@aigne/afs-cli 1.11.0-beta.1 → 1.11.0-beta.11

package/dist/core/index.mjs

@@ -0,0 +1,24 @@
+import { formatDeleteOutput } from "./formatters/delete.mjs";
+import { formatExecOutput } from "./formatters/exec.mjs";
+import { formatExplainOutput } from "./formatters/explain.mjs";
+import { formatLsOutput } from "./formatters/ls.mjs";
+import { formatMountListOutput } from "./formatters/mount.mjs";
+import { formatReadOutput } from "./formatters/read.mjs";
+import { formatStatOutput } from "./formatters/stat.mjs";
+import { formatWriteOutput } from "./formatters/write.mjs";
+import { cliPathToCanonical, parseCliPath } from "../path-utils.mjs";
+import "./path-utils.mjs";
+import { createDeleteCommand } from "./commands/delete.mjs";
+import { readStdin } from "./helpers/stdin.mjs";
+import { RESERVED_OPTIONS, parseExecArgs, parseExecArgsWithStdin, parseValueBySchema, schemaTypeToYargs } from "./helpers/exec-args.mjs";
+import { createExecCommand } from "./commands/exec.mjs";
+import { createExplainCommand } from "./commands/explain.mjs";
+import { createLsCommand } from "./commands/ls.mjs";
+import { createMountCommand } from "./commands/mount.mjs";
+import { createReadCommand } from "./commands/read.mjs";
+import { createStatCommand } from "./commands/stat.mjs";
+import { createWriteCommand } from "./commands/write.mjs";
+import { commandFactories } from "./commands/index.mjs";
+import { AFSCommandExecutor } from "./executor/index.mjs";
+
+export { AFSCommandExecutor, RESERVED_OPTIONS, cliPathToCanonical, commandFactories, createDeleteCommand, createExecCommand, createExplainCommand, createLsCommand, createMountCommand, createReadCommand, createStatCommand, createWriteCommand, formatDeleteOutput, formatExecOutput, formatExplainOutput, formatLsOutput, formatMountListOutput, formatReadOutput, formatStatOutput, formatWriteOutput, parseCliPath, parseExecArgs, parseExecArgsWithStdin, parseValueBySchema, readStdin, schemaTypeToYargs };

package/dist/core/path-utils.cjs

@@ -0,0 +1 @@
+const require_path_utils = require('../path-utils.cjs');

package/dist/core/path-utils.mjs

@@ -0,0 +1,3 @@
+import { cliPathToCanonical, parseCliPath } from "../path-utils.mjs";
+
+export {  };

package/dist/core/types.d.cts

@@ -0,0 +1,24 @@
+//#region src/core/types.d.ts
+/**
+ * CLI Core Types
+ *
+ * Minimal type definitions for the core CLI layer.
+ * Uses AFS native types (AFSListResult, AFSReadResult, etc.) directly.
+ */
+type ViewType = "default" | "json" | "yaml" | "llm" | "human";
+/**
+ * Simplified JSON Schema type for CLI parameter parsing
+ */
+interface JSONSchema {
+  type?: "string" | "number" | "integer" | "boolean" | "array" | "object" | "null";
+  properties?: Record<string, JSONSchema>;
+  items?: JSONSchema;
+  required?: string[];
+  description?: string;
+  default?: unknown;
+  enum?: unknown[];
+  [key: string]: unknown;
+}
+//#endregion
+export { JSONSchema, ViewType };
+//# sourceMappingURL=types.d.cts.map

package/dist/core/types.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.cts","names":[],"sources":["../../src/core/types.ts"],"mappings":";;AAWA;;;;;KAAY,QAAA;;;;UASK,UAAA;EACf,IAAA;EACA,UAAA,GAAa,MAAA,SAAe,UAAA;EAC5B,KAAA,GAAQ,UAAA;EACR,QAAA;EACA,WAAA;EACA,OAAA;EACA,IAAA;EAAA,CACC,GAAA;AAAA"}

package/dist/core/types.d.mts

@@ -0,0 +1,24 @@
+//#region src/core/types.d.ts
+/**
+ * CLI Core Types
+ *
+ * Minimal type definitions for the core CLI layer.
+ * Uses AFS native types (AFSListResult, AFSReadResult, etc.) directly.
+ */
+type ViewType = "default" | "json" | "yaml" | "llm" | "human";
+/**
+ * Simplified JSON Schema type for CLI parameter parsing
+ */
+interface JSONSchema {
+  type?: "string" | "number" | "integer" | "boolean" | "array" | "object" | "null";
+  properties?: Record<string, JSONSchema>;
+  items?: JSONSchema;
+  required?: string[];
+  description?: string;
+  default?: unknown;
+  enum?: unknown[];
+  [key: string]: unknown;
+}
+//#endregion
+export { JSONSchema, ViewType };
+//# sourceMappingURL=types.d.mts.map

package/dist/core/types.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.mts","names":[],"sources":["../../src/core/types.ts"],"mappings":";;AAWA;;;;;KAAY,QAAA;;;;UASK,UAAA;EACf,IAAA;EACA,UAAA,GAAa,MAAA,SAAe,UAAA;EAC5B,KAAA,GAAQ,UAAA;EACR,QAAA;EACA,WAAA;EACA,OAAA;EACA,IAAA;EAAA,CACC,GAAA;AAAA"}

