@ai-ide-bridge/cli 1.0.5 → 1.1.1

package/src/core/types.ts

@@ -0,0 +1,100 @@
+import { z } from 'zod';
+
+export const MessageSchema = z.object({
+  role: z.enum(['system', 'user', 'assistant', 'tool', 'function']),
+  content: z.string().nullable().optional(),
+  name: z.string().optional(),
+  tool_call_id: z.string().optional(),
+  tool_calls: z
+    .array(
+      z.object({
+        id: z.string(),
+        type: z.literal('function'),
+        function: z.object({
+          name: z.string(),
+          arguments: z.string(),
+        }),
+      }),
+    )
+    .optional(),
+});
+
+export type Message = z.infer<typeof MessageSchema>;
+
+export const ToolDefinitionSchema = z.object({
+  type: z.literal('function'),
+  function: z.object({
+    name: z.string(),
+    description: z.string().optional(),
+    parameters: z.record(z.unknown()),
+  }),
+});
+
+export type ToolDefinition = z.infer<typeof ToolDefinitionSchema>;
+
+export const ModelInfoSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  capabilities: z
+    .object({
+      streaming: z.boolean().optional(),
+      tools: z.boolean().optional(),
+      vision: z.boolean().optional(),
+    })
+    .optional(),
+});
+
+export type ModelInfo = z.infer<typeof ModelInfoSchema>;
+
+export type StreamChunkType = 'text' | 'tool_call' | 'tool_result' | 'error' | 'done';
+export type FinishReason = 'stop' | 'tool_calls' | 'error' | 'length';
+
+export interface StreamChunk {
+  type: StreamChunkType;
+  content?: string;
+  toolCall?: {
+    id: string;
+    name: string;
+    arguments: string;
+  };
+  finishReason?: FinishReason;
+}
+
+export interface BridgePlugin {
+  name: string;
+  version: string;
+  authenticate(config: Record<string, string>): Promise<boolean>;
+  listModels(config: Record<string, string>): Promise<ModelInfo[]>;
+  createSession(config: Record<string, string>, model: string): Promise<BridgeSession>;
+}
+
+export interface BridgeSession {
+  send(messages: Message[], tools?: ToolDefinition[]): AsyncIterable<StreamChunk>;
+  dispose(): Promise<void>;
+}
+
+export interface PluginHealth {
+  name: string;
+  healthy: boolean;
+  lastChecked: Date;
+  error?: string;
+}
+
+export interface BridgeConfig {
+  activePlugin?: string;
+  defaultPlugin: string;
+  port: number;
+  host: string;
+  plugins: Record<string, Record<string, string>>;
+  sessionTTL: number;
+  toolMode: 'strict' | 'lenient';
+}
+
+export const DefaultConfig: BridgeConfig = {
+  defaultPlugin: 'cursor',
+  port: 3849,
+  host: '127.0.0.1',
+  plugins: {},
+  sessionTTL: 1800,
+  toolMode: 'lenient',
+};

package/src/index.ts

@@ -7,8 +7,11 @@ import {
   daemonStatusCommand,
   daemonDownloadCommand,
   daemonLocateCommand,
+  daemonReloadCommand,
 } from './commands/daemon.js';
 import { installDaemonCommand, uninstallDaemonCommand } from './commands/daemon.js';
+import { loginCommand } from './commands/login.js';
+import { logoutCommand } from './commands/logout.js';
 
 const command = process.argv[2] ?? 'help';
 
@@ -44,11 +47,24 @@ async function main(): Promise<void> {
         case 'locate':
           await daemonLocateCommand();
           break;
+        case 'reload':
+          await daemonReloadCommand();
+          break;
         default:
-          console.log('Usage: llm-bridge daemon [status|download|locate]');
+          console.log('Usage: llm-bridge daemon [status|download|locate|reload]');
       }
       break;
     }
+    case 'login': {
+      const provider = process.argv[3];
+      await loginCommand(provider);
+      break;
+    }
+    case 'logout': {
+      const provider = process.argv[3];
+      await logoutCommand(provider);
+      break;
+    }
     case 'help':
     default:
       console.log(`llm-bridge v1.0.0
@@ -56,11 +72,13 @@ async function main(): Promise<void> {
 Usage:
   llm-bridge init              Interactive setup wizard (configure one or more providers)
   llm-bridge start             Launch bridge server (all configured plugins registered)
+  llm-bridge login [provider]  OAuth login (copilot, cursor)
+  llm-bridge logout [provider] Remove stored OAuth token
   llm-bridge configure         Inject OpenCode config for the default provider
   llm-bridge doctor            Run diagnostics
-  llm-bridge install-daemon    Install macOS LaunchAgent
-  llm-bridge uninstall-daemon  Remove macOS LaunchAgent
-  llm-bridge daemon [status|download|locate]  Manage Windsurf daemon binary
+  llm-bridge install-daemon    Install platform daemon (LaunchAgent or systemd)
+  llm-bridge uninstall-daemon  Remove platform daemon
+  llm-bridge daemon [status|download|locate|reload]  Manage Windsurf daemon binary
   llm-bridge help              Show this help`);
   }
 }

