logi-cli 0.1.0

data/lib/logi/commands/device_login.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require "json"
+require "net/http"
+require "uri"
+
+module Logi
+  module Commands
+    # Device-code login for headless / SSH environments.
+    #
+    # Flow:
+    #   1. POST /cli/auth/device → receive user_code + device_code + verification_uri
+    #   2. Show the user_code and URL to the developer
+    #   3. Poll POST /cli/auth/device/poll every `interval` seconds
+    #   4. On success receive PAK → save credentials
+    module DeviceLogin
+      module_function
+
+      POLL_TIMEOUT = 600  # 10 minutes max
+
+      def perform(api_url:, portal_url: nil, **)
+        pastel  = Pastel.new
+        portal  = portal_url || ENV["LOGI_PORTAL_URL"] || Login::DEFAULT_PORTAL
+
+        # Step 1: issue device code
+        grant = request_device_code(api_url: api_url)
+        if grant.nil?
+          abort pastel.red("Couldn't get a device code. Check your connection to the server.")
+        end
+
+        user_code        = grant["user_code"]
+        device_code      = grant["device_code"]
+        verification_uri = grant["verification_uri"] || "#{portal}/cli/activate"
+        interval         = (grant["interval"] || 5).to_i
+        expires_in       = (grant["expires_in"] || 600).to_i
+
+        # Step 2: display to user
+        puts ""
+        puts pastel.bold("Open the URL below in your browser and enter the code.")
+        puts ""
+        puts "  URL:   " + pastel.cyan(verification_uri)
+        puts "  Code:  " + pastel.bold.yellow(user_code)
+        puts ""
+        puts pastel.dim("Waiting for approval… (expires in #{expires_in / 60} minutes)")
+        puts ""
+
+        # Step 3: poll
+        deadline = Time.now + POLL_TIMEOUT
+        loop do
+          sleep interval
+
+          if Time.now > deadline
+            abort pastel.red("Timed out. Try again from your terminal.")
+          end
+
+          result = poll(api_url: api_url, device_code: device_code)
+          next if result.nil?
+
+          error = result["error"]
+
+          case error
+          when nil
+            # Success — result contains token
+            save_and_print(result, pastel)
+            return result
+          when "authorization_pending"
+            next
+          when "slow_down"
+            interval += 5
+            next
+          when "access_denied"
+            abort pastel.red("Sign-in was declined.")
+          when "expired_token"
+            abort pastel.red("The code has expired. Please try again.")
+          else
+            abort pastel.red("Something went wrong: #{error} — #{result['error_description']}")
+          end
+        end
+      end
+
+      def request_device_code(api_url:)
+        uri = URI.join(api_url, "/cli/auth/device")
+        req = Net::HTTP::Post.new(uri.path,
+          "Content-Type" => "application/json",
+          "Accept"       => "application/json"
+        )
+        req.body = "{}"
+        res = http(uri).request(req)
+        JSON.parse(res.body)
+      rescue => e
+        warn "Device authorization request failed: #{e.message}"
+        nil
+      end
+
+      def poll(api_url:, device_code:)
+        uri = URI.join(api_url, "/cli/auth/device/poll")
+        req = Net::HTTP::Post.new(uri.path,
+          "Content-Type" => "application/json",
+          "Accept"       => "application/json"
+        )
+        req.body = JSON.generate(device_code: device_code)
+        res = http(uri).request(req)
+        JSON.parse(res.body)
+      rescue
+        nil
+      end
+
+      def save_and_print(token_response, pastel)
+        Config.save(
+          api_key: token_response["token"],
+          api_url: token_response["api_url"] || Login::DEFAULT_API,
+          name:    "CLI (device)"
+        )
+
+        user = token_response["user"] || {}
+        puts pastel.green("✓ Signed in")
+        puts "  Account: #{user["email_address"] || "(unknown)"}"
+        puts "  Scopes:  #{(token_response["scopes"] || []).join(", ")}"
+        puts "  Saved:   #{pastel.cyan(Config.path)}"
+        puts ""
+        puts pastel.bold("Next steps")
+        puts "  " + pastel.cyan("logi apps list") + pastel.dim("                                    # List your apps")
+        puts "  " + pastel.cyan("logi apps create --name \"My app\" -r https://app.example/cb") + pastel.dim("  # Register your first app")
+        puts "  " + pastel.cyan("logi --help") + pastel.dim("                                       # All commands")
+      end
+
+      def http(uri)
+        Net::HTTP.new(uri.host, uri.port).tap do |h|
+          h.use_ssl = uri.scheme == "https"
+        end
+      end
+    end
+  end
+end