package/dist/credential/auth-server.cjs

@@ -0,0 +1,247 @@
+const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+let node_crypto = require("node:crypto");
+let node_http = require("node:http");
+
+//#region src/credential/auth-server.ts
+/**
+* Temporary HTTP Server for credential collection.
+*
+* Supports two modes:
+* 1. Form collection: GET /auth renders a form from JSON Schema, POST /auth returns submitted data
+* 2. OAuth callback: GET /callback captures query params for waitForCallback()
+*
+* Security:
+* - Binds to 127.0.0.1 only (no external connections)
+* - One-time nonce per request to prevent CSRF
+* - Auto-closes after 5 minutes
+* - POST data is never logged
+*/
+const DEFAULT_TIMEOUT = 300 * 1e3;
+const MAX_PORT_RETRIES = 3;
+/**
+* Create a temporary auth server bound to 127.0.0.1 with a random port.
+*/
+async function createAuthServer(options) {
+	const timeout = options?.timeout ?? DEFAULT_TIMEOUT;
+	const nonce = (0, node_crypto.randomBytes)(16).toString("hex");
+	let closed = false;
+	let callbackResolve = null;
+	let formResolve = null;
+	let formSchema = null;
+	let formTitle = "AFS Credential Collection";
+	const server = (0, node_http.createServer)((req, res) => {
+		const url = new URL(req.url || "/", `http://127.0.0.1`);
+		const pathname = url.pathname;
+		res.setHeader("Access-Control-Allow-Origin", "*");
+		res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+		res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+		if (req.method === "OPTIONS") {
+			res.writeHead(204);
+			res.end();
+			return;
+		}
+		if (pathname === "/callback") handleCallback(url, req, res, nonce);
+		else if (pathname === "/auth" && req.method === "GET") handleFormGet(url, res, nonce);
+		else if (pathname === "/auth" && req.method === "POST") handleFormPost(req, res, nonce, url);
+		else {
+			res.writeHead(404, { "Content-Type": "text/plain" });
+			res.end("Not Found");
+		}
+	});
+	function handleCallback(url, _req, res, expectedNonce) {
+		if (url.searchParams.get("nonce") !== expectedNonce) {
+			res.writeHead(403, { "Content-Type": "text/plain" });
+			res.end("Forbidden: invalid nonce");
+			return;
+		}
+		const params = {};
+		for (const [key, value] of url.searchParams.entries()) if (key !== "nonce") params[key] = value;
+		res.writeHead(200, { "Content-Type": "text/html" });
+		res.end("<html><body><h2>Authorization complete.</h2><p>You can close this tab.</p></body></html>");
+		if (callbackResolve) {
+			callbackResolve(params);
+			callbackResolve = null;
+		}
+	}
+	function handleFormGet(url, res, expectedNonce) {
+		if (url.searchParams.get("nonce") !== expectedNonce) {
+			res.writeHead(403, { "Content-Type": "text/plain" });
+			res.end("Forbidden: invalid nonce");
+			return;
+		}
+		if (!formSchema) {
+			res.writeHead(400, { "Content-Type": "text/plain" });
+			res.end("No form schema available");
+			return;
+		}
+		const html = renderFormHTML(formSchema, formTitle, expectedNonce);
+		res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+		res.end(html);
+	}
+	function handleFormPost(req, res, expectedNonce, url) {
+		if (url.searchParams.get("nonce") !== expectedNonce) {
+			res.writeHead(403, { "Content-Type": "text/plain" });
+			res.end("Forbidden: invalid nonce");
+			return;
+		}
+		let body = "";
+		req.on("data", (chunk) => {
+			body += chunk.toString();
+		});
+		req.on("end", () => {
+			let data;
+			if ((req.headers["content-type"] || "").includes("application/json")) try {
+				data = JSON.parse(body);
+			} catch {
+				res.writeHead(400, { "Content-Type": "text/plain" });
+				res.end("Invalid JSON");
+				return;
+			}
+			else {
+				const params = new URLSearchParams(body);
+				data = {};
+				for (const [key, value] of params.entries()) if (key !== "nonce") data[key] = value;
+				if (formSchema?.properties) for (const [key, value] of Object.entries(data)) {
+					const prop = formSchema.properties[key];
+					if (!prop) continue;
+					const strValue = String(value);
+					if (prop.type === "number" || prop.type === "integer") {
+						const num = Number(strValue);
+						if (!Number.isNaN(num) && strValue !== "") data[key] = num;
+					} else if (prop.type === "boolean") {
+						if (strValue === "true" || strValue === "1") data[key] = true;
