@alchemy/cli 0.5.1 → 0.6.0

package/dist/chunk-BAAQ7ELR.js

@@ -0,0 +1,143 @@
+#!/usr/bin/env node
+if(process.argv.includes("--no-color"))process.env.NO_COLOR="1";
+import {
+  isRevealMode
+} from "./chunk-56ZVYB4G.js";
+
+// src/lib/secrets.ts
+function maskSecret(value) {
+  if (value.length <= 8) return "\u2022".repeat(value.length);
+  return value.slice(0, 4) + "\u2022".repeat(value.length - 8) + value.slice(-4);
+}
+function maskIf(value) {
+  return isRevealMode() ? value : maskSecret(value);
+}
+
+// src/lib/config.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { homedir } from "os";
+import { join, dirname } from "path";
+import { z } from "zod";
+var KEY_MAP = {
+  "api-key": "api_key",
+  api_key: "api_key",
+  "access-key": "access_key",
+  access_key: "access_key",
+  "webhook-api-key": "webhook_api_key",
+  webhook_api_key: "webhook_api_key",
+  network: "network",
+  verbose: "verbose",
+  "wallet-key-file": "wallet_key_file",
+  wallet_key_file: "wallet_key_file",
+  "wallet-address": "wallet_address",
+  wallet_address: "wallet_address",
+  x402: "x402",
+  "auth-token": "auth_token",
+  auth_token: "auth_token",
+  "auth-token-expires-at": "auth_token_expires_at",
+  auth_token_expires_at: "auth_token_expires_at"
+};
+var SAFE_ID_RE = /^[A-Za-z0-9:_-]{1,128}$/;
+var SAFE_NETWORK_RE = /^[A-Za-z0-9:_-]{1,128}$/;
+var MAX_SECRET_LEN = 512;
+var MAX_APP_NAME_LEN = 128;
+var CONTROL_CHAR_RE = /[\u0000-\u001f\u007f]/;
+var safeTextSchema = (maxLen) => z.string().min(1).max(maxLen).refine((value) => !CONTROL_CHAR_RE.test(value));
+var appConfigSchema = z.object({
+  id: z.string().regex(SAFE_ID_RE),
+  name: safeTextSchema(MAX_APP_NAME_LEN),
+  apiKey: safeTextSchema(MAX_SECRET_LEN),
+  webhookApiKey: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0)
+}).strip();
+var MAX_PATH_LEN = 4096;
+var configSchema = z.object({
+  api_key: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  access_key: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  webhook_api_key: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  app: appConfigSchema.optional().catch(void 0),
+  network: z.string().regex(SAFE_NETWORK_RE).optional().catch(void 0),
+  verbose: z.boolean().optional().catch(void 0),
+  wallet_key_file: safeTextSchema(MAX_PATH_LEN).optional().catch(void 0),
+  wallet_address: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  x402: z.boolean().optional().catch(void 0),
+  auth_token: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  auth_token_expires_at: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  siwe_token: safeTextSchema(MAX_PATH_LEN).optional().catch(void 0),
+  siwe_token_expires_at: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0)
+}).strip();
+function sanitizeConfig(input) {
+  const parsed = configSchema.safeParse(input);
+  if (!parsed.success) {
+    return {};
+  }
+  return parsed.data;
+}
+function getHome() {
+  return process.env.HOME || homedir();
+}
+function configPath() {
+  if (process.env.ALCHEMY_CONFIG) return process.env.ALCHEMY_CONFIG;
+  const configHome = process.env.XDG_CONFIG_HOME || join(getHome(), ".config");
+  return join(configHome, "alchemy", "config.json");
+}
+function configDir() {
+  return dirname(configPath());
+}
+function load() {
+  const p = configPath();
+  if (!existsSync(p)) return {};
+  try {
+    const data = readFileSync(p, "utf-8");
+    return sanitizeConfig(JSON.parse(data));
+  } catch {
+    console.error(`warning: could not parse config file at ${p} \u2014 using defaults`);
+    return {};
+  }
+}
+function save(cfg) {
+  const p = configPath();
+  const sanitized = sanitizeConfig(cfg);
+  mkdirSync(dirname(p), { recursive: true, mode: 493 });
+  writeFileSync(p, JSON.stringify(sanitized, null, 2) + "\n", {
+    mode: 384
+  });
+}
+function get(cfg, key) {
+  if (key === "app") {
+    if (!cfg.app) return void 0;
+    return `${cfg.app.name} (${cfg.app.id})`;
+  }
+  const mapped = KEY_MAP[key];
+  if (!mapped) return void 0;
+  const value = cfg[mapped];
+  if (value === void 0) return void 0;
+  if (typeof value === "boolean") return String(value);
+  if (typeof value === "string") return value;
+  return void 0;
+}
+function toMap(cfg) {
+  const m = {};
+  if (cfg.api_key) m["api-key"] = maskIf(cfg.api_key);
+  if (cfg.access_key) m["access-key"] = maskIf(cfg.access_key);
+  if (cfg.webhook_api_key) m["webhook-api-key"] = maskIf(cfg.webhook_api_key);
+  if (cfg.app) m["app"] = `${cfg.app.name} (${cfg.app.id})`;
+  if (cfg.network) m["network"] = cfg.network;
+  if (cfg.verbose !== void 0) m["verbose"] = String(cfg.verbose);
+  if (cfg.wallet_key_file) m["wallet-key-file"] = cfg.wallet_key_file;
+  if (cfg.wallet_address) m["wallet-address"] = cfg.wallet_address;
+  if (cfg.x402 !== void 0) m["x402"] = String(cfg.x402);
+  if (cfg.auth_token) m["auth-token"] = maskIf(cfg.auth_token);
+  if (cfg.auth_token_expires_at) m["auth-token-expires-at"] = cfg.auth_token_expires_at;
+  return m;
+}
+
+export {
+  maskIf,
+  KEY_MAP,
+  configPath,
+  configDir,
+  load,
+  save,
+  get,
+  toMap
+};