data/lib/logi/commands/login.rb

@@ -0,0 +1,182 @@
+# frozen_string_literal: true
+
+require "digest"
+require "base64"
+require "securerandom"
+require "uri"
+require "json"
+require "net/http"
+require "socket"
+require "webrick"
+
+module Logi
+  module Commands
+    # Browser-redirect OAuth login (PKCE + loopback). Same pattern as GitHub gh and vercel CLI.
+    #
+    # Flow:
+    #   1. Pick a free port, generate code_verifier + code_challenge.
+    #   2. Open browser → start.1pass.dev/cli/auth/start?code_challenge=…&port=…&state=…
+    #   3. Run a tiny WEBrick server on the port, wait for /cb?code=…&state=….
+    #   4. POST /cli/auth/exchange { code, code_verifier } → receive PAK.
+    #   5. Save credentials.
+    module Login
+      module_function
+
+      DEFAULT_PORTAL = "https://start.1pass.dev"
+      DEFAULT_API    = "https://api.1pass.dev"
+
+      def perform(api_url:, name: "CLI", portal_url: nil, scopes: nil, **)
+        pastel = Pastel.new
+        portal = portal_url || ENV["LOGI_PORTAL_URL"] || DEFAULT_PORTAL
+        scopes ||= %w[apps:read apps:manage org:read profile:read]
+
+        port           = pick_free_port
+        code_verifier  = SecureRandom.urlsafe_base64(64).delete("=")
+        code_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
+        state          = SecureRandom.hex(16)
+
+        authorize_url = build_authorize_url(portal, code_challenge, state, port, scopes)
+
+        puts pastel.dim("Opening your browser…")
+        puts pastel.cyan("  #{authorize_url}")
+        puts ""
+
+        open_browser(authorize_url)
+
+        result = wait_for_callback(port: port, expected_state: state)
+        unless result
+          abort pastel.red("Sign-in timed out or was cancelled.")
+        end
+
+        code = result[:code]
+        if code.nil? || code.empty?
+          abort pastel.red("Sign-in failed: no code was returned.")
+        end
+
+        puts pastel.dim("Exchanging the code for a token…")
+        token_response = exchange_code(api_url: api_url, code: code, verifier: code_verifier)
+
+        Config.save(
+          api_key: token_response["token"],
+          api_url: token_response["api_url"] || api_url,
+          name: name
+        )
+
+        user = token_response["user"] || {}
+        puts pastel.green("✓ Signed in")
+        puts "  Account: #{user["email_address"] || "(unknown)"}"
+        puts "  Scopes:  #{(token_response["scopes"] || []).join(", ")}"
+        puts "  Saved:   #{pastel.cyan(Config.path)}"
+        puts ""
+        puts pastel.bold("Next steps")
+        puts "  " + pastel.cyan("logi apps list") + pastel.dim("                                    # List your apps")
+        puts "  " + pastel.cyan("logi apps create --name \"My app\" -r https://app.example/cb") + pastel.dim("  # Register your first app")
+        puts "  " + pastel.cyan("logi --help") + pastel.dim("                                       # All commands")
+        token_response
+      end
+
+      def pick_free_port
+        server = TCPServer.new("127.0.0.1", 0)
+        port = server.addr[1]
+        server.close
+        port
+      end
+
+      def build_authorize_url(portal, code_challenge, state, port, scopes)
+        query = URI.encode_www_form(
+          code_challenge: code_challenge,
+          code_challenge_method: "S256",
+          state:          state,
+          port:           port,
+          scope:          scopes.join(" ")
+        )
+        "#{portal}/cli/auth/start?#{query}"
+      end
+
+      def open_browser(url)
+        cmd =
+          case RbConfig::CONFIG["host_os"]
+          when /darwin/  then [ "open", url ]
+          when /mingw|mswin/ then [ "cmd", "/C", "start", "", url ]
+          else                [ "xdg-open", url ]
+          end
+        Process.detach(spawn(*cmd, out: File::NULL, err: File::NULL))
+      rescue => e
+        warn "Couldn't open the browser automatically (#{e.message}). Please open the URL above manually."
+      end
+
+      # Run a WEBrick server until /cb is hit, return {code:, state:}.
+      def wait_for_callback(port:, expected_state:, timeout: 300)
+        result = nil
+        server = WEBrick::HTTPServer.new(
+          BindAddress: "127.0.0.1",
+          Port:        port,
+          Logger:      WEBrick::Log.new(File::NULL),
+          AccessLog:   []
+        )
+
+        server.mount_proc("/cb") do |req, res|
+          got_state = req.query["state"]
+          got_code  = req.query["code"]
+          if got_state == expected_state && got_code
+            result = { code: got_code, state: got_state }
+            res["Content-Type"] = "text/html; charset=utf-8"
+            res.body = success_html
+          else
+            res.status = 400
+            res["Content-Type"] = "text/plain; charset=utf-8"
+            res.body = "state mismatch or missing code"
+          end
+          Thread.new { sleep 0.3; server.shutdown }
+        end
+
+        Thread.new do
+          sleep timeout
+          server.shutdown if result.nil?
+        end
+
+        server.start
+        result
+      end
+
+      def exchange_code(api_url:, code:, verifier:)
+        uri = URI.join(api_url, "/cli/auth/exchange")
+        req = Net::HTTP::Post.new(uri.path, "Content-Type" => "application/json", "Accept" => "application/json")
+        req.body = JSON.generate(code: code, code_verifier: verifier)
+
+        res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
+        body = JSON.parse(res.body) rescue {}
+        unless res.code.to_i == 200
+          abort Pastel.new.red("Token exchange failed (#{res.code}): #{body["error"] || res.body}")
+        end
+        body
+      end
+
+      def success_html
+        <<~HTML
+          <!doctype html>
+          <html lang="en">
+          <head><meta charset="utf-8"><title>logi CLI</title>
+          <style>
+            body { font-family: -apple-system, BlinkMacSystemFont, sans-serif;
+                   background: linear-gradient(135deg, #f5f7ff 0%, #f3f0ff 100%);
+                   margin: 0; padding: 60px 20px; text-align: center; color: #1d1d1f; }
+            .card { display: inline-block; padding: 40px 56px; border-radius: 24px;
+                    background: rgba(255,255,255,0.6); backdrop-filter: blur(20px);
+                    border: 1px solid rgba(255,255,255,0.4); box-shadow: 0 4px 30px rgba(0,0,0,0.05); }
+            h1 { font-size: 28px; margin: 0 0 8px; }
+            p { color: #6e6e73; margin: 4px 0; }
+            .check { font-size: 48px; }
+          </style></head>
+          <body>
+            <div class="card">
+              <div class="check">✓</div>
+              <h1>You're signed in to logi CLI</h1>
+              <p>You can close this window.</p>
+            </div>
+          </body></html>
+        HTML
+      end
+    end
+  end
+end