+						else if (strValue === "false" || strValue === "0" || strValue === "") data[key] = false;
+					}
+					if (strValue === "" && prop.type !== "string") delete data[key];
+				}
+			}
+			res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+			res.end("<html><body><h2>Credentials received.</h2><p>You can close this tab.</p></body></html>");
+			if (formResolve) {
+				formResolve(data);
+				formResolve = null;
+			}
+		});
+	}
+	const port = await startServer(server, MAX_PORT_RETRIES);
+	const autoCloseTimer = setTimeout(() => {
+		closeServer();
+	}, timeout);
+	function closeServer() {
+		if (closed) return;
+		closed = true;
+		clearTimeout(autoCloseTimer);
+		server.close();
+		if (callbackResolve) {
+			callbackResolve(null);
+			callbackResolve = null;
+		}
+		if (formResolve) {
+			formResolve(null);
+			formResolve = null;
+		}
+	}
+	const baseURL = `http://127.0.0.1:${port}`;
+	return {
+		baseURL,
+		callbackURL: `${baseURL}/callback?nonce=${nonce}`,
+		nonce,
+		port,
+		waitForCallback(opts) {
+			if (closed) return Promise.resolve(null);
+			return new Promise((resolve) => {
+				callbackResolve = resolve;
+				if (opts?.timeout) setTimeout(() => {
+					if (callbackResolve === resolve) {
+						callbackResolve = null;
+						resolve(null);
+					}
+				}, opts.timeout);
+			});
+		},
+		waitForForm(schema, opts) {
+			if (closed) return Promise.resolve(null);
+			formSchema = schema;
+			if (opts?.title) formTitle = opts.title;
+			return new Promise((resolve) => {
+				formResolve = resolve;
+				if (opts?.timeout) setTimeout(() => {
+					if (formResolve === resolve) {
+						formResolve = null;
+						resolve(null);
+					}
+				}, opts.timeout);
+			});
+		},
+		close: closeServer
+	};
+}
+async function startServer(server, maxRetries) {
+	for (let attempt = 0; attempt <= maxRetries; attempt++) try {
+		return await new Promise((resolve, reject) => {
+			server.listen(0, "127.0.0.1", () => {
+				const addr = server.address();
+				if (addr && typeof addr === "object") resolve(addr.port);
+				else reject(/* @__PURE__ */ new Error("Failed to get server address"));
+			});
+			server.on("error", reject);
+		});
+	} catch (err) {
+		if (attempt === maxRetries) throw new Error(`Failed to start auth server after ${maxRetries + 1} attempts: ${err.message}`);
+		server.close();
+	}
+	throw new Error("Failed to start auth server");
+}
+function renderFormHTML(schema, title, nonce) {
+	const properties = schema.properties || {};
+	const required = new Set(schema.required || []);
+	let fields = "";
+	for (const [key, prop] of Object.entries(properties)) {
+		const label = prop.description || key;
+		const isSensitive = prop.sensitive === true;
+		const isRequired = required.has(key);
+		const inputType = isSensitive ? "password" : "text";
+		const defaultValue = prop.default != null ? String(prop.default) : "";
+		fields += `
+      <div style="margin-bottom: 12px;">
+        <label for="${escapeHTML(key)}" style="display: block; font-weight: 600; margin-bottom: 4px;">
+          ${escapeHTML(label)}${isRequired ? " *" : ""}
+        </label>
+        <input
+          type="${inputType}"
+          id="${escapeHTML(key)}"
+          name="${escapeHTML(key)}"
+          value="${escapeHTML(defaultValue)}"
+          ${isRequired ? "required" : ""}
+          style="width: 100%; padding: 8px; border: 1px solid #ccc; border-radius: 4px; font-size: 14px;"
+          autocomplete="off"
+        />
+      </div>`;
+	}
+	return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>${escapeHTML(title)}</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; max-width: 480px; margin: 40px auto; padding: 0 20px; }
+    h2 { color: #333; }
+    button { background: #2563eb; color: white; border: none; padding: 10px 24px; border-radius: 4px; font-size: 14px; cursor: pointer; }
+    button:hover { background: #1d4ed8; }
+  </style>
+</head>
+<body>
+  <h2>${escapeHTML(title)}</h2>
+  <form method="POST" action="/auth?nonce=${escapeHTML(nonce)}">
+    ${fields}
+    <button type="submit">Submit</button>
+  </form>
+</body>
+</html>`;
+}
+function escapeHTML(str) {
+	return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+
+//#endregion
+exports.createAuthServer = createAuthServer;