package/dist/{chunk-IGD4NIK7.js → chunk-FFMNT74F.js}

@@ -18,7 +18,7 @@ var SHARED_STYLE = `
     font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
     display: flex; justify-content: center; align-items: center;
     min-height: 100vh;
-    background: #000;
+    background: linear-gradient(180deg, #4F46E5 0%, #06B6D4 100%);
     color: #fff;
     overflow: hidden;
   }
@@ -35,7 +35,7 @@ var SHARED_STYLE = `
     letter-spacing: -0.01em;
   }
   p {
-    color: #6b6b6b;
+    color: #fff;
     font-size: 0.875rem;
   }
 `;
@@ -130,7 +130,7 @@ ${SHARED_STYLE}
 // src/lib/auth.ts
 var AUTH_PORT = 16424;
 var AUTH_CALLBACK_PATH = "/callback";
-var DEFAULT_EXPIRES_IN_SECONDS = 90 * 24 * 60 * 60;
+var OAUTH_CLIENT_ID = "alchemy-cli";
 function getAuthBaseUrl() {
   return process.env.ALCHEMY_AUTH_URL || `https://auth.${getBaseDomain()}`;
 }
@@ -140,14 +140,29 @@ function generateCodeVerifier() {
 function deriveCodeChallenge(verifier) {
   return createHash("sha256").update(verifier).digest("base64url");
 }
-function getLoginUrl(port, codeChallenge) {
+function generateState() {
+  return randomBytes(32).toString("base64url");
+}
+function getAuthorizeUrl(port, codeChallenge, state) {
   const base = getAuthBaseUrl();
-  const redirect = encodeURIComponent(`http://localhost:${port}${AUTH_CALLBACK_PATH}`);
-  let url = `${base}/login?redirectUrl=${redirect}&_t=${Date.now()}`;
-  if (codeChallenge) {
-    url += `&code_challenge=${encodeURIComponent(codeChallenge)}`;
-  }
-  return url;
+  const url = new URL(`${base}/oauth/authorize`);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", OAUTH_CLIENT_ID);
+  url.searchParams.set("redirect_uri", `http://localhost:${port}${AUTH_CALLBACK_PATH}`);
+  url.searchParams.set("code_challenge", codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("state", state);
+  return url.toString();
+}
+function prepareBrowserLogin(port = AUTH_PORT) {
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = deriveCodeChallenge(codeVerifier);
+  const state = generateState();
+  return {
+    authorizeUrl: getAuthorizeUrl(port, codeChallenge, state),
+    codeVerifier,
+    state
+  };
 }
 function openBrowser(url) {
   const cmd = platform() === "darwin" ? "open" : platform() === "win32" ? "start" : "xdg-open";
@@ -188,6 +203,7 @@ function waitForCallback(port, timeoutMs = 12e4) {
       clearTimeout(timer);
       resolve({
         code,
+        state: url.searchParams.get("state"),
         sendSuccess: () => {
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end(AUTH_SUCCESS_HTML);
@@ -220,43 +236,44 @@ function waitForCallback(port, timeoutMs = 12e4) {
 async function exchangeCodeForToken(code, port, options) {
   const baseUrl = getAuthBaseUrl();
   const redirectUri = `http://localhost:${port}${AUTH_CALLBACK_PATH}`;
-  const body = {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
     code,
-    redirect_uri: redirectUri
-  };
-  if (options?.expiresInSeconds) {
-    body.expires_in_seconds = options.expiresInSeconds;
-  }
-  if (options?.codeVerifier) {
-    body.code_verifier = options.codeVerifier;
-  }
-  const response = await fetch(`${baseUrl}/api/cli/token`, {
+    redirect_uri: redirectUri,
+    client_id: OAUTH_CLIENT_ID,
+    code_verifier: options.codeVerifier
+  });
+  const response = await fetch(`${baseUrl}/oauth/token`, {
     method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(body)
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
   });
   if (!response.ok) {
     const errBody = await response.json().catch(() => ({}));
-    throw new Error(
-      errBody.error || `Token exchange failed (HTTP ${response.status})`
-    );
+    const errMsg = errBody.error_description || errBody.error || `Token exchange failed (HTTP ${response.status})`;
+    throw new Error(errMsg);
   }
   const data = await response.json();
-  if (!data.authToken) {
-    throw new Error("Token exchange response missing authToken");
+  if (!data.access_token) {
+    throw new Error("Token exchange response missing access_token");
   }
-  return { token: data.authToken, expiresAt: data.expiresAt };
+  const expiresAt = new Date(Date.now() + data.expires_in * 1e3).toISOString();
+  return { token: data.access_token, expiresAt };
 }
-async function performBrowserLogin(port = AUTH_PORT, options) {
-  const codeVerifier = generateCodeVerifier();
-  const codeChallenge = deriveCodeChallenge(codeVerifier);
-  const loginUrl = getLoginUrl(port, codeChallenge);
+async function performBrowserLogin(prepared, options) {
+  const port = options?.port ?? AUTH_PORT;
+  const { authorizeUrl, codeVerifier, state } = prepared ?? prepareBrowserLogin(port);
   const callbackPromise = waitForCallback(port);
-  openBrowser(loginUrl);
+  if (!options?.skipBrowserOpen) {
+    openBrowser(authorizeUrl);
+  }
   const callback = await callbackPromise;
+  if (callback.state !== state) {
+    callback.sendError("State mismatch \u2014 possible CSRF attack.");
+    throw new Error("OAuth state mismatch. Authentication aborted.");
+  }
   try {
     const result = await exchangeCodeForToken(callback.code, port, {
-      expiresInSeconds: options?.expiresInSeconds ?? DEFAULT_EXPIRES_IN_SECONDS,
       codeVerifier
     });
     callback.sendSuccess();
@@ -290,8 +307,9 @@ async function revokeToken(token) {
 
