@clinebot/core 0.0.0

package/src/session/index.ts

@@ -0,0 +1,37 @@
+export { DefaultSessionManager } from "./default-session-manager";
+export { RpcCoreSessionService } from "./rpc-session-service";
+export {
+	deriveSubsessionStatus,
+	makeSubSessionId,
+	makeTeamTaskSubSessionId,
+	sanitizeSessionToken,
+} from "./session-graph";
+export type { CreateSessionHostOptions, SessionHost } from "./session-host";
+export { createSessionHost } from "./session-host";
+export type {
+	SendSessionInput,
+	SessionManager,
+	StartSessionInput,
+	StartSessionResult,
+} from "./session-manager";
+export type { SessionManifest } from "./session-manifest";
+export type {
+	CreateRootSessionWithArtifactsInput,
+	RootSessionArtifacts,
+} from "./session-service";
+export { CoreSessionService } from "./session-service";
+export type {
+	WorkspaceManager,
+	WorkspaceManagerEvent,
+} from "./workspace-manager";
+export { InMemoryWorkspaceManager } from "./workspace-manager";
+export type { WorkspaceManifest } from "./workspace-manifest";
+export {
+	buildWorkspaceMetadata,
+	emptyWorkspaceManifest,
+	generateWorkspaceInfo,
+	normalizeWorkspacePath,
+	upsertWorkspaceInfo,
+	WorkspaceInfoSchema,
+	WorkspaceManifestSchema,
+} from "./workspace-manifest";

