@agentuity/cli 0.0.67 → 0.0.69

package/src/config.ts

@@ -15,6 +15,12 @@ import JSON5 from 'json5';
 import type { Config, Profile, AuthData } from './types';
 import { ConfigSchema, ProjectSchema } from './types';
 import * as tui from './tui';
+import {
+	isMacOS,
+	saveAuthToKeychain,
+	getAuthFromKeychain,
+	deleteAuthFromKeychain,
+} from './keychain';
 
 export const defaultProfileName = 'production';
 
@@ -233,11 +239,7 @@ export async function saveConfig(config: Config, customPath?: string): Promise<v
 	const configPath = customPath || (await getProfile());
 	await ensureConfigDir();
 
-	// Strip auth from config before saving (never store auth in config file)
-	const configToSave = { ...config };
-	delete configToSave.auth;
-
-	const content = formatYAML(configToSave);
+	const content = formatYAML(config);
 	await writeFile(configPath, content + '\n', { mode: 0o600 });
 	// Ensure existing files get correct permissions on upgrade
 	await chmod(configPath, 0o600);
@@ -264,47 +266,45 @@ export async function saveAuth(auth: AuthData): Promise<void> {
 		expires: auth.expires.getTime(),
 	};
 
-	// Try to store in Bun secrets API
-	try {
-		await Bun.secrets.set({
-			service: `agentuity.cli.${profileName}`,
-			name: 'auth',
-			value: JSON.stringify(authData),
-		});
-
-		// Successfully stored in secrets, ensure auth is removed from config file
-		if (config.auth) {
-			delete config.auth;
-			await saveConfig(config);
-		}
-	} catch {
-		// Bun.secrets API not available or failed, fallback to config file
-		config.auth = authData;
-		config.preferences = config.preferences || {};
-		(config.preferences as Record<string, unknown>).orgId = '';
+	// On macOS, store in Keychain for better security
+	if (isMacOS()) {
+		try {
+			await saveAuthToKeychain(profileName, authData);
 
-		// Save with auth in config as fallback (saveConfig will try to strip it but we're setting it here)
-		const configPath = await getProfile();
-		await ensureConfigDir();
-		const content = formatYAML(config);
-		await writeFile(configPath, content + '\n', { mode: 0o600 });
-		await chmod(configPath, 0o600);
-		cachedConfig = config;
+			// Successfully stored in keychain, remove from config if present
+			if (config.auth) {
+				delete config.auth;
+				await saveConfig(config);
+			}
+			return;
+		} catch (error) {
+			// Keychain failed, fall back to config file
+			console.warn('Failed to store auth in keychain, falling back to config file:', error);
+		}
 	}
+
+	// Store in config file (non-macOS or keychain failed)
+	config.auth = authData;
+	config.preferences = config.preferences || {};
+	(config.preferences as Record<string, unknown>).orgId = '';
+
+	await saveConfig(config);
 }
 
 export async function clearAuth(): Promise<void> {
 	const config = await getOrInitConfig();
 	const profileName = config.name || defaultProfileName;
 
-	// Try to delete from Bun secrets API
-	try {
-		await Bun.secrets.delete({ service: `agentuity.cli.${profileName}`, name: 'auth' });
-	} catch {
-		// Bun.secrets API not available or failed
+	// On macOS, clear from Keychain
+	if (isMacOS()) {
+		try {
+			await deleteAuthFromKeychain(profileName);
+		} catch {
+			// Ignore errors - keychain entry may not exist
+		}
 	}
 
-	// Clear auth from config file (for backwards compatibility)
+	// Also clear from config file (for backwards compatibility)
 	if (config.auth) {
 		delete config.auth;
 		config.preferences = config.preferences || {};
@@ -328,59 +328,11 @@ export async function saveOrgId(orgId: string): Promise<void> {
 	await saveConfig(config);
 }
 
-async function migrateAuthToSecrets(
-	config: Config,
-	profileName: string,
-	auth: { api_key: string; user_id: string; expires: number }
-): Promise<boolean> {
-	try {
-		const authData = {
-			api_key: auth.api_key,
-			user_id: auth.user_id,
-			expires: auth.expires,
-		};
-
-		await Bun.secrets.set({
-			service: `agentuity.cli.${profileName}`,
-			name: 'auth',
-			value: JSON.stringify(authData),
-		});
-
-		// Successfully migrated, remove from config file
-		delete config.auth;
-		await saveConfig(config);
-
-		return true;
-	} catch {
-		// Migration failed, leave in config file
-		return false;
-	}
-}
-
 export async function getAuth(): Promise<AuthData | null> {
 	const config = await loadConfig();
 	const profileName = config?.name || defaultProfileName;
 
