refactor: split RunID into RunUUID and ID, compute workspace dynamically, improve error handling

Author: j3ssie

HACKING.md

@@ -23,113 +23,43 @@ This document describes the technical architecture and development practices for
 ## Project Structure
 
 ```
-osmedeus-ng/
-├── cmd/
-│   └── osmedeus/
-│       └── main.go              # Application entry point
-├── internal/                    # Private packages
-│   ├── config/                  # Configuration management
-│   │   ├── config.go            # Config loading and defaults
-│   │   ├── settings.go          # Settings struct definitions
-│   │   └── secrets.go           # Secret management
-│   ├── core/                    # Core types and interfaces
-│   │   ├── workflow.go          # Workflow and RunnerConfig structs
-│   │   ├── step.go              # Step definition
-│   │   ├── trigger.go           # Trigger types and events
-│   │   ├── types.go             # Status types, constants
-│   │   ├── context.go           # Execution context
-│   │   └── constants.go         # Project metadata
-│   ├── parser/                  # Workflow parsing
-│   │   ├── parser.go            # YAML parser
-│   │   ├── loader.go            # Workflow loader with caching
-│   │   └── validator.go         # Workflow validation
-│   ├── executor/                # Workflow execution
-│   │   ├── executor.go          # Main executor
-│   │   ├── dispatcher.go        # Step dispatcher
-│   │   ├── bash_executor.go     # Bash step handler
-│   │   ├── function_executor.go # Function step handler
-│   │   ├── foreach_executor.go  # Foreach step handler
-│   │   ├── parallel_executor.go # Parallel step handler
-│   │   ├── remote_bash_executor.go # Remote-bash step handler
-│   │   ├── http_executor.go     # HTTP request handler
-│   │   └── llm_executor.go      # LLM step handler
-│   ├── runner/                  # Execution environments
-│   │   ├── runner.go            # Runner interface
-│   │   ├── host_runner.go       # Local execution
-│   │   ├── docker_runner.go     # Docker execution
-│   │   └── ssh_runner.go        # SSH remote execution
-│   ├── template/                # Template rendering
-│   │   ├── engine.go            # Template engine
-│   │   ├── generators.go        # Value generators
-│   │   └── context.go           # Template context
-│   ├── functions/               # Utility functions
-│   │   ├── registry.go          # Function registry
-│   │   ├── goja_runtime.go      # JavaScript runtime (Goja VM)
-│   │   ├── file_functions.go    # File operations
-│   │   ├── string_functions.go  # String operations
-│   │   ├── util_functions.go    # Utility functions
-│   │   ├── event_functions.go   # Event generation functions
-│   │   └── jq.go                # JSON query functions
-│   ├── scheduler/               # Trigger scheduling
-│   │   └── scheduler.go         # Cron, event, watch triggers
-│   ├── database/                # Data persistence
-│   │   ├── database.go          # Connection management
-│   │   ├── models.go            # Data models
-│   │   ├── jsonl.go             # JSONL import/export
-│   │   └── repository/          # Data access layer
-│   ├── heuristics/              # Target analysis
-│   │   ├── heuristics.go        # Target type detection
-│   │   ├── url.go               # URL parsing
-│   │   └── domain.go            # Domain analysis
-│   ├── linter/                  # Workflow linting
-│   │   ├── linter.go            # Main linter logic
-│   │   ├── rules.go             # Linting rules (built-in variables, etc.)
-│   │   ├── formatter.go         # Output formatters (pretty, JSON, GitHub)
-│   │   ├── ast.go               # Workflow AST for position tracking
-│   │   └── types.go             # Linter types and severity levels
-│   ├── workspace/               # Workspace management
-│   │   └── workspace.go         # Workspace creation
-│   ├── snapshot/                # Workspace snapshots
-│   │   └── snapshot.go          # Export/import ZIP archives
-│   ├── installer/               # Binary installation
-│   │   ├── installer.go         # Core installer logic
-│   │   ├── nix.go               # Nix package manager support
-│   │   └── registry.go          # Binary registry management
-│   ├── state/                   # Run state export
-│   │   ├── export.go            # State export functionality
-│   │   └── types.go             # State types
-│   ├── updater/                 # Self-update functionality
-│   │   ├── updater.go           # Update logic
-│   │   └── github_source.go     # GitHub releases source
-│   ├── terminal/                # Terminal UI
-│   │   ├── printer.go           # Output formatting
-│   │   ├── colors.go            # ANSI colors
-│   │   ├── symbols.go           # Unicode symbols
-│   │   ├── spinner.go           # Loading spinners
-│   │   └── table.go             # Table rendering
-│   └── logger/                  # Structured logging
-│       └── logger.go            # Zap logger wrapper
-├── pkg/                         # Public packages
-│   ├── cli/                     # CLI commands
-│   │   ├── root.go              # Root command
-│   │   ├── run.go               # Run command (scan)
-│   │   ├── workflow.go          # Workflow command
-│   │   ├── function.go          # Function command (with bulk processing)
-│   │   ├── db.go                # Database CLI command
-│   │   └── server.go            # Server command
-│   └── server/                  # REST API
-│       ├── server.go            # Server setup
-│       ├── handlers/            # Request handlers
-│       └── middleware/          # Auth middleware (JWT, API Key)
-├── test/                        # Test suites
-│   ├── e2e/                     # E2E CLI tests
-│   ├── integration/             # Integration tests
-│   └── testdata/
-│       ├── workflows/           # Test workflow fixtures
-│       └── complex-workflows/   # Complex workflow examples
-└── build/                       # Build artifacts
-    ├── docker/                  # Docker files
-    └── DEPLOYMENT.md            # Deployment guide
+osmedeus/
+├── cmd/osmedeus/           # Application entry point
+├── internal/               # Private packages
+│   ├── client/             # Remote API client
+│   ├── config/             # Configuration management
+│   ├── console/            # Console output capture
+│   ├── core/               # Core types (Workflow, Step, Trigger, etc.)
+│   ├── database/           # SQLite/PostgreSQL via Bun ORM
+│   ├── distributed/        # Distributed execution (master/worker)
+│   ├── executor/           # Workflow execution engine
+│   ├── functions/          # Utility functions (Goja JS runtime)
+│   ├── heuristics/         # Target type detection
+│   ├── installer/          # Binary installation (direct/Nix)
+│   ├── linter/             # Workflow linting and validation
+│   ├── logger/             # Structured logging (Zap)
+│   ├── parser/             # YAML parsing and caching
+│   ├── runner/             # Execution environments (host/docker/ssh)
+│   ├── scheduler/          # Trigger scheduling (cron/event/watch)
+│   ├── snapshot/           # Workspace export/import
+│   ├── state/              # Run state export
+│   ├── template/           # {{Variable}} interpolation engine
+│   ├── terminal/           # Terminal UI (colors, tables, spinners)
+│   ├── updater/            # Self-update via GitHub releases
+│   └── workspace/          # Workspace management
+├── lib/                    # Shared library utilities
+├── pkg/                    # Public packages
+│   ├── cli/                # Cobra CLI commands
+│   └── server/             # Fiber REST API server
+│       ├── handlers/       # Request handlers
+│       └── middleware/     # Auth middleware (JWT, API Key)
+├── public/                 # Public assets (examples, presets, UI)
+├── test/                   # Test suites
+│   ├── e2e/                # E2E CLI tests
+│   ├── integration/        # Integration tests
+│   └── testdata/           # Test workflow fixtures
+├── docs/                   # API documentation
+└── build/                  # Build artifacts and Docker files
 ```
 