package/dist/credential/auth-server.mjs

@@ -0,0 +1,247 @@
+import { randomBytes } from "node:crypto";
+import { createServer } from "node:http";
+
+//#region src/credential/auth-server.ts
+/**
+* Temporary HTTP Server for credential collection.
+*
+* Supports two modes:
+* 1. Form collection: GET /auth renders a form from JSON Schema, POST /auth returns submitted data
+* 2. OAuth callback: GET /callback captures query params for waitForCallback()
+*
+* Security:
+* - Binds to 127.0.0.1 only (no external connections)
+* - One-time nonce per request to prevent CSRF
+* - Auto-closes after 5 minutes
+* - POST data is never logged
+*/
+const DEFAULT_TIMEOUT = 300 * 1e3;
+const MAX_PORT_RETRIES = 3;
+/**
+* Create a temporary auth server bound to 127.0.0.1 with a random port.
+*/
+async function createAuthServer(options) {
+	const timeout = options?.timeout ?? DEFAULT_TIMEOUT;
+	const nonce = randomBytes(16).toString("hex");
+	let closed = false;
+	let callbackResolve = null;
+	let formResolve = null;
+	let formSchema = null;
+	let formTitle = "AFS Credential Collection";
+	const server = createServer((req, res) => {
+		const url = new URL(req.url || "/", `http://127.0.0.1`);
+		const pathname = url.pathname;
+		res.setHeader("Access-Control-Allow-Origin", "*");
+		res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+		res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+		if (req.method === "OPTIONS") {
+			res.writeHead(204);
+			res.end();
+			return;
+		}
+		if (pathname === "/callback") handleCallback(url, req, res, nonce);
+		else if (pathname === "/auth" && req.method === "GET") handleFormGet(url, res, nonce);
+		else if (pathname === "/auth" && req.method === "POST") handleFormPost(req, res, nonce, url);
+		else {
+			res.writeHead(404, { "Content-Type": "text/plain" });
+			res.end("Not Found");
+		}
+	});
+	function handleCallback(url, _req, res, expectedNonce) {
+		if (url.searchParams.get("nonce") !== expectedNonce) {
+			res.writeHead(403, { "Content-Type": "text/plain" });
+			res.end("Forbidden: invalid nonce");
+			return;
+		}
+		const params = {};
+		for (const [key, value] of url.searchParams.entries()) if (key !== "nonce") params[key] = value;
+		res.writeHead(200, { "Content-Type": "text/html" });
+		res.end("<html><body><h2>Authorization complete.</h2><p>You can close this tab.</p></body></html>");
+		if (callbackResolve) {
+			callbackResolve(params);
+			callbackResolve = null;
+		}
+	}
+	function handleFormGet(url, res, expectedNonce) {
+		if (url.searchParams.get("nonce") !== expectedNonce) {
+			res.writeHead(403, { "Content-Type": "text/plain" });
+			res.end("Forbidden: invalid nonce");
+			return;
+		}
+		if (!formSchema) {
+			res.writeHead(400, { "Content-Type": "text/plain" });
+			res.end("No form schema available");
+			return;
+		}
+		const html = renderFormHTML(formSchema, formTitle, expectedNonce);
+		res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+		res.end(html);
+	}
+	function handleFormPost(req, res, expectedNonce, url) {
+		if (url.searchParams.get("nonce") !== expectedNonce) {
+			res.writeHead(403, { "Content-Type": "text/plain" });
+			res.end("Forbidden: invalid nonce");
+			return;
+		}
+		let body = "";
+		req.on("data", (chunk) => {
+			body += chunk.toString();
+		});
+		req.on("end", () => {
+			let data;
+			if ((req.headers["content-type"] || "").includes("application/json")) try {
+				data = JSON.parse(body);
+			} catch {
+				res.writeHead(400, { "Content-Type": "text/plain" });
+				res.end("Invalid JSON");
+				return;
+			}
+			else {
+				const params = new URLSearchParams(body);
+				data = {};
+				for (const [key, value] of params.entries()) if (key !== "nonce") data[key] = value;
+				if (formSchema?.properties) for (const [key, value] of Object.entries(data)) {
+					const prop = formSchema.properties[key];
+					if (!prop) continue;
+					const strValue = String(value);
+					if (prop.type === "number" || prop.type === "integer") {
+						const num = Number(strValue);
+						if (!Number.isNaN(num) && strValue !== "") data[key] = num;
+					} else if (prop.type === "boolean") {
+						if (strValue === "true" || strValue === "1") data[key] = true;
+						else if (strValue === "false" || strValue === "0" || strValue === "") data[key] = false;
+					}
+					if (strValue === "" && prop.type !== "string") delete data[key];
+				}
+			}
+			res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+			res.end("<html><body><h2>Credentials received.</h2><p>You can close this tab.</p></body></html>");
+			if (formResolve) {
+				formResolve(data);
+				formResolve = null;
+			}
+		});
+	}
+	const port = await startServer(server, MAX_PORT_RETRIES);
+	const autoCloseTimer = setTimeout(() => {
+		closeServer();
+	}, timeout);
+	function closeServer() {
+		if (closed) return;
+		closed = true;
+		clearTimeout(autoCloseTimer);
+		server.close();
+		if (callbackResolve) {
+			callbackResolve(null);
+			callbackResolve = null;
+		}
+		if (formResolve) {
+			formResolve(null);
+			formResolve = null;
+		}
+	}
+	const baseURL = `http://127.0.0.1:${port}`;
+	return {
+		baseURL,
+		callbackURL: `${baseURL}/callback?nonce=${nonce}`,
+		nonce,
+		port,
+		waitForCallback(opts) {
+			if (closed) return Promise.resolve(null);
+			return new Promise((resolve) => {
+				callbackResolve = resolve;
+				if (opts?.timeout) setTimeout(() => {
+					if (callbackResolve === resolve) {
+						callbackResolve = null;
+						resolve(null);
+					}
+				}, opts.timeout);
+			});
+		},
+		waitForForm(schema, opts) {
+			if (closed) return Promise.resolve(null);
+			formSchema = schema;
+			if (opts?.title) formTitle = opts.title;
+			return new Promise((resolve) => {
+				formResolve = resolve;
+				if (opts?.timeout) setTimeout(() => {
+					if (formResolve === resolve) {
+						formResolve = null;
+						resolve(null);
+					}
+				}, opts.timeout);
+			});
+		},
+		close: closeServer
+	};
+}
+async function startServer(server, maxRetries) {
+	for (let attempt = 0; attempt <= maxRetries; attempt++) try {
+		return await new Promise((resolve, reject) => {
+			server.listen(0, "127.0.0.1", () => {
+				const addr = server.address();
+				if (addr && typeof addr === "object") resolve(addr.port);
+				else reject(/* @__PURE__ */ new Error("Failed to get server address"));
+			});
+			server.on("error", reject);
+		});
+	} catch (err) {
+		if (attempt === maxRetries) throw new Error(`Failed to start auth server after ${maxRetries + 1} attempts: ${err.message}`);
+		server.close();
+	}
+	throw new Error("Failed to start auth server");
+}
+function renderFormHTML(schema, title, nonce) {
+	const properties = schema.properties || {};
+	const required = new Set(schema.required || []);
+	let fields = "";
+	for (const [key, prop] of Object.entries(properties)) {
+		const label = prop.description || key;
+		const isSensitive = prop.sensitive === true;
+		const isRequired = required.has(key);
+		const inputType = isSensitive ? "password" : "text";
+		const defaultValue = prop.default != null ? String(prop.default) : "";
+		fields += `
+      <div style="margin-bottom: 12px;">
+        <label for="${escapeHTML(key)}" style="display: block; font-weight: 600; margin-bottom: 4px;">
+          ${escapeHTML(label)}${isRequired ? " *" : ""}
+        </label>
+        <input
+          type="${inputType}"
+          id="${escapeHTML(key)}"
+          name="${escapeHTML(key)}"
+          value="${escapeHTML(defaultValue)}"
+          ${isRequired ? "required" : ""}
+          style="width: 100%; padding: 8px; border: 1px solid #ccc; border-radius: 4px; font-size: 14px;"
+          autocomplete="off"
+        />
+      </div>`;
+	}
+	return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>${escapeHTML(title)}</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; max-width: 480px; margin: 40px auto; padding: 0 20px; }
+    h2 { color: #333; }
+    button { background: #2563eb; color: white; border: none; padding: 10px 24px; border-radius: 4px; font-size: 14px; cursor: pointer; }
+    button:hover { background: #1d4ed8; }
+  </style>
+</head>
+<body>
+  <h2>${escapeHTML(title)}</h2>
+  <form method="POST" action="/auth?nonce=${escapeHTML(nonce)}">
+    ${fields}
+    <button type="submit">Submit</button>
+  </form>
+</body>
+</html>`;
+}
+function escapeHTML(str) {
+	return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+
+//#endregion
+export { createAuthServer };
+//# sourceMappingURL=auth-server.mjs.map

