kward 0.66.0

data/lib/kward/rpc/auth_manager.rb

@@ -0,0 +1,265 @@
+require "securerandom"
+require "thread"
+require_relative "../auth/github_oauth"
+require_relative "../auth/openai_oauth"
+require_relative "../model/client"
+require_relative "config_manager"
+
+module Kward
+  module RPC
+    class AuthManager
+      Login = Struct.new(:id, :oauth, :pkce, :state, :server, :redirect_uri, :status, :error, :thread, keyword_init: true)
+
+      def initialize(server:, oauth_factory: -> { OpenAIOAuth.new }, github_oauth_factory: -> { GithubOAuth.new }, config_manager: ConfigManager.new)
+        @server = server
+        @oauth_factory = oauth_factory
+        @github_oauth_factory = github_oauth_factory
+        @config_manager = config_manager
+        @logins = {}
+        @mutex = Mutex.new
+      end
+
+      def status
+        oauth = @oauth_factory.call
+        config = stored_config
+        {
+          openaiOAuth: oauth.logged_in?,
+          openaiAccountId: oauth.respond_to?(:account_id) ? oauth.account_id : nil,
+          openrouterApiKey: !ENV["OPENROUTER_API_KEY"].to_s.empty? || !config["openrouter_api_key"].to_s.empty?,
+          openaiAccessToken: !ENV["OPENAI_ACCESS_TOKEN"].to_s.empty?,
+          githubOAuth: @github_oauth_factory.call.logged_in?
+        }
+      rescue StandardError => e
+        { openaiOAuth: false, error: e.message }
+      end
+
+      def providers
+        { providers: [openai_provider, openrouter_provider, github_provider] }
+      end
+
+      def login_with_api_key(provider_id:, api_key:)
+        provider_id = provider_id.to_s
+        @config_manager.set_api_key(provider_id, api_key)
+        { providerId: provider_id, message: "Saved API key for #{provider_name(provider_id)}." }
+      end
+
+      def logout_provider(provider_id:)
+        provider_id = provider_id.to_s
+        case provider_id
+        when "openai"
+          logout_openai
+          { providerId: provider_id, message: "Logged out of OpenAI." }
+        when "openrouter"
+          @config_manager.delete_key("openrouter_api_key")
+          { providerId: provider_id, message: "Logged out of OpenRouter." }
+        else
+          raise "Unsupported auth provider: #{provider_id}"
+        end
+      end
+
+      def login_with_oauth(provider_id:, timeout_seconds: 120)
+        provider_id = provider_id.to_s
+        case provider_id
+        when "openai"
+          start_openai_login(timeout_seconds: timeout_seconds)
+        when "github"
+          raise "GitHub OAuth is supported in the CLI with `ruby lib/main.rb login github`, but RPC browser login is not implemented yet."
+        else
+          raise "Unsupported OAuth provider: #{provider_id}"
+        end
+      end
+
+      def start_openai_login(timeout_seconds: 120)
+        oauth = @oauth_factory.call
+        flow = oauth.start_login_flow
+        pkce = flow.fetch(:pkce)
+        state = flow.fetch(:state)
+        server = flow.fetch(:server)
+        redirect_uri = flow.fetch(:redirect_uri)
+        url = flow.fetch(:authorization_url)
+        login = Login.new(
+          id: SecureRandom.uuid,
+          oauth: oauth,
+          pkce: pkce,
+          state: state,
+          server: server,
+          redirect_uri: redirect_uri,
+          status: "pending"
+        )
+        @mutex.synchronize { @logins[login.id] = login }
+        login.thread = Thread.new { wait_for_callback(login, timeout_seconds: timeout_seconds.to_i <= 0 ? 120 : timeout_seconds.to_i) }
+        { providerId: "openai", loginId: login.id, authorizationUrl: url, redirectUri: redirect_uri, status: login.status }
+      end
+
+      def submit_openai_code(login_id:, code:)
+        login = fetch_login(login_id)
+        raise "Login is not pending" unless login.status == "pending"
+
+        code = login.oauth.authorization_code_from(code.to_s, expected_state: login.state)
+        complete_login(login, code)
+        login_payload(login)
+      end
+
+      def login_status(login_id:)
+        login_payload(fetch_login(login_id))
+      end
+
+      private
+
+      def fetch_login(login_id)
+        @mutex.synchronize { @logins[login_id.to_s] } || raise("Unknown login: #{login_id}")
+      end
+
+      def stored_config
+        @config_manager.read(redacted: false)
+      rescue StandardError
+        {}
+      end
+
+      def openai_provider
+        oauth = @oauth_factory.call
+        env_configured = !ENV["OPENAI_ACCESS_TOKEN"].to_s.empty?
+        stored_configured = oauth.logged_in?
+        provider = {
+          id: "openai",
+          name: "OpenAI",
+          authType: "oauth",
+          configured: env_configured || stored_configured,
+          storedCredentialType: "oauth",
+          canLogout: stored_configured,
+          usesCallbackServer: true