 ## Architecture Overview
@@ -574,7 +504,7 @@ func (e *Executor) injectBuiltinVariables(cfg *config.Config, params map[string]
     execCtx.SetVariable("Target", params["target"])
     execCtx.SetVariable("Output", filepath.Join(workspacesPath, targetSpace))
     execCtx.SetVariable("threads", threads)
-    execCtx.SetVariable("TaskID", execCtx.RunID)
+    execCtx.SetVariable("RunUUID", execCtx.RunUUID)
     // ... more variables
 }
 ```
@@ -846,7 +776,7 @@ The linter recognizes all runtime-injected variables to avoid false positives. T
 
 **Output Variables**: `Output`, `output`, `Workspace`, `workspace`
 
-**Metadata Variables**: `Version`, `TaskID`, `TaskDate`, `TimeStamp`, `Today`, `RandomString`
+**Metadata Variables**: `Version`, `RunUUID`, `TaskDate`, `TimeStamp`, `Today`, `RandomString`
 
 **Heuristic Variables**: `TargetType`, `TargetRootDomain`, `TargetTLD`, `Org`, `TargetHost`, `TargetPort`, etc.
 
@@ -935,7 +865,7 @@ type Run struct {
     Target         string
     Params         map[string]string
     Status         string    // "pending", "running", "completed", "failed"
-    WorkspacePath  string
+    Workspace      string    // Logical workspace name (same as TargetSpace)
     StartedAt      time.Time
     CompletedAt    time.Time
     ErrorMessage   string

docs/api/README.md

@@ -10,7 +10,11 @@ The Osmedeus API provides a RESTful interface for managing security automation w
 
 ## Authentication
 
-Most API endpoints require JWT authentication. First, obtain a token via the login endpoint, then include it in subsequent requests using the `Authorization: Bearer <token>` header.
+Most API endpoints require authentication. Two methods are supported:
+
+1. **JWT Token**: Obtain a token via the login endpoint, then include it in requests using the `Authorization: Bearer <token>` header.
+
+2. **API Key**: Use a static API key via the `x-osm-api-key` header. Configure in `~/osmedeus-base/osm-settings.yaml` under `server.auth_api_key`.
 
 See [Authentication](authentication.md) for details.
 
@@ -28,6 +32,7 @@ See [Authentication](authentication.md) for details.
 | [Assets](assets.md) | View discovered assets |
 | [Vulnerabilities](vulnerabilities.md) | View and manage vulnerabilities |
 | [Event Logs](event-logs.md) | View execution event logs |
+| [Step Results](steps.md) | Query step execution results |
 | [Functions](functions.md) | Execute and list utility functions |
 | [System Statistics](system.md) | Get aggregated system stats |
 | [Settings](settings.md) | Manage server configuration |

docs/api/authentication.md

@@ -97,6 +97,53 @@ curl http://localhost:8002/osm/api/workflows \
 }
 ```
 
