OmniRoute/scripts/bootstrap-env.mjs

#!/usr/bin/env node
/**
 * OmniRoute — Zero-Config Bootstrap
 *
 * Auto-generates required secrets (JWT_SECRET, STORAGE_ENCRYPTION_KEY) if
 * missing or empty, persists them to {DATA_DIR}/server.env so they survive
 * restarts, Docker volume remounts, and upgrades.
 *
 * Works across all deployment modes:
 *   - npm / CLI:  called from run-standalone.mjs and run-next.mjs
 *   - Docker:     same, secrets persisted in mounted volume
 *   - Electron:   called from main.js startup, persisted in userData
 *
 * Priority (lowest → highest):
 *   1. Auto-generated defaults
 *   2. {DATA_DIR}/server.env  (persisted on first boot)
 *   3. .env in CWD            (user overrides)
 *   4. process.env            (shell / Docker -e flags, highest priority)
 */

import { createHash, randomBytes } from "node:crypto";
import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
import { homedir } from "node:os";
import { join, resolve } from "node:path";

// ── OAuth secrets that are optional but warn if missing ─────────────────────
const OPTIONAL_OAUTH_SECRETS = [
  { key: "ANTIGRAVITY_OAUTH_CLIENT_SECRET", label: "Antigravity OAuth" },
  { key: "IFLOW_OAUTH_CLIENT_SECRET", label: "iFlow OAuth" },
  { key: "GEMINI_OAUTH_CLIENT_SECRET", label: "Gemini OAuth" },
];

// ── Resolve DATA_DIR (mirrors dataPaths.ts logic) ───────────────────────────
function resolveDataDir(overridePath) {
  if (overridePath) return resolve(overridePath);

  const configured = process.env.DATA_DIR?.trim();
  if (configured) return resolve(configured);

  if (process.platform === "win32") {
    const appData = process.env.APPDATA || join(homedir(), "AppData", "Roaming");
    return join(appData, "omniroute");
  }

  const xdg = process.env.XDG_CONFIG_HOME?.trim();
  if (xdg) return join(resolve(xdg), "omniroute");

  return join(homedir(), ".omniroute");
}

// ── Parse a simple KEY=VALUE env file ───────────────────────────────────────
function parseEnvFile(filePath) {
  if (!existsSync(filePath)) return {};
  const env = {};
  const lines = readFileSync(filePath, "utf8").split(/\r?\n/);
  for (const line of lines) {
    const trimmed = line.trim();
    if (!trimmed || trimmed.startsWith("#")) continue;
    const eqIdx = trimmed.indexOf("=");
    if (eqIdx < 1) continue;
    const key = trimmed.slice(0, eqIdx).trim();
    const val = trimmed.slice(eqIdx + 1).trim();
    env[key] = val;
  }
  return env;
}

// ── Write a simple KEY=VALUE env file ───────────────────────────────────────
function writeEnvFile(filePath, env) {
  const lines = [
    "# Auto-generated by OmniRoute bootstrap — do not delete",
    `# Created: ${new Date().toISOString()}`,
    "",
    ...Object.entries(env).map(([k, v]) => `${k}=${v}`),
    "",
  ];
  writeFileSync(filePath, lines.join("\n"), "utf8");
}

// ── Main bootstrap function ──────────────────────────────────────────────────
/**
 * @param {{ dataDirOverride?: string; quiet?: boolean }} options
 * @returns {Record<string, string>} merged env to pass to child process
 */
export function bootstrapEnv({ dataDirOverride, quiet = false } = {}) {
  const log = quiet ? () => {} : (msg) => process.stderr.write(`[bootstrap] ${msg}\n`);

  const dataDir = resolveDataDir(dataDirOverride);
  const serverEnvPath = join(dataDir, "server.env");
  const dotEnvPath = join(process.cwd(), ".env");

  // ── Layer 1: Load persisted server.env ────────────────────────────────────
  let persisted = parseEnvFile(serverEnvPath);