package/src/session/rpc-session-service.ts

@@ -0,0 +1,189 @@
+import { existsSync, mkdirSync } from "node:fs";
+import { RpcSessionClient, type RpcSessionRow } from "@clinebot/rpc";
+import { nowIso } from "./session-artifacts";
+import type { SessionRowShape } from "./session-service";
+import type {
+	PersistedSessionUpdateInput,
+	SessionPersistenceAdapter,
+} from "./unified-session-persistence-service";
+import { UnifiedSessionPersistenceService } from "./unified-session-persistence-service";
+
+function toShape(row: RpcSessionRow): SessionRowShape {
+	return {
+		session_id: row.sessionId,
+		source: row.source,
+		pid: row.pid,
+		started_at: row.startedAt,
+		ended_at: row.endedAt ?? null,
+		exit_code: row.exitCode ?? null,
+		status: row.status,
+		status_lock: row.statusLock,
+		interactive: row.interactive ? 1 : 0,
+		provider: row.provider,
+		model: row.model,
+		cwd: row.cwd,
+		workspace_root: row.workspaceRoot,
+		team_name: row.teamName ?? null,
+		enable_tools: row.enableTools ? 1 : 0,
+		enable_spawn: row.enableSpawn ? 1 : 0,
+		enable_teams: row.enableTeams ? 1 : 0,
+		parent_session_id: row.parentSessionId ?? null,
+		parent_agent_id: row.parentAgentId ?? null,
+		agent_id: row.agentId ?? null,
+		conversation_id: row.conversationId ?? null,
+		is_subagent: row.isSubagent ? 1 : 0,
+		prompt: row.prompt ?? null,
+		metadata_json: row.metadata ? JSON.stringify(row.metadata) : null,
+		transcript_path: row.transcriptPath,
+		hook_path: row.hookPath,
+		messages_path: row.messagesPath ?? null,
+		updated_at: row.updatedAt,
+	};
+}
+
+function fromShape(row: SessionRowShape): RpcSessionRow {
+	return {
+		sessionId: row.session_id,
+		source: row.source,
+		pid: row.pid,
+		startedAt: row.started_at,
+		endedAt: row.ended_at ?? null,
+		exitCode: row.exit_code ?? null,
+		status: row.status,
+		statusLock: row.status_lock ?? 0,
+		interactive: row.interactive === 1,
+		provider: row.provider,
+		model: row.model,
+		cwd: row.cwd,
+		workspaceRoot: row.workspace_root,
+		teamName: row.team_name ?? undefined,
+		enableTools: row.enable_tools === 1,
+		enableSpawn: row.enable_spawn === 1,
+		enableTeams: row.enable_teams === 1,
+		parentSessionId: row.parent_session_id ?? undefined,
+		parentAgentId: row.parent_agent_id ?? undefined,
+		agentId: row.agent_id ?? undefined,
+		conversationId: row.conversation_id ?? undefined,
+		isSubagent: row.is_subagent === 1,
+		prompt: row.prompt ?? undefined,
+		metadata: (() => {
+			if (!row.metadata_json) {
+				return undefined;
+			}
+			try {
+				const parsed = JSON.parse(row.metadata_json) as unknown;
+				if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+					return parsed as Record<string, unknown>;
+				}
+			} catch {
+				// Ignore malformed metadata payloads.
+			}
+			return undefined;
+		})(),
+		transcriptPath: row.transcript_path,
+		hookPath: row.hook_path,
+		messagesPath: row.messages_path ?? undefined,
+		updatedAt: row.updated_at ?? nowIso(),
+	};
+}
+
+class RpcSessionPersistenceAdapter implements SessionPersistenceAdapter {
+	constructor(private readonly client: RpcSessionClient) {}
+
+	ensureSessionsDir(): string {
+		return "";
+	}
+
+	async upsertSession(row: SessionRowShape): Promise<void> {
+		await this.client.upsertSession(fromShape(row));
+	}
+
+	async getSession(sessionId: string): Promise<SessionRowShape | undefined> {
+		const row = await this.client.getSession(sessionId);
+		return row ? toShape(row) : undefined;
+	}
+
+	async listSessions(options: {
+		limit: number;
+		parentSessionId?: string;
+		status?: string;
+	}): Promise<SessionRowShape[]> {
+		const rows = await this.client.listSessions(options);
+		return rows.map((row) => toShape(row));
+	}
+
+	async updateSession(
+		input: PersistedSessionUpdateInput,
+	): Promise<{ updated: boolean; statusLock: number }> {
+		const changed = await this.client.updateSession({
+			sessionId: input.sessionId,
+			status: input.status,
+			endedAt: input.endedAt,
+			exitCode: input.exitCode,
+			prompt: input.prompt,
+			metadata:
+				input.metadataJson === undefined
+					? undefined
+					: input.metadataJson
+						? (JSON.parse(input.metadataJson) as Record<string, unknown>)
+						: null,
+			parentSessionId: input.parentSessionId,
+			parentAgentId: input.parentAgentId,
+			agentId: input.agentId,
+			conversationId: input.conversationId,
+			expectedStatusLock: input.expectedStatusLock,
+			setRunning: input.setRunning,
+		});
+		return changed;
+	}
+
+	async deleteSession(sessionId: string, cascade: boolean): Promise<boolean> {
+		return await this.client.deleteSession(sessionId, cascade);
+	}
+
+	async enqueueSpawnRequest(input: {
+		rootSessionId: string;
+		parentAgentId: string;
+		task?: string;
+		systemPrompt?: string;
+	}): Promise<void> {
+		await this.client.enqueueSpawnRequest(input);
+	}
+
+	async claimSpawnRequest(
+		rootSessionId: string,
+		parentAgentId: string,
+	): Promise<string | undefined> {
+		return await this.client.claimSpawnRequest(rootSessionId, parentAgentId);
+	}
+}
+
+export interface RpcCoreSessionServiceOptions {
+	address?: string;
+	sessionsDir: string;
+}
+
+export class RpcCoreSessionService extends UnifiedSessionPersistenceService {
+	private readonly sessionsDirPath: string;
+	private readonly client: RpcSessionClient;
+
+	constructor(options: RpcCoreSessionServiceOptions) {
+		const client = new RpcSessionClient({
+			address: options.address?.trim() || "127.0.0.1:4317",
+		});
+		super(new RpcSessionPersistenceAdapter(client));
+		this.sessionsDirPath = options.sessionsDir;
+		this.client = client;
+	}
+
+	override ensureSessionsDir(): string {
+		if (!existsSync(this.sessionsDirPath)) {
+			mkdirSync(this.sessionsDirPath, { recursive: true });
+		}
+		return this.sessionsDirPath;
+	}
+
+	close(): void {
+		this.client.close();
+	}
+}

