npm - @agent-relay/cloud - Versions diffs - 0.1.0 - Mend

@agent-relay/cloud 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (269) hide show

package/dist/api/admin.d.ts +8 -0
package/dist/api/admin.d.ts.map +1 -0
package/dist/api/admin.js +225 -0
package/dist/api/admin.js.map +1 -0
package/dist/api/auth.d.ts +20 -0
package/dist/api/auth.d.ts.map +1 -0
package/dist/api/auth.js +136 -0
package/dist/api/auth.js.map +1 -0
package/dist/api/billing.d.ts +7 -0
package/dist/api/billing.d.ts.map +1 -0
package/dist/api/billing.js +564 -0
package/dist/api/billing.js.map +1 -0
package/dist/api/cli-pty-runner.d.ts +53 -0
package/dist/api/cli-pty-runner.d.ts.map +1 -0
package/dist/api/cli-pty-runner.js +193 -0
package/dist/api/cli-pty-runner.js.map +1 -0
package/dist/api/codex-auth-helper.d.ts +21 -0
package/dist/api/codex-auth-helper.d.ts.map +1 -0
package/dist/api/codex-auth-helper.js +327 -0
package/dist/api/codex-auth-helper.js.map +1 -0
package/dist/api/consensus.d.ts +13 -0
package/dist/api/consensus.d.ts.map +1 -0
package/dist/api/consensus.js +261 -0
package/dist/api/consensus.js.map +1 -0
package/dist/api/coordinators.d.ts +8 -0
package/dist/api/coordinators.d.ts.map +1 -0
package/dist/api/coordinators.js +750 -0
package/dist/api/coordinators.js.map +1 -0
package/dist/api/daemons.d.ts +12 -0
package/dist/api/daemons.d.ts.map +1 -0
package/dist/api/daemons.js +535 -0
package/dist/api/daemons.js.map +1 -0
package/dist/api/generic-webhooks.d.ts +8 -0
package/dist/api/generic-webhooks.d.ts.map +1 -0
package/dist/api/generic-webhooks.js +129 -0
package/dist/api/generic-webhooks.js.map +1 -0
package/dist/api/git.d.ts +8 -0
package/dist/api/git.d.ts.map +1 -0
package/dist/api/git.js +269 -0
package/dist/api/git.js.map +1 -0
package/dist/api/github-app.d.ts +11 -0
package/dist/api/github-app.d.ts.map +1 -0
package/dist/api/github-app.js +223 -0
package/dist/api/github-app.js.map +1 -0
package/dist/api/middleware/planLimits.d.ts +43 -0
package/dist/api/middleware/planLimits.d.ts.map +1 -0
package/dist/api/middleware/planLimits.js +202 -0
package/dist/api/middleware/planLimits.js.map +1 -0
package/dist/api/monitoring.d.ts +11 -0
package/dist/api/monitoring.d.ts.map +1 -0
package/dist/api/monitoring.js +578 -0
package/dist/api/monitoring.js.map +1 -0
package/dist/api/nango-auth.d.ts +9 -0
package/dist/api/nango-auth.d.ts.map +1 -0
package/dist/api/nango-auth.js +674 -0
package/dist/api/nango-auth.js.map +1 -0
package/dist/api/onboarding.d.ts +15 -0
package/dist/api/onboarding.d.ts.map +1 -0
package/dist/api/onboarding.js +679 -0
package/dist/api/onboarding.js.map +1 -0
package/dist/api/policy.d.ts +8 -0
package/dist/api/policy.d.ts.map +1 -0
package/dist/api/policy.js +229 -0
package/dist/api/policy.js.map +1 -0
package/dist/api/provider-env.d.ts +14 -0
package/dist/api/provider-env.d.ts.map +1 -0
package/dist/api/provider-env.js +75 -0
package/dist/api/provider-env.js.map +1 -0
package/dist/api/providers.d.ts +7 -0
package/dist/api/providers.d.ts.map +1 -0
package/dist/api/providers.js +564 -0
package/dist/api/providers.js.map +1 -0
package/dist/api/repos.d.ts +8 -0
package/dist/api/repos.d.ts.map +1 -0
package/dist/api/repos.js +577 -0
package/dist/api/repos.js.map +1 -0
package/dist/api/sessions.d.ts +11 -0
package/dist/api/sessions.d.ts.map +1 -0
package/dist/api/sessions.js +302 -0
package/dist/api/sessions.js.map +1 -0
package/dist/api/teams.d.ts +7 -0
package/dist/api/teams.d.ts.map +1 -0
package/dist/api/teams.js +281 -0
package/dist/api/teams.js.map +1 -0
package/dist/api/test-helpers.d.ts +10 -0
package/dist/api/test-helpers.d.ts.map +1 -0
package/dist/api/test-helpers.js +745 -0
package/dist/api/test-helpers.js.map +1 -0
package/dist/api/usage.d.ts +7 -0
package/dist/api/usage.d.ts.map +1 -0
package/dist/api/usage.js +111 -0
package/dist/api/usage.js.map +1 -0
package/dist/api/webhooks.d.ts +8 -0
package/dist/api/webhooks.d.ts.map +1 -0
package/dist/api/webhooks.js +645 -0
package/dist/api/webhooks.js.map +1 -0
package/dist/api/workspaces.d.ts +25 -0
package/dist/api/workspaces.d.ts.map +1 -0
package/dist/api/workspaces.js +1799 -0
package/dist/api/workspaces.js.map +1 -0
package/dist/billing/index.d.ts +9 -0
package/dist/billing/index.d.ts.map +1 -0
package/dist/billing/index.js +9 -0
package/dist/billing/index.js.map +1 -0
package/dist/billing/plans.d.ts +39 -0
package/dist/billing/plans.d.ts.map +1 -0
package/dist/billing/plans.js +245 -0
package/dist/billing/plans.js.map +1 -0
package/dist/billing/service.d.ts +80 -0
package/dist/billing/service.d.ts.map +1 -0
package/dist/billing/service.js +388 -0
package/dist/billing/service.js.map +1 -0
package/dist/billing/types.d.ts +141 -0