+## API Key Authentication
+
+As an alternative to JWT tokens, you can authenticate using a static API key via the `x-osm-api-key` header. This is useful for scripts, CI/CD pipelines, or integrations where managing JWT token refresh is impractical.
+
+### Configuration
+
+API key authentication is configured in `~/osmedeus-base/osm-settings.yaml`:
+
+```yaml
+server:
+  # Enable API key authentication (default: true)
+  enabled_auth_api: true
+  # API key for x-osm-api-key header authentication
+  # A random 32-character key is generated on first run
+  auth_api_key: "your-api-key-here"
+```
+
+### Using the API Key
+
+Include the API key in requests using the `x-osm-api-key` header:
+
+```bash
+# Store API key in environment variable
+export OSM_API_KEY="your-api-key-here"
+
+# Use in API requests
+curl http://localhost:8002/osm/api/workflows \
+  -H "x-osm-api-key: $OSM_API_KEY"
+```
+
+### Error Response
+
+**401 Unauthorized** - Invalid or missing API key:
+```json
+{
+  "error": true,
+  "message": "Invalid or missing API key"
+}
+```
+
+### Notes
+
+- API key authentication takes priority over JWT when enabled
+- A random 32-character API key is automatically generated on first server start
+- The API key is stored in plain text in the settings file; ensure appropriate file permissions
+- Empty, whitespace-only, or placeholder values (`null`, `undefined`, `nil`) are rejected
+
 ## Disabling Authentication
 
