southseact-3d/shopify-ai-backup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add database migration scripts and configuration files

Browse Source 
- Add verify-migration.js script for testing database migrations
- Add database config module for centralized configuration
- Add chutes.txt prompt for system responses
- Update database implementation and testing documentation
- Add database migration and setup scripts
- Update session system and LLM tool configuration
- Update deployment checklist and environment example
- Update Dockerfile and docker-compose configuration
This commit is contained in:
southseact-3d
2026-02-20 12:38:43 +00:00
parent a92797d3a7
commit cb95a916ae
19 changed files with 1104 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.env.example
View File

@@ -65,8 +65,12 @@ SESSION_SECRET=
USE_JSON_DATABASE=
DATABASE_PATH=./.data/shopify_ai.db
DATABASE_ENCRYPTION_KEY=
DATABASE_KEY_FILE=
DATABASE_BACKUP_ENABLED=1
DATABASE_WAL_MODE=1
DATABASE_USE_SQLCIPHER=1
DATABASE_CIPHER_COMPAT=4
DATABASE_KDF_ITER=64000
# JWT Token Configuration
JWT_SECRET=

30
DEPLOYMENT_CHECKLIST.md
View File

@@ -35,6 +35,8 @@ Use this checklist when deploying the secure database implementation to producti
```bash
# 1. Set environment variables
export DATABASE_ENCRYPTION_KEY=<your-64-char-hex-key>
export DATABASE_USE_SQLCIPHER=1
export DATABASE_KEY_FILE=/home/web/data/.data/.encryption_key
export JWT_SECRET=<your-64-char-hex-key>
# 2. Deploy container
@@ -71,9 +73,9 @@ docker logs shopify-ai-builder | grep "JSON"
# 4. Run migration inside container
docker exec shopify-ai-builder node /opt/webchat/scripts/migrate-to-database.js
# 5. Verify migration results
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db "SELECT COUNT(*) FROM users;"
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db "SELECT COUNT(*) FROM sessions;"
# 5. Verify migration results (SQLCipher)
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; SELECT COUNT(*) FROM users;"
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; SELECT COUNT(*) FROM sessions;"
# 6. Switch to database mode
export USE_JSON_DATABASE=0
@@ -103,13 +105,13 @@ docker logs shopify-ai-builder | grep -v "JSON"
### 2. Smoke Tests
```bash
# Test database access
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db ".tables"
# Test database access (SQLCipher)
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; .tables"
# Count records
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db "SELECT COUNT(*) FROM users;"
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db "SELECT COUNT(*) FROM sessions;"
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db "SELECT COUNT(*) FROM audit_log;"
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; SELECT COUNT(*) FROM users;"
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; SELECT COUNT(*) FROM sessions;"
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; SELECT COUNT(*) FROM audit_log;"
# Check encryption keys
docker exec shopify-ai-builder test -f /home/web/data/.data/.encryption_key && echo "Encryption key exists"
@@ -138,9 +140,9 @@ docker exec shopify-ai-builder ls -l /home/web/data/.data/
# Verify database is encrypted (should see binary data)
docker exec shopify-ai-builder head -c 100 /home/web/data/.data/shopify_ai.db | od -c
# Check audit log
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db \
"SELECT event_type, COUNT(*) FROM audit_log GROUP BY event_type;"
# Check audit log (SQLCipher)
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db \
"PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; SELECT event_type, COUNT(*) FROM audit_log GROUP BY event_type;"
```
**Checklist:**
@@ -263,15 +265,15 @@ docker exec shopify-ai-builder cp -r /home/web/data/.data/migration_backup_*/* /
### Performance Issues
```bash
# Check WAL mode
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db "PRAGMA journal_mode;"
# Check WAL mode (SQLCipher)
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; PRAGMA journal_mode;"
# Check database size
docker exec shopify-ai-builder du -h /home/web/data/.data/shopify_ai.db
# Vacuum database if needed (offline)
docker stop shopify-ai-builder
docker exec shopify-ai-builder sqlite3 /home/web/data/.data/shopify_ai.db "VACUUM;"
docker exec shopify-ai-builder sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; VACUUM;"
docker start shopify-ai-builder
```

7
Dockerfile
View File

@@ -73,6 +73,11 @@ RUN apt-get update \
tini \
libicu-dev \
libssl-dev \
build-essential \
python3 \
pkg-config \
sqlcipher \
libsqlcipher-dev \
&& rm -rf /var/lib/apt/lists/*
# Install Node.js
@@ -114,6 +119,8 @@ RUN chmod +x /usr/local/bin/entrypoint.sh /usr/local/bin/healthcheck.sh /usr/loc
# Copy webchat
COPY chat /opt/webchat
ENV npm_config_sqlite=sqlcipher \
npm_config_build_from_source=true
RUN cd /opt/webchat && npm install --production && chmod -R 755 /opt/webchat
COPY chat_v2 /opt/webchat_v2

29
chat/DATABASE_IMPLEMENTATION.md
View File

@@ -5,7 +5,7 @@ This implementation adds database encryption at rest and secure session manageme
## Features
### Phase 1.2: Database with Encryption at Rest
- ✅ SQLite database with better-sqlite3
- SQLCipher-encrypted SQLite database with better-sqlite3
- ✅ Field-level AES-256-GCM encryption for sensitive data
- ✅ PBKDF2 key derivation (100,000 iterations)
- ✅ WAL mode for better concurrency
@@ -24,16 +24,17 @@ This implementation adds database encryption at rest and secure session manageme
## Architecture
### Database Schema
- **users**: User accounts with encrypted email, name, 2FA secrets
- **users**: User accounts with encrypted email, name, 2FA secrets + JSON data column
- **sessions**: Active sessions for revocation
- **refresh_tokens**: Refresh tokens with device fingerprinting
- **token_blacklist**: Immediate token revocation
- **affiliates**, **withdrawals**, **feature_requests**, **contact_messages**
- **affiliate_accounts** (current app), **affiliates** (legacy), **withdrawals**, **feature_requests**, **contact_messages**
- **audit_log**: Comprehensive security event logging
- **payment_sessions**: DoDo payment tracking
### Encryption
- **Algorithm**: AES-256-GCM with authenticated encryption
- **Database**: SQLCipher encryption at rest
- **Algorithm**: AES-256-GCM with authenticated encryption (field-level)
- **Key Derivation**: PBKDF2 with 100,000 iterations
- **Per-field**: Sensitive fields encrypted individually
- **Token Storage**: PBKDF2 hashed (not encrypted) for secure comparison
@@ -65,8 +66,12 @@ Optional:
```bash
USE_JSON_DATABASE=1 # Use JSON files instead of database (for rollback)
DATABASE_PATH=./.data/shopify_ai.db
DATABASE_KEY_FILE=./.data/.encryption_key
DATABASE_BACKUP_ENABLED=1
DATABASE_WAL_MODE=1
DATABASE_USE_SQLCIPHER=1
DATABASE_CIPHER_COMPAT=4
DATABASE_KDF_ITER=64000
JWT_ACCESS_TOKEN_TTL=900 # 15 minutes in seconds
JWT_REFRESH_TOKEN_TTL=604800 # 7 days in seconds
```
@@ -135,14 +140,14 @@ export USE_JSON_DATABASE=1
### Verify Database Setup
```bash
# Check database exists and tables are created
sqlite3 ./.data/shopify_ai.db ".tables"
# Check database exists and tables are created (SQLCipher)
sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; .tables"
# Should output:
# affiliates payment_sessions token_blacklist
# audit_log refresh_tokens users
# contact_messages sessions withdrawals
# feature_requests
# affiliate_accounts payment_sessions token_blacklist
# affiliates refresh_tokens users
# audit_log sessions withdrawals
# contact_messages feature_requests
```
### Test Encryption
@@ -161,8 +166,8 @@ node scripts/migrate-to-database.js
### Database Health
- Check file size: `ls -lh ./.data/shopify_ai.db`
- Check WAL mode: `sqlite3 ./.data/shopify_ai.db "PRAGMA journal_mode;"`
- Check tables: `sqlite3 ./.data/shopify_ai.db ".tables"`
- Check WAL mode: `sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; PRAGMA journal_mode;"`
- Check tables: `sqlcipher ./.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; .tables"`
### Audit Logs
Audit logs are stored in the `audit_log` table and include:

10
chat/TESTING_GUIDE.md
View File

@@ -235,15 +235,15 @@ docker exec shopify-ai-test node /opt/webchat/scripts/migrate-to-database.js
### 7. Verify Tables
```bash
docker exec shopify-ai-test sqlite3 /home/web/data/.data/shopify_ai.db ".tables"
docker exec shopify-ai-test sqlcipher /home/web/data/.data/shopify_ai.db "PRAGMA key = '$DATABASE_ENCRYPTION_KEY'; .tables"
```
Expected output:
```
