@agentis-hq/cli 0.1.7 → 0.3.0

package/README.md

@@ -43,7 +43,9 @@ AGENTIS_API_URL=http://localhost:3001 agentis wallet list
 
 ## Authentication
 
-Hosted wallets and hosted agents require an Agentis account key. The CLI gets one through the browser login flow and stores it in your OS keychain.
+Hosted wallets and hosted agents require authentication. The CLI uses OAuth
+authorization code flow with PKCE and stores its access and refresh credentials
+in the OS keychain.
 
 ```bash
 agentis login
@@ -278,7 +280,7 @@ AGENTIS_API_URL=http://localhost:3001 bun src/index.ts wallet list
 ## Notes
 
 - Hosted agent keys are shown only when created or regenerated.
-- CLI account keys are stored in the OS keychain.
+- CLI OAuth credentials are stored in the OS keychain.
 - Local wallet vaults live under `~/.agentis/wallets/`.
 - Jupiter Earn commands require mainnet and the `--mainnet` safety flag.
 - Umbra devnet flows are currently safest with SOL or wSOL.

package/dist/index.js

@@ -5,99 +5,230 @@ import { readFileSync as readFileSync2 } from "fs";
 import { dirname as dirname2, join as join3 } from "path";
 import { fileURLToPath } from "url";
 
+// src/commands/auth.ts
+import { createHash, randomBytes } from "crypto";
+import { execFile } from "child_process";
+
+// src/lib/config.ts
+var API_BASE = process.env.AGENTIS_API_URL ?? "https://api.agentis.systems";
+async function apiFetch(path, opts = {}, token) {
+  const headers = {
+    "content-type": "application/json",
+    ...opts.headers ?? {}
+  };
+  if (token) headers["authorization"] = `Bearer ${token}`;
+  return fetch(`${API_BASE}${path}`, { ...opts, headers });
+}
+
 // src/lib/keychain.ts
 import { Entry } from "@napi-rs/keyring";
 var entry = new Entry("agentis-cli", "account-key");
-async function saveToken(token) {
-  entry.setPassword(token);
-}
-async function getToken() {
-  if (process.env.AGENTIS_ACCOUNT_KEY) return process.env.AGENTIS_ACCOUNT_KEY;
+function readPassword() {
   try {
     return entry.getPassword();
   } catch {
     return null;
   }
 }
-async function deleteToken() {
+async function saveOAuthCredentials(credentials) {
+  entry.setPassword(JSON.stringify(credentials));
+}
+async function getStoredCredentials() {
+  const envToken = process.env.AGENTIS_ACCOUNT_KEY;
+  if (envToken) return { type: "legacy", token: envToken };
+  const stored = readPassword();
+  if (!stored) return null;
+  if (!stored.startsWith("{")) return { type: "legacy", token: stored };
   try {
-    entry.deletePassword();
+    const credentials = JSON.parse(stored);
+    if (credentials.version === 2 && credentials.accessToken?.startsWith("agt_oauth_") && credentials.refreshToken?.startsWith("agt_refresh_")) {
+      return { type: "oauth", credentials };
+    }
   } catch {
   }
+  return null;
 }
-
-// src/lib/config.ts
-var API_BASE = process.env.AGENTIS_API_URL ?? "https://api.agentis.systems";
-async function apiFetch(path, opts = {}, token) {
-  const headers = {
-    "content-type": "application/json",
-    ...opts.headers ?? {}
+async function refresh(credentials) {
+  const response = await fetch(`${API_BASE}/oauth/token`, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: credentials.refreshToken,
+      client_id: credentials.clientId
+    })
+  }).catch(() => null);
+  if (!response?.ok) return null;
+  const body = await response.json();
+  const updated = {
+    ...credentials,
+    accessToken: body.access_token,
+    refreshToken: body.refresh_token,
+    expiresAt: Date.now() + body.expires_in * 1e3,
+    scope: body.scope.split(/\s+/).filter(Boolean)
   };
-  if (token) headers["authorization"] = `Bearer ${token}`;
-  return fetch(`${API_BASE}${path}`, { ...opts, headers });
+  await saveOAuthCredentials(updated);
+  return updated;
+}
+async function getToken() {
+  const stored = await getStoredCredentials();
+  if (!stored) return null;
+  if (stored.type === "legacy") return stored.token;
+  if (stored.credentials.expiresAt > Date.now() + 6e4) {
+    return stored.credentials.accessToken;
+  }
+  return (await refresh(stored.credentials))?.accessToken ?? null;
+}
+async function deleteToken() {
+  try {
+    entry.deletePassword();
