feat: harden enterprise control plane

scripts/install-local-launchagent.sh

@@ -1,32 +1,118 @@
 #!/bin/zsh
 set -euo pipefail
 
-PLIST_SOURCE="/Users/kris/code/boss/deployment/launchd/com.hyzq.boss.local-agent.plist"
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+PLIST_SOURCE="$ROOT_DIR/deployment/launchd/com.hyzq.boss.local-agent.plist"
 PLIST_TARGET="$HOME/Library/LaunchAgents/com.hyzq.boss.local-agent.plist"
-BRIDGE_PLIST_SOURCE="/Users/kris/code/boss/deployment/launchd/com.hyzq.boss.codex-desktop-bridge.plist"
+BRIDGE_PLIST_SOURCE="$ROOT_DIR/deployment/launchd/com.hyzq.boss.codex-desktop-bridge.plist"
 BRIDGE_PLIST_TARGET="$HOME/Library/LaunchAgents/com.hyzq.boss.codex-desktop-bridge.plist"
-CONFIG_PATH="${1:-/Users/kris/code/boss/local-agent/config.cloud.json}"
+CONFIG_SOURCE_ARG="${1:-}"
 
-if [[ "$CONFIG_PATH" != /* ]]; then
-  CONFIG_PATH="/Users/kris/code/boss/${CONFIG_PATH}"
+config_has_device_identity() {
+  python3 - "$1" <<'PY'
+import json
+from pathlib import Path
+import sys
+
+try:
+    config = json.loads(Path(sys.argv[1]).read_text())
+except Exception:
+    raise SystemExit(1)
+raise SystemExit(0 if config.get("deviceId") and config.get("token") else 1)
+PY
+}
+
+resolve_default_config_source() {
+  local ACTIVE_CONFIG_PATH=""
+  local default_config_path="$ROOT_DIR/local-agent/config.cloud.json"
+
+  if [[ -f "$PLIST_TARGET" ]]; then
+    ACTIVE_CONFIG_PATH="$(/usr/libexec/PlistBuddy -c 'Print :ProgramArguments:2' "$PLIST_TARGET" 2>/dev/null || true)"
+    if [[ -n "$ACTIVE_CONFIG_PATH" && "$ACTIVE_CONFIG_PATH" == "$ROOT_DIR/local-agent/"*.json && -f "$ACTIVE_CONFIG_PATH" ]]; then
+      printf '%s\n' "$ACTIVE_CONFIG_PATH"
+      return 0
+    fi
+  fi
+
+  local custom_config=""
+  local custom_name=""
+  for custom_config in "$ROOT_DIR"/local-agent/config*.json(N); do
+    custom_name="$(basename "$custom_config")"
+    case "$custom_name" in
+      config.installed.json|config.cloud.json|config.example.json)
+        continue
+        ;;
+    esac
+    if config_has_device_identity "$custom_config"; then
+      printf '%s\n' "$custom_config"
+      return 0
+    fi
+  done
+
+  if [[ -f "$ROOT_DIR/local-agent/config.installed.json" ]]; then
+    printf '%s\n' "$ROOT_DIR/local-agent/config.installed.json"
+    return 0
+  fi
+
+  printf '%s\n' "$default_config_path"
+}
+
+if [[ -n "$CONFIG_SOURCE_ARG" ]]; then
+  CONFIG_SOURCE_PATH="$CONFIG_SOURCE_ARG"
+else
+  CONFIG_SOURCE_PATH="$(resolve_default_config_source)"
 fi
 
-if [[ ! -f "$CONFIG_PATH" ]]; then
-  echo "Config file not found: $CONFIG_PATH" >&2
+if [[ "$CONFIG_SOURCE_PATH" != /* ]]; then
+  CONFIG_SOURCE_PATH="$ROOT_DIR/${CONFIG_SOURCE_PATH}"
+fi
+
+if [[ ! -f "$CONFIG_SOURCE_PATH" ]]; then
+  echo "Config file not found: $CONFIG_SOURCE_PATH" >&2
   exit 1
 fi
 
+CONFIG_PATH="$ROOT_DIR/local-agent/config.installed.json"
+python3 - <<'PY' "$CONFIG_SOURCE_PATH" "$CONFIG_PATH" "$ROOT_DIR"
+import json
+from pathlib import Path
+import sys
+
+source_path = Path(sys.argv[1])
+target_path = Path(sys.argv[2])
+root_dir = sys.argv[3]
+config = json.loads(source_path.read_text())
+for key in (
+    "masterAgentWorkdir",
+    "codexAppServerWorkdir",
+    "codexComputerUseWorkdir",
+    "browserControlWorkdir",
+    "computerUseWorkdir",
+    "codexDesktopRefreshWorkdir",
+    "omxWorkdir",
+):
+    config[key] = root_dir
+target_path.write_text(json.dumps(config, ensure_ascii=False, indent=2) + "\n")
+PY
+
 mkdir -p "$HOME/Library/LaunchAgents"
 cp "$BRIDGE_PLIST_SOURCE" "$BRIDGE_PLIST_TARGET"
 cp "$PLIST_SOURCE" "$PLIST_TARGET"
-python3 - <<'PY' "$PLIST_TARGET" "$CONFIG_PATH"
+python3 - <<'PY' "$PLIST_TARGET" "$BRIDGE_PLIST_TARGET" "$CONFIG_PATH" "$ROOT_DIR"
 from pathlib import Path
 import sys
 
-plist_path = Path(sys.argv[1])
-config_path = sys.argv[2]
-text = plist_path.read_text()
-plist_path.write_text(text.replace("__BOSS_AGENT_CONFIG__", config_path))
+local_plist_path = Path(sys.argv[1])
+bridge_plist_path = Path(sys.argv[2])
+config_path = sys.argv[3]
+root_dir = sys.argv[4]
+for plist_path in (local_plist_path, bridge_plist_path):
+    text = plist_path.read_text()
+    text = text.replace("__BOSS_AGENT_CONFIG__", config_path)
+    text = text.replace("__BOSS_AGENT_ROOT__", root_dir)
+    # Keep older generated plists installable if a package contains a pre-placeholder file.
+    text = text.replace("/Users/kris/code/boss", root_dir)
+    plist_path.write_text(text)
 PY
 plutil -lint "$PLIST_TARGET" >/dev/null
 plutil -lint "$BRIDGE_PLIST_TARGET" >/dev/null