package/dist/billing/types.d.ts.map +1 -0
package/dist/billing/types.js +7 -0
package/dist/billing/types.js.map +1 -0
package/dist/config.d.ts +5 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +5 -0
package/dist/config.js.map +1 -0
package/dist/db/bulk-ingest.d.ts +89 -0
package/dist/db/bulk-ingest.d.ts.map +1 -0
package/dist/db/bulk-ingest.js +268 -0
package/dist/db/bulk-ingest.js.map +1 -0
package/dist/db/drizzle.d.ts +256 -0
package/dist/db/drizzle.d.ts.map +1 -0
package/dist/db/drizzle.js +1286 -0
package/dist/db/drizzle.js.map +1 -0
package/dist/db/index.d.ts +55 -0
package/dist/db/index.d.ts.map +1 -0
package/dist/db/index.js +68 -0
package/dist/db/index.js.map +1 -0
package/dist/db/schema.d.ts +4873 -0
package/dist/db/schema.d.ts.map +1 -0
package/dist/db/schema.js +620 -0
package/dist/db/schema.js.map +1 -0
package/dist/index.d.ts +11 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +38 -0
package/dist/index.js.map +1 -0
package/dist/provisioner/index.d.ts +207 -0
package/dist/provisioner/index.d.ts.map +1 -0
package/dist/provisioner/index.js +2114 -0
package/dist/provisioner/index.js.map +1 -0
package/dist/server.d.ts +17 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +1924 -0
package/dist/server.js.map +1 -0
package/dist/services/auto-scaler.d.ts +152 -0
package/dist/services/auto-scaler.d.ts.map +1 -0
package/dist/services/auto-scaler.js +439 -0
package/dist/services/auto-scaler.js.map +1 -0
package/dist/services/capacity-manager.d.ts +148 -0
package/dist/services/capacity-manager.d.ts.map +1 -0
package/dist/services/capacity-manager.js +449 -0
package/dist/services/capacity-manager.js.map +1 -0
package/dist/services/ci-agent-spawner.d.ts +49 -0
package/dist/services/ci-agent-spawner.d.ts.map +1 -0
package/dist/services/ci-agent-spawner.js +373 -0
package/dist/services/ci-agent-spawner.js.map +1 -0
package/dist/services/cloud-message-bus.d.ts +28 -0
package/dist/services/cloud-message-bus.d.ts.map +1 -0
package/dist/services/cloud-message-bus.js +19 -0
package/dist/services/cloud-message-bus.js.map +1 -0
package/dist/services/compute-enforcement.d.ts +57 -0
package/dist/services/compute-enforcement.d.ts.map +1 -0
package/dist/services/compute-enforcement.js +175 -0
package/dist/services/compute-enforcement.js.map +1 -0
package/dist/services/coordinator.d.ts +62 -0
package/dist/services/coordinator.d.ts.map +1 -0
package/dist/services/coordinator.js +389 -0
package/dist/services/coordinator.js.map +1 -0
package/dist/services/index.d.ts +17 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +25 -0
package/dist/services/index.js.map +1 -0
package/dist/services/intro-expiration.d.ts +60 -0
package/dist/services/intro-expiration.d.ts.map +1 -0
package/dist/services/intro-expiration.js +252 -0
package/dist/services/intro-expiration.js.map +1 -0
package/dist/services/mention-handler.d.ts +65 -0
package/dist/services/mention-handler.d.ts.map +1 -0
package/dist/services/mention-handler.js +405 -0
package/dist/services/mention-handler.js.map +1 -0
package/dist/services/nango.d.ts +201 -0
package/dist/services/nango.d.ts.map +1 -0
package/dist/services/nango.js +392 -0
package/dist/services/nango.js.map +1 -0
package/dist/services/persistence.d.ts +131 -0
package/dist/services/persistence.d.ts.map +1 -0
package/dist/services/persistence.js +200 -0
package/dist/services/persistence.js.map +1 -0
package/dist/services/planLimits.d.ts +147 -0
package/dist/services/planLimits.d.ts.map +1 -0
package/dist/services/planLimits.js +335 -0
package/dist/services/planLimits.js.map +1 -0
package/dist/services/presence-registry.d.ts +56 -0
package/dist/services/presence-registry.d.ts.map +1 -0
package/dist/services/presence-registry.js +91 -0
package/dist/services/presence-registry.js.map +1 -0
package/dist/services/scaling-orchestrator.d.ts +159 -0
package/dist/services/scaling-orchestrator.d.ts.map +1 -0
package/dist/services/scaling-orchestrator.js +502 -0
package/dist/services/scaling-orchestrator.js.map +1 -0
package/dist/services/scaling-policy.d.ts +121 -0
package/dist/services/scaling-policy.d.ts.map +1 -0
package/dist/services/scaling-policy.js +415 -0
package/dist/services/scaling-policy.js.map +1 -0
package/dist/services/ssh-security.d.ts +31 -0
package/dist/services/ssh-security.d.ts.map +1 -0
package/dist/services/ssh-security.js +63 -0
package/dist/services/ssh-security.js.map +1 -0
package/dist/services/workspace-keepalive.d.ts +76 -0
package/dist/services/workspace-keepalive.d.ts.map +1 -0
package/dist/services/workspace-keepalive.js +234 -0
package/dist/services/workspace-keepalive.js.map +1 -0
package/dist/shims/consensus.d.ts +23 -0
package/dist/shims/consensus.d.ts.map +1 -0