-	// Priority 1: Try Bun secrets API first (most secure)
-	try {
-		const authJson = await Bun.secrets.get({
-			service: `agentuity.cli.${profileName}`,
-			name: 'auth',
-		});
-
-		if (authJson) {
-			const auth = JSON.parse(authJson) as { api_key: string; user_id: string; expires: number };
-			return {
-				apiKey: auth.api_key,
-				userId: auth.user_id,
-				expires: new Date(auth.expires),
-			};
-		}
-	} catch {
-		// Bun.secrets API not available or failed, fallback to other methods
-	}
-
-	// Priority 2: Allow automated login from environment variables
+	// Priority 1: Allow automated login from environment variables
 	if (process.env.AGENTUITY_CLI_API_KEY && process.env.AGENTUITY_USER_ID) {
 		return {
 			apiKey: process.env.AGENTUITY_CLI_API_KEY,
@@ -389,7 +341,23 @@ export async function getAuth(): Promise<AuthData | null> {
 		};
 	}
 
-	// Priority 3: Fallback to config file (backwards compatibility + migration)
+	// Priority 2: On macOS, try to read from Keychain
+	if (isMacOS()) {
+		try {
+			const keychainAuth = await getAuthFromKeychain(profileName);
+			if (keychainAuth) {
+				return {
+					apiKey: keychainAuth.api_key,
+					userId: keychainAuth.user_id,
+					expires: new Date(keychainAuth.expires),
+				};
+			}
+		} catch {
+			// Keychain read failed, fall through to config file
+		}
+	}
+
+	// Priority 3: Read from config file (non-macOS or keychain failed)
 	if (!config) return null;
 	const auth = config.auth as { api_key?: string; user_id?: string; expires?: number } | undefined;
 
@@ -397,18 +365,7 @@ export async function getAuth(): Promise<AuthData | null> {
 		return null;
 	}
 
-	// Check if token is unexpired
 	const expiresDate = new Date(auth.expires || 0);
-	const isExpired = expiresDate.getTime() <= Date.now();
-
-	// If unexpired, attempt to migrate to Bun.secrets
-	if (!isExpired) {
-		await migrateAuthToSecrets(config, profileName, {
-			api_key: auth.api_key,
-			user_id: auth.user_id,
-			expires: auth.expires || 0,
-		});
-	}
 