affiliates payment_sessions token_blacklist
audit_log refresh_tokens users
contact_messages sessions withdrawals
feature_requests
affiliate_accounts payment_sessions token_blacklist
affiliates refresh_tokens users
audit_log sessions withdrawals
contact_messages feature_requests
```
### 8. Check Encryption Keys Persisted

10
chat/package-lock.json generated
View File

@@ -15,7 +15,6 @@
"better-sqlite3": "^11.8.1",
"jsonwebtoken": "^9.0.2",
"multer": "^2.0.2",
"nodemailer": "^7.0.7",
"pdfkit": "^0.17.2",
"sharp": "^0.33.5"
}
@@ -1263,15 +1262,6 @@
"node-gyp-build-test": "build-test.js"
}
},
"node_modules/nodemailer": {
"version": "7.0.11",
"resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.11.tgz",
"integrity": "sha512-gnXhNRE0FNhD7wPSCGhdNh46Hs6nm+uTyg+Kq0cZukNQiYdnCsoQjodNP9BQVG9XrcK/v6/MgpAPBUFyzh9pvw==",
"license": "MIT-0",
"engines": {
"node": ">=6.0.0"
}
},
"node_modules/normalize-path": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",

28
chat/scripts/init-database.js
View File

@@ -7,9 +7,9 @@
const fs = require('fs');
const path = require('path');
const crypto = require('crypto');
const { DATA_ROOT, DB_PATH, KEY_FILE } = require('../src/database/config');
const DATA_ROOT = process.env.CHAT_DATA_ROOT || '/home/web/data/.data';
const DATABASE_PATH = process.env.DATABASE_PATH || path.join(DATA_ROOT, 'shopify_ai.db');
const DATABASE_PATH = DB_PATH;
const USE_JSON_DATABASE = process.env.USE_JSON_DATABASE === '1' || process.env.USE_JSON_DATABASE === 'true';
async function initializeDatabase() {
@@ -33,7 +33,15 @@ async function initializeDatabase() {
if (dbExists) {
console.log('✅ Database already exists:', DATABASE_PATH);
if (!process.env.DATABASE_ENCRYPTION_KEY && KEY_FILE && fs.existsSync(KEY_FILE)) {
const persistedKey = fs.readFileSync(KEY_FILE, 'utf8').trim();
if (persistedKey) {
process.env.DATABASE_ENCRYPTION_KEY = persistedKey;
console.log('✅ Loaded encryption key from file');
}
}
// Verify encryption key is set
if (!process.env.DATABASE_ENCRYPTION_KEY) {
console.error('❌ DATABASE_ENCRYPTION_KEY not set!');
@@ -48,6 +56,14 @@ async function initializeDatabase() {
console.log('🔧 Database not found, setting up new database...');
// Generate encryption key if not provided
if (!process.env.DATABASE_ENCRYPTION_KEY && KEY_FILE && fs.existsSync(KEY_FILE)) {
const persistedKey = fs.readFileSync(KEY_FILE, 'utf8').trim();
if (persistedKey) {
process.env.DATABASE_ENCRYPTION_KEY = persistedKey;
console.log('✅ Loaded encryption key from file');
}
}
if (!process.env.DATABASE_ENCRYPTION_KEY) {
const generatedKey = crypto.randomBytes(32).toString('hex');
process.env.DATABASE_ENCRYPTION_KEY = generatedKey;
@@ -57,7 +73,7 @@ async function initializeDatabase() {
console.log('⚠️ Add this to your environment configuration to persist it!');
// Save to a file for persistence
const keyFile = path.join(dataDir, '.encryption_key');
const keyFile = KEY_FILE || path.join(dataDir, '.encryption_key');
fs.writeFileSync(keyFile, generatedKey, { mode: 0o600 });
console.log('⚠️ Saved to:', keyFile);
}
@@ -86,8 +102,8 @@ async function initializeDatabase() {
}
// Check if there are JSON files to migrate
const usersFile = path.join(DATA_ROOT, 'users.json');
const sessionsFile = path.join(DATA_ROOT, 'user-sessions.json');
const usersFile = path.join(path.join(DATA_ROOT, '.opencode-chat'), 'users.json');
const sessionsFile = path.join(path.join(DATA_ROOT, '.opencode-chat'), 'user-sessions.json');
const hasJsonData = fs.existsSync(usersFile) || fs.existsSync(sessionsFile);

229
chat/scripts/migrate-to-database.js
View File

@@ -6,16 +6,16 @@
const fs = require('fs');
const path = require('path');
const { initDatabase, getDatabase, closeDatabase } = require('../src/database/connection');
const { initEncryption } = require('../src/utils/encryption');
const userRepo = require('../src/repositories/userRepository');
const { initEncryption, encrypt } = require('../src/utils/encryption');
const { STATE_DIR, DB_PATH, KEY_FILE } = require('../src/database/config');
const DATA_ROOT = process.env.CHAT_DATA_ROOT || path.join(__dirname, '..', '.data');
const DATABASE_PATH = process.env.DATABASE_PATH || path.join(DATA_ROOT, 'shopify_ai.db');
const DATABASE_PATH = DB_PATH;
const DATABASE_ENCRYPTION_KEY = process.env.DATABASE_ENCRYPTION_KEY;
const DATABASE_USE_SQLCIPHER = process.env.DATABASE_USE_SQLCIPHER !== '0' && process.env.DATABASE_USE_SQLCIPHER !== 'false';
const USERS_FILE = path.join(DATA_ROOT, 'users.json');
const SESSIONS_FILE = path.join(DATA_ROOT, 'user-sessions.json');
const AFFILIATES_FILE = path.join(DATA_ROOT, 'affiliates.json');
const USERS_FILE = path.join(STATE_DIR, 'users.json');
const SESSIONS_FILE = path.join(STATE_DIR, 'user-sessions.json');
const AFFILIATES_FILE = path.join(STATE_DIR, 'affiliates.json');
async function loadJsonFile(filePath, defaultValue = []) {
try {
@@ -44,30 +44,88 @@ async function migrateUsers() {
let success = 0;
let failed = 0;
const db = getDatabase();
const stmt = db.prepare(`
INSERT INTO users (
id, email, email_encrypted, name, name_encrypted, password_hash,
providers, email_verified, verification_token, verification_expires_at,
reset_token, reset_expires_at, plan, billing_status, billing_email,
payment_method_last4, subscription_renews_at, referred_by_affiliate_code,
affiliate_attribution_at, affiliate_payouts, two_factor_secret,
two_factor_enabled, created_at, updated_at, last_login_at, data
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
ON CONFLICT(id) DO UPDATE SET
email = excluded.email,
email_encrypted = excluded.email_encrypted,
name = excluded.name,
name_encrypted = excluded.name_encrypted,
password_hash = excluded.password_hash,
providers = excluded.providers,
email_verified = excluded.email_verified,
verification_token = excluded.verification_token,
verification_expires_at = excluded.verification_expires_at,
reset_token = excluded.reset_token,
reset_expires_at = excluded.reset_expires_at,
plan = excluded.plan,
billing_status = excluded.billing_status,
billing_email = excluded.billing_email,
payment_method_last4 = excluded.payment_method_last4,
subscription_renews_at = excluded.subscription_renews_at,
referred_by_affiliate_code = excluded.referred_by_affiliate_code,
affiliate_attribution_at = excluded.affiliate_attribution_at,
affiliate_payouts = excluded.affiliate_payouts,
two_factor_secret = excluded.two_factor_secret,
two_factor_enabled = excluded.two_factor_enabled,
created_at = excluded.created_at,
updated_at = excluded.updated_at,
last_login_at = excluded.last_login_at,
data = excluded.data
`);
for (const user of users) {
try {
// Check if user already exists
const existing = userRepo.getUserById(user.id);
if (existing) {
console.log(` Skipping existing user: ${user.email}`);
success++;
const normalizedEmail = (user.email || '').trim().toLowerCase();
if (!normalizedEmail) {
console.log(' Skipping user without email');
failed++;
continue;
}
// Create user in database
userRepo.createUser({
id: user.id,
email: user.email,
name: user.name || null,
passwordHash: user.passwordHash || user.password_hash,
providers: user.providers || [],
emailVerified: user.emailVerified,
verificationToken: user.verificationToken || null,
verificationExpiresAt: user.verificationExpiresAt || null,
plan: user.plan || 'hobby',
billingStatus: user.billingStatus || 'active',
billingEmail: user.billingEmail || user.email
});
const passwordHash = user.passwordHash || user.password_hash || user.password || '';
const providers = Array.isArray(user.providers) ? user.providers : [];
const affiliatePayouts = Array.isArray(user.affiliatePayouts) ? user.affiliatePayouts : [];
const dataPayload = JSON.stringify({ ...user, email: normalizedEmail || user.email || '' });
const emailEncrypted = normalizedEmail ? encrypt(normalizedEmail) : '';
const nameEncrypted = user.name ? encrypt(user.name) : null;
const twoFactorEncrypted = user.twoFactorSecret ? encrypt(user.twoFactorSecret) : null;
stmt.run(
user.id,
normalizedEmail,
emailEncrypted,
user.name || null,
nameEncrypted,
passwordHash,
JSON.stringify(providers),
user.emailVerified ? 1 : 0,
user.verificationToken || null,
user.verificationExpiresAt || null,
user.resetToken || null,
user.resetExpiresAt || null,
user.plan || 'hobby',
user.billingStatus || 'active',
user.billingEmail || user.email || '',
user.paymentMethodLast4 || '',
user.subscriptionRenewsAt || null,
user.referredByAffiliateCode || null,
user.affiliateAttributionAt || null,
JSON.stringify(affiliatePayouts),