data/lib/logi/commands/token.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Logi
+  module Commands
+    # JWT inspection. Signature verification fetches JWKS from the server.
+    class Token < Thor
+      desc "inspect JWT", "Decode a JWT access token (header + payload) and verify its signature against JWKS"
+      method_option :verify, type: :boolean, default: true,
+                    desc: "Verify the signature (fetches JWKS)"
+      def inspect(jwt)
+        pastel = Pastel.new
+        segments = jwt.split(".")
+        if segments.size != 3
+          abort pastel.red("Not a valid JWT (expected header.payload.signature).")
+        end
+
+        header_json  = JSON.parse(Base64.urlsafe_decode64(segments[0] + "=" * ((4 - segments[0].size % 4) % 4)))
+        payload_json = JSON.parse(Base64.urlsafe_decode64(segments[1] + "=" * ((4 - segments[1].size % 4) % 4)))
+
+        puts pastel.cyan("Header:")
+        puts JSON.pretty_generate(header_json)
+        puts pastel.cyan("\nPayload:")
+        puts JSON.pretty_generate(payload_json)
+
+        if options[:verify]
+          verify_with_jwks(jwt, header_json, payload_json)
+        end
+      end
+
+      no_commands do
+        def verify_with_jwks(jwt, header, payload)
+          pastel = Pastel.new
+          config = Config.load
+          http = HttpClient.new(base_url: config.api_url)
+          jwks = http.get("/.well-known/jwks.json")
+
+          kid = header["kid"]
+          jwk = (jwks["keys"] || []).find { |k| k["kid"] == kid }
+          if jwk.nil?
+            warn pastel.yellow("⚠ Signature check: kid=#{kid} was not found in JWKS")
+            return
+          end
+
+          public_key = build_rsa(jwk["n"], jwk["e"])
+          JWT.decode(jwt, public_key, true, algorithm: "RS256")
+          puts pastel.green("\n✓ Signature valid (kid=#{kid})")
+
+          exp = payload["exp"]
+          if exp && Time.at(exp) < Time.now
+            puts pastel.yellow("⚠ Expired (exp=#{Time.at(exp).iso8601})")
+          elsif exp
+            remaining = (Time.at(exp) - Time.now).to_i
+            puts pastel.green("  #{remaining} seconds until expiration")
+          end
+        rescue JWT::DecodeError => e
+          warn pastel.red("✗ Signature check failed: #{e.message}")
+        end
+
+        def build_rsa(n_b64, e_b64)
+          decode = ->(v) { OpenSSL::BN.new(Base64.urlsafe_decode64(v + "=" * ((4 - v.size % 4) % 4)), 2) }
+          # Build RSA from modulus+exponent via ASN.1
+          sequence = OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1::Integer(decode.call(n_b64)),
+            OpenSSL::ASN1::Integer(decode.call(e_b64))
+          ])
+          OpenSSL::PKey::RSA.new(sequence.to_der)
+        end
+      end
+    end
+  end
+end