package/src/session/runtime-oauth-token-manager.test.ts

@@ -0,0 +1,137 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+	OAuthReauthRequiredError,
+	RuntimeOAuthTokenManager,
+} from "./runtime-oauth-token-manager";
+
+const {
+	getValidOpenAICodexCredentials,
+	getValidClineCredentials,
+	getValidOcaCredentials,
+} = vi.hoisted(() => ({
+	getValidOpenAICodexCredentials: vi.fn(),
+	getValidClineCredentials: vi.fn(),
+	getValidOcaCredentials: vi.fn(),
+}));
+
+vi.mock("../auth/codex", () => ({
+	getValidOpenAICodexCredentials,
+}));
+
+vi.mock("../auth/cline", () => ({
+	getValidClineCredentials,
+}));
+
+vi.mock("../auth/oca", () => ({
+	getValidOcaCredentials,
+}));
+
+describe("RuntimeOAuthTokenManager", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	it("refreshes and persists OpenAI Codex OAuth credentials", async () => {
+		const getProviderSettings = vi.fn().mockReturnValue({
+			provider: "openai-codex",
+			auth: {
+				accessToken: "access-old",
+				refreshToken: "refresh-old",
+				expiresAt: Date.now() - 1_000,
+				accountId: "acct-old",
+			},
+		});
+		const saveProviderSettings = vi.fn();
+
+		getValidOpenAICodexCredentials.mockResolvedValueOnce({
+			access: "access-new",
+			refresh: "refresh-new",
+			expires: 4_000_000_000_000,
+			accountId: "acct-new",
+		});
+
+		const manager = new RuntimeOAuthTokenManager({
+			providerSettingsManager: {
+				getProviderSettings,
+				saveProviderSettings,
+			} as never,
+		});
+
+		const result = await manager.resolveProviderApiKey({
+			providerId: "openai-codex",
+		});
+
+		expect(result).toMatchObject({
+			providerId: "openai-codex",
+			apiKey: "access-new",
+			accountId: "acct-new",
+			refreshed: true,
+		});
+		expect(saveProviderSettings).toHaveBeenCalledWith(
+			expect.objectContaining({
+				auth: expect.objectContaining({
+					accessToken: "access-new",
+					refreshToken: "refresh-new",
+					accountId: "acct-new",
+					expiresAt: 4_000_000_000_000,
+				}),
+			}),
+			{ setLastUsed: false, tokenSource: "oauth" },
+		);
+	});
+
+	it("throws re-auth required when refresh returns null", async () => {
+		getValidOpenAICodexCredentials.mockResolvedValueOnce(null);
+		const manager = new RuntimeOAuthTokenManager({
+			providerSettingsManager: {
+				getProviderSettings: vi.fn().mockReturnValue({
+					provider: "openai-codex",
+					auth: {
+						accessToken: "access-old",
+						refreshToken: "refresh-old",
+						expiresAt: Date.now() - 1_000,
+					},
+				}),
+				saveProviderSettings: vi.fn(),
+			} as never,
+		});
+
+		await expect(
+			manager.resolveProviderApiKey({ providerId: "openai-codex" }),
+		).rejects.toBeInstanceOf(OAuthReauthRequiredError);
+	});
+
+	it("de-duplicates concurrent refresh calls per provider", async () => {
+		const refreshBarrier = Promise.resolve().then(() => ({
+			access: "access-new",
+			refresh: "refresh-new",
+			expires: Date.now() + 60_000,
+		}));
+		getValidOpenAICodexCredentials.mockImplementationOnce(
+			async () => refreshBarrier,
+		);
+
+		const manager = new RuntimeOAuthTokenManager({
+			providerSettingsManager: {
+				getProviderSettings: vi.fn().mockReturnValue({
+					provider: "openai-codex",
+					auth: {
+						accessToken: "access-old",
+						refreshToken: "refresh-old",
+						expiresAt: Date.now() - 1_000,
+					},
+				}),
+				saveProviderSettings: vi.fn(),
+			} as never,
+		});
+
+		const [first, second] = await Promise.all([
+			manager.resolveProviderApiKey({ providerId: "openai-codex" }),
+			manager.resolveProviderApiKey({ providerId: "openai-codex" }),
+		]);
+
+		expect(first?.apiKey).toBe("access-new");
+		expect(second?.apiKey).toBe("access-new");
+		expect(getValidOpenAICodexCredentials).toHaveBeenCalledTimes(1);
+	});
+});

