@0dai-dev/cli 4.2.0 → 4.3.5

package/lib/commands/auth.js

@@ -3,11 +3,196 @@ const shared = require("../shared");
 const {
   T, R, D, log,
   fs, os,
-  CONFIG_DIR, AUTH_FILE, API_URL,
+  AUTH_FILE, API_URL,
   apiCall, loadAuthState, fetchAuthStatus, updateAuthState,
+  saveAuthState,
   makeEnsureAuthenticated, ensureLicenseActivation,
 } = shared;
 
+function _argAfter(args, names) {
+  const list = Array.isArray(args) ? args : [];
+  const wanted = new Set(Array.isArray(names) ? names : [names]);
+  for (let i = 0; i < list.length; i++) {
+    const arg = String(list[i] || "");
+    if (wanted.has(arg) && list[i + 1]) return String(list[i + 1]);
+    for (const name of wanted) {
+      if (arg.startsWith(`${name}=`)) return arg.slice(name.length + 1);
+    }
+  }
+  return "";
+}
+
+function _looksLikePlanCode(code) {
+  const value = String(code || "").trim().toUpperCase();
+  return /^(PRO|PROD|TEAM|ENT|ENTERPRISE|ESSENTIAL)-/.test(value);
+}
+
+function parseActivationArgs(args = [], options = {}) {
+  const authCode = _argAfter(args, ["--auth-code", "--oauth-code", "--exchange-code"]);
+  const explicitActivationCode = _argAfter(args, ["--activation-code", "--redeem-code", "--plan-code"]);
+  const genericCode = _argAfter(args, "--code");
+  const genericCodePurpose = String(options.genericCode || "auto");
+  if (genericCodePurpose === "auth") {
+    return { authCode: authCode || genericCode, activationCode: explicitActivationCode };
+  }
+  if (genericCodePurpose === "activation") {
+    return { authCode, activationCode: explicitActivationCode || genericCode };
+  }
+  return {
+    authCode: authCode || (genericCode && !_looksLikePlanCode(genericCode) ? genericCode : ""),
+    activationCode: explicitActivationCode || (genericCode && _looksLikePlanCode(genericCode) ? genericCode : ""),
+  };
+}
+
+function parseAuthLoginFlags(args = []) {
+  const list = Array.isArray(args) ? args : [];
+  return {
+    device: list.includes("--device"),
+    mcp: list.includes("--mcp") || list.includes("--mcp-auth"),
+    noBrowser: list.includes("--no-browser"),
+  };
+}
+
+function _positiveNumber(value, fallback) {
+  const number = Number(value);
+  return Number.isFinite(number) && number > 0 ? number : fallback;
+}
+
+function _formatSeconds(seconds) {
+  const value = Math.round(_positiveNumber(seconds, 600));
+  if (value % 60 === 0) return `${value / 60} minute${value === 60 ? "" : "s"}`;
+  return `${value} seconds`;
+}
+
+function printDeviceLoginInstructions(result, writeLine = log) {
+  const expiresIn = _positiveNumber(result && result.expires_in, 600);
+  writeLine(`Open: ${result.verification_uri}`);
+  writeLine(`Code: ${result.user_code}`);
+  writeLine(`Expires in: ${_formatSeconds(expiresIn)}`);
+}
+
+async function loginWithDeviceCode(options = {}) {
+  const writeLine = typeof options.writeLine === "function" ? options.writeLine : log;
+  const spinner = options.spinner || null;
+  const result = await apiCall("/v1/auth/device", { client_id: "cli" });
+  if (!result || result.error) throw new Error(result && result.error ? result.error : "device auth failed");
+
+  printDeviceLoginInstructions(result, writeLine);
+  if (spinner && typeof spinner.start === "function") spinner.start("Waiting for confirmation...");
+
+  const intervalMs = Math.max(1, _positiveNumber(result.interval, 5) * 1000);
+  const expiresIn = _positiveNumber(result.expires_in, 600);
+  const deadline = Date.now() + expiresIn * 1000;
+  while (Date.now() < deadline) {
+    await new Promise(r => setTimeout(r, intervalMs));
+    const poll = await apiCall("/v1/auth/token", { device_code: result.device_code });
+    if (poll.access_token) {
+      if (spinner && typeof spinner.stop === "function") spinner.stop("Authorized!");
+      saveAuthState({
+        access_token: poll.access_token,
+        email: poll.email,
+        plan: poll.plan || "free",
+        authenticated_at: new Date().toISOString(),
+        expires_at: poll.expires_at,