package/dist/credential/auth-server.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-server.mjs","names":[],"sources":["../../src/credential/auth-server.ts"],"sourcesContent":["/**\n * Temporary HTTP Server for credential collection.\n *\n * Supports two modes:\n * 1. Form collection: GET /auth renders a form from JSON Schema, POST /auth returns submitted data\n * 2. OAuth callback: GET /callback captures query params for waitForCallback()\n *\n * Security:\n * - Binds to 127.0.0.1 only (no external connections)\n * - One-time nonce per request to prevent CSRF\n * - Auto-closes after 5 minutes\n * - POST data is never logged\n */\n\nimport { randomBytes } from \"node:crypto\";\nimport { createServer, type IncomingMessage, type Server, type ServerResponse } from \"node:http\";\n\nconst DEFAULT_TIMEOUT = 5 * 60 * 1000; // 5 minutes\nconst MAX_PORT_RETRIES = 3;\n\nexport interface AuthServer {\n  /** Base URL of the server, e.g. http://127.0.0.1:12345 */\n  baseURL: string;\n\n  /** Callback URL for OAuth redirects: baseURL + /callback */\n  callbackURL: string;\n\n  /** Wait for a callback request at /callback. Returns query params or null on timeout/close. */\n  waitForCallback(options?: { timeout?: number }): Promise<Record<string, string> | null>;\n\n  /**\n   * Serve a form for collecting fields, wait for submission.\n   * Returns submitted values or null on timeout/close.\n   *\n   * @param schema - JSON Schema describing fields to collect\n   * @param options - Optional title and timeout\n   */\n  waitForForm(\n    schema: Record<string, any>,\n    options?: { title?: string; timeout?: number },\n  ): Promise<Record<string, unknown> | null>;\n\n  /** Close the server. Idempotent. */\n  close(): void;\n\n  /** The one-time nonce for this server session */\n  readonly nonce: string;\n\n  /** The port the server is listening on */\n  readonly port: number;\n}\n\nexport interface CreateAuthServerOptions {\n  /** Timeout in ms before auto-close. Default: 5 minutes. */\n  timeout?: number;\n}\n\n/**\n * Create a temporary auth server bound to 127.0.0.1 with a random port.\n */\nexport async function createAuthServer(options?: CreateAuthServerOptions): Promise<AuthServer> {\n  const timeout = options?.timeout ?? DEFAULT_TIMEOUT;\n  const nonce = randomBytes(16).toString(\"hex\");\n\n  let closed = false;\n  let callbackResolve: ((value: Record<string, string> | null) => void) | null = null;\n  let formResolve: ((value: Record<string, unknown> | null) => void) | null = null;\n  let formSchema: Record<string, any> | null = null;\n  let formTitle = \"AFS Credential Collection\";\n\n  const server = createServer((req, res) => {\n    const url = new URL(req.url || \"/\", `http://127.0.0.1`);\n    const pathname = url.pathname;\n\n    // CORS headers for local browser forms\n    res.setHeader(\"Access-Control-Allow-Origin\", \"*\");\n    res.setHeader(\"Access-Control-Allow-Methods\", \"GET, POST, OPTIONS\");\n    res.setHeader(\"Access-Control-Allow-Headers\", \"Content-Type\");\n\n    if (req.method === \"OPTIONS\") {\n      res.writeHead(204);\n      res.end();\n      return;\n    }\n\n    if (pathname === \"/callback\") {\n      handleCallback(url, req, res, nonce);\n    } else if (pathname === \"/auth\" && req.method === \"GET\") {\n      handleFormGet(url, res, nonce);\n    } else if (pathname === \"/auth\" && req.method === \"POST\") {\n      handleFormPost(req, res, nonce, url);\n    } else {\n      res.writeHead(404, { \"Content-Type\": \"text/plain\" });\n      res.end(\"Not Found\");\n    }\n  });\n\n  function handleCallback(\n    url: URL,\n    _req: IncomingMessage,\n    res: ServerResponse,\n    expectedNonce: string,\n  ): void {\n    const reqNonce = url.searchParams.get(\"nonce\");\n    if (reqNonce !== expectedNonce) {\n      res.writeHead(403, { \"Content-Type\": \"text/plain\" });\n      res.end(\"Forbidden: invalid nonce\");\n      return;\n    }\n\n    const params: Record<string, string> = {};\n    for (const [key, value] of url.searchParams.entries()) {\n      if (key !== \"nonce\") {\n        params[key] = value;\n      }\n    }\n\n    res.writeHead(200, { \"Content-Type\": \"text/html\" });\n    res.end(\n      \"<html><body><h2>Authorization complete.