package/dist/shims/consensus.js +5 -0
package/dist/shims/consensus.js.map +1 -0
package/dist/webhooks/index.d.ts +24 -0
package/dist/webhooks/index.d.ts.map +1 -0
package/dist/webhooks/index.js +29 -0
package/dist/webhooks/index.js.map +1 -0
package/dist/webhooks/parsers/github.d.ts +8 -0
package/dist/webhooks/parsers/github.d.ts.map +1 -0
package/dist/webhooks/parsers/github.js +234 -0
package/dist/webhooks/parsers/github.js.map +1 -0
package/dist/webhooks/parsers/index.d.ts +23 -0
package/dist/webhooks/parsers/index.d.ts.map +1 -0
package/dist/webhooks/parsers/index.js +30 -0
package/dist/webhooks/parsers/index.js.map +1 -0
package/dist/webhooks/parsers/linear.d.ts +9 -0
package/dist/webhooks/parsers/linear.d.ts.map +1 -0
package/dist/webhooks/parsers/linear.js +258 -0
package/dist/webhooks/parsers/linear.js.map +1 -0
package/dist/webhooks/parsers/slack.d.ts +9 -0
package/dist/webhooks/parsers/slack.d.ts.map +1 -0
package/dist/webhooks/parsers/slack.js +214 -0
package/dist/webhooks/parsers/slack.js.map +1 -0
package/dist/webhooks/responders/github.d.ts +8 -0
package/dist/webhooks/responders/github.d.ts.map +1 -0
package/dist/webhooks/responders/github.js +73 -0
package/dist/webhooks/responders/github.js.map +1 -0
package/dist/webhooks/responders/index.d.ts +23 -0
package/dist/webhooks/responders/index.d.ts.map +1 -0
package/dist/webhooks/responders/index.js +30 -0
package/dist/webhooks/responders/index.js.map +1 -0
package/dist/webhooks/responders/linear.d.ts +9 -0
package/dist/webhooks/responders/linear.d.ts.map +1 -0
package/dist/webhooks/responders/linear.js +149 -0
package/dist/webhooks/responders/linear.js.map +1 -0
package/dist/webhooks/responders/slack.d.ts +20 -0
package/dist/webhooks/responders/slack.d.ts.map +1 -0
package/dist/webhooks/responders/slack.js +178 -0
package/dist/webhooks/responders/slack.js.map +1 -0
package/dist/webhooks/router.d.ts +25 -0
package/dist/webhooks/router.d.ts.map +1 -0
package/dist/webhooks/router.js +504 -0
package/dist/webhooks/router.js.map +1 -0
package/dist/webhooks/rules-engine.d.ts +24 -0
package/dist/webhooks/rules-engine.d.ts.map +1 -0
package/dist/webhooks/rules-engine.js +287 -0
package/dist/webhooks/rules-engine.js.map +1 -0
package/dist/webhooks/types.d.ts +186 -0
package/dist/webhooks/types.d.ts.map +1 -0
package/dist/webhooks/types.js +8 -0
package/dist/webhooks/types.js.map +1 -0
package/package.json +55 -0

package/dist/api/onboarding.js ADDED Viewed

@@ -0,0 +1,679 @@
+/**
+ * Onboarding API Routes
+ *
+ * Handles CLI proxy authentication for Claude Code and other providers.
+ * Spawns CLI tools via PTY to get auth URLs, captures tokens.
+ *
+ * Uses relay-pty binary for PTY emulation, which provides:
+ * 1. TTY detection for CLIs that behave differently in non-TTY
+ * 2. Proper interactive OAuth flow handling
+ * 3. Better Node.js version compatibility (no native compilation)
+ */
+import { Router } from 'express';
+import * as crypto from 'crypto';
+import { requireAuth } from './auth.js';
+import { db } from '../db/index.js';
+import { setProviderApiKeyEnv } from './provider-env.js';
+// Import for local use
+import { CLI_AUTH_CONFIG, runCLIAuthViaPTY, stripAnsiCodes, matchesSuccessPattern, findMatchingPrompt, validateProviderConfig, validateAllProviderConfigs, getSupportedProviders, } from './cli-pty-runner.js';
+// Re-export from shared module for backward compatibility
+export { CLI_AUTH_CONFIG, runCLIAuthViaPTY, stripAnsiCodes, matchesSuccessPattern, findMatchingPrompt, validateProviderConfig, validateAllProviderConfigs, getSupportedProviders, };
+export const onboardingRouter = Router();
+// Debug: log all requests to this router
+onboardingRouter.use((req, res, next) => {
+    console.log(`[onboarding] ${req.method} ${req.path} - body:`, JSON.stringify(req.body));
+    next();
+});
+// All routes require authentication
+onboardingRouter.use(requireAuth);
+const activeSessions = new Map();
+// Clean up old sessions periodically
+setInterval(() => {
+    const now = Date.now();
+    activeSessions.forEach((session, id) => {
+        // Remove sessions older than 10 minutes
+        if (now - session.createdAt.getTime() > 10 * 60 * 1000) {
+            if (session.process) {
+                try {
+                    session.process.kill();
+                }
+                catch {
+                    // Process may already be dead
+                }
+            }
+            activeSessions.delete(id);
+        }
+    });
+}, 60000);
+/**
+ * POST /api/onboarding/cli/:provider/start
+ * Start CLI-based auth - forwards to workspace daemon if available
+ *
+ * CLI auth requires a running workspace since CLI tools are installed there.