+      });
+      return poll;
+    }
+    if (poll.error && poll.error !== "authorization_pending") {
+      if (spinner && typeof spinner.stop === "function") spinner.stop("Failed");
+      throw new Error(poll.error);
+    }
+  }
+
+  if (spinner && typeof spinner.stop === "function") spinner.stop("Device code expired");
+  throw new Error(`Device code expired after ${_formatSeconds(expiresIn)}. Run '0dai auth login --device --no-browser' to get a new code.`);
+}
+
+function _authAccessToken(auth) {
+  return auth && (auth.access_token || auth.api_key || auth.token) ? String(auth.access_token || auth.api_key || auth.token) : "";
+}
+
+function writeMcpTokenForAuth(auth, source = "0dai-account-token") {
+  const { writeMcpAuthTokenFromAccount } = require("../utils/mcp-auth");
+  return writeMcpAuthTokenFromAccount(_authAccessToken(auth), {
+    email: auth && auth.email,
+    plan: auth && auth.plan,
+    source,
+  });
+}
+
+function writeMcpTokenForCurrentAuth(source = "0dai-account-token", writeLine = log) {
+  const mcp = writeMcpTokenForAuth(loadAuthState(), source);
+  writeLine(`MCP auth token stored: ${mcp.tokenPath}`);
+  return mcp;
+}
+
+async function loginWithExchangeCode(code) {
+  const clean = String(code || "").trim();
+  if (!clean) throw new Error("auth code required");
+  const exchanged = await apiCall("/v1/auth/exchange", { code: clean });
+  if (!exchanged || exchanged.error || !exchanged.access_token) {
+    throw new Error(exchanged && exchanged.error ? exchanged.error : "invalid or expired auth code");
+  }
+  const status = await fetchAuthStatus(exchanged.access_token);
+  if (!status || status.error || !status.email) {
+    throw new Error(status && status.error ? status.error : "cloud validation failed after auth exchange");
+  }
+  saveAuthState({
+    access_token: exchanged.access_token,
+    email: status.email,
+    plan: status.plan || "free",
+    name: status.name || exchanged.name || "",
+    license: status.license || {},
+    plan_expires_at: status.plan_expires_at || "",
+    authenticated_at: new Date().toISOString(),
+  });
+  return status;
+}
+
+async function loginWithPastedAccessToken(token) {
+  const clean = String(token || "").trim();
+  if (!clean) throw new Error("access token required");
+  const status = await fetchAuthStatus(clean);
+  if (!status || status.error || !status.email) {
+    throw new Error(status && status.error ? status.error : "cloud validation failed");
+  }
+  saveAuthState({
+    access_token: clean,
+    email: status.email,
+    plan: status.plan || "free",
+    name: status.name || "",
+    license: status.license || {},
+    plan_expires_at: status.plan_expires_at || "",
+    authenticated_at: new Date().toISOString(),
+  });
+  return status;
+}
+
+async function redeemActivationCode(code) {
+  const clean = String(code || "").trim().toUpperCase();
+  if (!clean) throw new Error("activation code required");
+  const result = await apiCall("/v1/redeem", { code: clean });
+  if (!result || !result.ok) {
+    throw new Error(result && result.error ? result.error : "activation code redeem failed");
+  }
+  const status = await fetchAuthStatus();
+  if (!status || status.error || !status.email) {
+    throw new Error(status && status.error ? status.error : "cloud validation failed after activation");
+  }
+  return { result, status };
+}
+
+async function promptOptionalActivationCode(p) {
+  if (!(process.stdout.isTTY && process.stdin.isTTY)) return "";
+  if (!p || typeof p.text !== "function") return "";
+  const value = await p.text({
+    message: "Activation / Team code (optional)",
+    placeholder: "TEAM-... or press Enter",
+  });
+  if (p.isCancel(value)) return "";
+  return String(value || "").trim();
+}
+
 async function resolveSessionState() {
   const auth = loadAuthState();
   const hasCachedToken = !!(auth && (auth.api_key || auth.access_token || auth.token));
@@ -42,7 +227,22 @@ async function resolveSessionState() {
   };
 }
 
