npm - @agentis-hq/cli - Versions diffs - 0.2.0 → 0.3.1 - Mend

@agentis-hq/cli 0.2.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -43,7 +43,9 @@ AGENTIS_API_URL=http://localhost:3001 agentis wallet list
 ## Authentication
-Hosted wallets and hosted agents require an Agentis account key. The CLI gets one through the browser login flow and stores it in your OS keychain.
+Hosted wallets and hosted agents require authentication. The CLI uses OAuth
+authorization code flow with PKCE and stores its access and refresh credentials
+in the OS keychain.
 ```bash
 agentis login
@@ -278,7 +280,7 @@ AGENTIS_API_URL=http://localhost:3001 bun src/index.ts wallet list
 ## Notes
 - Hosted agent keys are shown only when created or regenerated.
-- CLI account keys are stored in the OS keychain.
+- CLI OAuth credentials are stored in the OS keychain.
 - Local wallet vaults live under `~/.agentis/wallets/`.
 - Jupiter Earn commands require mainnet and the `--mainnet` safety flag.
 - Umbra devnet flows are currently safest with SOL or wSOL.

package/dist/index.js CHANGED Viewed

@@ -5,99 +5,235 @@ import { readFileSync as readFileSync2 } from "fs";
 import { dirname as dirname2, join as join3 } from "path";
 import { fileURLToPath } from "url";
+// src/commands/auth.ts
+import { createHash, randomBytes } from "crypto";
+import { execFile } from "child_process";
+// src/lib/config.ts
+var API_BASE = process.env.AGENTIS_API_URL ?? "https://api.agentis.systems";
+async function apiFetch(path, opts = {}, token) {
+  const headers = {
+    "content-type": "application/json",
+    ...opts.headers ?? {}
+  };
+  if (token) headers["authorization"] = `Bearer ${token}`;
+  return fetch(`${API_BASE}${path}`, { ...opts, headers });
+}
 // src/lib/keychain.ts
 import { Entry } from "@napi-rs/keyring";
 var entry = new Entry("agentis-cli", "account-key");
-async function saveToken(token) {
-  entry.setPassword(token);
-}
-async function getToken() {
-  if (process.env.AGENTIS_ACCOUNT_KEY) return process.env.AGENTIS_ACCOUNT_KEY;
+function readPassword() {
   try {
     return entry.getPassword();
   } catch {
     return null;
   }
 }
-async function deleteToken() {
+async function saveOAuthCredentials(credentials) {
+  entry.setPassword(JSON.stringify(credentials));
+}
+async function getStoredCredentials() {
+  const envToken = process.env.AGENTIS_ACCOUNT_KEY;
+  if (envToken) return { type: "legacy", token: envToken };
+  const stored = readPassword();
+  if (!stored) return null;
+  if (!stored.startsWith("{")) return { type: "legacy", token: stored };
   try {
-    entry.deletePassword();
+    const credentials = JSON.parse(stored);
+    if (credentials.version === 2 && credentials.accessToken?.startsWith("agt_oauth_") && credentials.refreshToken?.startsWith("agt_refresh_")) {
+      return { type: "oauth", credentials };
+    }
   } catch {
   }
+  return null;
 }
-// src/lib/config.ts
-var API_BASE = process.env.AGENTIS_API_URL ?? "https://api.agentis.systems";
-async function apiFetch(path, opts = {}, token) {
-  const headers = {
-    "content-type": "application/json",
-    ...opts.headers ?? {}
+async function refresh(credentials) {
+  const response = await fetch(`${API_BASE}/oauth/token`, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: credentials.refreshToken,
+      client_id: credentials.clientId
+    })
+  }).catch(() => null);
+  if (!response?.ok) return null;
+  const body = await response.json();
+  const updated = {
+    ...credentials,
+    accessToken: body.access_token,
+    refreshToken: body.refresh_token,
+    expiresAt: Date.now() + body.expires_in * 1e3,
+    scope: body.scope.split(/\s+/).filter(Boolean)
   };
-  if (token) headers["authorization"] = `Bearer ${token}`;
-  return fetch(`${API_BASE}${path}`, { ...opts, headers });
+  await saveOAuthCredentials(updated);
+  return updated;
+}
+async function getToken() {
+  const stored = await getStoredCredentials();
+  if (!stored) return null;
+  if (stored.type === "legacy") return stored.token;
+  if (stored.credentials.expiresAt > Date.now() + 6e4) {
+    return stored.credentials.accessToken;
+  }
+  return (await refresh(stored.credentials))?.accessToken ?? null;