package/src/oauth/device-flow.ts

@@ -0,0 +1,111 @@
+import type { OAuthConfig, StoredToken, DeviceCodeResponse } from './types.js';
+
+const SLOW_DOWN_BACKOFF_MS = 5000;
+const DEFAULT_POLL_INTERVAL_S = 5;
+const DEFAULT_TOKEN_EXPIRY_S = 3600;
+
+export class DeviceFlow {
+  private deviceCode = '';
+  private interval = DEFAULT_POLL_INTERVAL_S * 1000;
+  private expiresAt = 0;
+  private firstPoll = true;
+
+  constructor(private config: OAuthConfig) {}
+
+  async start(): Promise<DeviceCodeResponse> {
+    const params = new URLSearchParams({
+      client_id: this.config.provider.clientId,
+      scope: this.config.provider.scopes.join(' '),
+    });
+
+    const response = await fetch(this.config.provider.authUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
+      body: params.toString(),
+    });
+
+    if (!response.ok) {
+      const body = await response.text();
+      throw new Error(`Device code request failed: ${response.status} ${body}`);
+    }
+
+    const data = (await response.json()) as Record<string, unknown>;
+
+    if (!data.device_code || !data.user_code || !data.verification_uri || !data.expires_in) {
+      throw new Error('Invalid device code response: missing required fields');
+    }
+
+    this.deviceCode = data.device_code as string;
+    this.interval = ((data.interval as number) ?? DEFAULT_POLL_INTERVAL_S) * 1000;
+    this.expiresAt = Date.now() + (data.expires_in as number) * 1000;
+    this.firstPoll = true;
+
+    return {
+      deviceCode: this.deviceCode,
+      userCode: data.user_code as string,
+      verificationUri: data.verification_uri as string,
+      expiresIn: data.expires_in as number,
+      interval: (data.interval as number) ?? DEFAULT_POLL_INTERVAL_S,
+    };
+  }
+
+  async poll(): Promise<StoredToken> {
+    if (!this.deviceCode) {
+      throw new Error('No device code. Call start() first.');
+    }
+
+    while (Date.now() < this.expiresAt) {
+      if (!this.firstPoll) {
+        await this.sleep(this.interval);
+      }
+      this.firstPoll = false;
+
+      const params = new URLSearchParams({
+        client_id: this.config.provider.clientId,
+        device_code: this.deviceCode,
+        grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+      });
+
+      const response = await fetch(this.config.provider.tokenUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          Accept: 'application/json',
+        },
+        body: params.toString(),
+      });
+
+      const data = (await response.json()) as Record<string, unknown>;
+
+      if (response.ok) {
+        if (!data.access_token) {
+          throw new Error('Invalid token response: missing access_token');
+        }
+
+        const token: StoredToken = {
+          version: 1,
+          accessToken: data.access_token as string,
+          refreshToken: data.refresh_token as string | undefined,
+          expiresAt: Date.now() + ((data.expires_in as number) ?? DEFAULT_TOKEN_EXPIRY_S) * 1000,
+          scopes: (data.scope as string)?.split(' ') ?? this.config.provider.scopes,
+        };
+
+        await this.config.store.set(this.config.provider.id, token);
+        return token;
+      }
+
+      const error = data.error as string;
+      if (error === 'slow_down') {
+        this.interval += ((data.interval as number) ?? 0) * 1000 + SLOW_DOWN_BACKOFF_MS;
+      } else if (error !== 'authorization_pending') {
+        throw new Error(`Device flow error: ${error}`);
+      }
+    }
+
+    throw new Error('Device flow expired');
+  }
+
+  private sleep(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+}