 	return {
 		apiKey: auth.api_key,

package/src/keychain.ts

@@ -0,0 +1,176 @@
+/**
+ * macOS Keychain integration for secure auth token storage
+ *
+ * Stores auth tokens encrypted in the macOS Keychain using a per-device AES-256 key.
+ * No user prompts required - fully automatic and secure.
+ */
+
+const SERVICE_PREFIX = 'com.agentuity.cli';
+const KEY_ACCOUNT = 'aes-encryption-key';
+
+/**
+ * Check if we're running on macOS
+ */
+export function isMacOS(): boolean {
+	return process.platform === 'darwin';
+}
+
+/**
+ * Get or create an AES encryption key stored in the macOS Keychain
+ */
+async function ensureEncryptionKey(service: string): Promise<Uint8Array> {
+	// Try to read existing key
+	const find = Bun.spawn(
+		['security', 'find-generic-password', '-s', service, '-a', KEY_ACCOUNT, '-w'],
+		{ stderr: 'ignore' }
+	);
+
+	const stdout = await new Response(find.stdout).text();
+
+	if (stdout.length > 0) {
+		const b64 = stdout.trim();
+		return Uint8Array.from(Buffer.from(b64, 'base64'));
+	}
+
+	// Create a new 32-byte (256-bit) AES key
+	const key = crypto.getRandomValues(new Uint8Array(32));
+	const b64 = Buffer.from(key).toString('base64');
+
+	// Store in macOS Keychain (no user prompts with -U flag)
+	const add = Bun.spawn([
+		'security',
+		'add-generic-password',
+		'-s',
+		service,
+		'-a',
+		KEY_ACCOUNT,
+		'-w',
+		b64,
+		'-U', // Update without user confirmation
+	]);
+	await add.exited;
+
+	return key;
+}
+
+/**
+ * Encrypt data using AES-256-GCM
+ */
+async function encrypt(data: string, keyBytes: Uint8Array): Promise<Uint8Array> {
+	const key = await crypto.subtle.importKey('raw', keyBytes, 'AES-GCM', false, ['encrypt']);
+
+	const iv = crypto.getRandomValues(new Uint8Array(12));
+	const plaintext = new TextEncoder().encode(data);
+
+	const ciphertext = new Uint8Array(
+		await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext)
+	);
+
+	// Combine IV + ciphertext
+	const combined = new Uint8Array(iv.length + ciphertext.length);
+	combined.set(iv, 0);
+	combined.set(ciphertext, iv.length);
+
+	return combined;
+}
+
+/**
+ * Decrypt data using AES-256-GCM
+ */
+async function decrypt(combined: Uint8Array, keyBytes: Uint8Array): Promise<string> {
+	const key = await crypto.subtle.importKey('raw', keyBytes, 'AES-GCM', false, ['decrypt']);
+
+	const iv = combined.slice(0, 12);
+	const ciphertext = combined.slice(12);
+
+	const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
+
+	return new TextDecoder().decode(plaintext);
+}
+
+/**
+ * Store auth data in macOS Keychain
+ */
+export async function saveAuthToKeychain(
+	profileName: string,
+	authData: { api_key: string; user_id: string; expires: number }
+): Promise<void> {
+	const service = `${SERVICE_PREFIX}.${profileName}`;
+	const account = 'auth-token';
+
+	// Get or create encryption key
+	const key = await ensureEncryptionKey(service);
+
+	// Encrypt the auth data
+	const json = JSON.stringify(authData);
+	const encrypted = await encrypt(json, key);
+	const b64 = Buffer.from(encrypted).toString('base64');
+
+	// Store encrypted auth in keychain
+	// First try to delete if exists, then add
+	const del = Bun.spawn(['security', 'delete-generic-password', '-s', service, '-a', account], {
+		stderr: 'ignore',
+	});
+	await del.exited;
+
+	const add = Bun.spawn([
+		'security',
+		'add-generic-password',
+		'-s',
+		service,
+		'-a',
+		account,
+		'-w',
+		b64,
+		'-U',
+	]);
+	await add.exited;
+}
+
+/**
+ * Retrieve auth data from macOS Keychain
+ */
+export async function getAuthFromKeychain(
+	profileName: string
+): Promise<{ api_key: string; user_id: string; expires: number } | null> {
+	const service = `${SERVICE_PREFIX}.${profileName}`;
+	const account = 'auth-token';
+
+	try {
+		// Get the encrypted auth data
+		const find = Bun.spawn(
+			['security', 'find-generic-password', '-s', service, '-a', account, '-w'],
+			{ stderr: 'ignore' }
+		);
+
+		const stdout = await new Response(find.stdout).text();
+		if (stdout.length === 0) {
+			return null;
+		}
+
+		const b64 = stdout.trim();
+		const encrypted = Uint8Array.from(Buffer.from(b64, 'base64'));
+
+		// Get the encryption key
+		const key = await ensureEncryptionKey(service);
+
+		// Decrypt the auth data
+		const json = await decrypt(encrypted, key);
+		return JSON.parse(json);
+	} catch {
+		return null;
+	}
+}
+
+/**
+ * Delete auth data from macOS Keychain
+ */
+export async function deleteAuthFromKeychain(profileName: string): Promise<void> {
+	const service = `${SERVICE_PREFIX}.${profileName}`;
+	const account = 'auth-token';
+
+	const del = Bun.spawn(['security', 'delete-generic-password', '-s', service, '-a', account], {
+		stderr: 'ignore',
+	});
+	await del.exited;
+}

package/src/utils/detectSubagent.ts

@@ -1,7 +1,7 @@
 /**
  * Detects if a file path represents a subagent based on path structure.
  *
- * Subagents follow the pattern: agents/parent/child/agent.ts or agents/parent/child/route.ts
+ * Subagents follow the pattern: agent/parent/child/agent.ts or agent/parent/child/route.ts
  * The path structure is currently hardcoded to 4 segments but could be made configurable later.
  *
  * @param filePath - The file path to analyze (can include leading './')
@@ -22,9 +22,9 @@ export function detectSubagent(
 	// Strip leading './' and split into parts, filtering out empty segments
 	const pathParts = normalizedPath.replace(/^\.\//, '').split('/').filter(Boolean);
 
-	// Path structure assumption: ['agents', 'parent', 'child', 'agent.ts' | 'route.ts' | 'route']
+	// Path structure assumption: ['agent', 'parent', 'child', 'agent.ts' | 'route.ts' | 'route']
 	// Currently hardcoded to 4 segments - consider making configurable in the future
-	const isSubagent = pathParts.length === 4 && pathParts[0] === 'agents';
+	const isSubagent = pathParts.length === 4 && pathParts[0] === 'agent';
 	const parentName = isSubagent ? pathParts[1] : null;
 
 	return { isSubagent, parentName };

package/dist/cmd/build/ast.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=ast.test.d.ts.map

package/dist/cmd/build/ast.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ast.test.d.ts","sourceRoot":"","sources":["../../../src/cmd/build/ast.test.ts"],"names":[],"mappings":""}