+}
+async function deleteToken() {
+  try {
+    entry.deletePassword();
+  } catch {
+  }
 }
 // src/commands/auth.ts
+var CLIENT_ID = "agentis-cli";
+var SCOPES = [
+  "wallets:read",
+  "wallets:write",
+  "payments:execute",
+  "policy:read",
+  "policy:write",
+  "privacy:read",
+  "privacy:write",
+  "earn:read",
+  "earn:write"
+];
+function base64url(bytes) {
+  return Buffer.from(bytes).toString("base64url");
+}
+function openBrowser(url) {
+  if (process.platform === "darwin") {
+    execFile("open", [url], () => {
+    });
+  } else if (process.platform === "win32") {
+    execFile("cmd", ["/c", "start", "", url], () => {
+    });
+  } else {
+    execFile("xdg-open", [url], () => {
+    });
+  }
+}
 async function login() {
-  const existing = await getToken();
+  const existing = await getStoredCredentials();
   if (existing) {
     console.log("Already logged in. Run `agentis logout` first.");
     return;
   }
-  const res = await apiFetch("/auth/session", { method: "POST" });
-  if (!res.ok) {
-    console.error("Failed to start login session.");
-    process.exit(1);
-  }
-  const { sessionId, loginUrl } = await res.json();
+  const verifier = base64url(randomBytes(48));
+  const challenge = createHash("sha256").update(verifier).digest("base64url");
+  const state = base64url(randomBytes(24));
+  let resolveCallback;
+  const callback = new Promise((resolve2) => {
+    resolveCallback = resolve2;
+  });
+  let handled = false;
+  const server = Bun.serve({
+    hostname: "127.0.0.1",
+    port: 0,
+    fetch(request) {
+      const url = new URL(request.url);
+      if (url.pathname !== "/callback") return new Response("Not found", { status: 404 });
+      if (!handled) {
+        handled = true;
+        resolveCallback({
+          code: url.searchParams.get("code") ?? void 0,
+          error: url.searchParams.get("error") ?? void 0,
+          state: url.searchParams.get("state") ?? void 0
+        });
+      }
+      return new Response(
+        '<!doctype html><html><body style="font-family:monospace;padding:40px">Agentis authorization complete. You can close this window.</body></html>',
+        { headers: { "content-type": "text/html; charset=utf-8" } }
+      );
+    }
+  });
+  const redirectUri = `http://127.0.0.1:${server.port}/callback`;
+  const authorizeUrl = new URL(`${API_BASE}/oauth/authorize`);
+  authorizeUrl.search = new URLSearchParams({
+    response_type: "code",
+    client_id: CLIENT_ID,
+    redirect_uri: redirectUri,
+    code_challenge: challenge,
+    code_challenge_method: "S256",
+    scope: SCOPES.join(" "),
+    state,
+    resource: API_BASE
+  }).toString();
   console.log("\nOpen this URL in your browser to authenticate:\n");
-  console.log(`  ${loginUrl}
+  console.log(`  ${authorizeUrl}
 `);
+  openBrowser(authorizeUrl.toString());
+  console.log("Waiting for authorization...");
+  let timeoutId;
+  const timeout = new Promise((_, reject) => {
+    timeoutId = setTimeout(
+      () => reject(new Error("Login timed out. Run `agentis login` again.")),
+      10 * 60 * 1e3
+    );
+  });
   try {
-    const { exec } = await import("child_process");
-    const open = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
-    exec(`${open} "${loginUrl}"`);
-  } catch {
-  }
-  console.log("Waiting for authentication...");
-  const deadline = Date.now() + 10 * 60 * 1e3;
-  while (Date.now() < deadline) {
-    await new Promise((r) => setTimeout(r, 2e3));
-    const poll = await apiFetch(`/auth/session/${sessionId}`);
-    if (!poll.ok) {
-      if (poll.status === 410) {
-        console.error("\nSession expired. Run `agentis login` again.");
-        process.exit(1);
-      }
-      continue;
-    }
-    const data = await poll.json();
-    if (data.status === "complete" && data.accountKey) {
-      await saveToken(data.accountKey);
-      console.log("\nAuthenticated! You can now use the Agentis CLI.\n");
-      return;
+    const result = await Promise.race([callback, timeout]);
+    if (result.error) throw new Error(`Authorization failed: ${result.error}`);
+    if (!result.code || result.state !== state) throw new Error("Invalid OAuth callback");