+        }
+        provider[:source] = env_configured ? "environment" : "stored" if provider[:configured]
+        provider[:label] = provider[:configured] ? "Signed in" : "Not signed in"
+        provider
+      rescue StandardError
+        {
+          id: "openai",
+          name: "OpenAI",
+          authType: "oauth",
+          configured: !ENV["OPENAI_ACCESS_TOKEN"].to_s.empty?,
+          source: (!ENV["OPENAI_ACCESS_TOKEN"].to_s.empty? ? "environment" : nil),
+          label: (!ENV["OPENAI_ACCESS_TOKEN"].to_s.empty? ? "Signed in" : "Not signed in"),
+          storedCredentialType: "oauth",
+          canLogout: false,
+          usesCallbackServer: true
+        }.compact
+      end
+
+      def openrouter_provider
+        config = stored_config
+        env_configured = !ENV["OPENROUTER_API_KEY"].to_s.empty?
+        stored_configured = !config["openrouter_api_key"].to_s.empty?
+        provider = {
+          id: "openrouter",
+          name: "OpenRouter",
+          authType: "api_key",
+          configured: env_configured || stored_configured,
+          canLogout: stored_configured
+        }
+        provider[:source] = env_configured ? "environment" : "stored" if provider[:configured]
+        provider[:storedCredentialType] = "api_key" if stored_configured
+        provider[:label] = provider[:configured] ? "API key configured" : "API key not configured"
+        provider
+      end
+
+      def github_provider
+        oauth = @github_oauth_factory.call
+        env_configured = !ENV["COPILOT_GITHUB_TOKEN"].to_s.empty?
+        stored_configured = oauth.logged_in? && !env_configured
+        provider = {
+          id: "github",
+          name: "GitHub",
+          authType: "oauth",
+          configured: env_configured || stored_configured,
+          storedCredentialType: "oauth",
+          canLogout: false,
+          usesCallbackServer: false,
+          supported: false,
+          reason: "GitHub OAuth is available in the CLI for Copilot scaffolding; RPC login is not implemented yet."
+        }
+        provider[:source] = env_configured ? "environment" : "stored" if provider[:configured]
+        provider[:label] = provider[:configured] ? "Signed in" : "Not signed in"
+        provider
+      rescue StandardError
+        {
+          id: "github",
+          name: "GitHub",
+          authType: "oauth",
+          configured: false,
+          label: "Not signed in",
+          storedCredentialType: "oauth",
+          canLogout: false,
+          usesCallbackServer: false,
+          supported: false,
+          reason: "GitHub OAuth status unavailable."
+        }
+      end
+
+      def provider_name(provider_id)
+        case provider_id
+        when "openrouter" then "OpenRouter"
+        when "openai" then "OpenAI"
+        when "github" then "GitHub"
+        else provider_id
+        end
+      end
+
+      def logout_openai
+        oauth = @oauth_factory.call
+        path = oauth.auth_path if oauth.respond_to?(:auth_path)
+        File.delete(path) if path && File.exist?(path)
+      end
+
+      def wait_for_callback(login, timeout_seconds:)
+        code = login.oauth.wait_for_login_callback(login.server, expected_state: login.state, timeout_seconds: timeout_seconds)
+        complete_login(login, code) unless code.to_s.empty?
+      rescue StandardError => e
+        login.status = "failed"
+        login.error = e.message
+        @server.notify("auth/loginFinished", login_payload(login))
+      ensure
+        login.server&.close unless login.server&.closed?
+      end
+
+      def complete_login(login, code)
+        raise "Missing authorization code" if code.to_s.empty?
+
+        login.oauth.complete_login_flow(code: code, redirect_uri: login.redirect_uri, code_verifier: login.pkce[:verifier])
+        login.status = "completed"
+        @server.notify("auth/loginFinished", login_payload(login))
+      rescue StandardError => e
+        login.status = "failed"
+        login.error = e.message
+        @server.notify("auth/loginFinished", login_payload(login))
+        raise
+      ensure
+        login.server&.close unless login.server&.closed?
+      end
+
+      def login_payload(login)
+        {
+          providerId: "openai",
+          loginId: login.id,
+          status: login.status,
+          redirectUri: login.redirect_uri,
+          message: login_status_message(login.status),
+          error: login.error
+        }.compact
+      end
+
+      def login_status_message(status)
+        case status
+        when "completed"
+          "Logged in to OpenAI."
+        when "failed"
+          "OpenAI login failed."
+        when "cancelled"
+          "OpenAI login cancelled."
+        else
+          "OpenAI login pending."
+        end
+      end
+    end
+  end
+end