-async function cmdAuthLogin() {
+async function cmdAuthLogin(args = []) {
+  const rawArgs = Array.isArray(args) ? args : [];
+  const flags = parseAuthLoginFlags(rawArgs);
+  const parsed = parseActivationArgs(rawArgs, { genericCode: "auth" });
+  if (parsed.authCode) {
+    try {
+      const status = await loginWithExchangeCode(parsed.authCode);
+      if (flags.mcp) writeMcpTokenForCurrentAuth("0dai-browser-oauth");
+      log(`Logged in as ${status.email} (${status.plan || "free"} plan)`);
+      return status;
+    } catch (err) {
+      log(`auth failed: ${err.message || err}`);
+      process.exit(1);
+    }
+  }
+
   const isTTY = process.stdout.isTTY && process.stdin.isTTY;
 
   // Check if already authenticated
@@ -55,13 +255,15 @@ async function cmdAuthLogin() {
         p.log.success(`Already logged in as ${T}${existing.email || "unknown"}${R} (${existing.plan || "free"} plan)`);
         const reauth = await p.confirm({ message: "Sign in with a different account?" });
         if (p.isCancel(reauth) || !reauth) {
+          if (flags.mcp) writeMcpTokenForCurrentAuth("0dai-account-token", p.log.success);
           p.outro("Current session kept");
-          return;
+          return existing;
         }
       } else {
+        if (flags.mcp) writeMcpTokenForCurrentAuth("0dai-account-token");
         log(`Already logged in as ${existing.email || "unknown"} (${existing.plan || "free"} plan)`);
         log("To switch accounts, delete ~/.0dai/auth.json and run again");
-        return;
+        return existing;
       }
     }
   } catch {}
@@ -78,15 +280,20 @@ async function cmdAuthLogin() {
       "Why sign in?"
     );
 
-    const method = await p.select({
-      message: "How would you like to sign in?",
-      options: [
-        { value: "github", label: "GitHub", hint: "recommended" },
-        { value: "google", label: "Google" },
-        { value: "device", label: "Device code", hint: "no browser needed" },
-      ],
-    });
-    if (p.isCancel(method)) { p.cancel("Cancelled"); process.exit(0); }
+    let method = "device";
+    if (!(flags.device || flags.noBrowser)) {
+      method = await p.select({
+        message: "How would you like to sign in?",
+        options: [
+          { value: "github", label: "GitHub", hint: "recommended" },
+          { value: "google", label: "Google" },
+          { value: "device", label: "Device code", hint: "no browser needed" },
+        ],
+      });
+      if (p.isCancel(method)) { p.cancel("Cancelled"); process.exit(0); }
+    } else {
+      p.log.info("Using device code flow (--device/--no-browser).");
+    }
 
     if (method === "github" || method === "google") {
       const url = `${API_URL}/v1/auth/${method}?cli=true`;
@@ -103,97 +310,71 @@ async function cmdAuthLogin() {
       const s = p.spinner();
       s.start("Waiting for browser confirmation...");
 
