flow_application/

settings.rs

use parking_lot::RwLock;
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::path::PathBuf;
use std::sync::Arc;
use thiserror::Error;

#[derive(Debug, Error)]
pub enum SettingsError {
    #[error(transparent)]
    Io(#[from] std::io::Error),
    #[error(transparent)]
    Json(#[from] serde_json::Error),
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Settings {
    /// Master toggle for cloud-AI nodes. Defaults to false - Flow's posture is
    /// zero-egress local inference. Cloud AI is an explicit, opt-in carve-out
    /// (see docs/adr/0004-cloud-ai-carve-out.md).
    #[serde(default)]
    pub allow_cloud_ai: bool,

    /// Master toggle for the local OpenAI-compatible provider (on-device
    /// inference server: Ollama / LM Studio / llama.cpp). Defaults to true -
    /// a localhost call is not network egress, so it stays usable even with
    /// `allow_cloud_ai` off. The `local` provider is still subject to the
    /// per-provider `providers_enabled` map.
    #[serde(default = "default_allow_local_ai")]
    pub allow_local_ai: bool,

    /// Base address of the local OpenAI-compatible server. Stored as an
    /// origin (e.g. `http://127.0.0.1:1234`); the runtime appends
    /// `/v1/chat/completions` (and `/v1/models` for discovery). A fully
    /// qualified URL is also accepted and normalised. Defaults to LM
    /// Studio's address.
    #[serde(default = "default_local_ai_base_url")]
    pub local_ai_base_url: Option<String>,

    /// Path to the `llama-server` (llama.cpp) binary flow-studio launches to
    /// host an LLM locally. None until the user configures it (or a bundled
    /// sidecar is added in a later phase).
    #[serde(default)]
    pub llama_server_binary: Option<String>,

    /// Path to the LLM the managed server should load. Set by the
    /// Model Hub when a downloaded LLM is selected as active.
    #[serde(default)]
    pub llama_server_model: Option<String>,

    /// Per-model `llama-server` load parameters (the Model Hub "Load settings"
    /// panel), keyed by catalog model id. Each model remembers its own config.
    #[serde(default)]
    pub llama_params: HashMap<String, crate::llm_server::LlamaParams>,

    /// Model ids discovered from the local server's `/v1/models`, cached so
    /// the node inspector's model dropdown can offer them without a live
    /// probe. Populated by the Settings "Test connection" action; empty
    /// until then (the provider's static default is used as a fallback).
    #[serde(default)]
    pub local_ai_models: Vec<String>,

    /// Per-provider enable map. Even when `allow_cloud_ai` is true, individual
    /// providers can be disabled here.
    #[serde(default = "default_providers_enabled")]
    pub providers_enabled: HashMap<String, bool>,

    /// UI theme. `"dark"`, `"light"`, or `"dark-projector"` - passed to
    /// Precision's `setTheme` at startup and on toggle. Defaults to `"dark"`
    /// to match Flow Studio's design language.
    #[serde(default = "default_theme")]
    pub theme: String,

    /// Per-step destructive-action confirmation gate (roadmap E1). When on,
    /// a run pauses before any node that performs a destructive operation
    /// (file delete, `rm`, `git push`, …) and asks the user to confirm or
    /// cancel. Defaults to `true` - a safe default the user can opt out of.
    #[serde(default = "default_confirm_destructive")]
    pub confirm_destructive: bool,

    /// Master switch for the background scheduler. Defaults on so persisted
    /// timers keep firing unless the user explicitly pauses scheduling.
    #[serde(default = "default_scheduler_enabled")]
    pub scheduler_enabled: bool,

    /// Poll interval in seconds for desktop/server scheduler loops.
    #[serde(default = "default_scheduler_poll_secs")]
    pub scheduler_poll_secs: u64,

    /// Safety cap on auto-accepted fixes in one autonomous run - the single
    /// budget shared by the backend convergence loop (`agentic_run_loop`) and
    /// the frontend monitor auto-fix loop, so neither path hardcodes its own
    /// (roadmap E1). Defaults to [`crate::MAX_AGENTIC_ITERATIONS`].
    #[serde(default = "default_max_agentic_iterations")]
    pub max_agentic_iterations: u32,

