@axplusb/kepler 0.0.1 → 1.0.0

package/src/auth/oauth.mjs

@@ -0,0 +1,220 @@
+/**
+ * OAuth Client — PKCE OAuth flow for Anthropic and other providers.
+ *
+ * Supports:
+ * - Device code flow (for headless environments)
+ * - Authorization code + PKCE
+ * - Token refresh
+ * - Credential storage in ~/.claude/credentials
+ */
+
+import crypto from 'crypto';
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+
+export class OAuthClient {
+    /**
+     * @param {string} clientId - OAuth client ID
+     * @param {object} [options]
+     * @param {string} [options.authUrl] - authorization endpoint
+     * @param {string} [options.tokenUrl] - token endpoint
+     * @param {string} [options.deviceUrl] - device authorization endpoint
+     * @param {string} [options.credentialsPath] - path to store credentials
+     */
+    constructor(clientId, options = {}) {
+        this.clientId = clientId;
+        this.authUrl = options.authUrl || 'https://console.anthropic.com/oauth/authorize';
+        this.tokenUrl = options.tokenUrl || 'https://console.anthropic.com/oauth/token';
+        this.deviceUrl = options.deviceUrl || 'https://console.anthropic.com/oauth/device';
+        this.credentialsPath = options.credentialsPath ||
+            path.join(os.homedir(), '.claude', 'credentials');
+    }
+
+    /**
+     * Generate a PKCE code verifier and challenge.
+     * @returns {{ verifier: string, challenge: string }}
+     */
+    generatePKCE() {
+        const verifier = crypto.randomBytes(32)
+            .toString('base64url')
+            .replace(/[^a-zA-Z0-9]/g, '')
+            .substring(0, 128);
+
+        const challenge = crypto
+            .createHash('sha256')
+            .update(verifier)
+            .digest('base64url');
+
+        return { verifier, challenge };
+    }
+
+    /**
+     * Get the authorization URL for the PKCE flow.
+     * @param {object} [options]
+     * @param {string} [options.redirectUri] - redirect URI
+     * @param {string} [options.scope] - requested scope
+     * @returns {{ url: string, verifier: string, state: string }}
+     */
+    getAuthorizationUrl(options = {}) {
+        const { verifier, challenge } = this.generatePKCE();
+        const state = crypto.randomBytes(16).toString('hex');
+
+        const params = new URLSearchParams({
+            client_id: this.clientId,
+            response_type: 'code',
+            code_challenge: challenge,
+            code_challenge_method: 'S256',
+            state,
+            redirect_uri: options.redirectUri || 'http://localhost:9876/callback',
+            ...(options.scope && { scope: options.scope }),
+        });
+
+        return {
+            url: `${this.authUrl}?${params.toString()}`,
+            verifier,
+            state,
+        };
+    }
+
+    /**
+     * Start a device code flow (for headless environments).
+     * @returns {Promise<{ device_code: string, user_code: string, verification_uri: string, interval: number, expires_in: number }>}
+     */
+    async startDeviceFlow() {
+        const body = new URLSearchParams({
+            client_id: this.clientId,
+        });
+
+        const res = await fetch(this.deviceUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: body.toString(),
+        });
+
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Device flow failed (${res.status}): ${text}`);
+        }
+
+        return res.json();
+    }
+
+    /**
+     * Exchange an authorization code for tokens (PKCE flow).
+     * @param {string} code - authorization code
+     * @param {string} verifier - PKCE code verifier
+     * @param {string} [redirectUri]
+     * @returns {Promise<{ access_token: string, refresh_token?: string, expires_in: number }>}
+     */
+    async exchangeCode(code, verifier, redirectUri) {
+        const body = new URLSearchParams({
+            grant_type: 'authorization_code',
+            client_id: this.clientId,
+            code,
+            code_verifier: verifier,
+            redirect_uri: redirectUri || 'http://localhost:9876/callback',
+        });
+
+        const res = await fetch(this.tokenUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: body.toString(),
+        });
+
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Token exchange failed (${res.status}): ${text}`);
+        }
+
+        const token = await res.json();
+        this.saveToken(token);
+        return token;
+    }
+
+    /**
+     * Refresh an access token using a refresh token.