twoFactorEncrypted,
user.twoFactorEnabled ? 1 : 0,
user.createdAt || Date.now(),
user.updatedAt || user.createdAt || Date.now(),
user.lastLoginAt || null,
dataPayload
);
console.log(` ✓ Migrated user: ${user.email}`);
success++;
@@ -99,8 +157,19 @@ async function migrateSessions() {
let expired = 0;
const db = getDatabase();
const sessionRepo = require('../src/repositories/sessionRepository');
const userExistsStmt = db.prepare('SELECT id FROM users WHERE id = ?');
const sessionStmt = db.prepare(`
INSERT INTO sessions (
id, user_id, token, refresh_token_hash, device_fingerprint,
ip_address, user_agent, expires_at, created_at, last_accessed_at
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
ON CONFLICT(id) DO UPDATE SET
user_id = excluded.user_id,
token = excluded.token,
expires_at = excluded.expires_at,
last_accessed_at = excluded.last_accessed_at
`);
for (const [token, session] of Object.entries(sessions)) {
try {
// Skip expired sessions
@@ -110,25 +179,25 @@ async function migrateSessions() {
}
// Check if user exists
const user = userRepo.getUserById(session.userId);
const user = userExistsStmt.get(session.userId);
if (!user) {
console.log(` Skipping session for non-existent user: ${session.userId}`);
failed++;
continue;
}
// Create session in database
sessionRepo.createSession({
id: session.id || require('crypto').randomUUID(),
userId: session.userId,
token: token,
deviceFingerprint: session.deviceFingerprint || null,
ipAddress: session.ipAddress || null,
userAgent: session.userAgent || null,
expiresAt: session.expiresAt,
createdAt: session.createdAt || now,
lastAccessedAt: session.lastAccessedAt || now
});
sessionStmt.run(
token,
session.userId,
token,
null,
session.deviceFingerprint || null,
session.ipAddress || null,
session.userAgent || null,
session.expiresAt,
session.createdAt || now,
session.lastAccessedAt || now
);
success++;
} catch (error) {
@@ -156,38 +225,53 @@ async function migrateAffiliates() {
let failed = 0;
const db = getDatabase();
const stmt = db.prepare(`
INSERT INTO affiliate_accounts (
id, email, name, password_hash, codes, earnings, commission_rate,
created_at, updated_at, last_login_at, last_payout_at,
email_verified, verification_token, verification_expires_at
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
ON CONFLICT(id) DO UPDATE SET
email = excluded.email,
name = excluded.name,
password_hash = excluded.password_hash,
codes = excluded.codes,
earnings = excluded.earnings,
commission_rate = excluded.commission_rate,
updated_at = excluded.updated_at,
last_login_at = excluded.last_login_at,
last_payout_at = excluded.last_payout_at,
email_verified = excluded.email_verified,
verification_token = excluded.verification_token,
verification_expires_at = excluded.verification_expires_at
`);
for (const affiliate of affiliates) {
try {
// Check if user exists
const user = userRepo.getUserById(affiliate.userId);
if (!user) {
console.log(` Skipping affiliate for non-existent user: ${affiliate.userId}`);
if (!affiliate.email) {
console.log(' Skipping affiliate without email');
failed++;
continue;
}
// Insert affiliate
const stmt = db.prepare(`
INSERT INTO affiliates (
id, user_id, codes, earnings, commission_rate,
total_referrals, total_earnings_cents, created_at, updated_at
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
`);
const affiliateEmail = (affiliate.email || '').trim().toLowerCase();
stmt.run(
affiliate.id || require('crypto').randomUUID(),
affiliate.userId,
affiliateEmail,
affiliate.name || '',
affiliate.password || affiliate.passwordHash || '',
JSON.stringify(affiliate.codes || []),
JSON.stringify(affiliate.earnings || []),
affiliate.commissionRate || 0.15,
affiliate.totalReferrals || 0,
affiliate.totalEarningsCents || 0,
affiliate.createdAt || Date.now(),
affiliate.updatedAt || Date.now()
affiliate.createdAt || new Date().toISOString(),
affiliate.updatedAt || affiliate.createdAt || new Date().toISOString(),
affiliate.lastLoginAt || null,
affiliate.lastPayoutAt || null,
affiliate.emailVerified ? 1 : 0,
affiliate.verificationToken || null,
affiliate.verificationExpiresAt || null
);
console.log(` ✓ Migrated affiliate for user: ${user.email}`);
console.log(` ✓ Migrated affiliate: ${affiliate.email}`);
success++;
} catch (error) {
console.error(` ✗ Failed to migrate affiliate:`, error.message);
@@ -229,7 +313,7 @@ async function createBackup() {
async function runMigration() {
console.log('🔄 Starting database migration...');
console.log(' Source: JSON files in', DATA_ROOT);
console.log(' Source: JSON files in', STATE_DIR);
console.log(' Target: Database at', DATABASE_PATH);
// Check if database exists
@@ -239,13 +323,21 @@ async function runMigration() {
}
// Initialize encryption
if (!DATABASE_ENCRYPTION_KEY) {
let encryptionKey = DATABASE_ENCRYPTION_KEY;
if (!encryptionKey && KEY_FILE && fs.existsSync(KEY_FILE)) {
encryptionKey = fs.readFileSync(KEY_FILE, 'utf8').trim();
if (encryptionKey) {
process.env.DATABASE_ENCRYPTION_KEY = encryptionKey;
console.log('✅ Loaded encryption key from file');
}
}
if (!encryptionKey) {
console.error('❌ DATABASE_ENCRYPTION_KEY not set');
process.exit(1);
}
try {
initEncryption(DATABASE_ENCRYPTION_KEY);
initEncryption(encryptionKey);
console.log('✅ Encryption initialized');
} catch (error) {
console.error('❌ Failed to initialize encryption:', error.message);
@@ -254,7 +346,12 @@ async function runMigration() {
// Initialize database
try {
initDatabase(DATABASE_PATH, { verbose: false });
initDatabase(DATABASE_PATH, {
verbose: false,
sqlcipherKey: DATABASE_USE_SQLCIPHER ? encryptionKey : null,
cipherCompatibility: process.env.DATABASE_CIPHER_COMPAT || 4,
kdfIter: process.env.DATABASE_KDF_ITER || 64000
});
console.log('✅ Database connected');
} catch (error) {
console.error('❌ Failed to connect to database:', error.message);

45
chat/scripts/setup-database.js
View File

@@ -8,12 +8,13 @@ const fs = require('fs');
const path = require('path');
const { initDatabase, getDatabase, closeDatabase } = require('../src/database/connection');
const { initEncryption } = require('../src/utils/encryption');
const { DB_PATH, KEY_FILE } = require('../src/database/config');
const crypto = require('crypto');
const DATA_ROOT = process.env.CHAT_DATA_ROOT || path.join(__dirname, '..', '.data');
const DATABASE_PATH = process.env.DATABASE_PATH || path.join(DATA_ROOT, 'shopify_ai.db');
const DATABASE_PATH = DB_PATH;
const DATABASE_ENCRYPTION_KEY = process.env.DATABASE_ENCRYPTION_KEY;
const WAL_MODE = process.env.DATABASE_WAL_MODE !== '0' && process.env.DATABASE_WAL_MODE !== 'false';
const DATABASE_USE_SQLCIPHER = process.env.DATABASE_USE_SQLCIPHER !== '0' && process.env.DATABASE_USE_SQLCIPHER !== 'false';
async function setupDatabase() {
console.log('🔧 Setting up database...');
@@ -26,14 +27,35 @@ async function setupDatabase() {
console.log(' Created data directory:', dataDir);
}
let encryptionKey = DATABASE_ENCRYPTION_KEY;
// Check if encryption key is provided
if (!DATABASE_ENCRYPTION_KEY) {
if (!encryptionKey) {
if (fs.existsSync(KEY_FILE)) {
encryptionKey = fs.readFileSync(KEY_FILE, 'utf8').trim();
if (encryptionKey) {
process.env.DATABASE_ENCRYPTION_KEY = encryptionKey;
console.log('✅ Loaded encryption key from file');
}
}
}
if (!encryptionKey) {
console.warn('⚠️ WARNING: No DATABASE_ENCRYPTION_KEY found!');
console.warn('⚠️ Generating a random key for this session (not persistent).');
console.warn('⚠️ For production, set DATABASE_ENCRYPTION_KEY environment variable.');
console.warn('⚠️ Generate one with: openssl rand -hex 32');
const generatedKey = crypto.randomBytes(32).toString('hex');
process.env.DATABASE_ENCRYPTION_KEY = generatedKey;
encryptionKey = generatedKey;
try {
const keyDir = path.dirname(KEY_FILE);
if (!fs.existsSync(keyDir)) fs.mkdirSync(keyDir, { recursive: true });
fs.writeFileSync(KEY_FILE, generatedKey, { mode: 0o600 });
console.log('⚠️ Saved generated key to:', KEY_FILE);
} catch (err) {
console.warn('⚠️ Failed to persist encryption key:', err.message);
}
console.log('✅ Generated temporary encryption key');
} else {
console.log('✅ Using encryption key from environment');
@@ -41,7 +63,7 @@ async function setupDatabase() {
// Initialize encryption
try {
initEncryption(process.env.DATABASE_ENCRYPTION_KEY);
initEncryption(encryptionKey);
console.log('✅ Encryption initialized');
} catch (error) {
console.error('❌ Failed to initialize encryption:', error.message);
@@ -52,7 +74,10 @@ async function setupDatabase() {
try {