+ * For onboarding without a workspace, users should use the API key flow.
+ */
+onboardingRouter.post('/cli/:provider/start', async (req, res) => {
+    console.log('[onboarding] Route handler entered! provider:', req.params.provider);
+    const provider = req.params.provider;
+    const userId = req.session.userId;
+    const { workspaceId, useDeviceFlow: requestedDeviceFlow } = req.body; // Optional: specific workspace, device flow option
+    // Device flow is only used if explicitly requested by the client
+    // Standard flow: user runs `codex-auth` CLI locally to capture OAuth callback and forward to cloud
+    const config = CLI_AUTH_CONFIG[provider];
+    const useDeviceFlow = requestedDeviceFlow ?? false;
+    console.log('[onboarding] userId:', userId, 'workspaceId:', workspaceId, 'useDeviceFlow:', useDeviceFlow);
+    if (!config) {
+        return res.status(400).json({
+            error: 'Provider not supported for CLI auth',
+            supportedProviders: Object.keys(CLI_AUTH_CONFIG),
+        });
+    }
+    try {
+        // Find a running workspace to use for CLI auth
+        let workspace;
+        if (workspaceId) {
+            workspace = await db.workspaces.findById(workspaceId);
+            if (!workspace) {
+                console.log(`[onboarding] Workspace ${workspaceId} not found in database`);
+                return res.status(404).json({ error: 'Workspace not found' });
+            }
+            if (workspace.userId !== userId) {
+                console.log(`[onboarding] Workspace ${workspaceId} belongs to ${workspace.userId}, not ${userId}`);
+                return res.status(404).json({ error: 'Workspace not found' });
+            }
+        }
+        else {
+            // Find any running workspace for this user
+            const workspaces = await db.workspaces.findByUserId(userId);
+            workspace = workspaces.find(w => w.status === 'running' && w.publicUrl);
+        }
+        if (!workspace || workspace.status !== 'running' || !workspace.publicUrl) {
+            return res.status(400).json({
+                error: 'CLI auth requires a running workspace',
+                code: 'NO_RUNNING_WORKSPACE',
+                message: 'Please start a workspace first, or use the API key input to connect your provider.',
+                hint: 'You can create a workspace without providers and connect them afterward using CLI auth.',
+            });
+        }
+        // Forward auth request to workspace daemon
+        // When running in Docker, localhost refers to the container, not the host
+        // Use host.docker.internal on Mac/Windows to reach the host machine
+        // When running on Fly.io, use internal networking (.internal) instead of public DNS
+        let workspaceUrl = workspace.publicUrl.replace(/\/$/, '');
+        // Detect Fly.io by checking FLY_APP_NAME env var
+        const isOnFly = !!process.env.FLY_APP_NAME;
+        // Detect Docker by checking for /.dockerenv file or RUNNING_IN_DOCKER env var
+        const isInDocker = process.env.RUNNING_IN_DOCKER === 'true' ||
+            await import('fs').then(fs => fs.existsSync('/.dockerenv')).catch(() => false);
+        console.log('[onboarding] isOnFly:', isOnFly, 'isInDocker:', isInDocker);
+        if (isOnFly && workspaceUrl.includes('.fly.dev')) {
+            // Use Fly.io internal networking for server-to-server communication
+            // ar-583f273b.fly.dev -> http://ar-583f273b.internal:3888
+            // .internal uses IPv6 and works by default for apps in the same org
+            const appName = workspaceUrl.match(/https?:\/\/([^.]+)\.fly\.dev/)?.[1];
+            if (appName) {
+                workspaceUrl = `http://${appName}.internal:3888`;
+                console.log('[onboarding] Using Fly internal network:', workspaceUrl);
+            }
+        }
+        else if (isInDocker && workspaceUrl.includes('localhost')) {
+            workspaceUrl = workspaceUrl.replace('localhost', 'host.docker.internal');
+            console.log('[onboarding] Translated localhost to host.docker.internal');
+        }
+        const targetUrl = `${workspaceUrl}/auth/cli/${provider}/start`;
+        console.log('[onboarding] Forwarding to workspace daemon:', targetUrl);
+        // Pass userId to enable per-user credential storage in multi-user workspaces
+        const authResponse = await fetch(targetUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ useDeviceFlow, userId }),
+        });
+        console.log('[onboarding] Workspace daemon response:', authResponse.status);
+        if (!authResponse.ok) {
+            const errorData = await authResponse.json().catch(() => ({}));
+            console.log('[onboarding] Workspace daemon error:', errorData);
+            return res.status(authResponse.status).json({
+                error: errorData.error || 'Failed to start CLI auth in workspace',
+            });
+        }
+        const workspaceSession = await authResponse.json();
+        // Create cloud session to track this
+        const sessionId = crypto.randomUUID();
+        const session = {
+            userId,
+            provider,
+            status: workspaceSession.status || 'starting',
+            authUrl: workspaceSession.authUrl,
+            createdAt: new Date(),
+            output: '',
+            // Store workspace info for status polling and auth code forwarding
+            workspaceId: workspace.id,
+            workspaceUrl,
+            workspaceSessionId: workspaceSession.sessionId,
+        };
+        activeSessions.set(sessionId, session);
+        console.log('[onboarding] Session created:', { sessionId, workspaceUrl, workspaceSessionId: workspaceSession.sessionId });
+        res.json({
+            sessionId,
+            status: session.status,
+            authUrl: session.authUrl,
+            workspaceId: workspace.id,
+            useDeviceFlow, // Tell dashboard whether device flow is being used (no CLI helper needed)
+            message: session.authUrl ? 'Open the auth URL to complete login' : 'Auth session starting, poll for status',
+        });
+    }
+    catch (error) {
+        console.error(`Error starting CLI auth for ${provider}:`, error);
+        res.status(500).json({ error: 'Failed to start CLI authentication' });
+    }
+});