</h2><p>You can close this tab.</p></body></html>\",\n    );\n\n    if (callbackResolve) {\n      callbackResolve(params);\n      callbackResolve = null;\n    }\n  }\n\n  function handleFormGet(url: URL, res: ServerResponse, expectedNonce: string): void {\n    const reqNonce = url.searchParams.get(\"nonce\");\n    if (reqNonce !== expectedNonce) {\n      res.writeHead(403, { \"Content-Type\": \"text/plain\" });\n      res.end(\"Forbidden: invalid nonce\");\n      return;\n    }\n\n    if (!formSchema) {\n      res.writeHead(400, { \"Content-Type\": \"text/plain\" });\n      res.end(\"No form schema available\");\n      return;\n    }\n\n    const html = renderFormHTML(formSchema, formTitle, expectedNonce);\n    res.writeHead(200, { \"Content-Type\": \"text/html; charset=utf-8\" });\n    res.end(html);\n  }\n\n  function handleFormPost(\n    req: IncomingMessage,\n    res: ServerResponse,\n    expectedNonce: string,\n    url: URL,\n  ): void {\n    const reqNonce = url.searchParams.get(\"nonce\");\n    if (reqNonce !== expectedNonce) {\n      res.writeHead(403, { \"Content-Type\": \"text/plain\" });\n      res.end(\"Forbidden: invalid nonce\");\n      return;\n    }\n\n    let body = \"\";\n    req.on(\"data\", (chunk: Buffer) => {\n      body += chunk.toString();\n    });\n    req.on(\"end\", () => {\n      let data: Record<string, unknown>;\n      const contentType = req.headers[\"content-type\"] || \"\";\n\n      if (contentType.includes(\"application/json\")) {\n        try {\n          data = JSON.parse(body);\n        } catch {\n          res.writeHead(400, { \"Content-Type\": \"text/plain\" });\n          res.end(\"Invalid JSON\");\n          return;\n        }\n      } else {\n        // URL-encoded form data\n        const params = new URLSearchParams(body);\n        data = {};\n        for (const [key, value] of params.entries()) {\n          if (key !== \"nonce\") {\n            data[key] = value;\n          }\n        }\n        // Coerce string values to match schema types (HTML forms always submit strings)\n        if (formSchema?.properties) {\n          for (const [key, value] of Object.entries(data)) {\n            const prop = (formSchema.properties as Record<string, any>)[key];\n            if (!prop) continue;\n            const strValue = String(value);\n            if (prop.type === \"number\" || prop.type === \"integer\") {\n              const num = Number(strValue);\n              if (!Number.isNaN(num) && strValue !== \"\") data[key] = num;\n            } else if (prop.type === \"boolean\") {\n              if (strValue === \"true\" || strValue === \"1\") data[key] = true;\n              else if (strValue === \"false\" || strValue === \"0\" || strValue === \"\")\n                data[key] = false;\n            }\n            // Remove empty strings for non-string optional fields (let defaults apply)\n            if (strValue === \"\" && prop.type !== \"string\") {\n              delete data[key];\n            }\n          }\n        }\n      }\n\n      res.writeHead(200, { \"Content-Type\": \"text/html; charset=utf-8\" });\n      res.end(\n        \"<html><body><h2>Credentials received.</h2><p>You can close this tab.</p></body></html>\",\n      );\n\n      if (formResolve) {\n        formResolve(data);\n        formResolve = null;\n      }\n    });\n  }\n\n  // Start server with port retry\n  const port = await startServer(server, MAX_PORT_RETRIES);\n\n  // Auto-close timeout\n  const autoCloseTimer = setTimeout(() => {\n    closeServer();\n  }, timeout);\n\n  function closeServer(): void {\n    if (closed) return;\n    closed = true;\n    clearTimeout(autoCloseTimer);\n    server.close();\n\n    // Resolve any pending waiters with null\n    if (callbackResolve) {\n      callbackResolve(null);\n      callbackResolve = null;\n    }\n    if (formResolve) {\n      formResolve(null);\n      formResolve = null;\n    }\n  }\n\n  const baseURL = `http://127.0.0.1:${port}`;\n\n  return {\n    baseURL,\n    callbackURL: `${baseURL}/callback?nonce=${nonce}`,\n    nonce,\n    port,\n\n    waitForCallback(opts?: { timeout?: number }): Promise<Record<string, string> | null> {\n      