-      // Poll auth/status until we get a new token (check every 3s, 5min timeout)
-      // For now, ask user to paste token from success page
       s.stop("Browser opened");
-      const token = await p.text({
-        message: "Paste your token from the success page (or press Enter to skip):",
-        placeholder: "0dai_at_...",
+      const code = await p.text({
+        message: "Paste the code from the success page (or press Enter for device code):",
+        placeholder: "code from browser success page",
       });
-      if (token && !p.isCancel(token) && token.startsWith("0dai_at_")) {
-        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
-        fs.writeFileSync(AUTH_FILE, JSON.stringify({
-          access_token: token,
-          authenticated_at: new Date().toISOString(),
-        }, null, 2) + "\n", { mode: 0o600 });
-        // Fetch profile
-        const status = await apiCall("/v1/auth/status");
-        if (status.email) {
-          const auth = JSON.parse(fs.readFileSync(AUTH_FILE, "utf8"));
-          auth.email = status.email;
-          auth.plan = status.plan;
-          auth.name = status.name;
-          fs.writeFileSync(AUTH_FILE, JSON.stringify(auth, null, 2) + "\n", { mode: 0o600 });
-          p.outro(`${T}Logged in${R} as ${status.email} (${status.plan} plan)`);
-        } else {
-          p.outro(`${T}Token saved${R}`);
+      if (code && !p.isCancel(code)) {
+        const pasted = String(code).trim();
+        try {
+          if (pasted.startsWith("0dai_at_")) {
+            const status = await loginWithPastedAccessToken(pasted);
+            if (flags.mcp) writeMcpTokenForCurrentAuth("0dai-pasted-token", p.log.success);
+            p.outro(`${T}Logged in${R} as ${status.email} (${status.plan || "free"} plan)`);
+            return status;
+          } else {
+            const status = await loginWithExchangeCode(pasted);
+            if (flags.mcp) writeMcpTokenForCurrentAuth("0dai-browser-oauth", p.log.success);
+            p.outro(`${T}Logged in${R} as ${status.email} (${status.plan || "free"} plan)`);
+            return status;
+          }
+        } catch (err) {
+          p.log.error(err.message || String(err));
+          if (pasted.startsWith("0dai_at_")) process.exit(1);
         }
-        return;
       }
       p.log.info("Skipped. You can also use device code flow:");
     }
 
-    // Device code fallback
-    const result = await apiCall("/v1/auth/device", { client_id: "cli" });
-    if (result.error) { p.log.error(result.error); process.exit(1); }
-
-    p.log.step(`Open: ${result.verification_uri}`);
-    p.log.step(`Code: ${T}${result.user_code}${R}`);
-
     const s = p.spinner();
-    s.start("Waiting for confirmation...");
-
-    const interval = (result.interval || 5) * 1000;
-    const deadline = Date.now() + (result.expires_in || 600) * 1000;
-    while (Date.now() < deadline) {
-      await new Promise(r => setTimeout(r, interval));
-      const poll = await apiCall("/v1/auth/token", { device_code: result.device_code });
-      if (poll.access_token) {
-        s.stop("Authorized!");
-        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
-        fs.writeFileSync(AUTH_FILE, JSON.stringify({
-          access_token: poll.access_token, email: poll.email,
-          plan: poll.plan || "free", authenticated_at: new Date().toISOString(),
-          expires_at: poll.expires_at,
-        }, null, 2) + "\n", { mode: 0o600 });
-        p.outro(`${T}Logged in${R} as ${poll.email} (${poll.plan} plan)`);
-        return;
-      }
-      if (poll.error && poll.error !== "authorization_pending") {
-        s.stop("Failed");
-        p.log.error(poll.error);
-        process.exit(1);
+    try {
+      const poll = await loginWithDeviceCode({
+        writeLine: (message) => p.log.step(message),
+        spinner: s,
+      });
+      if (flags.mcp) {
+        const mcp = writeMcpTokenForAuth(
+          { access_token: poll.access_token, email: poll.email, plan: poll.plan },
+          "0dai-device-code"
+        );
+        p.log.success(`MCP auth token stored: ${mcp.tokenPath}`);
       }
+      p.outro(`${T}Logged in${R} as ${poll.email} (${poll.plan || "free"} plan)`);
+      return poll;
+    } catch (err) {
+      p.log.error(err.message || String(err));
+      process.exit(1);
     }
-    s.stop("Device code expired");
-    p.log.error("The code expired after 10 minutes. Run '0dai auth login' to get a new code.");
-    process.exit(1);
 
