npm - @aexol/spectral - Versions diffs - 0.2.3 → 0.2.5 - Mend

@aexol/spectral 0.2.3 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/cli.js +8 -2
package/dist/commands/login-oauth.js +116 -0
package/dist/commands/serve.js +1 -0
package/dist/config.js +5 -1
package/dist/relay/machine-store.js +4 -0
package/dist/relay/registration.js +12 -7
package/package.json +4 -1

package/dist/cli.js CHANGED Viewed

@@ -124,8 +124,9 @@ function printHeader() {
         TAGLINE,
         "",
         "Subcommands:",
-        "  spectral login    Authenticate with the Aexol MCP backend",
-        "  spectral logout   Remove stored Aexol credentials",
+        "  spectral login         Authenticate with a team API key",
+        "  spectral login --oauth Authorize via browser (Aexol Studio OAuth)",
+        "  spectral logout        Remove stored Aexol credentials",
         "  spectral serve    Connect this machine to the Aexol relay backend",
         "  spectral bind     Link this directory to an Aexol Studio project",
         "  spectral unbind   Remove the Aexol Studio project binding",
@@ -193,6 +194,11 @@ async function main() {
     // Subcommands. Dynamic import keeps the cold-start path light when users
     // are just running pi.
     if (first === "login") {
+        if (args[1] === "--oauth") {
+            const { runLoginOAuth } = await import("./commands/login-oauth.js");
+            await runLoginOAuth();
+            process.exit(0);
+        }
         const { runLogin } = await import("./commands/login.js");
         await runLogin();
         process.exit(0);