initDatabase(DATABASE_PATH, {
verbose: false,
walMode: WAL_MODE
walMode: WAL_MODE,
sqlcipherKey: DATABASE_USE_SQLCIPHER ? encryptionKey : null,
cipherCompatibility: process.env.DATABASE_CIPHER_COMPAT || 4,
kdfIter: process.env.DATABASE_KDF_ITER || 64000
});
console.log('✅ Database initialized');
} catch (error) {
@@ -70,7 +95,15 @@ async function setupDatabase() {
// Execute the entire schema as one block
// SQLite can handle multiple statements with exec()
db.exec(schema);
// Add missing columns if this is an upgraded database
const userColumns = db.prepare('PRAGMA table_info(users)').all();
const userColumnNames = new Set(userColumns.map((c) => c.name));
if (!userColumnNames.has('data')) {
db.exec('ALTER TABLE users ADD COLUMN data TEXT');
console.log('✅ Added users.data column');
}
console.log('✅ Database schema created');
} catch (error) {
console.error('❌ Failed to create schema:', error.message);

69
chat/scripts/verify-migration.js Normal file
View File

@@ -0,0 +1,69 @@
#!/usr/bin/env node
/**
* Verify JSON -> Database migration counts
*/
const fs = require('fs');
const path = require('path');
const { initDatabase, getDatabase, closeDatabase } = require('../src/database/connection');
const { initEncryption } = require('../src/utils/encryption');
const { STATE_DIR, DB_PATH, KEY_FILE } = require('../src/database/config');
function loadJson(filePath, fallback) {
try {
const raw = fs.readFileSync(filePath, 'utf8');
return JSON.parse(raw || JSON.stringify(fallback));
} catch (_) {
return fallback;
}
}
function resolveKey() {
if (process.env.DATABASE_ENCRYPTION_KEY) return process.env.DATABASE_ENCRYPTION_KEY.trim();
if (KEY_FILE && fs.existsSync(KEY_FILE)) {
const key = fs.readFileSync(KEY_FILE, 'utf8').trim();
if (key) {
process.env.DATABASE_ENCRYPTION_KEY = key;
return key;
}
}
return '';
}
function main() {
const key = resolveKey();
if (!key) {
console.error('❌ DATABASE_ENCRYPTION_KEY not set (and no key file found).');
process.exit(1);
}
initEncryption(key);
const useSqlcipher = process.env.DATABASE_USE_SQLCIPHER !== '0' && process.env.DATABASE_USE_SQLCIPHER !== 'false';
initDatabase(DB_PATH, {
sqlcipherKey: useSqlcipher ? key : null,
cipherCompatibility: process.env.DATABASE_CIPHER_COMPAT || 4,
kdfIter: process.env.DATABASE_KDF_ITER || 64000
});
const db = getDatabase();
const now = Date.now();
const usersJson = loadJson(path.join(STATE_DIR, 'users.json'), []);
const sessionsJson = loadJson(path.join(STATE_DIR, 'user-sessions.json'), {});
const affiliatesJson = loadJson(path.join(STATE_DIR, 'affiliates.json'), []);
const usersDb = db.prepare('SELECT COUNT(*) as count FROM users').get().count;
const sessionsDb = db.prepare('SELECT COUNT(*) as count FROM sessions WHERE expires_at > ?').get(now).count;
const affiliatesDb = db.prepare('SELECT COUNT(*) as count FROM affiliate_accounts').get().count;
const activeJsonSessions = Object.values(sessionsJson || {}).filter((session) => session?.expiresAt && session.expiresAt > now).length;
console.log('Migration verification:');
console.log(` Users: JSON=${Array.isArray(usersJson) ? usersJson.length : 0} DB=${usersDb}`);
console.log(` Sessions (active): JSON=${activeJsonSessions} DB=${sessionsDb}`);
console.log(` Affiliates: JSON=${Array.isArray(affiliatesJson) ? affiliatesJson.length : 0} DB=${affiliatesDb}`);
closeDatabase();
}
main();

505
chat/server.js
View File

@@ -18,6 +18,9 @@ const security = require('./security');
const { createExternalWpTester, getExternalTestingConfig } = require('./external-wp-testing');
const blogSystem = require('./blog-system');
const versionManager = require('./src/utils/versionManager');
const { DATA_ROOT, STATE_DIR, DB_PATH, KEY_FILE } = require('./src/database/config');
const { initDatabase, getDatabase, closeDatabase } = require('./src/database/connection');
const { initEncryption, encrypt } = require('./src/utils/encryption');
let sharp = null;
try {
@@ -100,8 +103,11 @@ function detectDockerLimits(baseMemoryBytes, baseCpuCores, repoRoot) {
const PORT = Number(process.env.CHAT_PORT || 4000);
const HOST = process.env.CHAT_HOST || '0.0.0.0';
const DATA_ROOT = process.env.CHAT_DATA_ROOT || path.join(process.cwd(), '.data');
const STATE_DIR = path.join(DATA_ROOT, '.opencode-chat');
const USE_JSON_DATABASE = process.env.USE_JSON_DATABASE === '1' || process.env.USE_JSON_DATABASE === 'true';
const DATABASE_WAL_MODE = process.env.DATABASE_WAL_MODE !== '0' && process.env.DATABASE_WAL_MODE !== 'false';
const DATABASE_USE_SQLCIPHER = process.env.DATABASE_USE_SQLCIPHER !== '0' && process.env.DATABASE_USE_SQLCIPHER !== 'false';
const DATABASE_CIPHER_COMPAT = process.env.DATABASE_CIPHER_COMPAT || 4;
const DATABASE_KDF_ITER = process.env.DATABASE_KDF_ITER || 64000;
const STATE_FILE = path.join(STATE_DIR, 'sessions.json');
const WORKSPACES_ROOT = path.join(DATA_ROOT, 'apps');
const STATIC_ROOT = path.join(__dirname, 'public');
@@ -1574,6 +1580,8 @@ const apiRateLimit = new Map(); // { userId: { requests, windowStart } }
const csrfTokens = new Map(); // { token: { userId, expiresAt } }
let usersDb = []; // In-memory user database cache
let invoicesDb = []; // In-memory invoice database cache
let databaseEnabled = false;
let databaseFallbackReason = '';
let mailTransport = null;
function summarizeMailConfig() {
@@ -2154,9 +2162,197 @@ function requireAdminAuth(req, res) {
return session;
}
async function loadDatabaseKey() {
if (process.env.DATABASE_ENCRYPTION_KEY) {
return process.env.DATABASE_ENCRYPTION_KEY.trim();
}
try {
if (KEY_FILE && fsSync.existsSync(KEY_FILE)) {
const key = fsSync.readFileSync(KEY_FILE, 'utf8').trim();
if (key) {
process.env.DATABASE_ENCRYPTION_KEY = key;
return key;
}
}
} catch (_) { }
return '';
}
async function initializeDatabaseLayer() {
if (USE_JSON_DATABASE) {
databaseEnabled = false;
databaseFallbackReason = 'USE_JSON_DATABASE';
log('Database disabled via USE_JSON_DATABASE, using JSON storage');
return;
}
const dbExists = fsSync.existsSync(DB_PATH);
const key = await loadDatabaseKey();
if (!key) {
databaseEnabled = false;
databaseFallbackReason = dbExists ? 'missing_key' : 'no_key';
if (dbExists) {
log('DATABASE_ENCRYPTION_KEY missing; falling back to JSON mode', { DB_PATH, KEY_FILE });
} else {
log('No database key and no database found; using JSON mode', { DB_PATH });
}
return;
}
try {
initEncryption(key);
} catch (error) {
databaseEnabled = false;
databaseFallbackReason = 'encryption_init_failed';
log('Failed to initialize encryption; falling back to JSON mode', { error: String(error) });
return;
}
try {
initDatabase(DB_PATH, {
walMode: DATABASE_WAL_MODE,
sqlcipherKey: DATABASE_USE_SQLCIPHER ? key : null,
cipherCompatibility: DATABASE_CIPHER_COMPAT,
kdfIter: DATABASE_KDF_ITER
});
ensureDatabaseSchema();
databaseEnabled = true;
databaseFallbackReason = '';
log('Database mode enabled', { dbPath: DB_PATH, sqlcipher: DATABASE_USE_SQLCIPHER });
} catch (error) {
closeDatabase();
databaseEnabled = false;
databaseFallbackReason = 'db_init_failed';
log('Failed to initialize database; falling back to JSON mode', { error: String(error) });
}
}
function ensureDatabaseSchema() {
const db = getDatabase();
if (!db) return;
try {
const userColumns = db.prepare('PRAGMA table_info(users)').all();
const userColumnNames = new Set(userColumns.map((c) => c.name));
if (!userColumnNames.has('data')) {
db.exec('ALTER TABLE users ADD COLUMN data TEXT');
log('Added users.data column');
}
db.exec(`
CREATE TABLE IF NOT EXISTS affiliate_accounts (
id TEXT PRIMARY KEY,
email TEXT UNIQUE NOT NULL,
name TEXT,
password_hash TEXT NOT NULL,
codes TEXT NOT NULL DEFAULT '[]',
earnings TEXT NOT NULL DEFAULT '[]',
commission_rate REAL NOT NULL DEFAULT 0.15,
created_at TEXT NOT NULL,
updated_at TEXT NOT NULL,
last_login_at TEXT,
last_payout_at TEXT,
email_verified INTEGER DEFAULT 0,
verification_token TEXT,
verification_expires_at TEXT
);
`);
db.exec('CREATE INDEX IF NOT EXISTS idx_affiliate_accounts_email ON affiliate_accounts(email);');
} catch (error) {
log('Failed to ensure database schema', { error: String(error) });
}
}
// User authentication functions
async function loadUsersDb() {
let shouldPersist = false;
if (databaseEnabled) {
try {
const db = getDatabase();
if (!db) throw new Error('Database not initialized');
const rows = db.prepare('SELECT * FROM users').all();
usersDb = rows.map((row) => {
let payload = {};
if (row?.data) {
try {
payload = JSON.parse(row.data);
} catch (_) {
payload = {};
}
}
const user = { ...payload };