+  } catch {
+  }
 }
 
 // src/commands/auth.ts
+var CLIENT_ID = "agentis-cli";
+var SCOPES = [
+  "wallets:read",
+  "wallets:write",
+  "payments:execute",
+  "policy:read",
+  "policy:write",
+  "privacy:read",
+  "privacy:write",
+  "earn:read",
+  "earn:write"
+];
+function base64url(bytes) {
+  return Buffer.from(bytes).toString("base64url");
+}
+function openBrowser(url) {
+  if (process.platform === "darwin") {
+    execFile("open", [url], () => {
+    });
+  } else if (process.platform === "win32") {
+    execFile("cmd", ["/c", "start", "", url], () => {
+    });
+  } else {
+    execFile("xdg-open", [url], () => {
+    });
+  }
+}
 async function login() {
-  const existing = await getToken();
+  const existing = await getStoredCredentials();
   if (existing) {
     console.log("Already logged in. Run `agentis logout` first.");
     return;
   }
-  const res = await apiFetch("/auth/session", { method: "POST" });
-  if (!res.ok) {
-    console.error("Failed to start login session.");
-    process.exit(1);
-  }
-  const { sessionId, loginUrl } = await res.json();
+  const verifier = base64url(randomBytes(48));
+  const challenge = createHash("sha256").update(verifier).digest("base64url");
+  const state = base64url(randomBytes(24));
+  let resolveCallback;
+  const callback = new Promise((resolve2) => {
+    resolveCallback = resolve2;
+  });
+  let handled = false;
+  const server = Bun.serve({
+    hostname: "127.0.0.1",
+    port: 0,
+    fetch(request) {
+      const url = new URL(request.url);
+      if (url.pathname !== "/callback") return new Response("Not found", { status: 404 });
+      if (!handled) {
+        handled = true;
+        resolveCallback({
+          code: url.searchParams.get("code") ?? void 0,
+          error: url.searchParams.get("error") ?? void 0,
+          state: url.searchParams.get("state") ?? void 0
+        });
+      }
+      return new Response(
+        '<!doctype html><html><body style="font-family:monospace;padding:40px">Agentis authorization complete. You can close this window.</body></html>',
+        { headers: { "content-type": "text/html; charset=utf-8" } }
+      );
+    }
+  });
+  const redirectUri = `http://127.0.0.1:${server.port}/callback`;
+  const authorizeUrl = new URL(`${API_BASE}/oauth/authorize`);
+  authorizeUrl.search = new URLSearchParams({
+    response_type: "code",
+    client_id: CLIENT_ID,
+    redirect_uri: redirectUri,
+    code_challenge: challenge,
+    code_challenge_method: "S256",
+    scope: SCOPES.join(" "),
+    state,
+    resource: API_BASE
+  }).toString();
   console.log("\nOpen this URL in your browser to authenticate:\n");
-  console.log(`  ${loginUrl}
+  console.log(`  ${authorizeUrl}
 `);
+  openBrowser(authorizeUrl.toString());
+  console.log("Waiting for authorization...");
+  const timeout = new Promise((_, reject) => {
+    setTimeout(() => reject(new Error("Login timed out. Run `agentis login` again.")), 10 * 60 * 1e3);
+  });
   try {
-    const { exec } = await import("child_process");
-    const open = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
-    exec(`${open} "${loginUrl}"`);
-  } catch {
-  }
-  console.log("Waiting for authentication...");
-  const deadline = Date.now() + 10 * 60 * 1e3;
-  while (Date.now() < deadline) {
-    await new Promise((r) => setTimeout(r, 2e3));
-    const poll = await apiFetch(`/auth/session/${sessionId}`);
-    if (!poll.ok) {
-      if (poll.status === 410) {
-        console.error("\nSession expired. Run `agentis login` again.");
-        process.exit(1);
-      }
-      continue;
-    }
-    const data = await poll.json();
-    if (data.status === "complete" && data.accountKey) {
-      await saveToken(data.accountKey);
-      console.log("\nAuthenticated! You can now use the Agentis CLI.\n");
-      return;
+    const result = await Promise.race([callback, timeout]);
+    if (result.error) throw new Error(`Authorization failed: ${result.error}`);
+    if (!result.code || result.state !== state) throw new Error("Invalid OAuth callback");
+    const response = await fetch(`${API_BASE}/oauth/token`, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code: result.code,