package/src/oauth/flow.ts

@@ -0,0 +1,94 @@
+import { randomBytes, createHash } from 'node:crypto';
+import type { OAuthConfig, StoredToken, TokenStore, PKCEState } from './types.js';
+
+const DEFAULT_TOKEN_EXPIRY_MS = 3600000;
+
+export class OAuthFlow {
+  private pkceState: PKCEState | null = null;
+
+  constructor(
+    private config: OAuthConfig,
+    private store: TokenStore,
+  ) {}
+
+  async start(): Promise<string> {
+    const codeVerifier = this.generateCodeVerifier();
+    const codeChallenge = this.generateCodeChallenge(codeVerifier);
+    const state = randomBytes(16).toString('hex');
+
+    this.pkceState = { codeVerifier, codeChallenge, state };
+
+    const params = new URLSearchParams({
+      response_type: 'code',
+      client_id: this.config.provider.clientId,
+      scope: this.config.provider.scopes.join(' '),
+      code_challenge: codeChallenge,
+      code_challenge_method: 'S256',
+      state,
+    });
+
+    if (this.config.redirectUri) {
+      params.set('redirect_uri', this.config.redirectUri);
+    }
+
+    return `${this.config.provider.authUrl}?${params.toString()}`;
+  }
+
+  async callback(code: string, state: string): Promise<StoredToken> {
+    if (!this.pkceState) {
+      throw new Error('No pending PKCE state');
+    }
+
+    if (state !== this.pkceState.state) {
+      throw new Error('State mismatch');
+    }
+
+    const { codeVerifier } = this.pkceState;
+    this.pkceState = null;
+
+    const params = new URLSearchParams({
+      grant_type: 'authorization_code',
+      code,
+      code_verifier: codeVerifier,
+      client_id: this.config.provider.clientId,
+    });
+
+    if (this.config.redirectUri) {
+      params.set('redirect_uri', this.config.redirectUri);
+    }
+
+    const response = await fetch(this.config.provider.tokenUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: params.toString(),
+    });
+
+    if (!response.ok) {
+      const body = await response.text();
+      throw new Error(`Token exchange failed: ${response.status} ${body}`);
+    }
+
+    const data = (await response.json()) as Record<string, unknown>;
+
+    const newToken: StoredToken = {
+      version: 1,
+      accessToken: data.access_token as string,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresAt: data.expires_in
+        ? Date.now() + (data.expires_in as number) * 1000
+        : Date.now() + DEFAULT_TOKEN_EXPIRY_MS,
+      scopes: this.config.provider.scopes,
+    };
+
+    await this.store.set(this.config.provider.id, newToken);
+    return newToken;
+  }
+
+  private generateCodeVerifier(): string {
+    return randomBytes(32).toString('base64url');
+  }
+
+  private generateCodeChallenge(verifier: string): string {
+    return createHash('sha256').update(verifier).digest('base64url');
+  }
+}

package/src/oauth/index.ts

@@ -0,0 +1,6 @@
+export type { OAuthProvider, TokenStore, StoredToken, OAuthConfig } from './types.js';
+export { createTokenStore } from './storage.js';
+export { OAuthFlow } from './flow.js';
+export { DeviceFlow } from './device-flow.js';
+export { TokenLifecycle, type TokenLifecycleOptions } from './lifecycle.js';
+export { providers } from './providers.js';

package/src/oauth/lifecycle.ts

@@ -0,0 +1,77 @@
+import type { OAuthConfig, StoredToken, TokenStore } from './types.js';
+
+export interface TokenLifecycleOptions {
+  gracePeriodMs?: number;
+  config?: OAuthConfig;
+}
+
+export class TokenLifecycle {
+  private gracePeriodMs: number;
+  private config?: OAuthConfig;
+
+  constructor(
+    private store: TokenStore,
+    options: TokenLifecycleOptions = {},
+  ) {
+    this.gracePeriodMs = options.gracePeriodMs ?? 0;
+    this.config = options.config;
+  }
+
+  async isValid(provider: string): Promise<boolean> {
+    const token = await this.store.get(provider);
+    if (!token) return false;
+
+    const expiresAt = token.expiresAt - this.gracePeriodMs;
+    return Date.now() < expiresAt;
+  }
+
+  async refresh(provider: string): Promise<StoredToken> {
+    const token = await this.store.get(provider);
+    if (!token?.refreshToken) {
+      throw new Error('No refresh token available');
+    }
+
+    if (!this.config) {
+      throw new Error('OAuthConfig required for token refresh');
+    }
+
+    const params = new URLSearchParams({
+      grant_type: 'refresh_token',
+      refresh_token: token.refreshToken,
+      client_id: this.config.provider.clientId,
+    });
+
+    const response = await fetch(this.config.provider.tokenUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: params.toString(),
+    });
+
+    if (!response.ok) {
+      const body = await response.text();
+      throw new Error(`Token refresh failed: ${response.status} ${body}`);
+    }
+
+    const data = (await response.json()) as Record<string, unknown>;
+
+    if (!data.access_token) {
+      throw new Error('Invalid token response: missing access_token');
+    }
+
+    const newToken: StoredToken = {
+      version: 1,
+      accessToken: data.access_token as string,
+      refreshToken: (data.refresh_token as string) ?? token.refreshToken,
+      expiresAt: Date.now() + ((data.expires_in as number) ?? 3600) * 1000,
+      scopes: token.scopes,
+    };
+
+    await this.store.set(provider, newToken);
+
+    if (this.config.onRefresh) {
+      await this.config.onRefresh(newToken);
+    }
+
+    return newToken;
+  }
+}