data/lib/kward/rpc/config_manager.rb

@@ -0,0 +1,58 @@
+require_relative "../auth/openai_oauth"
+require_relative "../config_files"
+require_relative "../model/model_info"
+require_relative "redactor"
+
+module Kward
+  module RPC
+    class ConfigManager
+      def initialize(config_path: OpenAIOAuth.default_config_path)
+        @config_path = File.expand_path(config_path)
+      end
+
+      attr_reader :config_path
+
+      def read(redacted: true)
+        config = load_config
+        redacted ? Redactor.redact(config) : config
+      end
+
+      def update(values)
+        Redactor.redact(ConfigFiles.update_config(values, @config_path))
+      end
+
+      def set_model(model, provider: nil)
+        model = model.to_s.strip
+        raise "Model must be a non-empty string" if model.empty?
+
+        update(ModelInfo.config_values_for_selection(provider, model))
+      end
+
+      def set_reasoning_effort(effort, provider: nil)
+        effort = effort.to_s.strip
+        raise "Reasoning effort must be a non-empty string" if effort.empty?
+
+        update(ModelInfo.reasoning_config_key_for_provider(provider) => effort)
+      end
+
+      def set_api_key(provider_id, api_key)
+        provider_id = provider_id.to_s
+        api_key = api_key.to_s.strip
+        raise "API key must be a non-empty string" if api_key.empty?
+        raise "Unsupported API key provider: #{provider_id}" unless provider_id == "openrouter"
+
+        update("openrouter_api_key" => api_key)
+      end
+
+      def delete_key(key)
+        ConfigFiles.delete_config_key(key, @config_path)
+      end
+
+      private
+
+      def load_config
+        ConfigFiles.read_config(@config_path)
+      end
+    end
+  end
+end