   } else {
     // Non-interactive: device code only
     log("0dai auth is separate from agent CLIs. It tracks projects, limits, and team features.");
-    const result = await apiCall("/v1/auth/device", { client_id: "cli" });
-    if (result.error) { log(`error: ${result.error}`); process.exit(1); }
-    log(`Open: ${result.verification_uri}`);
-    log(`Code: ${result.user_code}`);
-    log("Waiting...");
-    const interval = (result.interval || 5) * 1000;
-    const deadline = Date.now() + (result.expires_in || 600) * 1000;
-    while (Date.now() < deadline) {
-      await new Promise(r => setTimeout(r, interval));
-      const poll = await apiCall("/v1/auth/token", { device_code: result.device_code });
-      if (poll.access_token) {
-        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
-        fs.writeFileSync(AUTH_FILE, JSON.stringify({
-          access_token: poll.access_token, email: poll.email,
-          plan: poll.plan || "free", authenticated_at: new Date().toISOString(),
-        }, null, 2) + "\n", { mode: 0o600 });
-        log(`Logged in as ${poll.email}`);
-        return;
+    try {
+      const poll = await loginWithDeviceCode({ writeLine: log });
+      if (flags.mcp) {
+        const mcp = writeMcpTokenForAuth(
+          { access_token: poll.access_token, email: poll.email, plan: poll.plan },
+          "0dai-device-code"
+        );
+        log(`MCP auth token stored: ${mcp.tokenPath}`);
       }
+      log(`Logged in as ${poll.email} (${poll.plan || "free"} plan)`);
+      return poll;
+    } catch (err) {
+      log(`error: ${err.message || err}`);
+      process.exit(1);
     }
-    log("Device code expired after 10 minutes. Run '0dai auth login' again.");
-    process.exit(1);
   }
 }
 
@@ -202,6 +383,31 @@ function cmdAuthLogout() {
   log("Logged out");
 }
 
+async function cmdAuthMcp(args = []) {
+  const rawArgs = Array.isArray(args) ? args : [];
+  const flags = parseAuthLoginFlags(rawArgs);
+  let auth = loadAuthState();
+
+  if (flags.device || !_authAccessToken(auth)) {
+    log("Starting device code flow for MCP auth.");
+    const poll = await loginWithDeviceCode({ writeLine: log });
+    auth = {
+      access_token: poll.access_token,
+      email: poll.email,
+      plan: poll.plan || "free",
+    };
+    const mcp = writeMcpTokenForAuth(auth, "0dai-device-code");
+    log(`MCP auth token stored: ${mcp.tokenPath}`);
+    log("For bearer-env MCP clients, launch them with OPERATOR_MCP_TOKEN set from the saved 0dai auth token.");
+    return poll;
+  }
+
+  const mcp = writeMcpTokenForAuth(auth, "0dai-account-token");
+  log(`MCP auth token stored: ${mcp.tokenPath}`);
+  log(`Account: ${auth.email || "unknown"} (${auth.plan || "free"} plan)`);
+  return { email: auth.email || "", plan: auth.plan || "free" };
+}
+
 async function cmdRedeem(code) {
   if (!code) {
     console.log("Usage: 0dai redeem <CODE>");
@@ -215,20 +421,43 @@ async function cmdRedeem(code) {
     process.exit(1);
   }
   log(`Redeeming code ${T}${code.toUpperCase()}${R}...`);
-  const result = await apiCall("/v1/redeem", { code: code.toUpperCase().trim() });
-  if (result.ok) {
+  try {
+    const { result, status } = await redeemActivationCode(code);
     log(`${T}✓${R} ${result.message}`);
-    if (result.duration_days) {
-      log(`  Plan active for ${result.duration_days} days`);
-    }
-    log(`  Run ${D}0dai auth status${R} to see updated limits`);
-  } else {
-    log(`error: ${result.error || "unknown"}`);
-    if (result.hint) log(`hint: ${result.hint}`);
+    if (result.duration_days) log(`  Plan active for ${result.duration_days} days`);
+    log(`  Account: ${status.email} · plan: ${status.plan || "free"}`);
+  } catch (err) {
+    log(`error: ${err.message || err}`);
     process.exit(1);
   }
 }
 