package/src/oauth/providers.ts

@@ -0,0 +1,21 @@
+import type { OAuthProvider } from './types.js';
+
+export const providers: Record<string, OAuthProvider> = {
+  copilot: {
+    id: 'copilot',
+    name: 'GitHub Copilot',
+    authUrl: 'https://github.com/login/oauth/authorize',
+    tokenUrl: 'https://github.com/login/oauth/access_token',
+    scopes: ['read:user', 'copilot'],
+    clientId: 'Iv1.2a8e2d1e0e8b4f3a',
+    deviceFlow: true,
+  },
+  cursor: {
+    id: 'cursor',
+    name: 'Cursor',
+    authUrl: 'https://authenticator.cursor.sh/oauth/authorize',
+    tokenUrl: 'https://authenticator.cursor.sh/oauth/token',
+    scopes: ['openid', 'profile', 'email'],
+    clientId: 'cursor-oauth-client',
+  },
+};

package/src/oauth/storage-file.ts

@@ -0,0 +1,77 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { homedir, hostname } from 'node:os';
+import { join } from 'node:path';
+import type { StoredToken, TokenStore } from './types.js';
+
+const ALGORITHM = 'aes-256-cbc';
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
+
+function getEncryptionKey(): Buffer {
+  const machineId = [process.platform, hostname(), homedir()].join(':');
+  return scryptSync(machineId, 'llm-bridge-oauth', KEY_LENGTH);
+}
+
+function getTokenFilePath(): string {
+  const dir = join(homedir(), '.config', 'llm-bridge');
+  mkdirSync(dir, { recursive: true });
+  return join(dir, 'tokens.enc');
+}
+
+function encrypt(data: string): string {
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, getEncryptionKey(), iv);
+  let encrypted = cipher.update(data, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+  return iv.toString('hex') + ':' + encrypted;
+}
+
+function decrypt(encryptedData: string): string {
+  const [ivHex, encrypted] = encryptedData.split(':');
+  const iv = Buffer.from(ivHex, 'hex');
+  const decipher = createDecipheriv(ALGORITHM, getEncryptionKey(), iv);
+  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+  return decrypted;
+}
+
+export function createFileStore(): TokenStore {
+  return {
+    async set(provider: string, token: StoredToken): Promise<void> {
+      const file = getTokenFilePath();
+      const existing: Record<string, StoredToken> = existsSync(file)
+        ? JSON.parse(decrypt(readFileSync(file, 'utf8')))
+        : {};
+      existing[provider] = token;
+      writeFileSync(file, encrypt(JSON.stringify(existing)));
+    },
+
+    async get(provider: string): Promise<StoredToken | null> {
+      const file = getTokenFilePath();
+      if (!existsSync(file)) return null;
+      try {
+        const existing: Record<string, StoredToken> = JSON.parse(
+          decrypt(readFileSync(file, 'utf8')),
+        );
+        return existing[provider] ?? null;
+      } catch {
+        return null;
+      }
+    },
+
+    async delete(provider: string): Promise<void> {
+      const file = getTokenFilePath();
+      if (!existsSync(file)) return;
+      try {
+        const existing: Record<string, StoredToken> = JSON.parse(
+          decrypt(readFileSync(file, 'utf8')),
+        );
+        delete existing[provider];
+        writeFileSync(file, encrypt(JSON.stringify(existing)));
+      } catch {
+        // Ignore errors on delete
+      }
+    },
+  };
+}