+        redirect_uri: redirectUri,
+        code_verifier: verifier,
+        client_id: CLIENT_ID
+      })
+    });
+    const body = await response.json();
+    if (!response.ok || !body.access_token || !body.refresh_token || !body.expires_in) {
+      throw new Error(body.error_description ?? "OAuth token exchange failed");
     }
+    await saveOAuthCredentials({
+      version: 2,
+      accessToken: body.access_token,
+      refreshToken: body.refresh_token,
+      expiresAt: Date.now() + body.expires_in * 1e3,
+      scope: body.scope?.split(/\s+/).filter(Boolean) ?? SCOPES,
+      clientId: CLIENT_ID
+    });
+    console.log("\nAuthenticated. You can now use the Agentis CLI.\n");
+  } catch (error) {
+    console.error(`
+${error instanceof Error ? error.message : "Login failed"}`);
+    process.exitCode = 1;
+  } finally {
+    server.stop(true);
   }
-  console.error("\nLogin timed out. Run `agentis login` again.");
-  process.exit(1);
 }
 async function logout() {
-  const token = await getToken();
-  if (!token) {
+  const stored = await getStoredCredentials();
+  if (!stored) {
     console.log("Not logged in.");
     return;
   }
+  if (stored.type === "oauth") {
+    await fetch(`${API_BASE}/oauth/revoke`, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({ token: stored.credentials.refreshToken })
+    }).catch(() => null);
+  }
   await deleteToken();
   console.log("Logged out.");
 }
 async function whoami() {
+  const stored = await getStoredCredentials();
   const token = await getToken();
-  if (!token) {
+  if (!stored || !token) {
     console.log("Not logged in. Run `agentis login`.");
     return;
   }
   const masked = token.slice(0, 13) + "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" + token.slice(-4);
-  console.log(`Logged in as ${masked}`);
+  console.log(`Logged in via ${stored.type === "oauth" ? "OAuth" : "account key"} as ${masked}`);
 }
 
 // src/lib/account.ts
@@ -134,7 +265,7 @@ import { wordlist as englishWordlist } from "@scure/bip39/wordlists/english.js";
 import { HDKey } from "@scure/bip32";
 import { scrypt } from "@noble/hashes/scrypt.js";
 import { gcm } from "@noble/ciphers/aes.js";
-import { randomBytes } from "@noble/hashes/utils.js";
+import { randomBytes as randomBytes2 } from "@noble/hashes/utils.js";
 import { ed25519 } from "@noble/curves/ed25519.js";
 import { v4 as uuidv4 } from "uuid";
 import { join } from "path";
@@ -185,8 +316,8 @@ function encodeBase58(bytes) {
   return result;
 }
 function encryptMnemonic(mnemonic, passphrase = "") {
-  const salt = randomBytes(32);
-  const iv = randomBytes(12);
+  const salt = randomBytes2(32);
+  const iv = randomBytes2(12);
   const key = scrypt(passphrase, salt, { N: 65536, r: 8, p: 1, dkLen: 32 });
   const cipher = gcm(key, iv);
   const data = new TextEncoder().encode(mnemonic);
@@ -489,6 +620,13 @@ Sent!`);
 }
 
 // src/lib/format-agent.ts
+var blue = "\x1B[38;5;117m";
+var purple = "\x1B[38;5;141m";
+var green = "\x1B[38;5;114m";
+var amber = "\x1B[38;5;179m";
+var red = "\x1B[38;5;203m";
+var muted = "\x1B[38;5;244m";
+var reset = "\x1B[0m";
 function formatPolicy(agent) {
   const mode = agent.policyMode ?? "backend";
   if (mode !== "onchain") return "policy=backend";
@@ -501,16 +639,41 @@ function formatPrivacy(agent) {
 function formatLocalPolicy(wallet) {
   return wallet.policy.killSwitch ? "policy=local:killed" : "policy=local";
 }
+function shorten(value, prefix = 6, suffix = 5) {
+  if (value.length <= prefix + suffix + 3) return value;
+  return `${value.slice(0, prefix)}...${value.slice(-suffix)}`;
+}
+function color(value, ansi) {
+  return `${ansi}${value}${reset}`;
+}
+function colorPolicy(policy) {
+  if (policy === "policy=onchain:ready") return color(policy, purple);
+  if (policy === "policy=onchain:pending") return color(policy, amber);
+  if (policy === "policy=local:killed") return color(policy, red);
+  return color(policy, muted);
+}
+function colorPrivacy(privacy) {
+  if (!privacy) return null;
+  if (privacy === "privacy=registered") return color(privacy, green);
+  if (privacy === "privacy=pending") return color(privacy, amber);
+  if (privacy === "privacy=failed") return color(privacy, red);