package/dist/commands/login-oauth.js ADDED Viewed

@@ -0,0 +1,116 @@
+/**
+ * `spectral login --oauth` — browser-based OAuth login for CLI machine ownership.
+ *
+ * Flow:
+ *   1. Start a temporary HTTP server on a random localhost port.
+ *   2. Open the browser to `https://studio.aexol.ai/cli-auth?port=<PORT>`.
+ *   3. Wait for the browser to redirect to `http://localhost:<PORT>?token=<JWT>`.
+ *   4. Save the token to `~/.spectral/config.json` as `userJwt`.
+ *   5. Shutdown the HTTP server and exit.
+ *
+ * On failure (timeout, network error, user closes browser), the server shuts
+ * down after a configurable timeout (default 120s).
+ */
+import { createServer } from "node:http";
+import pc from "picocolors";
+import { DEFAULT_API_URL, getConfigFile, readConfig, writeConfig, } from "../config.js";
+const DEFAULT_BACKEND_URL = "https://studio.aexol.ai";
+const CALLBACK_TIMEOUT_MS = 120_000; // 2 minutes
+/**
+ * Start a temporary HTTP server to receive the OAuth callback.
+ * Returns the port and a promise that resolves with the JWT token.
+ */
+function listenForCallback(timeoutMs) {
+    return new Promise((resolve, reject) => {
+        const server = createServer();
+        const timeout = setTimeout(() => {
+            server.close();
+            reject(new Error(`Timed out after ${timeoutMs / 1000}s waiting for browser authorization.`));
+        }, timeoutMs);
+        server.on("request", (req, res) => {
+            const url = new URL(req.url ?? "/", `http://localhost`);
+            const token = url.searchParams.get("token");
+            if (token) {
+                clearTimeout(timeout);
+                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                res.end("<html><body><h1>✓ Authorized</h1><p>You can close this tab and return to your terminal.</p></body></html>");
+                resolve({ token, server });
+            }
+            else {
+                res.writeHead(400, { "Content-Type": "text/plain" });
+                res.end("Missing token parameter.");
+            }
+        });
+        server.on("error", (err) => {
+            clearTimeout(timeout);
+            server.close();
+            reject(new Error(`Failed to start local server: ${err.message}`));
+        });
+        server.listen(0, "127.0.0.1", () => {
+            // Port 0 lets the OS assign an ephemeral port — we read it from the server.
+        });
+    });
+}
+/** Derive the landing base URL from the backend URL. */
+function deriveLandingUrl(backendUrl) {
+    const env = process.env.SPECTRAL_LANDING_URL;
+    if (env)
+        return env;
+    // If using local dev backend, use local dev landing
+    if (backendUrl.includes("localhost") || backendUrl.includes("127.0.0.1")) {
+        return "http://localhost:3000";
+    }
+    return DEFAULT_BACKEND_URL;
+}
+export async function runLoginOAuth() {
+    process.stdout.write(pc.bold("Spectral login (OAuth)\n"));
+    process.stdout.write(pc.dim(`Opens a browser to authorize the CLI. The JWT is stored at ${getConfigFile()}.\n\n`));
+    // Load existing config to get backendUrl
+    const existingCfg = await readConfig();
+    const landingUrl = deriveLandingUrl(existingCfg?.apiUrl ?? process.env.SPECTRAL_MCP_URL ?? DEFAULT_API_URL);
+    // Start the callback listener FIRST (port must be known before opening the browser)
+    let server;
+    let token;
+    try {
+        const result = await listenForCallback(CALLBACK_TIMEOUT_MS);
+        server = result.server;
+        const addr = server.address();
+        const port = addr.port;
+        // Open browser to the CLI auth page
+        const authUrl = `${landingUrl}/cli-auth?port=${port}`;
+        process.stdout.write(pc.dim(`Opening browser: ${authUrl}\n`));
+        const { exec } = await import("node:child_process");
+        const platform = process.platform;
+        const openCmd = platform === "darwin"
+            ? `open "${authUrl}"`
+            : platform === "win32"
+                ? `start "" "${authUrl}"`
+                : `xdg-open "${authUrl}"`;
+        exec(openCmd, (err) => {
+            if (err) {
+                process.stderr.write(pc.yellow(`⚠ Could not open browser automatically. Please visit:\n  ${authUrl}\n`));
+            }
+        });
+        // Wait for the token
+        process.stdout.write(pc.dim("Waiting for authorization...\n"));
+        token = result.token;
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(pc.red(`✗ ${msg}\n`));
+        process.exit(1);
+    }
+    finally {
+        server?.close();
+    }
+    // Save the token. Preserve existing config (especially teamApiKey).
+    const cfg = existingCfg ?? {
+        apiUrl: process.env.SPECTRAL_MCP_URL ?? DEFAULT_API_URL,
+        teamApiKey: "",
+    };
+    cfg.userJwt = token;
+    await writeConfig(cfg);
+    process.stdout.write(pc.green("✓ CLI authorized.\n"));
+    process.stdout.write(pc.dim(`Saved user JWT to ${getConfigFile()}\n`));
+    process.stdout.write(pc.dim("Run `spectral serve` to register your machine with owner info.\n"));
+}

package/dist/commands/serve.js CHANGED Viewed

@@ -154,6 +154,7 @@ export async function runServe(opts = {}) {
         registration = await ensureMachineRegistered({
             backendUrl,
             apiKey: cfg.teamApiKey,
+            userJwt: cfg.userJwt,
             machineNameOverride: opts.machineName,
             version,
             fetchImpl: opts.fetchImpl,

package/dist/config.js CHANGED Viewed

@@ -59,7 +59,11 @@ export async function readConfig() {
         if (typeof parsed.apiUrl === "string" &&
             typeof parsed.teamApiKey === "string" &&
             parsed.teamApiKey.length > 0) {
-            return { apiUrl: parsed.apiUrl, teamApiKey: parsed.teamApiKey };
+            return {
+                apiUrl: parsed.apiUrl,
+                teamApiKey: parsed.teamApiKey,
+                userJwt: typeof parsed.userJwt === "string" ? parsed.userJwt : undefined,
+            };
         }
         return null;
     }