data/lib/logi/config.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Logi
+  # Load/save credentials.json. Default path: ~/.config/logi/credentials.json
+  # Environment variables LOGI_API_KEY / LOGI_API_URL take precedence when set.
+  class Config
+    DEFAULT_API_URL = "http://localhost:3000"
+
+    def self.path
+      File.expand_path(ENV.fetch("LOGI_CONFIG_PATH", "~/.config/logi/credentials.json"))
+    end
+
+    def self.load
+      env_key = ENV["LOGI_API_KEY"]
+      env_url = ENV["LOGI_API_URL"]
+      if env_key
+        return new(api_key: env_key, api_url: env_url || DEFAULT_API_URL, source: :env)
+      end
+
+      if File.exist?(path)
+        data = JSON.parse(File.read(path))
+        return new(api_key: data["api_key"], api_url: data["api_url"] || DEFAULT_API_URL,
+                   source: :file, name: data["name"])
+      end
+
+      new(api_key: nil, api_url: env_url || DEFAULT_API_URL, source: :none)
+    end
+
+    def self.save(api_key:, api_url:, name:)
+      FileUtils.mkdir_p(File.dirname(path))
+      File.write(path, JSON.pretty_generate({ api_key: api_key, api_url: api_url, name: name }))
+      File.chmod(0o600, path)
+    end
+
+    def self.clear
+      File.delete(path) if File.exist?(path)
+    end
+
+    attr_reader :api_key, :api_url, :source, :name
+
+    def initialize(api_key:, api_url:, source:, name: nil)
+      @api_key = api_key
+      @api_url = api_url
+      @source = source
+      @name = name
+    end
+
+    def authenticated?
+      !api_key.nil? && !api_key.empty?
+    end
+  end
+end