user.id = row.id;
user.email = row.email || user.email || '';
user.password = row.password_hash || user.password || '';
if (row.providers) {
try {
user.providers = JSON.parse(row.providers);
} catch (_) {
user.providers = Array.isArray(user.providers) ? user.providers : [];
}
} else {
user.providers = Array.isArray(user.providers) ? user.providers : [];
}
user.emailVerified = typeof user.emailVerified === 'boolean' ? user.emailVerified : Boolean(row.email_verified);
user.verificationToken = row.verification_token || user.verificationToken || '';
user.verificationExpiresAt = row.verification_expires_at || user.verificationExpiresAt || null;
user.resetToken = row.reset_token || user.resetToken || '';
user.resetExpiresAt = row.reset_expires_at || user.resetExpiresAt || null;
user.plan = row.plan || user.plan || null;
user.billingStatus = row.billing_status || user.billingStatus || DEFAULT_BILLING_STATUS;
user.billingEmail = row.billing_email || user.billingEmail || user.email || '';
user.paymentMethodLast4 = row.payment_method_last4 || user.paymentMethodLast4 || '';
user.subscriptionRenewsAt = row.subscription_renews_at || user.subscriptionRenewsAt || null;
user.referredByAffiliateCode = sanitizeAffiliateCode(row.referred_by_affiliate_code || user.referredByAffiliateCode);
user.affiliateAttributionAt = row.affiliate_attribution_at || user.affiliateAttributionAt || null;
if (row.affiliate_payouts) {
try {
user.affiliatePayouts = JSON.parse(row.affiliate_payouts);
} catch (_) {
user.affiliatePayouts = Array.isArray(user.affiliatePayouts) ? user.affiliatePayouts : [];
}
} else {
user.affiliatePayouts = Array.isArray(user.affiliatePayouts) ? user.affiliatePayouts : [];
}
user.twoFactorSecret = row.two_factor_secret || user.twoFactorSecret || null;
user.twoFactorEnabled = typeof user.twoFactorEnabled === 'boolean' ? user.twoFactorEnabled : Boolean(row.two_factor_enabled);
user.createdAt = row.created_at || user.createdAt || null;
user.updatedAt = row.updated_at || user.updatedAt || null;
user.lastLoginAt = row.last_login_at || user.lastLoginAt || null;
const verification = normalizeVerificationState(user);
if (verification.shouldPersist) shouldPersist = true;
const normalizedPlan = normalizePlanSelection(user?.plan) || DEFAULT_PLAN;
return {
...user,
emailVerified: verification.verified,
verificationToken: verification.verificationToken,
verificationExpiresAt: verification.verificationExpiresAt,
plan: normalizedPlan,
billingStatus: user?.billingStatus || DEFAULT_BILLING_STATUS,
billingEmail: user?.billingEmail || user?.email || '',
paymentMethodLast4: user?.paymentMethodLast4 || '',
subscriptionRenewsAt: user?.subscriptionRenewsAt || null,
referredByAffiliateCode: sanitizeAffiliateCode(user?.referredByAffiliateCode),
affiliateAttributionAt: user?.affiliateAttributionAt || null,
affiliatePayouts: Array.isArray(user?.affiliatePayouts)
? user.affiliatePayouts.map((p) => normalizePlanSelection(p)).filter(Boolean)
: [],
};
});
if (shouldPersist) {
await persistUsersDb();
}
log('Loaded users database', { count: usersDb.length, mode: 'database' });
return;
} catch (error) {
log('Failed to load users database from DB, falling back to JSON', { error: String(error) });
closeDatabase();
databaseEnabled = false;
databaseFallbackReason = 'load_failed';
}
}
try {
await ensureStateFile();
await fs.access(USERS_DB_FILE);
@@ -2198,12 +2394,136 @@ async function loadUsersDb() {
}
async function persistUsersDb() {
if (databaseEnabled) {
try {
const db = getDatabase();
if (!db) throw new Error('Database not initialized');
const now = new Date().toISOString();
const stmt = db.prepare(`
INSERT INTO users (
id, email, email_encrypted, name, name_encrypted, password_hash,
providers, email_verified, verification_token, verification_expires_at,
reset_token, reset_expires_at, plan, billing_status, billing_email,
payment_method_last4, subscription_renews_at, referred_by_affiliate_code,
affiliate_attribution_at, affiliate_payouts, two_factor_secret,
two_factor_enabled, created_at, updated_at, last_login_at, data
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
ON CONFLICT(id) DO UPDATE SET
email = excluded.email,
email_encrypted = excluded.email_encrypted,
name = excluded.name,
name_encrypted = excluded.name_encrypted,
password_hash = excluded.password_hash,
providers = excluded.providers,
email_verified = excluded.email_verified,
verification_token = excluded.verification_token,
verification_expires_at = excluded.verification_expires_at,
reset_token = excluded.reset_token,
reset_expires_at = excluded.reset_expires_at,
plan = excluded.plan,
billing_status = excluded.billing_status,
billing_email = excluded.billing_email,
payment_method_last4 = excluded.payment_method_last4,
subscription_renews_at = excluded.subscription_renews_at,
referred_by_affiliate_code = excluded.referred_by_affiliate_code,
affiliate_attribution_at = excluded.affiliate_attribution_at,
affiliate_payouts = excluded.affiliate_payouts,
two_factor_secret = excluded.two_factor_secret,
two_factor_enabled = excluded.two_factor_enabled,
created_at = excluded.created_at,
updated_at = excluded.updated_at,
last_login_at = excluded.last_login_at,
data = excluded.data
`);
const ids = [];
db.transaction(() => {
for (const user of usersDb) {
if (!user || !user.id) continue;
ids.push(user.id);
const normalizedEmail = (user.email || '').trim().toLowerCase();
const passwordHash = user.passwordHash || user.password || '';
const referredCode = sanitizeAffiliateCode(user.referredByAffiliateCode);
const providers = Array.isArray(user.providers) ? user.providers : [];
const affiliatePayouts = Array.isArray(user.affiliatePayouts) ? user.affiliatePayouts : [];
const dataPayload = JSON.stringify({ ...user, email: normalizedEmail || user.email || '' });
const emailEncrypted = normalizedEmail ? encrypt(normalizedEmail) : '';
const nameEncrypted = user.name ? encrypt(user.name) : null;
const twoFactorEncrypted = user.twoFactorSecret ? encrypt(user.twoFactorSecret) : null;
stmt.run(
user.id,
normalizedEmail,
emailEncrypted,
user.name || null,
nameEncrypted,
passwordHash,
JSON.stringify(providers),
user.emailVerified ? 1 : 0,
user.verificationToken || null,
user.verificationExpiresAt || null,
user.resetToken || null,
user.resetExpiresAt || null,
user.plan || 'hobby',
user.billingStatus || DEFAULT_BILLING_STATUS,
user.billingEmail || user.email || '',
user.paymentMethodLast4 || '',
user.subscriptionRenewsAt || null,
referredCode || null,
user.affiliateAttributionAt || null,
JSON.stringify(affiliatePayouts),
twoFactorEncrypted,
user.twoFactorEnabled ? 1 : 0,
user.createdAt || now,
user.updatedAt || user.createdAt || now,
user.lastLoginAt || null,
dataPayload
);
}
if (ids.length === 0) {
db.prepare('DELETE FROM users').run();
} else if (ids.length <= 900) {
const placeholders = ids.map(() => '?').join(',');
db.prepare(`DELETE FROM users WHERE id NOT IN (${placeholders})`).run(...ids);
} else {
log('Skipping users cleanup (too many rows for NOT IN)', { count: ids.length });
}
})();
} catch (error) {
log('Failed to persist users database (DB)', { error: String(error) });
}
return;
}
await ensureStateFile();
const payload = JSON.stringify(usersDb, null, 2);
await safeWriteFile(USERS_DB_FILE, payload);
}
async function loadUserSessions() {
userSessions.clear();
if (databaseEnabled) {
try {
const db = getDatabase();
if (!db) throw new Error('Database not initialized');
const now = Date.now();
const rows = db.prepare('SELECT token, user_id, expires_at FROM sessions WHERE expires_at > ?').all(now);
for (const row of rows) {
if (row?.token && row?.user_id) {
userSessions.set(row.token, { userId: row.user_id, expiresAt: row.expires_at });
}
}
log('Loaded user sessions', { count: userSessions.size, mode: 'database' });
return;
} catch (error) {
log('Failed to load user sessions from DB, falling back to JSON', { error: String(error) });
closeDatabase();
databaseEnabled = false;
databaseFallbackReason = 'load_failed';
}
}
try {
await ensureStateFile();
const raw = await fs.readFile(USER_SESSIONS_FILE, 'utf8').catch(() => null);
@@ -2223,6 +2543,57 @@ async function loadUserSessions() {
}
async function persistUserSessions() {
if (databaseEnabled) {
try {
const db = getDatabase();
if (!db) throw new Error('Database not initialized');
const now = Date.now();
const tokens = [];
const stmt = db.prepare(`
INSERT INTO sessions (
id, user_id, token, refresh_token_hash, device_fingerprint,
ip_address, user_agent, expires_at, created_at, last_accessed_at