+     * @param {string} refreshToken
+     * @returns {Promise<{ access_token: string, refresh_token?: string, expires_in: number }>}
+     */
+    async refreshToken(refreshToken) {
+        const body = new URLSearchParams({
+            grant_type: 'refresh_token',
+            client_id: this.clientId,
+            refresh_token: refreshToken,
+        });
+
+        const res = await fetch(this.tokenUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: body.toString(),
+        });
+
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Token refresh failed (${res.status}): ${text}`);
+        }
+
+        const token = await res.json();
+        this.saveToken(token);
+        return token;
+    }
+
+    /**
+     * Get stored token from credentials file.
+     * @returns {object|null}
+     */
+    getStoredToken() {
+        try {
+            const raw = fs.readFileSync(this.credentialsPath, 'utf-8');
+            return JSON.parse(raw);
+        } catch {
+            return null;
+        }
+    }
+
+    /**
+     * Save a token to the credentials file.
+     * @param {object} token
+     */
+    saveToken(token) {
+        try {
+            const dir = path.dirname(this.credentialsPath);
+            fs.mkdirSync(dir, { recursive: true });
+
+            const data = {
+                ...token,
+                saved_at: new Date().toISOString(),
+            };
+
+            fs.writeFileSync(this.credentialsPath, JSON.stringify(data, null, 2), { mode: 0o600 });
+        } catch {
+            // Best effort
+        }
+    }
+
+    /**
+     * Delete stored credentials.
+     */
+    clearToken() {
+        try {
+            fs.unlinkSync(this.credentialsPath);
+            return true;
+        } catch {
+            return false;
+        }
+    }
+
+    /**
+     * Check if the stored token is expired.
+     * @returns {boolean}
+     */
+    isTokenExpired() {
+        const token = this.getStoredToken();
+        if (!token || !token.saved_at || !token.expires_in) return true;
+
+        const savedAt = new Date(token.saved_at).getTime();
+        const expiresAt = savedAt + (token.expires_in * 1000);
+        return Date.now() >= expiresAt;
+    }
+}

package/src/auth/tarang-auth.mjs

@@ -0,0 +1,277 @@
+/**
+ * Orca Authentication — GitHub OAuth + config management.
+ * Reads/writes ~/.orca/config.json (shared with Python CLI).
+ */
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import * as http from 'node:http';
+import { getLoginSuccessHTML } from '../ui/banner.mjs';
+import { resolveBackendUrl } from '../core/backend-url.mjs';
+
+const CONFIG_DIR = path.join(os.homedir(), '.orca');
+const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
+
+export class TarangAuth {
+    constructor() {
+        this._config = null;
+    }
+
+    /** Ensure ~/.orca/ directory exists with secure permissions. */
+    _ensureConfigDir() {
+        if (!fs.existsSync(CONFIG_DIR)) {
+            fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+        }
+    }
+
+    /** Load credentials and settings from config.json. */
+    loadCredentials() {
+        try {
+            if (fs.existsSync(CONFIG_PATH)) {
+                const raw = fs.readFileSync(CONFIG_PATH, 'utf-8');
+                this._config = JSON.parse(raw);
+            } else {
+                this._config = {};
+            }
+        } catch {
+            this._config = {};
+        }
+        return {
+            token: this._config.token || null,
+            openRouterKey: this._config.openrouter_key || process.env.OPENROUTER_API_KEY || null,
+            anthropicKey: this._config.anthropic_api_key || process.env.ANTHROPIC_API_KEY || null,
+            openaiKey: this._config.openai_api_key || process.env.OPENAI_API_KEY || null,
+            googleKey: this._config.google_api_key || process.env.GOOGLE_API_KEY || null,
+            backendUrl: resolveBackendUrl(),
+            mode: this._config.mode || 'auto',
+            gatewayType: this._config.gateway_type || 'openrouter',
+            models: this._config.models || {},
+            configuredProviders: this._config.configured_providers || [],
+            gatewayConfig: this._config.gateway_config || {},
+        };
+    }
+
+    /** Get the raw config object. */
+    getRawConfig() {
+        if (!this._config) this.loadCredentials();
+        return this._config || {};
+    }
+
+    /** Clear credentials — remove token and keys from config. */
+    logout() {
+        try {
+            if (fs.existsSync(CONFIG_PATH)) {
+                fs.unlinkSync(CONFIG_PATH);
+            }
+            this._config = null;
+            return true;
+        } catch {
+            return false;
+        }
+    }
+
+    /** Save credentials atomically (temp-file + rename). */
+    saveCredentials(updates) {
+        this._ensureConfigDir();
+        const current = this._config || {};