data/lib/logi/http_client.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module Logi
+  # Minimal HTTP client using Net::HTTP. Keeps dependencies light.
+  class HttpClient
+    class Error < StandardError
+      attr_reader :status, :body
+
+      def initialize(status, body)
+        @status = status
+        @body = body
+        super("HTTP #{status}: #{body}")
+      end
+    end
+
+    def initialize(base_url:, api_key: nil, session_cookie: nil)
+      @base_url = base_url.chomp("/")
+      @api_key = api_key
+      @session_cookie = session_cookie
+    end
+
+    attr_accessor :session_cookie
+
+    def get(path, params: {})
+      request(:get, path, params: params)
+    end
+
+    def post(path, body: nil, params: {})
+      request(:post, path, body: body, params: params)
+    end
+
+    def patch(path, body: nil)
+      request(:patch, path, body: body)
+    end
+
+    def delete(path)
+      request(:delete, path)
+    end
+
+    private
+
+    def request(method, path, body: nil, params: {})
+      uri = URI("#{@base_url}#{path}")
+      uri.query = URI.encode_www_form(params) if params.any?
+
+      req = build_request(method, uri, body)
+      apply_auth!(req)
+
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = uri.scheme == "https"
+
+      res = http.request(req)
+      capture_session_cookie!(res)
+      parse_response(res)
+    end
+
+    def build_request(method, uri, body)
+      klass = case method
+              when :get then Net::HTTP::Get
+              when :post then Net::HTTP::Post
+              when :patch then Net::HTTP::Patch
+              when :delete then Net::HTTP::Delete
+              end
+      req = klass.new(uri.request_uri)
+      if body
+        req["Content-Type"] = "application/json"
+        req.body = JSON.dump(body)
+      end
+      req["Accept"] = "application/json"
+      req
+    end
+
+    def apply_auth!(req)
+      req["Authorization"] = "Bearer #{@api_key}" if @api_key
+      req["Cookie"] = "session_id=#{@session_cookie}" if @session_cookie
+    end
+
+    def capture_session_cookie!(res)
+      set = res.get_fields("Set-Cookie") || []
+      set.each do |c|
+        if c.start_with?("session_id=")
+          @session_cookie = c.split(";").first.split("=", 2).last
+        end
+      end
+    end
+
+    def parse_response(res)
+      status = res.code.to_i
+      body = res.body.to_s.empty? ? {} : (JSON.parse(res.body) rescue { "raw" => res.body })
+
+      if status >= 400
+        raise Error.new(status, body)
+      end
+
+      body
+    end
+  end
+end

data/lib/logi/output.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Logi
+  # Centralized output for human / JSON modes.
+  #
+  # Why: When an LLM (Claude, ChatGPT) drives the CLI, it can pass `--json`
+  # (or set `LOGI_OUTPUT=json`) to receive a stable, parseable shape on stdout.
+  # Human messages still go to stderr so they don't pollute pipes.
+  #
+  # Pattern: GitHub `gh --json fields`, Stripe CLI default JSON, Vercel `--output json`.
+  module Output
+    module_function
+
+    # Resolve mode from (in order):
+    #   1. ENV `LOGI_OUTPUT=json` or `=human`
+    #   2. options[:json] true → json
+    #   3. tty/pipe heuristic — pipe defaults to json (LLM-friendly)
+    #   4. fallback: human
+    def mode(options = {})
+      return ENV["LOGI_OUTPUT"] if %w[json human].include?(ENV["LOGI_OUTPUT"])
+      return "json" if options[:json]
+      "human"
+    end
+
+    def json?(options = {}); mode(options) == "json"; end
+
+    # Emit a structured success result. In human mode, runs the block instead.
+    def success(data, options = {}, &human_block)
+      if json?(options)
+        $stdout.puts JSON.generate(success: true, data: data)
+      elsif human_block
+        human_block.call
+      end
+    end
+
+    def failure(code:, message:, status: nil, options: {}, &human_block)
+      payload = { success: false, error: { code: code, message: message } }
+      payload[:error][:status] = status if status
+
+      if json?(options)
+        $stdout.puts JSON.generate(payload)
+      elsif human_block
+        human_block.call
+      else
+        warn message
+      end
+    end
+
+    # Pretty-print to stderr only when human (no-op in JSON mode).
+    # Use for progress chatter ("Opening your browser…" etc).
+    def chatter(text, options = {})
+      return if json?(options)
+      $stderr.puts text
+    end
+  end
+end

data/lib/logi/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Logi
+  VERSION = "0.1.0"
+end

data/lib/logi.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "json"
+require "net/http"
+require "uri"
+require "fileutils"
+require "thor"
+require "pastel"
+require "tty-prompt"
+require "tty-table"
+require "jwt"
+require "base64"
+require "openssl"
+
+require_relative "logi/version"
+require_relative "logi/config"
+require_relative "logi/http_client"
+require_relative "logi/output"
+require_relative "logi/commands/login"
+require_relative "logi/commands/device_login"
+require_relative "logi/commands/app"
+require_relative "logi/commands/token"
+require_relative "logi/cli"