    /// Wall-clock ceiling (seconds) for one autonomous convergence run
    /// (`agentic_run_loop`); `0` = unlimited (only the iteration cap bounds
    /// the loop). The loop stops starting new iterations once this elapses
    /// (roadmap E1 autonomous run budgets).
    #[serde(default = "default_max_agentic_seconds")]
    pub max_agentic_seconds: u32,

    /// Cumulative token ceiling for one autonomous convergence run - the sum of
    /// input+output tokens across the executed flows' AI nodes; `0` = unlimited.
    /// The loop stops starting new iterations once it's exceeded (roadmap E1
    /// autonomous run budgets).
    #[serde(default = "default_max_agentic_tokens")]
    pub max_agentic_tokens: u32,
}

fn default_providers_enabled() -> HashMap<String, bool> {
    let mut m = HashMap::new();
    m.insert("claude".into(), true);
    m.insert("openai".into(), true);
    m.insert("gemini".into(), true);
    m.insert("nvidia".into(), true);
    m.insert("deepseek".into(), true);
    m.insert("local".into(), true);
    m
}

fn default_max_agentic_iterations() -> u32 {
    crate::MAX_AGENTIC_ITERATIONS
}

fn default_max_agentic_seconds() -> u32 {
    0
}

fn default_max_agentic_tokens() -> u32 {
    0
}

fn default_allow_local_ai() -> bool {
    true
}

fn default_local_ai_base_url() -> Option<String> {
    // No external default. The base URL is owned by the managed local LLM
    // server: set when a model is Loaded in the Model Hub, cleared on Stop.
    None
}

fn default_theme() -> String {
    "dark".into()
}

fn default_confirm_destructive() -> bool {
    true
}

fn default_scheduler_enabled() -> bool {
    true
}

fn default_scheduler_poll_secs() -> u64 {
    30
}

impl Default for Settings {
    fn default() -> Self {
        Self {
            allow_cloud_ai: false,
            allow_local_ai: default_allow_local_ai(),
            local_ai_base_url: default_local_ai_base_url(),
            llama_server_binary: None,
            llama_server_model: None,
            llama_params: HashMap::new(),
            local_ai_models: Vec::new(),
            providers_enabled: default_providers_enabled(),
            theme: default_theme(),
            confirm_destructive: default_confirm_destructive(),
            scheduler_enabled: default_scheduler_enabled(),
            scheduler_poll_secs: default_scheduler_poll_secs(),
            max_agentic_iterations: default_max_agentic_iterations(),
            max_agentic_seconds: default_max_agentic_seconds(),
            max_agentic_tokens: default_max_agentic_tokens(),
        }
    }
}

#[derive(Clone)]
pub struct SettingsStore {
    path: Option<PathBuf>,
    inner: Arc<RwLock<Settings>>,
}

impl SettingsStore {
    pub fn open(path: PathBuf) -> Self {
        let inner = match std::fs::read_to_string(&path) {
            Ok(body) => serde_json::from_str::<Settings>(&body).unwrap_or_default(),
            Err(_) => Settings::default(),
        };
        Self {
            path: Some(path),
            inner: Arc::new(RwLock::new(inner)),
        }
    }

    pub fn in_memory() -> Self {
        Self {
            path: None,
            inner: Arc::new(RwLock::new(Settings::default())),
        }
    }

    pub fn snapshot(&self) -> Settings {
        self.inner.read().clone()
    }

    pub fn allow_cloud_ai(&self) -> bool {
        self.inner.read().allow_cloud_ai
    }

    pub fn allow_local_ai(&self) -> bool {
        self.inner.read().allow_local_ai
    }

    pub fn local_ai_base_url(&self) -> Option<String> {
        // Treat an empty string as unset, so the Stop path (which patches the
        // URL to "") reads as "no managed server running".
        self.inner
            .read()
            .local_ai_base_url
            .clone()
            .filter(|s| !s.trim().is_empty())
    }