data/lib/kward/rpc/prompt_bridge.rb

@@ -0,0 +1,104 @@
+require "securerandom"
+require_relative "../message_access"
+
+module Kward
+  module RPC
+    class PromptBridge
+      MIN_QUESTIONS = 1
+      MAX_QUESTIONS = 4
+      MIN_OPTIONS = 2
+      MAX_OPTIONS = 4
+
+      def initialize(server:, session_id:)
+        @server = server
+        @session_id = session_id
+        @mutex = Mutex.new
+        @condition = ConditionVariable.new
+        @answers = {}
+        @pending_requests = {}
+      end
+
+      def ask_user_question(questions, cancellation: nil)
+        questions = validate_questions(questions)
+        request_id = SecureRandom.uuid
+        @mutex.synchronize { @pending_requests[request_id] = true }
+        cancellation&.on_cancel { cancel_request(request_id) }
+        unless cancellation&.cancelled?
+          @server.notify("ui/question", {
+            sessionId: @session_id,
+            questionRequestId: request_id,
+            questions: questions
+          })
+        end
+
+        @mutex.synchronize do
+          @condition.wait(@mutex) until @answers.key?(request_id)
+          answer = @answers.delete(request_id)
+          @pending_requests.delete(request_id)
+          return nil if answer.nil?
+
+          answer
+        end
+      end
+
+      def answer(request_id, answers)
+        @mutex.synchronize do
+          request_id = request_id.to_s
+          return unless @pending_requests.key?(request_id)
+          return if @answers.key?(request_id)
+
+          @answers[request_id] = normalize_answers(answers)
+          @condition.broadcast
+        end
+      end
+
+      def cancel_request(request_id)
+        @mutex.synchronize do
+          request_id = request_id.to_s
+          return unless @pending_requests.key?(request_id)
+          return if @answers.key?(request_id)
+
+          @answers[request_id] = nil
+          @condition.broadcast
+        end
+      end
+
+      private
+
+      def normalize_answers(answers)
+        return nil if answers.nil?
+        return answers unless answers.is_a?(Array)
+
+        answers.map do |answer|
+          next answer unless answer.is_a?(Hash)
+
+          { question: MessageAccess.value(answer, :question).to_s, answer: MessageAccess.value(answer, :answer).to_s }
+        end
+      end
+
+      def validate_questions(questions)
+        raise ArgumentError, "questions must be an array" unless questions.is_a?(Array)
+        unless questions.length.between?(MIN_QUESTIONS, MAX_QUESTIONS)
+          raise ArgumentError, "ui/question requires 1-4 questions"
+        end
+
+        questions.each_with_index do |question, index|
+          validate_question(question, index)
+        end
+        questions
+      end
+
+      def validate_question(question, index)
+        raise ArgumentError, "question #{index + 1} must be an object" unless question.is_a?(Hash)
+
+        options = MessageAccess.value(question, :options)
+        raise ArgumentError, "question #{index + 1} options must be an array" unless options.is_a?(Array)
+        unless options.length.between?(MIN_OPTIONS, MAX_OPTIONS)
+          raise ArgumentError, "question #{index + 1} requires 2-4 options"
+        end
+        raise ArgumentError, "question #{index + 1} multiSelect is unsupported" if MessageAccess.value(question, :multiSelect) == true
+        raise ArgumentError, "question #{index + 1} preview is unsupported" if options.any? { |option| option.is_a?(Hash) && MessageAccess.value(option, :preview) }
+      end
+    end
+  end
+end

data/lib/kward/rpc/redactor.rb

@@ -0,0 +1,47 @@
+module Kward
+  module RPC
+    module Redactor
+      SECRET_KEYS = /(?:token|secret|api[_-]?key|authorization|password|credential)/i
+
+      module_function
+
+      def redact(value)
+        case value
+        when Hash
+          value.each_with_object({}) do |(key, item), result|
+            if token_count_key?(key.to_s) && item.is_a?(Numeric)
+              result[key] = item
+            elsif secret_key?(key)
+              result[key] = "[REDACTED]"
+            else
+              result[key] = redact(item)
+            end
+          end
+        when Array
+          value.map { |item| redact(item) }
+        when String
+          redact_string(value)
+        else
+          value
+        end
+      end
+
+      def redact_string(value)
+        value
+          .gsub(/Bearer\s+[^\s"']+/i, "Bearer [REDACTED]")
+          .gsub(/(sk-[A-Za-z0-9_-]{8,})/, "[REDACTED]")
+      end
+
+      def secret_key?(key)
+        text = key.to_s
+        return false if text == "apiKeyProviders"
+
+        text.match?(SECRET_KEYS)
+      end
+
+      def token_count_key?(key)
+        key.match?(/\A(?:input|output|cache_read|cache_write|total)_tokens\z/) || key == "estimated"
+      end
+    end
+  end
+end