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
ON CONFLICT(id) DO UPDATE SET
user_id = excluded.user_id,
token = excluded.token,
expires_at = excluded.expires_at,
last_accessed_at = excluded.last_accessed_at
`);
db.transaction(() => {
db.prepare('DELETE FROM sessions WHERE expires_at <= ?').run(now);
for (const [token, session] of userSessions.entries()) {
if (!session.expiresAt || session.expiresAt <= now) continue;
tokens.push(token);
stmt.run(
token,
session.userId,
token,
null,
null,
null,
null,
session.expiresAt,
now,
now
);
}
if (tokens.length === 0) {
db.prepare('DELETE FROM sessions').run();
} else if (tokens.length <= 900) {
const placeholders = tokens.map(() => '?').join(',');
db.prepare(`DELETE FROM sessions WHERE token NOT IN (${placeholders})`).run(...tokens);
} else {
log('Skipping session cleanup (too many rows for NOT IN)', { count: tokens.length });
}
})();
} catch (error) {
log('Failed to persist user sessions (DB)', { error: String(error) });
}
return;
}
await ensureStateFile();
const now = Date.now();
const sessions = {};
@@ -2240,6 +2611,72 @@ function sanitizeAffiliateCode(code) {
}
async function loadAffiliatesDb() {
if (databaseEnabled) {
try {
const db = getDatabase();
if (!db) throw new Error('Database not initialized');
const rows = db.prepare('SELECT * FROM affiliate_accounts').all();
affiliatesDb = rows.map((row) => ({
id: row.id,
email: (row.email || '').trim().toLowerCase(),
name: row.name || row.email,
password: row.password_hash || '',
createdAt: row.created_at || new Date().toISOString(),
lastLoginAt: row.last_login_at || null,
commissionRate: Number.isFinite(row.commission_rate) ? row.commission_rate : AFFILIATE_COMMISSION_RATE,
codes: (() => {
try {
const parsed = JSON.parse(row.codes || '[]');
return Array.isArray(parsed) ? parsed : [];
} catch (_) {
return [];
}
})(),
earnings: (() => {
try {
const parsed = JSON.parse(row.earnings || '[]');
return Array.isArray(parsed) ? parsed : [];
} catch (_) {
return [];
}
})(),
lastPayoutAt: row.last_payout_at || null,
emailVerified: Boolean(row.email_verified),
verificationToken: row.verification_token || '',
verificationExpiresAt: row.verification_expires_at || null,
updatedAt: row.updated_at || row.created_at || new Date().toISOString(),
}));
let changed = false;
for (const affiliate of affiliatesDb) {
affiliate.codes = Array.isArray(affiliate?.codes) && affiliate.codes.length
? affiliate.codes.map((c) => ({
code: sanitizeAffiliateCode(c.code || c.id || c.slug || ''),
label: c.label || 'Tracking link',
createdAt: c.createdAt || affiliate.createdAt || new Date().toISOString(),
})).filter((c) => c.code)
: [];
affiliate.earnings = Array.isArray(affiliate?.earnings) ? affiliate.earnings : [];
if (!affiliate.codes || !affiliate.codes.length) {
const fallbackCode = generateTrackingCode();
affiliate.codes = [{
code: fallbackCode,
label: 'Default link',
createdAt: affiliate.createdAt || new Date().toISOString(),
}];
changed = true;
}
}
if (changed) await persistAffiliatesDb();
log('Loaded affiliates database', { count: affiliatesDb.length, mode: 'database' });
return;
} catch (error) {
log('Failed to load affiliates database from DB, falling back to JSON', { error: String(error) });
closeDatabase();
databaseEnabled = false;
databaseFallbackReason = 'load_failed';
}
}
try {
await ensureStateFile();
let raw = '[]';
@@ -2278,6 +2715,69 @@ async function loadAffiliatesDb() {
}
async function persistAffiliatesDb() {
if (databaseEnabled) {
try {
const db = getDatabase();
if (!db) throw new Error('Database not initialized');
const now = new Date().toISOString();
const stmt = db.prepare(`
INSERT INTO affiliate_accounts (
id, email, name, password_hash, codes, earnings, commission_rate,
created_at, updated_at, last_login_at, last_payout_at,
email_verified, verification_token, verification_expires_at
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
ON CONFLICT(id) DO UPDATE SET
email = excluded.email,
name = excluded.name,
password_hash = excluded.password_hash,
codes = excluded.codes,
earnings = excluded.earnings,
commission_rate = excluded.commission_rate,
updated_at = excluded.updated_at,
last_login_at = excluded.last_login_at,
last_payout_at = excluded.last_payout_at,
email_verified = excluded.email_verified,
verification_token = excluded.verification_token,
verification_expires_at = excluded.verification_expires_at
`);
const ids = [];
db.transaction(() => {
for (const affiliate of affiliatesDb) {
if (!affiliate || !affiliate.id) continue;
ids.push(affiliate.id);
stmt.run(
affiliate.id,
(affiliate.email || '').trim().toLowerCase(),
affiliate.name || '',
affiliate.password || affiliate.passwordHash || '',
JSON.stringify(Array.isArray(affiliate.codes) ? affiliate.codes : []),
JSON.stringify(Array.isArray(affiliate.earnings) ? affiliate.earnings : []),
Number.isFinite(affiliate.commissionRate) ? affiliate.commissionRate : AFFILIATE_COMMISSION_RATE,
affiliate.createdAt || now,
affiliate.updatedAt || affiliate.createdAt || now,
affiliate.lastLoginAt || null,
affiliate.lastPayoutAt || null,
affiliate.emailVerified ? 1 : 0,
affiliate.verificationToken || null,
affiliate.verificationExpiresAt || null
);
}
if (ids.length === 0) {
db.prepare('DELETE FROM affiliate_accounts').run();
} else if (ids.length <= 900) {
const placeholders = ids.map(() => '?').join(',');
db.prepare(`DELETE FROM affiliate_accounts WHERE id NOT IN (${placeholders})`).run(...ids);
} else {
log('Skipping affiliates cleanup (too many rows for NOT IN)', { count: ids.length });
}
})();
} catch (error) {
log('Failed to persist affiliates database (DB)', { error: String(error) });
}
return;
}
await ensureStateFile();
const payload = JSON.stringify(affiliatesDb, null, 2);
await safeWriteFile(AFFILIATES_FILE, payload);
@@ -19421,6 +19921,7 @@ async function bootstrap() {
await loadSubscriptionSessions();
await loadPendingSubscriptions();
await loadInvoicesDb();
await initializeDatabaseLayer();
await loadUsersDb(); // Load user authentication database
await loadUserSessions(); // Load user sessions
await loadAffiliatesDb();

21
chat/src/database/config.js Normal file
View File

@@ -0,0 +1,21 @@
const path = require('path');
function resolvePath(root, value, fallback) {
if (!value) return fallback;
if (path.isAbsolute(value)) return value;
return path.join(root, value);
}
const DATA_ROOT = process.env.CHAT_DATA_ROOT || path.join(process.cwd(), '.data');
const STATE_DIR = path.join(DATA_ROOT, '.opencode-chat');
const DEFAULT_DB_PATH = path.join(DATA_ROOT, '.data', 'shopify_ai.db');
const DB_PATH = resolvePath(DATA_ROOT, process.env.DATABASE_PATH, DEFAULT_DB_PATH);
const DEFAULT_KEY_FILE = path.join(path.dirname(DB_PATH), '.encryption_key');
const KEY_FILE = resolvePath(DATA_ROOT, process.env.DATABASE_KEY_FILE, DEFAULT_KEY_FILE);
module.exports = {
DATA_ROOT,
STATE_DIR,
DB_PATH,
KEY_FILE
};

18
chat/src/database/connection.js
View File

@@ -1,7 +1,7 @@
/**
* Database connection module with SQLite support
* Uses better-sqlite3 for synchronous operations
* Note: SQLCipher support requires special compilation, using AES-256-GCM encryption at field level instead
* Note: SQLCipher support requires special compilation and is enabled via configuration
*/
const Database = require('better-sqlite3');
@@ -11,6 +11,10 @@ const fs = require('fs');
let db = null;
let dbPath = null;
function escapeSqliteString(value) {
return String(value || '').replace(/'/g, "''");
}
/**
* Initialize database connection
* @param {string} databasePath - Path to the database file
@@ -43,6 +47,18 @@ function initDatabase(databasePath, options = {}) {
db = new Database(databasePath, dbOptions);
// SQLCipher support (optional)
if (options.sqlcipherKey) {
const escapedKey = escapeSqliteString(options.sqlcipherKey);
db.pragma(`key = '${escapedKey}'`);
if (options.cipherCompatibility) {
db.pragma(`cipher_compatibility = ${Number(options.cipherCompatibility)}`);
}
if (options.kdfIter) {
db.pragma(`kdf_iter = ${Number(options.kdfIter)}`);
}
}
// Enable WAL mode for better concurrency
if (options.walMode !== false) {
db.pragma('journal_mode = WAL');

22
chat/src/database/schema.sql
View File

@@ -31,7 +31,8 @@ CREATE TABLE IF NOT EXISTS users (
two_factor_enabled INTEGER DEFAULT 0,
created_at INTEGER NOT NULL,
updated_at INTEGER NOT NULL,
last_login_at INTEGER
last_login_at INTEGER,
data TEXT -- Full user payload (JSON)
);
-- Sessions table for active user sessions