+/**
+ * GET /api/onboarding/cli/:provider/status/:sessionId
+ * Check status of CLI auth session - forwards to workspace daemon
+ */
+onboardingRouter.get('/cli/:provider/status/:sessionId', async (req, res) => {
+    const provider = req.params.provider;
+    const sessionId = req.params.sessionId;
+    const userId = req.session.userId;
+    const session = activeSessions.get(sessionId);
+    if (!session) {
+        return res.status(404).json({ error: 'Session not found or expired' });
+    }
+    if (session.userId !== userId) {
+        return res.status(403).json({ error: 'Unauthorized' });
+    }
+    // If we have workspace info, poll the workspace for status
+    if (session.workspaceUrl && session.workspaceSessionId) {
+        try {
+            const statusResponse = await fetch(`${session.workspaceUrl}/auth/cli/${provider}/status/${session.workspaceSessionId}`);
+            if (statusResponse.ok) {
+                const workspaceStatus = await statusResponse.json();
+                // Update local session with workspace status
+                session.status = workspaceStatus.status || session.status;
+                session.authUrl = workspaceStatus.authUrl || session.authUrl;
+                session.error = workspaceStatus.error;
+                session.errorHint = workspaceStatus.errorHint;
+                session.recoverable = workspaceStatus.recoverable;
+            }
+        }
+        catch (err) {
+            console.error('[onboarding] Failed to poll workspace status:', err);
+        }
+    }
+    res.json({
+        status: session.status,
+        authUrl: session.authUrl,
+        error: session.error,
+        errorHint: session.errorHint,
+        recoverable: session.recoverable,
+    });
+});
+/**
+ * POST /api/onboarding/cli/:provider/complete/:sessionId
+ * Mark CLI auth as complete and store credentials
+ *
+ * Handles two modes:
+ * 1. Workspace delegation: Forwards to workspace daemon to complete auth, then fetches credentials
+ * 2. Direct: Uses token from body or session
+ */
+onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req, res) => {
+    const provider = req.params.provider;
+    const sessionId = req.params.sessionId;
+    const userId = req.session.userId;
+    const { token, authCode } = req.body; // token for direct mode, authCode for Codex redirect
+    console.log(`[onboarding] POST /cli/${provider}/complete/${sessionId} - token: ${token ? 'provided' : 'none'}, authCode: ${authCode ? 'provided' : 'none'}`);
+    const session = activeSessions.get(sessionId);
+    if (!session) {
+        return res.status(404).json({ error: 'Session not found or expired' });
+    }
+    if (session.userId !== userId) {
+        return res.status(403).json({ error: 'Unauthorized' });
+    }
+    try {
+        let accessToken = token || session.token;
+        let refreshToken = session.refreshToken;
+        let _tokenExpiresAt = session.tokenExpiresAt;
+        // If using workspace delegation, forward complete request first
+        if (session.workspaceUrl && session.workspaceSessionId) {
+            // Forward authCode to workspace if provided (for Codex-style redirects)
+            if (authCode) {
+                const backendProviderId = provider === 'anthropic' ? 'anthropic' : provider;
+                const targetUrl = `${session.workspaceUrl}/auth/cli/${backendProviderId}/complete/${session.workspaceSessionId}`;
+                console.log('[onboarding] Forwarding complete request to workspace:', targetUrl);
+                const completeResponse = await fetch(targetUrl, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ authCode }),
+                });
+                if (!completeResponse.ok) {
+                    const errorData = await completeResponse.json().catch(() => ({}));
+                    return res.status(completeResponse.status).json({
+                        error: errorData.error || 'Failed to complete authentication in workspace',
+                    });
+                }
+                session.status = 'success';
+            }
+            // Fetch credentials from workspace with retry
+            // Credentials may not be immediately available after OAuth completes
+            if (!accessToken) {
+                const MAX_CREDS_RETRIES = 5;
+                const CREDS_RETRY_DELAY = 1000; // 1 second between retries
+                for (let attempt = 1; attempt <= MAX_CREDS_RETRIES; attempt++) {
+                    try {
+                        console.log(`[onboarding] Fetching credentials from workspace (attempt ${attempt}/${MAX_CREDS_RETRIES})`);
+                        const credsResponse = await fetch(`${session.workspaceUrl}/auth/cli/${provider}/creds/${session.workspaceSessionId}`);
+                        if (credsResponse.ok) {
+                            const creds = await credsResponse.json();
+                            accessToken = creds.token;
+                            refreshToken = creds.refreshToken;
+                            if (creds.tokenExpiresAt) {
+                                _tokenExpiresAt = new Date(creds.tokenExpiresAt);
+                            }
+                            console.log('[onboarding] Fetched credentials from workspace:', {
+                                hasToken: !!accessToken,
+                                hasRefreshToken: !!refreshToken,
+                                attempt,
+                            });
+                            break; // Success, exit retry loop
+                        }
+                        // Check if it's an error state (not just "not ready yet")
+                        const errorBody = await credsResponse.json().catch(() => ({}));
+                        if (errorBody.status === 'error') {
+                            // Auth failed, don't retry
+                            console.error('[onboarding] Auth failed in workspace:', errorBody);
+                            return res.status(400).json({
+                                error: errorBody.error || 'Authentication failed',
+                                errorHint: errorBody.errorHint,
+                                recoverable: errorBody.recoverable,
+                            });
+                        }