+  return color(privacy, muted);
+}
 function formatBadges(parts) {
-  return parts.filter(Boolean).join(", ");
+  return parts.filter(Boolean).join("  ");
+}
+function formatName(name) {
+  return color(shorten(name, 17, 4).padEnd(24), blue);
 }
 function formatHostedAgentLine(agent) {
-  const badges = formatBadges(["hosted", formatPolicy(agent), formatPrivacy(agent)]);
-  return `  ${agent.name.padEnd(20)} ${agent.walletAddress}  [${agent.id}]  ${badges}`;
+  const badges = formatBadges([
+    colorPolicy(formatPolicy(agent)),
+    colorPrivacy(formatPrivacy(agent))
+  ]);
+  return `  ${formatName(agent.name)} ${shorten(agent.walletAddress)}  ${badges}`;
 }
 function formatLocalWalletLine(wallet) {
-  const badges = formatBadges(["local", formatLocalPolicy(wallet)]);
-  return `  ${wallet.name.padEnd(20)} ${wallet.solanaAddress}  [${wallet.id}]  ${badges}`;
+  return `  ${formatName(wallet.name)} ${shorten(wallet.solanaAddress)}  ${colorPolicy(formatLocalPolicy(wallet))}`;
 }
 
 // src/commands/wallet.ts
@@ -905,7 +1068,7 @@ async function privacyCommand(args2) {
 import { mkdir, readdir, readFile, stat, writeFile } from "fs/promises";
 import { existsSync as existsSync2 } from "fs";
 import { dirname, join as join2, resolve } from "path";
-import { randomBytes as randomBytes2 } from "crypto";
+import { randomBytes as randomBytes3 } from "crypto";
 var DEVNET_USDC = "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU";
 var SOLANA_DEVNET_NETWORK = "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1";
 async function requireAuth2() {
@@ -1024,7 +1187,7 @@ async function facilitatorCreate(args2) {
   }
   const facilitator = await res.json();
   const templateDir = facilitatorTemplateDir();
-  const koraApiKey = "kora_" + randomBytes2(24).toString("hex");
+  const koraApiKey = "kora_" + randomBytes3(24).toString("hex");
   await renderTemplateDir(templateDir, targetDir, {
     NAME: name,
     FACILITATOR_ID: facilitator.id,
@@ -1395,11 +1558,11 @@ async function earnSweep(args2) {
 var args = process.argv.slice(2);
 var cmd = args[0];
 var sub = args[1];
-var blue = "\x1B[38;5;117m";
-var green = "\x1B[38;5;114m";
-var muted = "\x1B[38;5;244m";
+var blue2 = "\x1B[38;5;117m";
+var green2 = "\x1B[38;5;114m";
+var muted2 = "\x1B[38;5;244m";
 var bold = "\x1B[1m";
-var reset = "\x1B[0m";
+var reset2 = "\x1B[0m";
 function readCliVersion() {
   try {
     const packageJsonPath = join3(dirname2(fileURLToPath(import.meta.url)), "..", "package.json");
@@ -1671,18 +1834,18 @@ var helpSpecs = {
   }
 };
 function showHelp() {
-  console.log(`${blue}${bold}
+  console.log(`${blue2}${bold}
  \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D
 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551
 \u2588\u2588\u2551  \u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551
 \u255A\u2550\u255D  \u255A\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D
-${reset}${muted}v${version}${reset}
+${reset2}${muted2}v${version}${reset2}
 
-${bold}Agentis${reset} \u2014 financial infrastructure for AI agents
+${bold}Agentis${reset2} \u2014 financial infrastructure for AI agents
 
-${green}${bold}Commands:${reset}
+${green2}${bold}Commands:${reset2}
   login                                    authenticate with your Agentis account
   logout                                   remove stored credentials
   whoami                                   show current account
@@ -1751,7 +1914,7 @@ function helpPath(values) {
 }
 function printRows(title, rows) {
   console.log(`
-${green}${bold}${title}:${reset}`);
+${green2}${bold}${title}:${reset2}`);
   for (const [left, right] of rows) {
     console.log(`  ${left.padEnd(38)} ${right}`);
   }
@@ -1766,7 +1929,7 @@ function showCommandHelp(path) {
     showHelp();
     return;
   }
-  console.log(`${bold}Usage:${reset} ${spec.usage}
+  console.log(`${bold}Usage:${reset2} ${spec.usage}
 `);
   console.log(spec.description);
   if (spec.commands) printRows("Commands", spec.commands);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentis-hq/cli",
-  "version": "0.1.7",
+  "version": "0.3.0",
   "type": "module",
   "bin": {
     "agentis": "dist/index.js"