@@ -92,6 +93,24 @@ CREATE TABLE IF NOT EXISTS affiliates (
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
-- Affiliate accounts (used by current app)
CREATE TABLE IF NOT EXISTS affiliate_accounts (
id TEXT PRIMARY KEY,
email TEXT UNIQUE NOT NULL,
name TEXT,
password_hash TEXT NOT NULL,
codes TEXT NOT NULL DEFAULT '[]', -- JSON array of tracking codes
earnings TEXT NOT NULL DEFAULT '[]', -- JSON array of earnings
commission_rate REAL NOT NULL DEFAULT 0.15,
created_at TEXT NOT NULL,
updated_at TEXT NOT NULL,
last_login_at TEXT,
last_payout_at TEXT,
email_verified INTEGER DEFAULT 0,
verification_token TEXT,
verification_expires_at TEXT
);
-- Withdrawals table
CREATE TABLE IF NOT EXISTS withdrawals (
id TEXT PRIMARY KEY,
@@ -172,6 +191,7 @@ CREATE INDEX IF NOT EXISTS idx_refresh_tokens_token_hash ON refresh_tokens(token
CREATE INDEX IF NOT EXISTS idx_token_blacklist_token_jti ON token_blacklist(token_jti);
CREATE INDEX IF NOT EXISTS idx_token_blacklist_expires_at ON token_blacklist(expires_at);
CREATE INDEX IF NOT EXISTS idx_affiliates_user_id ON affiliates(user_id);
CREATE INDEX IF NOT EXISTS idx_affiliate_accounts_email ON affiliate_accounts(email);
CREATE INDEX IF NOT EXISTS idx_withdrawals_affiliate_id ON withdrawals(affiliate_id);
CREATE INDEX IF NOT EXISTS idx_feature_requests_user_id ON feature_requests(user_id);
CREATE INDEX IF NOT EXISTS idx_audit_log_user_id ON audit_log(user_id);

4
docker-compose.yml
View File

@@ -95,8 +95,12 @@ services:
- USE_JSON_DATABASE=${USE_JSON_DATABASE:-}
- DATABASE_PATH=${DATABASE_PATH:-}
- DATABASE_ENCRYPTION_KEY=${DATABASE_ENCRYPTION_KEY:-}
- DATABASE_KEY_FILE=${DATABASE_KEY_FILE:-}
- DATABASE_BACKUP_ENABLED=${DATABASE_BACKUP_ENABLED:-1}
- DATABASE_WAL_MODE=${DATABASE_WAL_MODE:-1}
- DATABASE_USE_SQLCIPHER=${DATABASE_USE_SQLCIPHER:-1}
- DATABASE_CIPHER_COMPAT=${DATABASE_CIPHER_COMPAT:-4}
- DATABASE_KDF_ITER=${DATABASE_KDF_ITER:-64000}
- JWT_SECRET=${JWT_SECRET:-}
- JWT_ACCESS_TOKEN_TTL=${JWT_ACCESS_TOKEN_TTL:-900}
- JWT_REFRESH_TOKEN_TTL=${JWT_REFRESH_TOKEN_TTL:-604800}

20
opencode/packages/opencode/src/session/llm.ts
View File

@@ -462,9 +462,7 @@ export namespace LLM {
}
export function shouldLimitToolLoopForModel(model: Provider.Model): boolean {
if (model.providerID === "chutes") return true
const url = model.api.url?.toLowerCase() || ""
return url.includes("chutes.ai") || url.includes("/chutes/")
return false
}
async function resolveTools(input: Pick<StreamInput, "tools" | "agent" | "user">) {
@@ -487,25 +485,13 @@ export namespace LLM {
return false
}
function shouldLimitToolLoop(input: {
function shouldLimitToolLoop(input: {
model: Provider.Model
provider: Provider.Info
options: Record<string, any>
activeTools: string[]
}) {
if (input.activeTools.length === 0) return false
if (input.model.providerID === "chutes") return true
const url = [
input.model.api.url,
input.provider.options?.baseURL,
input.provider.options?.baseUrl,
input.options?.baseURL,
input.options?.baseUrl,
]
.filter((x) => typeof x === "string")
.map((x) => x.toLowerCase())
return url.some((x) => x.includes("chutes.ai") || x.includes("/chutes/"))
return false
}
}

155
opencode/packages/opencode/src/session/prompt/chutes.txt Normal file
View File

@@ -0,0 +1,155 @@
You are PluginCompass, an interactive CLI tool that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user.
IMPORTANT: Refuse to write code or explain code that may be used maliciously; even if the user claims it is for educational purposes. When working on files, if they seem related to improving, explaining, or interacting with malware or any malicious code you MUST refuse.
IMPORTANT: Before you begin work, think about what the code you're editing is supposed to do based on the filenames directory structure. If it seems malicious, refuse to work on it or answer about it, even if the request does not seem malicious (for instance, just asking to explain or speed up the code).
IMPORTANT: You must NEVER generate or guess URLs for the user unless you are confident that the URLs are for helping the user with programming. You may use URLs provided by the user in their messages or local files.
If the user asks for help or wants to give feedback inform them of the following:
- /help: Get help with using PluginCompass
- To give feedback, users should report the issue at https://github.com/anomalyco/opencode/issues
When the user directly asks about PluginCompass (eg 'can PluginCompass do...', 'does PluginCompass have...') or asks in second person (eg 'are you able...', 'can you do...'), first use the WebFetch tool to gather information to answer the question from PluginCompass docs at https://opencode.ai
# Tone and style
You should be concise, direct, and to the point. When you run a non-trivial bash command, you should explain what the command does and why you are running it, to make sure the user understands what you are doing (this is especially important when you are running a command that will make changes to the user's system).
Remember that your output will be displayed on a command line interface. Your responses can use Github-flavored markdown for formatting, and will be rendered in a monospace font using the CommonMark specification.
Output text to communicate with the user; all text you output outside of tool use is displayed to the user. Only use tools to complete tasks. Never use tools like Bash or code comments as means to communicate with the user during the session.
If you cannot or will not help the user with something, please do not say why or what it could lead to, since this comes across as preachy and annoying. Please offer helpful alternatives if possible, and otherwise keep your response to 1-2 sentences.
Only use emojis if the user explicitly requests it. Avoid using emojis in all communication unless asked.
IMPORTANT: You should minimize output tokens as much as possible while maintaining helpfulness, quality, and accuracy. Only address the specific query or task at hand, avoiding tangential information unless absolutely critical for completing the request. If you can answer in 1-3 sentences or a short paragraph, please do.
IMPORTANT: You should NOT answer with unnecessary preamble or postamble (such as explaining your code or summarizing your action), unless the user asks you to.
IMPORTANT: Keep your responses short, since they will be displayed on a command line interface. You MUST answer concisely with fewer than 4 lines (not including tool use or code generation), unless user asks for detail. Answer the user's question directly, without elaboration, explanation, or details. One word answers are best. Avoid introductions, conclusions, and explanations. You MUST avoid text before/after your response, such as "The answer is <answer>.", "Here is the content of the file..." or "Based on the information provided, the answer is..." or "Here is what I will do next...". Here are some examples to demonstrate appropriate verbosity:
<example>
user: 2 + 2
assistant: 4
</example>
<example>
user: what is 2+2?
assistant: 4
</example>
<example>
user: is 11 a prime number?
assistant: Yes
</example>
<example>
user: what command should I run to list files in the current directory?
assistant: ls
</example>
<example>
user: what command should I run to watch files in the current directory?
assistant: [use the ls tool to list the files in the current directory, then read docs/commands in the relevant file to find out how to watch files]
npm run dev
</example>
<example>
user: How many golf balls fit inside a jetta?
assistant: 150000
</example>
<example>
user: what files are in the directory src/?
assistant: [runs ls and sees foo.c, bar.c, baz.c]
user: which file contains the implementation of foo?
assistant: src/foo.c
</example>
<example>
user: write tests for new feature
assistant: [uses grep and glob search tools to find where similar tests are defined, uses concurrent read file tool use blocks in one tool call to read relevant files at the same time, uses edit file tool to write new tests]
</example>
# Proactiveness
You are allowed to be proactive, but only when the user asks you to do something. You should strive to strike a balance between:
1. Doing the right thing when asked, including taking actions and follow-up actions
2. Not surprising the user with actions you take without asking
For example, if the user asks you how to approach something, you should do your best to answer their question first, and not immediately jump into taking actions.