+                        // If not ready yet and we have more retries, wait and try again
+                        if (attempt < MAX_CREDS_RETRIES) {
+                            console.log(`[onboarding] Credentials not ready yet, retrying in ${CREDS_RETRY_DELAY}ms...`);
+                            await new Promise(resolve => setTimeout(resolve, CREDS_RETRY_DELAY));
+                        }
+                    }
+                    catch (err) {
+                        console.error(`[onboarding] Failed to get credentials from workspace (attempt ${attempt}):`, err);
+                        if (attempt < MAX_CREDS_RETRIES) {
+                            await new Promise(resolve => setTimeout(resolve, CREDS_RETRY_DELAY));
+                        }
+                    }
+                }
+            }
+        }
+        if (!accessToken) {
+            return res.status(400).json({
+                error: 'No token found. Please complete authentication or paste your token.',
+            });
+        }
+        // Mark provider as connected (tokens are not stored centrally - CLI tools
+        // authenticate directly on workspace instances)
+        await db.credentials.upsert({
+            userId,
+            workspaceId: session.workspaceId,
+            provider,
+            scopes: getProviderScopes(provider),
+        });
+        // Clean up session
+        activeSessions.delete(sessionId);
+        res.json({
+            success: true,
+            message: `${provider} connected successfully`,
+        });
+    }
+    catch (error) {
+        console.error(`Error completing CLI auth for ${provider}:`, error);
+        res.status(500).json({ error: 'Failed to complete authentication' });
+    }
+});
+/**
+ * POST /api/onboarding/cli/:provider/code/:sessionId
+ * Submit auth code to the CLI PTY session
+ * Used when OAuth returns a code that must be pasted into the CLI
+ */
+onboardingRouter.post('/cli/:provider/code/:sessionId', async (req, res) => {
+    const provider = req.params.provider;
+    const sessionId = req.params.sessionId;
+    const userId = req.session.userId;
+    const { code, state } = req.body; // state is optional, used for Codex OAuth
+    console.log('[onboarding] Auth code submission request:', { provider, sessionId, codeLength: code?.length, hasState: !!state });
+    if (!code || typeof code !== 'string') {
+        return res.status(400).json({ error: 'Auth code is required' });
+    }
+    const session = activeSessions.get(sessionId);
+    if (!session) {
+        console.log('[onboarding] Session not found:', { sessionId, activeSessions: Array.from(activeSessions.keys()) });
+        return res.status(404).json({ error: 'Session not found or expired. Please try connecting again.' });
+    }
+    if (session.userId !== userId) {
+        return res.status(403).json({ error: 'Unauthorized' });
+    }
+    console.log('[onboarding] Session found:', {
+        sessionId,
+        workspaceUrl: session.workspaceUrl,
+        workspaceSessionId: session.workspaceSessionId,
+        status: session.status,
+    });
+    // Forward to workspace daemon
+    if (session.workspaceUrl && session.workspaceSessionId) {
+        try {
+            const targetUrl = `${session.workspaceUrl}/auth/cli/${provider}/code/${session.workspaceSessionId}`;
+            console.log('[onboarding] Forwarding auth code to workspace:', targetUrl);
+            const codeResponse = await fetch(targetUrl, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ code, state }), // Forward state for Codex CSRF validation
+            });
+            console.log('[onboarding] Workspace response:', { status: codeResponse.status });
+            if (codeResponse.ok) {
+                return res.json({ success: true, message: 'Auth code submitted' });
+            }
+            const errorData = await codeResponse.json().catch(() => ({}));
+            console.log('[onboarding] Workspace error:', errorData);
+            // Provide more helpful error message
+            const needsRestart = errorData.needsRestart;
+            if (codeResponse.status === 404 || codeResponse.status === 400) {
+                return res.status(400).json({
+                    error: errorData.error || 'Auth session expired in workspace. The CLI process may have timed out. Please try connecting again.',
+                    needsRestart: needsRestart ?? true,
+                });
+            }
+            return res.status(codeResponse.status).json({
+                error: errorData.error || 'Failed to submit auth code to workspace',
+                needsRestart,
+            });
+        }
+        catch (err) {
+            console.error('[onboarding] Failed to submit auth code to workspace:', err);
+            return res.status(500).json({
+                error: 'Failed to reach workspace. Please ensure your workspace is running and try again.',
+            });
+        }
+    }
+    console.log('[onboarding] No workspace session info available');
+    return res.status(400).json({
+        error: 'No workspace session available. This can happen if the workspace was restarted. Please try connecting again.',
+    });
+});
+// Note: POST /cli/:provider/complete/:sessionId handler is defined above (lines 269-368)
+// It handles both direct token storage and workspace delegation with authCode forwarding
+/**
+ * POST /api/onboarding/cli/:provider/cancel/:sessionId
+ * Cancel a CLI auth session
+ */
+onboardingRouter.post('/cli/:provider/cancel/:sessionId', async (req, res) => {
+    const provider = req.params.provider;
+    const sessionId = req.params.sessionId;
+    const userId = req.session.userId;
+    const session = activeSessions.get(sessionId);
+    if (session?.userId === userId) {
+        // Cancel on workspace side if applicable
+        if (session.workspaceUrl && session.workspaceSessionId) {
+            try {
+                await fetch(`${session.workspaceUrl}/auth/cli/${provider}/cancel/${session.workspaceSessionId}`, { method: 'POST' });
+            }
+            catch {
+                // Ignore cancel errors
+            }
+        }
+        activeSessions.delete(sessionId);
+    }
+    res.json({ success: true });
+});
+/**
+ * POST /api/onboarding/mark-connected/:provider
+ * Mark a provider as connected without storing a token.