 Authentication can be disabled by starting the server with the `--no-auth` flag:

docs/api/steps.md

@@ -0,0 +1,138 @@
+# Step Results
+
+## List Step Results
+
+Get a paginated list of step execution results with optional filtering.
+
+**List all step results:**
+```bash
+curl http://localhost:8002/osm/api/step-results \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**With pagination:**
+```bash
+curl "http://localhost:8002/osm/api/step-results?offset=0&limit=50" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**Filter by workspace:**
+```bash
+curl "http://localhost:8002/osm/api/step-results?workspace=example_com" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**Filter by status:**
+```bash
+curl "http://localhost:8002/osm/api/step-results?status=completed" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**Filter by step type:**
+```bash
+curl "http://localhost:8002/osm/api/step-results?step_type=bash" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**Filter by run ID:**
+```bash
+curl "http://localhost:8002/osm/api/step-results?run_id=123" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**Multiple filters:**
+```bash
+curl "http://localhost:8002/osm/api/step-results?workspace=example_com&status=completed&limit=100" \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**Query Parameters:**
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `workspace` | string | Filter by workspace name |
+| `status` | string | Filter by status (pending, running, completed, failed) |
+| `step_type` | string | Filter by step type (bash, function, foreach, parallel-steps, remote-bash, http, llm) |
+| `run_id` | int | Filter by run ID |
+| `offset` | int | Pagination offset (default: 0) |
+| `limit` | int | Maximum records to return (default: 20, max: 10000) |
+
+**Response:**
+```json
+{
+  "data": [
+    {
+      "id": 1,
+      "run_id": 123,
+      "step_name": "run-subfinder",
+      "step_type": "bash",
+      "status": "completed",
+      "command": "subfinder -d example.com -o {{Output}}/subdomains.txt",
+      "output": "Found 150 subdomains",
+      "error": "",
+      "started_at": "2025-01-15T10:00:00Z",
+      "completed_at": "2025-01-15T10:01:30Z",
+      "duration_ms": 90000,
+      "created_at": "2025-01-15T10:00:00Z",
+      "updated_at": "2025-01-15T10:01:30Z"
+    },
+    {
+      "id": 2,
+      "run_id": 123,
+      "step_name": "run-httpx",
+      "step_type": "bash",
+      "status": "completed",
+      "command": "httpx -l {{Output}}/subdomains.txt -o {{Output}}/httpx.txt",
+      "output": "Probed 150 hosts, 120 alive",
+      "error": "",
+      "started_at": "2025-01-15T10:01:30Z",
+      "completed_at": "2025-01-15T10:03:00Z",
+      "duration_ms": 90000,
+      "created_at": "2025-01-15T10:01:30Z",
+      "updated_at": "2025-01-15T10:03:00Z"
+    },
+    {
+      "id": 3,
+      "run_id": 124,
+      "step_name": "process-results",
+      "step_type": "function",
+      "status": "completed",
+      "command": "",
+      "output": "true",
+      "error": "",
+      "started_at": "2025-01-15T11:00:00Z",
+      "completed_at": "2025-01-15T11:00:01Z",
+      "duration_ms": 1000,
+      "created_at": "2025-01-15T11:00:00Z",
+      "updated_at": "2025-01-15T11:00:01Z"
+    }
+  ],
+  "pagination": {
+    "total": 250,
+    "offset": 0,
+    "limit": 20
+  }
+}
+```
+
+**Step Status Values:**
+
+| Status | Description |
+|--------|-------------|
+| `pending` | Step is queued but not yet started |
+| `running` | Step is currently executing |
+| `completed` | Step finished successfully |
+| `failed` | Step failed with an error |
+| `skipped` | Step was skipped (pre_condition not met) |
+
+**Step Types:**
+
+| Type | Description |
+|------|-------------|
+| `bash` | Shell command execution |
+| `function` | Utility function execution |
+| `foreach` | Loop over input items |
+| `parallel-steps` | Execute steps in parallel |
+| `remote-bash` | Remote command execution (Docker/SSH) |
+| `http` | HTTP request step |
+| `llm` | LLM/AI step |