+        const merged = { ...current, ...updates };
+        const tmpPath = `${CONFIG_PATH}.tmp.${process.pid}`;
+        fs.writeFileSync(tmpPath, JSON.stringify(merged, null, 2), { mode: 0o600 });
+        fs.renameSync(tmpPath, CONFIG_PATH);
+        this._config = merged;
+    }
+
+    /** Check if user has a valid auth token. */
+    isAuthenticated() {
+        const creds = this.loadCredentials();
+        return !!creds.token;
+    }
+
+    /** Check if OpenRouter key is configured. */
+    hasOpenRouterKey() {
+        const creds = this.loadCredentials();
+        return !!creds.openRouterKey;
+    }
+
+    /** Save an API key by provider name. */
+    saveProviderKey(provider, key) {
+        const keyMap = {
+            openrouter: 'openrouter_key',
+            anthropic: 'anthropic_api_key',
+            openai: 'openai_api_key',
+            googleai: 'google_api_key',
+            azureopenai: 'azure_api_key',
+            bedrock: 'aws_access_key',
+            databricks: 'databricks_token',
+        };
+        const field = keyMap[provider];
+        if (!field) throw new Error(`Unknown provider: ${provider}`);
+        this.saveCredentials({ [field]: key });
+    }
+
+    /** Save OpenRouter API key. */
+    saveOpenRouterKey(key) {
+        this.saveProviderKey('openrouter', key);
+    }
+
+    /** Save Anthropic API key. */
+    saveAnthropicKey(key) {
+        this.saveProviderKey('anthropic', key);
+    }
+
+    /** Save OpenAI API key. */
+    saveOpenAIKey(key) {
+        this.saveProviderKey('openai', key);
+    }
+
+    /** Save Google AI API key. */
+    saveGoogleKey(key) {
+        this.saveProviderKey('googleai', key);
+    }
+
+    /** Sync settings from web backend and save locally. */
+    async syncSettings() {
+        const { fetchRemoteSettings, mergeRemoteSettings } = await import('../core/settings-sync.mjs');
+        const creds = this.loadCredentials();
+        if (!creds.token) throw new Error('Not logged in. Run `orca login` first.');
+
+        const remote = await fetchRemoteSettings(creds.token);
+        if (!remote) throw new Error('Failed to fetch settings from server.');
+
+        const merged = mergeRemoteSettings(this.getRawConfig(), remote);
+        this.saveCredentials(merged);
+        return remote;
+    }
+
+    /** Set default mode. */
+    setMode(mode) {
+        const valid = ['local', 'remote', 'auto'];
+        if (!valid.includes(mode)) {
+            throw new Error(`Invalid mode: ${mode}. Must be one of: ${valid.join(', ')}`);
+        }
+        this.saveCredentials({ mode });
+    }
+
+    /** Display config (styled). */
+    printConfig() {
+        const creds = this.loadCredentials();
+        const GREEN = '\x1b[32m', RED = '\x1b[31m', DIM = '\x1b[2m', BOLD = '\x1b[1m', CYAN = '\x1b[36m', RESET = '\x1b[0m';
+        const check = `${GREEN}\u2713${RESET}`;
+        const cross = `${RED}\u2717${RESET}`;
+
+        const env = process.env.TARANG_ENV || process.env.NODE_ENV || 'production';
+
+        process.stderr.write(`\n${BOLD}Orca Configuration${RESET}\n`);
+        process.stderr.write(`${'─'.repeat(50)}\n`);
+        process.stderr.write(`  Auth:           ${creds.token ? `${check} logged in` : `${cross} not logged in ${DIM}(/login)${RESET}`}\n`);
+        process.stderr.write(`  Environment:    ${DIM}${env}${RESET}\n`);
+        process.stderr.write(`  Backend:        ${DIM}${creds.backendUrl}${RESET}\n`);
+        process.stderr.write(`  Mode:           ${DIM}${creds.mode || 'auto'}${RESET}\n`);
+        process.stderr.write(`  Gateway:        ${DIM}${creds.gatewayType}${RESET}\n`);
+
+        const models = creds.models || {};
+        if (models.orchestrator || models.reasoning || models.local) {
+            process.stderr.write(`\n${BOLD}  Models${RESET}\n`);
+            if (models.orchestrator) process.stderr.write(`  Orchestrator:   ${DIM}${models.orchestrator}${RESET}\n`);
+            if (models.reasoning)    process.stderr.write(`  Coding:         ${DIM}${models.reasoning}${RESET}\n`);
+            if (models.local)        process.stderr.write(`  Local:          ${DIM}${models.local}${RESET}\n`);
+        }
+
+        const providers = creds.configuredProviders || [];
+        if (providers.length > 0) {
+            process.stderr.write(`  Providers:      ${DIM}${providers.join(', ')}${RESET}\n`);
+        }
+
+        const raw = this.getRawConfig();
+        if (raw.last_synced_at) {
+            process.stderr.write(`  Last synced:    ${DIM}${new Date(raw.last_synced_at).toLocaleString()}${RESET}\n`);
+        }
+
+        process.stderr.write(`\n  ${DIM}Run ${RESET}${CYAN}orca sync${RESET}${DIM} to sync settings from web.${RESET}\n`);
+        process.stderr.write(`  ${DIM}Run ${RESET}${CYAN}orca configure${RESET}${DIM} to open settings in browser.${RESET}\n`);
+        process.stderr.write('\n');
+    }
+
+    /**
+     * Run login flow via web app.