package/src/oauth/storage.ts

@@ -0,0 +1,6 @@
+import type { TokenStore } from './types.js';
+import { createFileStore } from './storage-file.js';
+
+export function createTokenStore(): TokenStore {
+  return createFileStore();
+}

package/src/oauth/types.ts

@@ -0,0 +1,50 @@
+export interface OAuthProvider {
+  id: string;
+  name: string;
+  authUrl: string;
+  tokenUrl: string;
+  scopes: string[];
+  clientId: string;
+  deviceFlow?: boolean;
+}
+
+export interface StoredToken {
+  version: 1;
+  accessToken: string;
+  refreshToken?: string;
+  expiresAt: number;
+  scopes: string[];
+}
+
+export interface TokenStore {
+  set(provider: string, token: StoredToken): Promise<void>;
+  get(provider: string): Promise<StoredToken | null>;
+  delete(provider: string): Promise<void>;
+}
+
+export interface OAuthConfig {
+  provider: OAuthProvider;
+  store: TokenStore;
+  onRefresh?: (newToken: StoredToken) => Promise<void>;
+  redirectUri?: string;
+}
+
+export interface PKCEState {
+  codeVerifier: string;
+  codeChallenge: string;
+  state: string;
+}
+
+export interface DeviceCodeResponse {
+  deviceCode: string;
+  userCode: string;
+  verificationUri: string;
+  expiresIn: number;
+  interval: number;
+}
+
+export interface RefreshQueueEntry {
+  promise: Promise<StoredToken>;
+  resolve: (token: StoredToken) => void;
+  reject: (error: Error) => void;
+}

package/src/plugins/copilot/auth.ts

@@ -0,0 +1,39 @@
+import type { CopilotConfig } from './types.js';
+import { createTokenStore } from '../../oauth/index.js';
+
+const COPILOT_API_BASE = 'https://api.github.com';
+
+export async function validateToken(token: string): Promise<boolean> {
+  try {
+    const response = await fetch(`${COPILOT_API_BASE}/copilot_internal/v2/token`, {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/json',
+      },
+    });
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+
+export async function getToken(config: CopilotConfig): Promise<string | null> {
+  if (config.COPILOT_TOKEN) return config.COPILOT_TOKEN;
+
+  const store = createTokenStore();
+  const token = await store.get('copilot');
+  if (token && Date.now() < token.expiresAt) {
+    return token.accessToken;
+  }
+
+  return config.COPILOT_OAUTH_TOKEN ?? null;
+}
+
+export async function refreshOAuthToken(
+  _refreshToken: string,
+  _clientId: string,
+  _clientSecret: string,
+): Promise<{ accessToken: string; refreshToken: string } | null> {
+  return null;
+}

package/src/plugins/copilot/index.ts

@@ -0,0 +1,5 @@
+export { CopilotBridgePlugin } from './plugin.js';
+export { CopilotBridgeSession } from './session.js';
+export type { CopilotModel, CopilotConfig } from './types.js';
+export { COPILOT_MODELS } from './types.js';
+export { validateToken, getToken } from './auth.js';

package/src/plugins/copilot/plugin.ts

@@ -0,0 +1,31 @@
+import type { BridgePlugin, BridgeSession, ModelInfo } from '../../core/index.js';
+import { CopilotBridgeSession } from './session.js';
+import { COPILOT_MODELS, type CopilotConfig } from './types.js';
+import { validateToken, getToken } from './auth.js';
+
+export class CopilotBridgePlugin implements BridgePlugin {
+  name = 'copilot';
+  version = '2.0.0';
+
+  async authenticate(config: Record<string, string>): Promise<boolean> {
+    const token = await getToken(config as CopilotConfig);
+    if (!token) return false;
+    return validateToken(token);
+  }
+
+  async listModels(config: Record<string, string>): Promise<ModelInfo[]> {
+    const token = await getToken(config as CopilotConfig);
+    if (!token) throw new Error('Missing COPILOT_TOKEN');
+    return COPILOT_MODELS.map((m) => ({
+      id: m.id,
+      name: m.name,
+      capabilities: m.capabilities,
+    }));
+  }
+
+  async createSession(config: Record<string, string>, model: string): Promise<BridgeSession> {
+    const token = await getToken(config as CopilotConfig);
+    if (!token) throw new Error('Missing COPILOT_TOKEN');
+    return new CopilotBridgeSession(token, model);
+  }
+}