+ * Used by terminal-based setup where the CLI stores credentials locally.
+ */
+onboardingRouter.post('/mark-connected/:provider', async (req, res) => {
+    const provider = req.params.provider;
+    const userId = req.session.userId;
+    const { workspaceId } = req.body;
+    // Validate provider
+    const validProviders = ['anthropic', 'openai', 'google', 'github', 'opencode', 'factory', 'cursor'];
+    if (!validProviders.includes(provider)) {
+        return res.status(400).json({ error: 'Invalid provider' });
+    }
+    try {
+        // Mark provider as connected (tokens are stored by CLI on workspace)
+        await db.credentials.upsert({
+            userId,
+            workspaceId,
+            provider,
+            scopes: getProviderScopes(provider),
+        });
+        console.log(`[onboarding] Marked ${provider} as connected for user ${userId} workspace ${workspaceId}`);
+        res.json({
+            success: true,
+            message: `${provider} connected successfully`,
+        });
+    }
+    catch (error) {
+        console.error(`Error marking ${provider} as connected:`, error);
+        res.status(500).json({ error: 'Failed to mark provider as connected' });
+    }
+});
+/**
+ * POST /api/onboarding/token/:provider
+ * Directly store a token (for manual paste flow)
+ */
+onboardingRouter.post('/token/:provider', async (req, res) => {
+    const provider = req.params.provider;
+    const userId = req.session.userId;
+    const { token, email, workspaceId } = req.body;
+    if (!token) {
+        return res.status(400).json({ error: 'Token is required' });
+    }
+    try {
+        // Validate token by making a test API call
+        const isValid = await validateProviderToken(provider, token);
+        if (!isValid) {
+            return res.status(400).json({ error: 'Invalid token' });
+        }
+        // Mark provider as connected (tokens are not stored centrally - CLI tools
+        // authenticate directly on workspace instances)
+        await db.credentials.upsert({
+            userId,
+            provider,
+            scopes: getProviderScopes(provider),
+            providerAccountEmail: email,
+            workspaceId,
+        });
+        // Set env var and write credential file to workspace
+        await setProviderApiKeyEnv(userId, provider, token, workspaceId);
+        res.json({
+            success: true,
+            message: `${provider} connected successfully`,
+            note: 'Token validated. Configure this on your workspace for usage.',
+        });
+    }
+    catch (error) {
+        console.error(`Error storing provider connection for ${provider}:`, error);
+        res.status(500).json({ error: 'Failed to store provider connection' });
+    }
+});
+/**
+ * GET /api/onboarding/status
+ * Get overall onboarding status
+ */
+onboardingRouter.get('/status', async (req, res) => {
+    const userId = req.session.userId;
+    try {
+        const [user, credentials, repositories] = await Promise.all([
+            db.users.findById(userId),
+            db.credentials.findByUserId(userId),
+            db.repositories.findByUserId(userId),
+        ]);
+        const connectedProviders = credentials.map(c => c.provider);
+        const hasAIProvider = connectedProviders.some(p => ['anthropic', 'openai', 'google', 'cursor'].includes(p));
+        res.json({
+            steps: {
+                github: { complete: connectedProviders.includes('github') },
+                aiProvider: {
+                    complete: hasAIProvider,
+                    connected: connectedProviders.filter(p => p !== 'github'),
+                },
+                repository: {
+                    complete: repositories.length > 0,
+                    count: repositories.length,
+                },
+            },
+            onboardingComplete: user?.onboardingCompletedAt != null,
+            canCreateWorkspace: hasAIProvider && repositories.length > 0,
+        });
+    }
+    catch (error) {
+        console.error('Error getting onboarding status:', error);
+        res.status(500).json({ error: 'Failed to get status' });
+    }
+});
+/**
+ * POST /api/onboarding/complete
+ * Mark onboarding as complete
+ */
+onboardingRouter.post('/complete', async (req, res) => {
+    const userId = req.session.userId;
+    try {
+        await db.users.completeOnboarding(userId);
+        res.json({ success: true });
+    }
+    catch (error) {
+        console.error('Error completing onboarding:', error);
+        res.status(500).json({ error: 'Failed to complete onboarding' });
+    }
+});
+/**
+ * Helper: Extract credentials from CLI credential file
+ * @deprecated Currently unused - kept for potential future use
+ */
+async function _extractCredentials(session, config) {
+    if (!config.credentialPath)
+        return;
+    try {
+        const fs = await import('fs/promises');
+        const os = await import('os');
+        const credPath = config.credentialPath.replace('~', os.homedir());
+        const content = await fs.readFile(credPath, 'utf8');