+     *
+     * Flow:
+     *   1. CLI starts local HTTP server on random port
+     *   2. Opens browser to web /auth/cli?callback=http://127.0.0.1:{port}/callback
+     *   3. Web checks Supabase session (if none → GitHub OAuth → Supabase)
+     *   4. Web generates CLI token via /api/cli/token
+     *   5. Web redirects browser to CLI callback with token
+     *   6. CLI receives token, saves to ~/.orca/config.json
+     */
+    async login() {
+        const { resolveWebUrl } = await import('../core/backend-url.mjs');
+        const webUrl = resolveWebUrl();
+
+        return new Promise((resolve, reject) => {
+            const server = http.createServer(async (req, res) => {
+                const url = new URL(req.url, `http://localhost`);
+
+                // The web app redirects here with ?token=<cli_token>
+                const token = url.searchParams.get('token');
+
+                if (!token) {
+                    // Maybe an error or missing token
+                    const error = url.searchParams.get('error');
+                    if (error) {
+                        res.writeHead(200, { 'Content-Type': 'text/html' });
+                        res.end(`<html><body><h2>Login failed</h2><p>${error}</p></body></html>`);
+                        server.close();
+                        reject(new Error(error));
+                        return;
+                    }
+                    // Ignore other requests (favicon, etc.)
+                    res.writeHead(200);
+                    res.end('');
+                    return;
+                }
+
+                // Save the CLI token
+                this.saveCredentials({ token });
+
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end(getLoginSuccessHTML());
+
+                server.close();
+                resolve(true);
+            });
+
+            server.listen(0, '127.0.0.1', () => {
+                const port = server.address().port;
+                const callbackUrl = `http://127.0.0.1:${port}/callback`;
+                const authUrl = `${webUrl}/auth/cli?callback=${encodeURIComponent(callbackUrl)}`;
+
+                process.stderr.write(`\n\x1b[36mOpening browser for login...\x1b[0m\n`);
+                process.stderr.write(`\x1b[2mIf browser doesn't open, visit:\x1b[0m\n  \x1b[4m${authUrl}\x1b[0m\n\n`);
+
+                // Open browser
+                const openCmd = process.platform === 'darwin' ? 'open' :
+                                process.platform === 'win32' ? 'start' : 'xdg-open';
+                import('node:child_process').then(({ exec }) => {
+                    exec(`${openCmd} "${authUrl}"`, () => {});
+                });
+            });
+
+            // Timeout after 120s
+            setTimeout(() => {
+                server.close();
+                reject(new Error('Login timed out after 120s'));
+            }, 120_000);
+        });
+    }
+
+    /**
+     * Ensure user is authenticated, prompt login if not.
+     */
+    async ensureAuth() {
+        if (!this.isAuthenticated()) {
+            process.stderr.write('\x1b[33mNot logged in.\x1b[0m Starting login flow...\n');
+            await this.login();
+        }
+    }
+}

package/src/config/cli-args.mjs

@@ -0,0 +1,173 @@
+/**
+ * CLI Argument Parser — supports all major Claude Code flags.