  // ── Layer 2: Load .env from CWD (user overrides, higher priority) ─────────
  const dotEnv = parseEnvFile(dotEnvPath);

  // ── Merge: persisted < .env < process.env ─────────────────────────────────
  const merged = { ...persisted, ...dotEnv, ...process.env };

  // ── Auto-generate required secrets ────────────────────────────────────────
  let needsPersist = false;

  if (!merged.JWT_SECRET?.trim()) {
    persisted.JWT_SECRET = randomBytes(64).toString("hex");
    merged.JWT_SECRET = persisted.JWT_SECRET;
    needsPersist = true;
    log("✨ JWT_SECRET auto-generated (first run)");
  }

  if (!merged.STORAGE_ENCRYPTION_KEY?.trim()) {
    persisted.STORAGE_ENCRYPTION_KEY = randomBytes(32).toString("hex");
    merged.STORAGE_ENCRYPTION_KEY = persisted.STORAGE_ENCRYPTION_KEY;
    needsPersist = true;
    log("✨ STORAGE_ENCRYPTION_KEY auto-generated (first run)");
  }

  if (!merged.STORAGE_ENCRYPTION_KEY_VERSION?.trim()) {
    persisted.STORAGE_ENCRYPTION_KEY_VERSION = "v1";
    merged.STORAGE_ENCRYPTION_KEY_VERSION = persisted.STORAGE_ENCRYPTION_KEY_VERSION;
    needsPersist = true;
  }

  if (!merged.API_KEY_SECRET?.trim()) {
    persisted.API_KEY_SECRET = randomBytes(32).toString("hex");
    merged.API_KEY_SECRET = persisted.API_KEY_SECRET;
    needsPersist = true;
    log("✨ API_KEY_SECRET auto-generated (first run)");
  }

  // ── Persist new secrets ────────────────────────────────────────────────────
  if (needsPersist) {
    try {
      mkdirSync(dataDir, { recursive: true });
      // Only persist keys that we auto-generated (not .env or process.env vals)
      writeEnvFile(serverEnvPath, persisted);
      log(`📁 Secrets persisted to: ${serverEnvPath}`);
    } catch (e) {
      log(`⚠️  Could not persist secrets to ${serverEnvPath}: ${e.message}`);
    }
  }

  // ── Mark as bootstrapped ───────────────────────────────────────────────────
  if (needsPersist) {
    merged.OMNIROUTE_BOOTSTRAPPED = "true";
  }

  // ── Warn about missing optional OAuth secrets ──────────────────────────────
  const missingOauth = OPTIONAL_OAUTH_SECRETS.filter(({ key }) => !merged[key]?.trim());
  if (missingOauth.length > 0) {
    log("ℹ️  The following OAuth integrations are not configured:");
    for (const { key, label } of missingOauth) {
      log(`   • ${label} (${key}) — set in .env or ${serverEnvPath}`);
    }
    log("   These providers will not work until configured.");
  }

  // ── Warn about default password ────────────────────────────────────────────
  if (merged.INITIAL_PASSWORD === "CHANGEME" || !merged.INITIAL_PASSWORD?.trim()) {
    log("⚠️  INITIAL_PASSWORD is not set — using default 'CHANGEME'. Change it in Settings!");
  }

  return merged;
}

// ── CLI usage: node scripts/bootstrap-env.mjs ──────────────────────────────
if (process.argv[1] && process.argv[1].endsWith("bootstrap-env.mjs")) {
  const env = bootstrapEnv();
  process.stderr.write(`[bootstrap] Done. DATA_DIR resolved to: ${resolveDataDir()}\n`);
  process.stderr.write(`[bootstrap] JWT_SECRET length: ${env.JWT_SECRET?.length ?? 0}\n`);
  process.stderr.write(
    `[bootstrap] STORAGE_ENCRYPTION_KEY length: ${env.STORAGE_ENCRYPTION_KEY?.length ?? 0}\n`
  );
}