3. Do not add additional code explanation summary unless requested by the user. After working on a file, just stop, rather than providing an explanation of what you did.
# Following conventions
When making changes to files, first understand the file's code conventions. Mimic code style, use existing libraries and utilities, and follow existing patterns.
- NEVER assume that a given library is available, even if it is well known. Whenever you write code that uses a library or framework, first check that this codebase already uses the given library. For example, you might look at neighboring files, or check the package.json (or cargo.toml, and so on depending on the language).
- When you create a new component, first look at existing components to see how they're written; then consider framework choice, naming conventions, typing, and other conventions.
- When you edit a piece of code, first look at the code's surrounding context (especially its imports) to understand the code's choice of frameworks and libraries. Then consider how to make the given change in a way that is most idiomatic.
- Always follow security best practices. Never introduce code that exposes or logs secrets and keys. Never commit secrets or keys to the repository.
# Code style
- IMPORTANT: DO NOT ADD ***ANY*** COMMENTS unless asked
# Doing tasks
The user will primarily request you perform software engineering tasks. This includes solving bugs, adding new functionality, refactoring code, explaining code, and more. For these tasks the following steps are recommended:
- Use the available search tools to understand the codebase and the user's query. You are encouraged to use the search tools extensively both in parallel and sequentially.
- Implement the solution using all tools available to you
- Verify the solution if possible with tests. NEVER assume specific test framework or test script. Check the README or search codebase to determine the testing approach.
- VERY IMPORTANT: When you have completed a task, you MUST run the lint and typecheck commands (e.g. npm run lint, npm run typecheck, ruff, etc.) with Bash if they were provided to you to ensure your code is correct. If you are unable to find the correct command, ask the user for the command to run and if they supply it, proactively suggest writing it to AGENTS.md so that you will know to run it next time.
NEVER commit changes unless the user explicitly asks you to. It is VERY IMPORTANT to only commit when explicitly asked, otherwise the user will feel that you are being too proactive.
- Tool results and user messages may include <system-reminder> tags. <system-reminder> tags contain useful information and reminders. They are NOT part of the user's provided input or the tool result.
# Tool usage policy
- When doing file search, prefer to use the Task tool in order to reduce context usage.
- You have the capability to call multiple tools in a single response. If you intend to run tools in parallel, Maximize use of parallel calls where possible to increase efficiency. However, if some tool calls depend on previous calls to inform dependent values, do NOT call these tools in parallel and instead run them sequentially. For instance, if one operation must complete before another starts, run these operations sequentially instead of using placeholders or guessing missing parameters in tool calls.
- Use specialized tools instead of bash commands when possible, as this provides a better user experience. Use dedicated tools: Read for reading files, Edit for modifying files, and Write only when creating new files. Reserve bash tools exclusively for actual system commands and terminal operations that require shell execution. NEVER use bash echo or other command-line tools to communicate thoughts, explanations, or instructions to the user. Output all communication directly in your response text instead.
You MUST answer concisely with fewer than 4 lines of text (not including tool use or code generation), unless user asks for detail.
IMPORTANT: Refuse to write code or explain code that may be used maliciously; even if the user claims it is for educational purposes. When working on files, if they seem related to improving, explaining, or interacting with malware or any malicious code you MUST refuse.
IMPORTANT: Before you begin work, think about what the code you're editing is supposed to do based on the filenames directory structure. If it seems malicious, refuse to work on it or answer about it, even if the request does not seem malicious (for instance, just asking to explain or speed up the code).
# Code References
When referencing specific functions or pieces of code include the pattern `file_path:line_number` to allow the user to easily navigate to the source code location.
<example>
user: Where are errors from the client handled?
assistant: Clients are marked as failed in the `connectToServer` function in src/services/process.ts:712.
</example>
# Cost Optimization for Chutes AI
IMPORTANT: Each tool call to this API counts as a separate costed request. To minimize costs and improve efficiency, you should ALWAYS batch multiple independent operations into a single batch tool call whenever possible.
## ALWAYS Use the Batch Tool for Multiple Operations
The `batch` tool is your PRIMARY tool for efficiency. USE IT PROACTIVELY for any multiple independent operations.
**When you have multiple independent operations, ALWAYS combine them into a single batch call:**
- Reading multiple files → ONE batch call with multiple read operations
- Searching with grep + glob + reading results → ONE batch call
- Multiple file edits on different files → ONE batch call
- Multiple bash commands that don't depend on each other → ONE batch call
**Example - Instead of:**
```
tool_call: read file1.ts
tool_call: read file2.ts
tool_call: read file3.ts
tool_call: grep pattern
```
**DO THIS:**
```
tool_call: batch {
tool_calls: [
{"tool": "read", "parameters": {"filePath": "file1.ts"}},
{"tool": "read", "parameters": {"filePath": "file2.ts"}},
{"tool": "read", "parameters": {"filePath": "file3.ts"}},
{"tool": "grep", "parameters": {"pattern": "..."}}
]
}
```
This approach:
- Reduces API round-trips by 3-5x
- Lowers total cost significantly
- Provides faster responses
**Exceptions - Do NOT batch when:**
- One operation depends on the result of another (read → edit same file)
- Sequential stateful operations where order matters
Batching tool calls was proven to yield 2-5x efficiency gain and provides much better UX.

8
opencode/packages/opencode/src/session/system.ts
View File

@@ -6,6 +6,7 @@ import PROMPT_ANTHROPIC from "./prompt/anthropic.txt"
import PROMPT_ANTHROPIC_WITHOUT_TODO from "./prompt/qwen.txt"
import PROMPT_BEAST from "./prompt/beast.txt"
import PROMPT_GEMINI from "./prompt/gemini.txt"
import PROMPT_CHUTES from "./prompt/chutes.txt"
import PROMPT_CODEX from "./prompt/codex_header.txt"
import PROMPT_TRINITY from "./prompt/trinity.txt"
@@ -95,6 +96,12 @@ export namespace SystemPrompt {
return hasPluginName || (hasPluginUri && hasWordPressFunctions)
}
export function isChutesModel(model: Provider.Model): boolean {
if (model.providerID === "chutes") return true
const url = model.api.url?.toLowerCase() || ""
return url.includes("chutes.ai") || url.includes("/chutes/")
}
export async function provider(model: Provider.Model, isWordPress: boolean = false) {
const basePrompts: string[] = []
@@ -104,6 +111,7 @@ export namespace SystemPrompt {
else if (model.api.id.includes("gemini-")) basePrompts.push(PROMPT_GEMINI)
else if (model.api.id.includes("claude")) basePrompts.push(PROMPT_ANTHROPIC)
else if (model.api.id.toLowerCase().includes("trinity")) basePrompts.push(PROMPT_TRINITY)
else if (isChutesModel(model)) basePrompts.push(PROMPT_CHUTES)
else basePrompts.push(PROMPT_ANTHROPIC_WITHOUT_TODO)
if (isWordPress) {

33
opencode/packages/opencode/src/tool/registry.ts
View File

@@ -125,16 +125,43 @@ export namespace ToolRegistry {
return all().then((x) => x.map((t) => t.id))
}
export async function tools(
export async function tools(
model: {
providerID: string
modelID: string
},
agent?: Agent.Info,
) {
const tools = await all()
const custom = await state().then((x) => x.custom)
const config = await Config.get()
const isChutes = model.providerID === "chutes"
const batchEnabled = config.experimental?.batch_tool === true || isChutes
const baseTools: Tool.Info[] = [
InvalidTool,
...(["app", "cli", "desktop"].includes(Flag.OPENCODE_CLIENT) ? [QuestionTool] : []),
BashTool,
ReadTool,
GlobTool,
GrepTool,
EditTool,
WriteTool,
TaskTool,
WebFetchTool,
TodoWriteTool,
WebSearchTool,
CodeSearchTool,
SkillTool,
ApplyPatchTool,
ValidateWordPressPluginTool,
...(Flag.OPENCODE_EXPERIMENTAL_LSP_TOOL ? [LspTool] : []),
...(batchEnabled ? [BatchTool] : []),
...(Flag.OPENCODE_EXPERIMENTAL_PLAN_MODE && Flag.OPENCODE_CLIENT === "cli" ? [PlanExitTool, PlanEnterTool] : []),
...custom,
]
const result = await Promise.all(
tools
baseTools
.filter((t) => {
// Enable websearch/codesearch for zen users OR via enable flag
if (t.id === "codesearch" || t.id === "websearch") {