+ *
+ * Flags:
+ * --model, -m          Model to use
+ * --permission-mode    Permission mode
+ * --print, -p          Print mode (non-interactive prompt)
+ * --output-format      json, text, stream-json
+ * --system-prompt      Override system prompt
+ * --add-dir            Additional CLAUDE.md directories
+ * --max-turns          Maximum conversation turns
+ * --allowedTools       Comma-separated allowed tools
+ * --disallowedTools    Comma-separated denied tools
+ * --verbose, -v        Verbose output
+ * --debug, -d          Debug mode
+ * --version            Show version
+ * --help, -h           Show help
+ */
+
+export function parseArgs(args) {
+    const result = {
+        prompt: null,
+        model: null,
+        permissionMode: null,
+        outputFormat: null,
+        systemPrompt: null,
+        addDirs: [],
+        maxTurns: null,
+        allowedTools: null,
+        disallowedTools: null,
+        resume: false,
+        resumeSessionId: null,
+        headless: false,
+        freeswim: false,
+        verbose: false,
+        debug: false,
+        showVersion: false,
+        showHelp: false,
+    };
+
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+
+        switch (arg) {
+            case '--model':
+            case '-m':
+                result.model = args[++i];
+                break;
+
+            case '--permission-mode':
+                result.permissionMode = args[++i];
+                break;
+
+            case '--print':
+            case '-p':
+                result.prompt = args[++i];
+                break;
+
+            case '--output-format':
+                result.outputFormat = args[++i];
+                break;
+
+            case '--system-prompt':
+                result.systemPrompt = args[++i];
+                break;
+
+            case '--add-dir':
+                result.addDirs.push(args[++i]);
+                break;
+
+            case '--max-turns':
+                result.maxTurns = parseInt(args[++i], 10);
+                break;
+
+            case '--allowedTools':
+                result.allowedTools = args[++i]?.split(',').map(s => s.trim());
+                break;
+
+            case '--disallowedTools':
+                result.disallowedTools = args[++i]?.split(',').map(s => s.trim());
+                break;
+
+            case '--resume':
+            case '--continue':
+            case '-r': {
+                result.resume = true;
+                // Optional: --resume <sessionId>
+                const next = args[i + 1];
+                if (next && !next.startsWith('-')) {
+                    result.resumeSessionId = next;
+                    i++;
+                }
+                break;
+            }
+
+            case '--headless':
+                result.headless = true;
+                result.freeswim = true; // headless implies skip permissions
+                break;
+
+            case '--freeswim-open-waters':
+            case '--freeswim':
+            case '--yes':
+                result.freeswim = true;
+                break;
+
+            case '--verbose':
+            case '-v':
+                result.verbose = true;
+                break;
+
+            case '--debug':
+            case '-d':
+                result.debug = true;
+                break;
+
+            case '--version':
+                result.showVersion = true;
+                break;
+
+            case '--help':
+            case '-h':
+                result.showHelp = true;
+                break;
+
+            default:
+                // Bare argument becomes prompt
+                if (!arg.startsWith('-')) {
+                    result.prompt = arg;
+                }
+                break;
+        }
+    }
+
+    return result;
+}
+
+/**
+ * Print usage/help text.
+ * @returns {string}
+ */
+export function getUsageText() {
+    return `
+Usage: occ [options] [prompt]
+
+Options:
+  --model, -m <model>        Model to use (default: claude-sonnet-4-6)
+  --permission-mode <mode>   Permission mode (bypassPermissions, acceptEdits, plan, auto, dontAsk)
+  --print, -p <prompt>       Non-interactive mode: run prompt and exit
+  --output-format <fmt>      Output format: text, json, stream-json
+  --system-prompt <text>     Override system prompt
+  --add-dir <dir>            Additional directory to search for CLAUDE.md
+  --max-turns <n>            Maximum conversation turns
+  --allowedTools <tools>     Comma-separated list of allowed tools
+  --disallowedTools <tools>  Comma-separated list of denied tools
+  --resume, -r [sessionId]   Resume last session (or specific session)
+  --continue                 Alias for --resume
+  --headless                 Non-interactive mode: auto-approve, JSONL output
+  --freeswim-open-waters     Skip all approval prompts (no boundaries)
+  --freeswim                 Alias for --freeswim-open-waters
+  --yes                      Alias for --freeswim-open-waters
+  --verbose, -v              Verbose output
+  --debug, -d                Debug mode
+  --version                  Show version
+  --help, -h                 Show this help
+
+Examples:
+  occ                        Start interactive REPL
+  occ -p "What is 2+2?"     Run prompt and exit
+  occ -m claude-haiku-4-5    Use Haiku model
+  occ --debug -p "Fix bug"  Debug mode with prompt
+`.trim();
+}