    pub fn local_ai_models(&self) -> Vec<String> {
        self.inner.read().local_ai_models.clone()
    }

    pub fn llama_server_binary(&self) -> Option<String> {
        self.inner.read().llama_server_binary.clone()
    }

    pub fn llama_server_model(&self) -> Option<String> {
        self.inner.read().llama_server_model.clone()
    }

    pub fn provider_enabled(&self, name: &str) -> bool {
        self.inner
            .read()
            .providers_enabled
            .get(name)
            .copied()
            .unwrap_or(true)
    }

    pub fn theme(&self) -> String {
        self.inner.read().theme.clone()
    }

    pub fn confirm_destructive(&self) -> bool {
        self.inner.read().confirm_destructive
    }

    pub fn scheduler_enabled(&self) -> bool {
        self.inner.read().scheduler_enabled
    }

    pub fn scheduler_poll_secs(&self) -> u64 {
        self.inner
            .read()
            .scheduler_poll_secs
            .clamp(5, 24 * 60 * 60)
    }

    pub fn max_agentic_iterations(&self) -> u32 {
        self.inner.read().max_agentic_iterations.clamp(1, 50)
    }

    /// Wall-clock ceiling in seconds for one autonomous run; `0` = unlimited.
    /// Clamped to 24h.
    pub fn max_agentic_seconds(&self) -> u32 {
        self.inner.read().max_agentic_seconds.min(24 * 60 * 60)
    }

    /// Cumulative token ceiling for one autonomous run; `0` = unlimited.
    pub fn max_agentic_tokens(&self) -> u32 {
        self.inner.read().max_agentic_tokens
    }

    pub fn update(&self, patch: SettingsPatch) -> Result<Settings, SettingsError> {
        let mut guard = self.inner.write();
        if let Some(v) = patch.allow_cloud_ai {
            guard.allow_cloud_ai = v;
        }
        if let Some(v) = patch.allow_local_ai {
            guard.allow_local_ai = v;
        }
        if let Some(u) = patch.local_ai_base_url {
            guard.local_ai_base_url = Some(u);
        }
        if let Some(models) = patch.local_ai_models {
            guard.local_ai_models = models;
        }
        if let Some(b) = patch.llama_server_binary {
            guard.llama_server_binary = Some(b);
        }
        if let Some(m) = patch.llama_server_model {
            guard.llama_server_model = Some(m);
        }
        if let Some(map) = patch.llama_params {
            for (k, v) in map {
                guard.llama_params.insert(k, v);
            }
        }
        if let Some(map) = patch.providers_enabled {
            for (k, v) in map {
                guard.providers_enabled.insert(k, v);
            }
        }
        if let Some(t) = patch.theme {
            guard.theme = t;
        }
        if let Some(v) = patch.confirm_destructive {
            guard.confirm_destructive = v;
        }
        if let Some(v) = patch.scheduler_enabled {
            guard.scheduler_enabled = v;
        }
        if let Some(v) = patch.scheduler_poll_secs {
            guard.scheduler_poll_secs = v.clamp(5, 24 * 60 * 60);
        }
        if let Some(v) = patch.max_agentic_iterations {
            guard.max_agentic_iterations = v.clamp(1, 50);
        }
        if let Some(v) = patch.max_agentic_seconds {
            guard.max_agentic_seconds = v.min(24 * 60 * 60);
        }
        if let Some(v) = patch.max_agentic_tokens {
            guard.max_agentic_tokens = v;
        }
        let snapshot = guard.clone();
        drop(guard);

        if let Some(path) = &self.path {
            if let Some(parent) = path.parent() {
                let _ = std::fs::create_dir_all(parent);
            }
            std::fs::write(path, serde_json::to_string_pretty(&snapshot)?)?;
        }
        Ok(snapshot)
    }
}

