupname);
+        },
+        deleteGroup(groupname) {
+            return dynsec.deleteGroup(groupname);
+        },
+        listGroups() {
+            return dynsec.listGroups(/* verbose= */ true);
+        },
+        addToGroup(username, groupname) {
+            // dynsec groups are addressed by group; client is the arg
+            return dynsec.addGroupClient(groupname, username);
+        },
+        removeFromGroup(username, groupname) {
+            return dynsec.removeGroupClient(groupname, username);
+        },
+        assignRoleToGroup(groupname, rolename) {
+            return dynsec.addGroupRole(groupname, rolename);
+        },
+    };
+};

package/src/sandbox/stdlib.js

@@ -161,10 +161,7 @@ module.exports = function (she, ctx = {}) {
             if (!signal) {
                 const ac = new AbortController();
                 signal = ac.signal;
-                timer = setTimeout(
-                    () => ac.abort(new Error(`she.http.fetch timed out after ${TIMEOUT_MS / 1000}s`)),
-                    TIMEOUT_MS,
-                );
+                timer = setTimeout(() => ac.abort(new Error(`she.http.fetch timed out after ${TIMEOUT_MS / 1000}s`)), TIMEOUT_MS);
             }
             return fetch(url, { ...options, signal })
                 .then((r) => {

package/src/web/ai-api.js

@@ -449,7 +449,7 @@ router.post('/prompt', (req, res) => {
 router.post('/chat', async (req, res) => {
     const ai = readAiConfig(req.app.locals.configPath);
     const { messages = [], currentScript, currentView, currentDoc, context = {}, modelOverride, extraFiles } = req.body || {};
-    const effectiveModel = (modelOverride && typeof modelOverride === 'string') ? modelOverride : ai?.model;
+    const effectiveModel = modelOverride && typeof modelOverride === 'string' ? modelOverride : ai?.model;
     if (!ai?.provider || !effectiveModel) {
         return res.status(400).json({ error: 'AI provider not configured. Set ai.provider and ai.model in Config.' });
     }
@@ -480,7 +480,7 @@ router.post('/chat', async (req, res) => {
 router.post('/chat/stream', async (req, res) => {
     const ai = readAiConfig(req.app.locals.configPath);
     const { messages = [], currentScript, currentView, currentDoc, context = {}, modelOverride, extraFiles } = req.body || {};
-    const effectiveModel = (modelOverride && typeof modelOverride === 'string') ? modelOverride : ai?.model;
+    const effectiveModel = modelOverride && typeof modelOverride === 'string' ? modelOverride : ai?.model;
     if (!ai?.provider || !effectiveModel) {
         return res.status(400).json({ error: 'AI provider not configured. Set ai.provider and ai.model in Config.' });
     }
@@ -553,15 +553,21 @@ router.get('/conversations', (req, res) => {
     ensureAiDir();
     let list = [];
     try {
-        const files = fs.readdirSync(AI_DIR).filter(f => f.endsWith('.json'));
-        list = files.map(f => {
-            try {
-                const data = JSON.parse(fs.readFileSync(path.join(AI_DIR, f), 'utf8'));
-                return { id: data.id, title: data.title || data.id, updatedAt: data.updatedAt || 0 };
-            } catch { return null; }
-        }).filter(Boolean);
+        const files = fs.readdirSync(AI_DIR).filter((f) => f.endsWith('.json'));
+        list = files
+            .map((f) => {
+                try {
+                    const data = JSON.parse(fs.readFileSync(path.join(AI_DIR, f), 'utf8'));
+                    return { id: data.id, title: data.title || data.id, updatedAt: data.updatedAt || 0 };
+                } catch {
+                    return null;
+                }
+            })
+            .filter(Boolean);
         list.sort((a, b) => b.updatedAt - a.updatedAt);
-    } catch { /* empty dir */ }
+    } catch {
+        /* empty dir */
+    }
     res.json(list);
 });
 
@@ -593,7 +599,11 @@ router.put('/conversations/:id', (req, res) => {
 router.delete('/conversations/:id', (req, res) => {
     const p = convPath(req.params.id);
     if (!p) return res.status(400).json({ error: 'invalid id' });
-    try { fs.unlinkSync(p); } catch { /* already gone */ }
+    try {
+        fs.unlinkSync(p);
+    } catch {
+        /* already gone */
+    }
     res.json({ ok: true });
 });