+        const creds = JSON.parse(content);
+        // Extract token based on provider structure
+        if (session.provider === 'anthropic') {
+            // Claude stores OAuth in: { claudeAiOauth: { accessToken: "...", refreshToken: "...", expiresAt: ... } }
+            if (creds.claudeAiOauth?.accessToken) {
+                session.token = creds.claudeAiOauth.accessToken;
+                session.refreshToken = creds.claudeAiOauth.refreshToken;
+                if (creds.claudeAiOauth.expiresAt) {
+                    session.tokenExpiresAt = new Date(creds.claudeAiOauth.expiresAt);
+                }
+            }
+            else {
+                // Fallback to legacy formats
+                session.token = creds.oauth_token || creds.access_token || creds.api_key;
+            }
+        }
+        else if (session.provider === 'openai') {
+            // Codex stores OAuth in: { tokens: { access_token: "...", refresh_token: "...", ... } }
+            if (creds.tokens?.access_token) {
+                session.token = creds.tokens.access_token;
+                session.refreshToken = creds.tokens.refresh_token;
+                // Codex doesn't store expiry in the file, but JWTs have exp claim
+                // We could decode it, but for now just skip
+            }
+            else {
+                // Fallback: API key or legacy formats
+                session.token = creds.OPENAI_API_KEY || creds.token || creds.access_token || creds.api_key;
+            }
+        }
+    }
+    catch (error) {
+        // Credentials file doesn't exist or isn't readable yet
+        console.log(`Could not read credentials file: ${error}`);
+    }
+}
+/**
+ * Helper: Get default scopes for a provider
+ */
+function getProviderScopes(provider) {
+    const scopes = {
+        anthropic: ['claude-code:execute', 'user:read'],
+        openai: ['codex:execute', 'chat:write'],
+        google: ['generative-language'],
+        github: ['read:user', 'user:email', 'repo'],
+        opencode: ['code:execute'],
+        factory: ['droid:execute'],
+        cursor: ['cursor:execute', 'code:write'],
+    };
+    return scopes[provider] || [];
+}
+/**
+ * Helper: Validate a provider token by making a test API call
+ *
+ * Note: OAuth tokens from CLI flows (like `claude` CLI) are different from API keys.
+ * - API keys: sk-ant-api03-... (can be validated via API)
+ * - OAuth tokens: Session tokens from OAuth flow (can't be validated the same way)
+ *
+ * For OAuth tokens, we accept them if they look valid (non-empty, reasonable length).
+ * The CLI already validated the OAuth flow, so we trust those tokens.
+ */
+async function validateProviderToken(provider, token) {
+    // Basic sanity check
+    if (!token || token.length < 10) {
+        return false;
+    }
+    try {
+        // Check if this looks like an API key vs OAuth token
+        const isAnthropicApiKey = token.startsWith('sk-ant-');
+        const isOpenAIApiKey = token.startsWith('sk-');
+        // For OAuth tokens (not API keys), accept them without API validation
+        // The OAuth flow already authenticated the user
+        if (provider === 'anthropic' && !isAnthropicApiKey) {
+            console.log('[onboarding] Accepting OAuth token for anthropic (not an API key)');
+            return true;
+        }
+        if (provider === 'openai' && !isOpenAIApiKey) {
+            console.log('[onboarding] Accepting OAuth token for openai (not an API key)');
+            return true;
+        }
+        // For API keys, validate via API call
+        const endpoints = {
+            anthropic: {
+                url: 'https://api.anthropic.com/v1/messages',
+                headers: {
+                    'x-api-key': token,
+                    'anthropic-version': '2023-06-01',
+                },
+            },
+            openai: {
+                url: 'https://api.openai.com/v1/models',
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                },
+            },
+            google: {
+                url: `https://generativelanguage.googleapis.com/v1/models?key=${encodeURIComponent(token)}`,
+                headers: {},
+            },
+        };
+        const config = endpoints[provider];
+        if (!config)
+            return true; // Unknown provider, assume valid
+        const response = await fetch(config.url, {
+            method: provider === 'anthropic' ? 'POST' : 'GET',
+            headers: config.headers,
+            ...(provider === 'anthropic' && {
+                body: JSON.stringify({
+                    model: 'claude-3-haiku-20240307',
+                    max_tokens: 1,
+                    messages: [{ role: 'user', content: 'test' }],
+                }),
+            }),
+        });
+        // 401/403 means invalid token, anything else (including rate limits) means valid
+        return response.status !== 401 && response.status !== 403;
+    }
+    catch (error) {
+        console.error(`Error validating ${provider} token:`, error);
+        return false;
+    }
+}
+//# sourceMappingURL=onboarding.js.map