+async function ensureAccountForActivation(actionLabel, args = []) {
+  const parsed = parseActivationArgs(args, { genericCode: "activation" });
+  if (parsed.authCode) {
+    log("using auth code from command line");
+    await loginWithExchangeCode(parsed.authCode);
+  }
+
+  const ensureAuthenticated = makeEnsureAuthenticated(cmdAuthLogin);
+  let status = await ensureAuthenticated(actionLabel);
+
+  let activationCode = parsed.activationCode;
+  let prompts = null;
+  if (!activationCode && process.stdout.isTTY && process.stdin.isTTY) {
+    try { prompts = require("@clack/prompts"); } catch {}
+    activationCode = await promptOptionalActivationCode(prompts);
+  }
+  if (activationCode) {
+    log(`redeeming activation code ${T}${activationCode.toUpperCase()}${R}`);
+    const redeemed = await redeemActivationCode(activationCode);
+    status = redeemed.status;
+    log(`plan active: ${status.plan || "free"}`);
+  }
+
+  return status;
+}
+
 async function cmdAuthStatus() {
   const session = await resolveSessionState();
   if (!session.ok) {
@@ -277,4 +506,21 @@ async function cmdActivateStatus() {
   console.log(`  plan: ${license.plan || session.status.plan || session.auth.plan || "free"}`);
 }
 
-module.exports = { cmdAuthLogin, cmdAuthLogout, cmdRedeem, cmdAuthStatus, cmdActivateFree, cmdActivateStatus, resolveSessionState };
+module.exports = {
+  cmdAuthLogin,
+  cmdAuthLogout,
+  cmdAuthMcp,
+  cmdRedeem,
+  cmdAuthStatus,
+  cmdActivateFree,
+  cmdActivateStatus,
+  resolveSessionState,
+  ensureAccountForActivation,
+  loginWithExchangeCode,
+  loginWithPastedAccessToken,
+  loginWithDeviceCode,
+  redeemActivationCode,
+  parseActivationArgs,
+  parseAuthLoginFlags,
+  printDeviceLoginInstructions,
+};

package/lib/commands/boneyard.js

@@ -0,0 +1,44 @@
+"use strict";
+/**
+ * `0dai boneyard` — weekly digest of worst agent moves with lessons.
+ *
+ * Wraps scripts/boneyard.py which aggregates the week's regressions,
+ * high-cost failures, and blunders from outcome_tracker + quality_scorer.
+ *
+ * Issue: #538 (Boneyard); follow-up #578 (wire-up).
+ */
+const shared = require("../shared");
+const { log, D, R, findRepoScript, spawnSync } = shared;
+
+function _findArg(args, flag) {
+  const idx = args.indexOf(flag);
+  if (idx < 0 || !args[idx + 1]) return null;
+  return args[idx + 1];
+}
+
+function cmdBoneyard(target, args) {
+  const script = findRepoScript(target, "boneyard.py");
+  if (!script) {
+    log("boneyard unavailable — missing scripts/boneyard.py");
+    console.log(`  ${D}Run from a 0dai-initialized project root.${R}`);
+    return;
+  }
+
+  const fwd = [script, "--target", target];
+
+  const week = _findArg(args, "--week");
+  if (week) fwd.push("--week", week);
+
+  const count = _findArg(args, "--count");
+  if (count) fwd.push("--count", count);
+
+  if (args.includes("--json")) fwd.push("--format", "json");
+  if (args.includes("--save")) fwd.push("--save");
+
+  const result = spawnSync("python3", fwd, { stdio: "inherit" });
+  if (typeof result.status === "number" && result.status !== 0) {
+    process.exit(result.status);
+  }
+}
+
+module.exports = { cmdBoneyard };