Keysat
974c3eb07d
Five providers behind one streaming abstraction:
- claude (Anthropic)
- openai (api.openai.com)
- openai-compatible (any base URL — OpenRouter / LiteLLM /
vLLM / Together / your own gateway)
- gemini (Google)
- ollama (self-hosted; no key; LAN URL like
http://ollama.embassy:11434)
The "self-hosted Ollama on Start9" angle is the killer use case —
configure Settings → AI integration with the LAN URL of your Ollama
service and no API keys ever leave your network.
Architecture
- lib/ai/types.ts LLMProvider streaming interface
- lib/ai/sse.ts shared SSE + NDJSON line iterators
- lib/ai/providers/*.ts 5 implementations + factory
- lib/ai/programSchema.ts Zod schema + JSON-schema-for-prompt +
parseAIProgram with markdown-fence
stripping and balanced-brace JSON
extraction
- lib/ai/apply.ts materializes parsed AIProgram into
Program tree (validates exerciseIds,
rejects unresolved nulls, atomic
transaction, sets aiGenerated=true)
Schema
- UserPreferences gets aiProvider/aiModel/aiBaseUrl/aiApiKey
(plaintext — same threat model as the rest of /data). Dead
enableClaudeAI/claudeApiKey columns from v1.0.0:1-7 stay as
no-op fields.
- AIPromptTemplate (userId nullable; userId=NULL = built-in)
- AIGeneration (raw response + parsed program + status +
appliedProgramId + token counts)
- All compat-ALTER'd in docker_entrypoint.sh on first boot.
API
- POST /api/ai/generate SSE streaming: emits
generation/text/usage/complete
events; persists AIGeneration
row up front so failures show
in history too
- POST /api/ai/apply takes user-edited AIProgram,
creates Program, marks
generation as applied
- GET /api/ai/templates built-ins + this user's own
- POST /api/ai/templates create user-owned template
- PATCH /api/ai/templates/[id] edit; built-ins admin-only
- DELETE /api/ai/templates/[id] delete; built-ins admin-only
- GET /api/ai/generations list (paginated)
- GET /api/ai/generations/[id] full row
- DELETE /api/ai/generations/[id] delete one (Program survives)
- GET /api/ai/config returns aiKeyConfigured flag,
never plaintext key
- POST /api/ai/config update provider config
- DELETE /api/admin/ai/generations admin-only "clear all" with
optional userId / olderThanDays
UI
- Settings → AI integration provider/model/URL/key form;
plaintext key warning visible
- /main/ai hub page with cards
- /main/ai/generate template picker + textarea +
live SSE stream + cancel +
ProgramPreview with inline
unknown-exercise resolver +
apply button + redirect to
the new Program
- /main/ai/templates list + create + edit + delete;
per-row "show prompt" expand;
built-in delete warns about
reconcile re-creation
- /main/ai/history list + delete; status badges;
link to applied Program
- Nav: "AI" entry between Programs and Exercises (Sparkles icon)
Built-in templates
- prisma/aiTemplates.seed.json: 5 starter templates (hypertrophy /
strength / endurance / recovery / custom)
- prisma/ensurePromptTemplates.cjs: per-boot reconcile,
INSERT-or-UPDATE keyed on (userId IS NULL AND name=...);
user-created templates never touched
Tests
- tests/ai-programSchema.test.ts: extractJson + parseAIProgram
edge cases (markdown fences, balanced braces, malformed JSON,
Zod shape rejection, unresolved-exerciseId tolerance)
- tests/ai-apply.test.ts: materializes valid AIProgram, rejects
cross-user exerciseIds, rejects unresolved exercises, honors
isActive flag
- tests/routes-ai-templates.test.ts: built-in vs user permissions,
cross-user template isolation, /api/ai/config plaintext-key safety,
provider enum validation
- 123 tests across 14 files, all passing.
No data migration. Existing /data is augmented with the new columns
+ tables only.
Proof of Work
Self-hosted multi-user workout planner and logger. Plan training cycles, log daily workouts, search your history, and curate a shared exercise library across everyone on the instance. Distributed as a StartOS 0.4 sideload package.
Repo layout
proof-of-work/ Next.js app (TypeScript, Prisma + SQLite, Tailwind, PWA)
start9/0.4/ StartOS 0.4 package wrapper (manifest, Dockerfile,
entrypoint, version graph, change-credentials action)
Everything else is generated at build time.
Local development
cd proof-of-work
npm install
npx prisma generate # important after schema changes
npx prisma db push # create the dev DB at prisma/data/app.db
npm run db:seed # ONLY seeds the InstanceSettings singleton — no admin
npm run dev # http://localhost:3000
For local dev you'll need to create an admin manually since the
StartOS action isn't available — easiest is npx tsx a one-off
script, or just open Prisma Studio (npm run db:studio) and add a
User row with isAdmin: true + a bcrypt hash you generate with
node -e 'require("bcrypt").hash("yourpassword", 10).then(console.log)'.
Multi-user
Fresh installs ship with no admin user on purpose — the operator
must run the StartOS Action Set admin credentials (Services → Proof
of Work → Actions) before anyone can log in. This eliminates the
default-credentials footgun.
Once the admin exists, they can open sign-ups for additional users:
- In-app: log in as admin -> Settings -> Instance Settings -> Allow new sign-ups.
- StartOS: Services -> Proof of Work -> Actions -> Set new signups.
Both write to the same InstanceSettings row; either path works.
When sign-ups are open, anyone reaching the URL can create an account at
/auth/signup. New users start with no admin privileges and are
automatically seeded the full curated exercise library.
Building the StartOS package
See start9/0.4/DEPLOY_040.md for the full deployment / cutover guide. Short version:
cd start9/0.4
npm ci
make clean
make x86 # produces proof-of-work_x86_64.s9pk
make install # sideload to the host in ~/.startos/config.yaml
Curated exercise library
proof-of-work/prisma/exercises.seed.json is the canonical library
shipped to every install. It seeds fresh installs (via prisma/seed.ts)
and is re-applied on every boot to existing installs (via
docker_entrypoint.sh + ensureExerciseLibrary.cjs) so updates flow to
all users on package upgrade.
Refresh the JSON from the maintainer's live host:
./start9/0.4/refresh_seed.sh <ssh-target> # pull a fresh /data snapshot
cd proof-of-work && npm run sync-library # extract Exercise table -> JSON
git diff prisma/exercises.seed.json
The system is additive only — removing an exercise from the JSON does
not delete it from existing installs (users may have logged sets against
it). Users' own custom exercises (isCustom = true) are never touched.
Privacy
start9/0.4/seed/data/app.db is your live /data snapshot. It contains
real workout history and a bcrypt'd password hash. The top-level
.gitignore keeps it out of git; do NOT commit it to any public repo.