package/dist/relay/machine-store.js CHANGED Viewed

@@ -29,6 +29,7 @@ const KNOWN_KEYS = new Set([
     "machineName",
     "machineJwt",
     "teamId",
+    "ownerId",
     "registeredAt",
     "hostname",
     "version",
@@ -77,6 +78,7 @@ export async function loadMachine() {
         machineName: parsed.machineName,
         machineJwt: parsed.machineJwt,
         teamId: typeof parsed.teamId === "string" ? parsed.teamId : undefined,
+        ownerId: typeof parsed.ownerId === "string" ? parsed.ownerId : undefined,
         registeredAt: parsed.registeredAt,
         hostname: parsed.hostname,
         version: parsed.version,
@@ -105,6 +107,8 @@ export async function saveMachine(rec) {
     };
     if (rec.teamId !== undefined)
         toWrite.teamId = rec.teamId;
+    if (rec.ownerId !== undefined)
+        toWrite.ownerId = rec.ownerId;
     if (rec.extra) {
         for (const [k, v] of Object.entries(rec.extra))
             toWrite[k] = v;

package/dist/relay/registration.js CHANGED Viewed

@@ -3,15 +3,19 @@
  *
  * Contract (Batch 1 backend):
  *   POST <backend>/api/machines/register
- *     Headers: Authorization: Bearer <teamApiKey>
+ *     Headers: Authorization: Bearer <teamApiKey|userJwt>
  *     Body:    { name?: string, hostname: string, version: string, pid: number }
- *     200:     { machineId: string, jwt: string, name: string }
+ *     200:     { machineId: string, jwt: string, name: string, ownerId?: string }
+ *
+ * Auth priority:
+ *   - If `userJwt` is set → used as Bearer token (machine gets ownerId)
+ *   - Else → `apiKey` (team API key, machine gets no owner)
  *
  * Why this lives in its own module:
- *  - It's the ONLY consumer of the team API key. Once registration succeeds,
- *    the team key is dropped on the floor — only the short-lived `machineJwt`
- *    is persisted (in `machine.json`) and threaded into `RelayClient`. Keeps
- *    the blast radius of an in-memory leak minimal.
+ *  - It's the ONLY consumer of the team API key / user JWT for registration.
+ *    Once registration succeeds, the auth token is dropped on the floor —
+ *    only the `machineJwt` is persisted (in `machine.json`) and threaded
+ *    into `RelayClient`. Keeps the blast radius of an in-memory leak minimal.
  *  - It owns JWT expiry decoding so `serve.ts` doesn't have to know about
  *    JWT internals; a single boundary for "is the saved record still good".
  *
@@ -87,7 +91,7 @@ export async function ensureMachineRegistered(deps) {
         res = await fetchImpl(url, {
             method: "POST",
             headers: {
-                Authorization: `Bearer ${deps.apiKey}`,
+                Authorization: `Bearer ${deps.userJwt ?? deps.apiKey}`,
                 "Content-Type": "application/json",
             },
             body: JSON.stringify(body),
@@ -126,6 +130,7 @@ export async function ensureMachineRegistered(deps) {
         machineName: obj.name,
         machineJwt: obj.jwt,
         teamId: typeof obj.teamId === "string" ? obj.teamId : undefined,
+        ownerId: typeof obj.ownerId === "string" ? obj.ownerId : undefined,
         registeredAt: Date.now(),
         hostname: hostname(),
         version: deps.version,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aexol/spectral",
-  "version": "0.2.3",
+  "version": "0.2.5",
   "description": "Always-on coding agent for Aexol — branded pi wrapper with relay-based browser access.",
   "type": "module",
   "private": false,
@@ -55,6 +55,9 @@
     "@mariozechner/pi-coding-agent": "^0.70.2",
     "better-sqlite3": "^12.9.0",
     "pi-mcp-adapter": "file:../packages/pi-mcp-adapter",
+    "@modelcontextprotocol/sdk": "^1.25.1",
+    "@modelcontextprotocol/ext-apps": "^1.2.2",
+    "open": "^10.2.0",
     "picocolors": "^1.1.1",
     "ws": "^8.20.0"
   },