+    const response = await fetch(`${API_BASE}/oauth/token`, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code: result.code,
+        redirect_uri: redirectUri,
+        code_verifier: verifier,
+        client_id: CLIENT_ID
+      })
+    });
+    const body = await response.json();
+    if (!response.ok || !body.access_token || !body.refresh_token || !body.expires_in) {
+      throw new Error(body.error_description ?? "OAuth token exchange failed");
     }
+    await saveOAuthCredentials({
+      version: 2,
+      accessToken: body.access_token,
+      refreshToken: body.refresh_token,
+      expiresAt: Date.now() + body.expires_in * 1e3,
+      scope: body.scope?.split(/\s+/).filter(Boolean) ?? SCOPES,
+      clientId: CLIENT_ID
+    });
+    console.log("\nAuthenticated. You can now use the Agentis CLI.\n");
+  } catch (error) {
+    console.error(`
+${error instanceof Error ? error.message : "Login failed"}`);
+    process.exitCode = 1;
+  } finally {
+    if (timeoutId) clearTimeout(timeoutId);
+    server.stop(true);
   }
-  console.error("\nLogin timed out. Run `agentis login` again.");
-  process.exit(1);
 }
 async function logout() {
-  const token = await getToken();
-  if (!token) {
+  const stored = await getStoredCredentials();
+  if (!stored) {
     console.log("Not logged in.");
     return;
   }
+  if (stored.type === "oauth") {
+    await fetch(`${API_BASE}/oauth/revoke`, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({ token: stored.credentials.refreshToken })
+    }).catch(() => null);
+  }
   await deleteToken();
   console.log("Logged out.");
 }
 async function whoami() {
+  const stored = await getStoredCredentials();
   const token = await getToken();
-  if (!token) {
+  if (!stored || !token) {
     console.log("Not logged in. Run `agentis login`.");
     return;
   }
   const masked = token.slice(0, 13) + "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" + token.slice(-4);
-  console.log(`Logged in as ${masked}`);
+  console.log(`Logged in via ${stored.type === "oauth" ? "OAuth" : "account key"} as ${masked}`);
 }
 // src/lib/account.ts
@@ -134,7 +270,7 @@ import { wordlist as englishWordlist } from "@scure/bip39/wordlists/english.js";
 import { HDKey } from "@scure/bip32";
 import { scrypt } from "@noble/hashes/scrypt.js";
 import { gcm } from "@noble/ciphers/aes.js";
-import { randomBytes } from "@noble/hashes/utils.js";
+import { randomBytes as randomBytes2 } from "@noble/hashes/utils.js";
 import { ed25519 } from "@noble/curves/ed25519.js";
 import { v4 as uuidv4 } from "uuid";
 import { join } from "path";
@@ -185,8 +321,8 @@ function encodeBase58(bytes) {
   return result;
 }
 function encryptMnemonic(mnemonic, passphrase = "") {
-  const salt = randomBytes(32);
-  const iv = randomBytes(12);
+  const salt = randomBytes2(32);
+  const iv = randomBytes2(12);
   const key = scrypt(passphrase, salt, { N: 65536, r: 8, p: 1, dkLen: 32 });
   const cipher = gcm(key, iv);
   const data = new TextEncoder().encode(mnemonic);
@@ -937,7 +1073,7 @@ async function privacyCommand(args2) {
 import { mkdir, readdir, readFile, stat, writeFile } from "fs/promises";
 import { existsSync as existsSync2 } from "fs";
 import { dirname, join as join2, resolve } from "path";
-import { randomBytes as randomBytes2 } from "crypto";
+import { randomBytes as randomBytes3 } from "crypto";
 var DEVNET_USDC = "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU";
 var SOLANA_DEVNET_NETWORK = "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1";
 async function requireAuth2() {
@@ -1056,7 +1192,7 @@ async function facilitatorCreate(args2) {
   }
   const facilitator = await res.json();
   const templateDir = facilitatorTemplateDir();
-  const koraApiKey = "kora_" + randomBytes2(24).toString("hex");
+  const koraApiKey = "kora_" + randomBytes3(24).toString("hex");
   await renderTemplateDir(templateDir, targetDir, {
     NAME: name,
     FACILITATOR_ID: facilitator.id,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@agentis-hq/cli",
-  "version": "0.2.0",
+  "version": "0.3.1",
   "type": "module",
   "bin": {
     "agentis": "dist/index.js"