if (closed) return Promise.resolve(null);\n\n      return new Promise((resolve) => {\n        callbackResolve = resolve;\n\n        if (opts?.timeout) {\n          setTimeout(() => {\n            if (callbackResolve === resolve) {\n              callbackResolve = null;\n              resolve(null);\n            }\n          }, opts.timeout);\n        }\n      });\n    },\n\n    waitForForm(\n      schema: Record<string, any>,\n      opts?: { title?: string; timeout?: number },\n    ): Promise<Record<string, unknown> | null> {\n      if (closed) return Promise.resolve(null);\n\n      formSchema = schema;\n      if (opts?.title) formTitle = opts.title;\n\n      return new Promise((resolve) => {\n        formResolve = resolve;\n\n        if (opts?.timeout) {\n          setTimeout(() => {\n            if (formResolve === resolve) {\n              formResolve = null;\n              resolve(null);\n            }\n          }, opts.timeout);\n        }\n      });\n    },\n\n    close: closeServer,\n  };\n}\n\nasync function startServer(server: Server, maxRetries: number): Promise<number> {\n  for (let attempt = 0; attempt <= maxRetries; attempt++) {\n    try {\n      return await new Promise<number>((resolve, reject) => {\n        server.listen(0, \"127.0.0.1\", () => {\n          const addr = server.address();\n          if (addr && typeof addr === \"object\") {\n            resolve(addr.port);\n          } else {\n            reject(new Error(\"Failed to get server address\"));\n          }\n        });\n        server.on(\"error\", reject);\n      });\n    } catch (err: any) {\n      if (attempt === maxRetries) {\n        throw new Error(\n          `Failed to start auth server after ${maxRetries + 1} attempts: ${err.message}`,\n        );\n      }\n      // Close and retry\n      server.close();\n    }\n  }\n  throw new Error(\"Failed to start auth server\");\n}\n\nfunction renderFormHTML(schema: Record<string, any>, title: string, nonce: string): string {\n  const properties = schema.properties || {};\n  const required = new Set(schema.required || []);\n\n  let fields = \"\";\n  for (const [key, prop] of Object.entries(properties) as [string, any][]) {\n    const label = prop.description || key;\n    const isSensitive = prop.sensitive === true;\n    const isRequired = required.has(key);\n    const inputType = isSensitive ? \"password\" : \"text\";\n    const defaultValue = prop.default != null ? String(prop.default) : \"\";\n\n    fields += `\n      <div style=\"margin-bottom: 12px;\">\n        <label for=\"${escapeHTML(key)}\" style=\"display: block; font-weight: 600; margin-bottom: 4px;\">\n          ${escapeHTML(label)}${isRequired ? \" *\" : \"\"}\n        </label>\n        <input\n          type=\"${inputType}\"\n          id=\"${escapeHTML(key)}\"\n          name=\"${escapeHTML(key)}\"\n          value=\"${escapeHTML(defaultValue)}\"\n          ${isRequired ? \"required\" : \"\"}\n          style=\"width: 100%; padding: 8px; border: 1px solid #ccc; border-radius: 4px; font-size: 14px;\"\n          autocomplete=\"off\"\n        />\n      </div>`;\n  }\n\n  return `<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>${escapeHTML(title)}</title>\n  <style>\n    body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; max-width: 480px; margin: 40px auto; padding: 0 20px; }\n    h2 { color: #333; }\n    button { background: #2563eb; color: white; border: none; padding: 10px 24px; border-radius: 4px; font-size: 14px; cursor: pointer; }\n    button:hover { background: #1d4ed8; }\n  </style>\n</head>\n<body>\n  <h2>${escapeHTML(title)}</h2>\n  <form method=\"POST\" action=\"/auth?nonce=${escapeHTML(nonce)}\">\n    ${fields}\n    <button type=\"submit\">Submit</button>\n  </form>\n</body>\n</html>`;\n}\n\nfunction escapeHTML(str: string): string {\n  return str\n    .replace(/&/g, \"&amp;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/'/g, \"&#39;\");\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAiBA,MAAM,kBAAkB,MAAS;AACjC,MAAM,mBAAmB;;;;AA0CzB,eAAsB,iBAAiB,SAAwD;CAC7F,MAAM,UAAU,SAAS,WAAW;CACpC,MAAM,QAAQ,YAAY,GAAG,CAAC,SAAS,MAAM;CAE7C,IAAI,SAAS;CACb,IAAI,kBAA2E;CAC/E,IAAI,cAAwE;CAC5E,IAAI,aAAyC;CAC7C,IAAI,YAAY;CAEhB,MAAM,SAAS,cAAc,KAAK,QAAQ;EACxC,MAAM,MAAM,IAAI,IAAI,IAAI,OAAO,KAAK,mBAAmB;EACvD,MAAM,WAAW,IAAI;AAGrB,MAAI,UAAU,+BAA+B,IAAI;AACjD,MAAI,UAAU,gCAAgC,qBAAqB;AACnE,MAAI,UAAU,gCAAgC,eAAe;AAE7D,MAAI,IAAI,WAAW,WAAW;AAC5B,OAAI,UAAU,IAAI;AAClB,OAAI,KAAK;AACT;;AAGF,MAAI,aAAa,YACf,gBAAe,KAAK,KAAK,KAAK,MAAM;WAC3B,aAAa,WAAW,IAAI,WAAW,MAChD,eAAc,KAAK,KAAK,MAAM;WACrB,aAAa,WAAW,IAAI,WAAW,OAChD,gBAAe,KAAK,KAAK,OAAO,IAAI;OAC/B;AACL,OAAI,UAAU,KAAK,EAAE,gBAAgB,cAAc,CAAC;AACpD,OAAI,IAAI,YAAY;;GAEtB;CAEF,SAAS,eACP,KACA,MACA,KACA,eACM;AAEN,MADiB,IAAI,aAAa,IAAI,QAAQ,KAC7B,eAAe;AAC9B,OAAI,UAAU,KAAK,EAAE,gBAAgB,cAAc,CAAC;AACpD,OAAI,IAAI,2BAA2B;AACnC;;EAGF,MAAM,SAAiC,EAAE;AACzC,OAAK,MAAM,CAAC,KAAK,UAAU,IAAI,aAAa,SAAS,CACnD,KAAI,QAAQ,QACV,QAAO,OAAO;AAIlB,MAAI,UAAU,KAAK,EAAE,gBAAgB,aAAa,CAAC;AACnD,MAAI,IACF,2FACD;AAED,MAAI,iBAAiB;AACnB,mBAAgB,OAAO;AACvB,qBAAkB;;;CAItB,SAAS,cAAc,KAAU,KAAqB,eAA6B;AAEjF,MADiB,IAAI,aAAa,IAAI,QAAQ,KAC7B,eAAe;AAC9B,OAAI,UAAU,KAAK,EAAE,gBAAgB,cAAc,CAAC;AACpD,OAAI,IAAI,2BAA2B;AACnC;;AAGF,MAAI,CAAC,YAAY;AACf,OAAI,UAAU,KAAK,EAAE,gBAAgB,cAAc,CAAC;AACpD,OAAI,IAAI,2BAA2B;AACnC;;EAGF,MAAM,OAAO,eAAe,YAAY,WAAW,cAAc;AACjE,MAAI,UAAU,KAAK,EAAE,gBAAgB,4BAA4B,CAAC;AAClE,MAAI,IAAI,KAAK;;CAGf,SAAS,eACP,KACA,KACA,eACA,KACM;AAEN,MADiB,IAAI,aAAa,IAAI,QAAQ,KAC7B,eAAe;AAC9B,OAAI,UAAU,KAAK,EAAE,gBAAgB,cAAc,CAAC;AACpD,OAAI,IAAI,2BAA2B;AACnC;;EAGF,IAAI,OAAO;AACX,MAAI,GAAG,SAAS,UAAkB;AAChC,WAAQ,MAAM,UAAU;IACxB;AACF,MAAI,GAAG,aAAa;GAClB,IAAI;AAGJ,QAFoB,IAAI,QAAQ,mBAAmB,IAEnC,SAAS,mBAAmB,CAC1C,KAAI;AACF,WAAO,KAAK,MAAM,KAAK;WACjB;AACN,QAAI,UAAU,KAAK,EAAE,gBAAgB,cAAc,CAAC;AACpD,QAAI,IAAI,eAAe;AACvB;;QAEG;IAEL,MAAM,SAAS,IAAI,gBAAgB,KAAK;AACxC,WAAO,EAAE;AACT,SAAK,MAAM,CAAC,KAAK,UAAU,OAAO,SAAS,CACzC,KAAI,QAAQ,QACV,MAAK,OAAO;AAIhB,QAAI,YAAY,WACd,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,EAAE;KAC/C,MAAM,OAAQ,WAAW,WAAmC;AAC5D,SAAI,CAAC,KAAM;KACX,MAAM,WAAW,OAAO,MAAM;AAC9B,SAAI,KAAK,SAAS,YAAY,KAAK,SAAS,WAAW;MACrD,MAAM,MAAM,OAAO,SAAS;AAC5B,UAAI,CAAC,OAAO,MAAM,IAAI,IAAI,aAAa,GAAI,MAAK,OAAO;gBAC9C,KAAK,SAAS,WACvB;UAAI,aAAa,UAAU,aAAa,IAAK,MAAK,OAAO;eAChD,aAAa,WAAW,aAAa,OAAO,aAAa,GAChE,MAAK,OAAO;;AAGhB,SAAI,aAAa,MAAM,KAAK,SAAS,SACnC,QAAO,KAAK;;;AAMpB,OAAI,UAAU,KAAK,EAAE,gBAAgB,4BAA4B,CAAC;AAClE,OAAI,IACF,yFACD;AAED,OAAI,aAAa;AACf,gBAAY,KAAK;AACjB,kBAAc;;IAEhB;;CAIJ,MAAM,OAAO,MAAM,YAAY,QAAQ,iBAAiB;CAGxD,MAAM,iBAAiB,iBAAiB;AACtC,eAAa;IACZ,QAAQ;CAEX,SAAS,cAAoB;AAC3B,MAAI,OAAQ;AACZ,WAAS;AACT,eAAa,eAAe;AAC5B,SAAO,OAAO;AAGd,MAAI,iBAAiB;AACnB,mBAAgB,KAAK;AACrB,qBAAkB;;AAEpB,MAAI,aAAa;AACf,eAAY,KAAK;AACjB,iBAAc;;;CAIlB,MAAM,UAAU,oBAAoB;AAEpC,QAAO;EACL;EACA,aAAa,GAAG,QAAQ,kBAAkB;EAC1C;EACA;EAEA,gBAAgB,MAAqE;AACnF,OAAI,OAAQ,QAAO,QAAQ,QAAQ,KAAK;AAExC,UAAO,IAAI,SAAS,YAAY;AAC9B,sBAAkB;AAElB,QAAI,MAAM,QACR,kBAAiB;AACf,SAAI,oBAAoB,SAAS;AAC/B,wBAAkB;AAClB,cAAQ,KAAK;;OAEd,KAAK,QAAQ;KAElB;;EAGJ,YACE,QACA,MACyC;AACzC,OAAI,OAAQ,QAAO,QAAQ,QAAQ,KAAK;AAExC,gBAAa;AACb,OAAI,MAAM,MAAO,aAAY,KAAK;AAElC,UAAO,IAAI,SAAS,YAAY;AAC9B,kBAAc;AAEd,QAAI,MAAM,QACR,kBAAiB;AACf,SAAI,gBAAgB,SAAS;AAC3B,oBAAc;AACd,cAAQ,KAAK;;OAEd,KAAK,QAAQ;KAElB;;EAGJ,OAAO;EACR;;AAGH,eAAe,YAAY,QAAgB,YAAqC;AAC9E,MAAK,IAAI,UAAU,GAAG,WAAW,YAAY,UAC3C,KAAI;AACF,SAAO,MAAM,IAAI,SAAiB,SAAS,WAAW;AACpD,UAAO,OAAO,GAAG,mBAAmB;IAClC,MAAM,OAAO,OAAO,SAAS;AAC7B,QAAI,QAAQ,OAAO,SAAS,SAC1B,SAAQ,KAAK,KAAK;QAElB,wBAAO,IAAI,MAAM,+BAA+B,CAAC;KAEnD;AACF,UAAO,GAAG,SAAS,OAAO;IAC1B;UACK,KAAU;AACjB,MAAI,YAAY,WACd,OAAM,IAAI,MACR,qCAAqC,aAAa,EAAE,aAAa,IAAI,UACtE;AAGH,SAAO,OAAO;;AAGlB,OAAM,IAAI,MAAM,8BAA8B;;AAGhD,SAAS,eAAe,QAA6B,OAAe,OAAuB;CACzF,MAAM,aAAa,OAAO,cAAc,EAAE;CAC1C,MAAM,WAAW,IAAI,IAAI,OAAO,YAAY,EAAE,CAAC;CAE/C,IAAI,SAAS;AACb,MAAK,MAAM,CAAC,KAAK,SAAS,OAAO,QAAQ,WAAW,EAAqB;EACvE,MAAM,QAAQ,KAAK,eAAe;EAClC,MAAM,cAAc,KAAK,cAAc;EACvC,MAAM,aAAa,SAAS,IAAI,IAAI;EACpC,MAAM,YAAY,cAAc,aAAa;EAC7C,MAAM,eAAe,KAAK,WAAW,OAAO,OAAO,KAAK,QAAQ,GAAG;AAEnE,YAAU;;sBAEQ,WAAW,IAAI,CAAC;YAC1B,WAAW,MAAM,GAAG,aAAa,OAAO,GAAG;;;kBAGrC,UAAU;gBACZ,WAAW,IAAI,CAAC;kBACd,WAAW,IAAI,CAAC;mBACf,WAAW,aAAa,CAAC;YAChC,aAAa,aAAa,GAAG;;;;;;AAOvC,QAAO;;;;WAIE,WAAW,MAAM,CAAC;;;;;;;;;QASrB,WAAW,MAAM,CAAC;4CACkB,WAAW,MAAM,CAAC;MACxD,OAAO;;;;;;AAOb,SAAS,WAAW,KAAqB;AACvC,QAAO,IACJ,QAAQ,MAAM,QAAQ,CACtB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,SAAS,CACvB,QAAQ,MAAM,QAAQ"}