 export {
   AUTH_PORT,
-  DEFAULT_EXPIRES_IN_SECONDS,
-  getLoginUrl,
+  OAUTH_CLIENT_ID,
+  getAuthorizeUrl,
+  prepareBrowserLogin,
   openBrowser,
   waitForCallback,
   exchangeCodeForToken,

package/dist/chunk-JQRGILIS.js

@@ -0,0 +1,53 @@
+#!/usr/bin/env node
+if(process.argv.includes("--no-color"))process.env.NO_COLOR="1";
+
+// src/lib/credential-storage.ts
+import {
+  getPassword,
+  setPassword,
+  deletePassword,
+  getKeyring,
+  PasswordDeleteError
+} from "cross-keychain";
+var SERVICE = "alchemy-cli";
+var ACCOUNT = "oauth-credentials";
+async function getCredentials() {
+  try {
+    const raw = await getPassword(SERVICE, ACCOUNT);
+    if (!raw) return null;
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed.auth_token === "string" && typeof parsed.auth_token_expires_at === "string") {
+      return parsed;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function saveCredentials(creds) {
+  await setPassword(SERVICE, ACCOUNT, JSON.stringify(creds));
+}
+async function deleteCredentials() {
+  try {
+    await deletePassword(SERVICE, ACCOUNT);
+  } catch (err) {
+    if (!(err instanceof PasswordDeleteError)) {
+      throw err;
+    }
+  }
+}
+async function getStorageBackend() {
+  try {
+    const keyring = await getKeyring();
+    return keyring.name;
+  } catch {
+    return "unknown";
+  }
+}
+
+export {
+  getCredentials,
+  saveCredentials,
+  deleteCredentials,
+  getStorageBackend
+};

package/dist/chunk-KDMIWPZH.js

@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+if(process.argv.includes("--no-color"))process.env.NO_COLOR="1";
+import {
+  isJSONMode
+} from "./chunk-56ZVYB4G.js";
+
+// src/lib/interaction.ts
+import { stdin, stdout } from "process";
+function isTruthy(value) {
+  if (!value) return false;
+  const normalized = value.trim().toLowerCase();
+  return normalized === "1" || normalized === "true" || normalized === "yes";
+}
+function isNonInteractiveEnv() {
+  return isTruthy(process.env.ALCHEMY_NON_INTERACTIVE);
+}
+function isInteractiveAllowed(program) {
+  if (!stdin.isTTY || !stdout.isTTY) return false;
+  if (isJSONMode()) return false;
+  if (isNonInteractiveEnv()) return false;
+  if (program && program.opts().interactive === false) return false;
+  return true;
+}
+
+export {
+  isInteractiveAllowed
+};