#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct SettingsPatch {
    pub allow_cloud_ai: Option<bool>,
    pub allow_local_ai: Option<bool>,
    pub local_ai_base_url: Option<String>,
    pub local_ai_models: Option<Vec<String>>,
    pub llama_server_binary: Option<String>,
    pub llama_server_model: Option<String>,
    pub llama_params: Option<HashMap<String, crate::llm_server::LlamaParams>>,
    pub providers_enabled: Option<HashMap<String, bool>>,
    pub theme: Option<String>,
    pub confirm_destructive: Option<bool>,
    pub scheduler_enabled: Option<bool>,
    pub scheduler_poll_secs: Option<u64>,
    pub max_agentic_iterations: Option<u32>,
    pub max_agentic_seconds: Option<u32>,
    pub max_agentic_tokens: Option<u32>,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn default_is_zero_egress() {
        let s = Settings::default();
        assert!(!s.allow_cloud_ai);
    }

    #[test]
    fn default_theme_is_dark() {
        assert_eq!(Settings::default().theme, "dark");
    }

    #[test]
    fn update_theme_persists() {
        let store = SettingsStore::in_memory();
        store
            .update(SettingsPatch {
                theme: Some("light".into()),
                ..Default::default()
            })
            .unwrap();
        assert_eq!(store.theme(), "light");
    }

    #[test]
    fn max_agentic_iterations_defaults_and_clamps() {
        let store = SettingsStore::in_memory();
        assert_eq!(store.max_agentic_iterations(), crate::MAX_AGENTIC_ITERATIONS);
        // 0 clamps up to 1 so autonomy can't be silently disabled.
        store
            .update(SettingsPatch {
                max_agentic_iterations: Some(0),
                ..Default::default()
            })
            .unwrap();
        assert_eq!(store.max_agentic_iterations(), 1);
        store
            .update(SettingsPatch {
                max_agentic_iterations: Some(12),
                ..Default::default()
            })
            .unwrap();
        assert_eq!(store.max_agentic_iterations(), 12);
    }

    #[test]
    fn max_agentic_seconds_defaults_unlimited_and_clamps() {
        let store = SettingsStore::in_memory();
        assert_eq!(store.max_agentic_seconds(), 0); // unlimited by default
        store
            .update(SettingsPatch {
                max_agentic_seconds: Some(120),
                ..Default::default()
            })
            .unwrap();
        assert_eq!(store.max_agentic_seconds(), 120);
        store
            .update(SettingsPatch {
                max_agentic_seconds: Some(999_999),
                ..Default::default()
            })
            .unwrap();
        assert_eq!(store.max_agentic_seconds(), 24 * 60 * 60); // clamped to 24h
    }

    #[test]
    fn max_agentic_tokens_defaults_unlimited() {
        let store = SettingsStore::in_memory();
        assert_eq!(store.max_agentic_tokens(), 0); // unlimited by default
        store
            .update(SettingsPatch {
                max_agentic_tokens: Some(50_000),
                ..Default::default()
            })
            .unwrap();
        assert_eq!(store.max_agentic_tokens(), 50_000);
    }

    #[test]
    fn update_persists_to_disk_when_path_set() {
        let tmp = std::env::temp_dir().join(format!("flow-settings-{}.json", uuid::Uuid::new_v4()));
        let store = SettingsStore::open(tmp.clone());
        store
            .update(SettingsPatch {
                allow_cloud_ai: Some(true),
                ..Default::default()
            })
            .unwrap();
        let body = std::fs::read_to_string(&tmp).unwrap();
        assert!(body.contains("\"allow_cloud_ai\": true"));
        let _ = std::fs::remove_file(&tmp);
    }

    #[test]
    fn provider_enabled_defaults_to_true_for_unknown_names() {
        let store = SettingsStore::in_memory();
        assert!(store.provider_enabled("custom"));
    }

    #[test]
    fn update_can_disable_a_provider() {
        let store = SettingsStore::in_memory();
        let mut patch = HashMap::new();
        patch.insert("openai".into(), false);
        store
            .update(SettingsPatch {
                allow_cloud_ai: Some(true),
                providers_enabled: Some(patch),
                ..Default::default()
            })
            .unwrap();
        assert!(!store.provider_enabled("openai"));
        assert!(store.provider_enabled("claude"));
    }
}