package/src/session/runtime-oauth-token-manager.ts

@@ -0,0 +1,265 @@
+import type { providers as LlmsProviders } from "@clinebot/llms";
+import {
+	type ClineOAuthCredentials,
+	getValidClineCredentials,
+} from "../auth/cline";
+import { getValidOpenAICodexCredentials } from "../auth/codex";
+import { getValidOcaCredentials } from "../auth/oca";
+import { decodeJwtPayload } from "../auth/utils";
+import { ProviderSettingsManager } from "../storage/provider-settings-manager";
+
+const DEFAULT_CLINE_API_BASE_URL = "https://api.cline.bot";
+const WORKOS_TOKEN_PREFIX = "workos:";
+
+const MANAGED_OAUTH_PROVIDERS = ["cline", "oca", "openai-codex"] as const;
+type ManagedOAuthProviderId = (typeof MANAGED_OAUTH_PROVIDERS)[number];
+
+function isManagedOAuthProviderId(
+	providerId: string,
+): providerId is ManagedOAuthProviderId {
+	return (MANAGED_OAUTH_PROVIDERS as readonly string[]).includes(providerId);
+}
+
+function toStoredAccessToken(
+	providerId: ManagedOAuthProviderId,
+	accessToken: string,
+): string {
+	if (providerId === "cline") {
+		return `${WORKOS_TOKEN_PREFIX}${accessToken}`;
+	}
+	return accessToken;
+}
+
+function fromStoredAccessToken(
+	providerId: ManagedOAuthProviderId,
+	accessToken: string,
+): string {
+	if (
+		providerId === "cline" &&
+		accessToken.toLowerCase().startsWith(WORKOS_TOKEN_PREFIX)
+	) {
+		return accessToken.slice(WORKOS_TOKEN_PREFIX.length);
+	}
+	return accessToken;
+}
+
+function readExpiryFromToken(accessToken: string): number | null {
+	const payload = decodeJwtPayload(accessToken);
+	const exp = payload?.exp;
+	if (typeof exp === "number" && exp > 0) {
+		return exp * 1000;
+	}
+	return null;
+}
+
+function deriveCredentialExpiry(
+	settings: LlmsProviders.ProviderSettings,
+	normalizedAccessToken: string,
+): number {
+	const explicitExpiry = (
+		settings.auth as
+			| (LlmsProviders.ProviderSettings["auth"] & { expiresAt?: number })
+			| undefined
+	)?.expiresAt;
+	if (
+		typeof explicitExpiry === "number" &&
+		Number.isFinite(explicitExpiry) &&
+		explicitExpiry > 0
+	) {
+		return explicitExpiry;
+	}
+
+	const jwtExpiry = readExpiryFromToken(normalizedAccessToken);
+	if (jwtExpiry) {
+		return jwtExpiry;
+	}
+
+	// Unknown expiry should trigger refresh on next resolution.
+	return Date.now() - 1;
+}
+
+function toCredentials(
+	providerId: ManagedOAuthProviderId,
+	settings: LlmsProviders.ProviderSettings,
+): ClineOAuthCredentials | null {
+	const rawAccess = settings.auth?.accessToken?.trim();
+	const refreshToken = settings.auth?.refreshToken?.trim();
+	if (!rawAccess || !refreshToken) {
+		return null;
+	}
+	const access = fromStoredAccessToken(providerId, rawAccess);
+	if (!access) {
+		return null;
+	}
+
+	return {
+		access,
+		refresh: refreshToken,
+		expires: deriveCredentialExpiry(settings, access),
+		accountId: settings.auth?.accountId,
+	};
+}
+
+function authSettingsEqual(
+	a: LlmsProviders.ProviderSettings["auth"] | undefined,
+	b: LlmsProviders.ProviderSettings["auth"] | undefined,
+): boolean {
+	const aExpiry = (
+		a as
+			| (LlmsProviders.ProviderSettings["auth"] & { expiresAt?: number })
+			| undefined
+	)?.expiresAt;
+	const bExpiry = (
+		b as
+			| (LlmsProviders.ProviderSettings["auth"] & { expiresAt?: number })
+			| undefined
+	)?.expiresAt;
+	return (
+		a?.accessToken === b?.accessToken &&
+		a?.refreshToken === b?.refreshToken &&
+		a?.accountId === b?.accountId &&
+		aExpiry === bExpiry
+	);
+}
+
+export class OAuthReauthRequiredError extends Error {
+	public readonly providerId: ManagedOAuthProviderId;
+
+	constructor(providerId: ManagedOAuthProviderId) {
+		super(
+			`OAuth credentials for provider "${providerId}" are no longer valid. Re-run authentication for this provider.`,
+		);
+		this.name = "OAuthReauthRequiredError";
+		this.providerId = providerId;
+	}
+}
+
+export type RuntimeOAuthResolution = {
+	providerId: ManagedOAuthProviderId;
+	apiKey: string;
+	accountId?: string;
+	refreshed: boolean;
+};
+
+export class RuntimeOAuthTokenManager {
+	private readonly providerSettingsManager: ProviderSettingsManager;
+	private readonly refreshInFlight = new Map<
+		ManagedOAuthProviderId,
+		Promise<RuntimeOAuthResolution | null>
+	>();
+
+	constructor(options?: { providerSettingsManager?: ProviderSettingsManager }) {
+		this.providerSettingsManager =
+			options?.providerSettingsManager ?? new ProviderSettingsManager();
+	}
+
+	public async resolveProviderApiKey(input: {
+		providerId: string;
+		forceRefresh?: boolean;
+	}): Promise<RuntimeOAuthResolution | null> {
+		if (!isManagedOAuthProviderId(input.providerId)) {
+			return null;
+		}
+		return this.resolveWithSingleFlight(input.providerId, input.forceRefresh);
+	}
+
+	private async resolveWithSingleFlight(
+		providerId: ManagedOAuthProviderId,
+		forceRefresh = false,
+	): Promise<RuntimeOAuthResolution | null> {
+		const currentInFlight = this.refreshInFlight.get(providerId);
+		if (currentInFlight) {
+			return currentInFlight;
+		}
+		const pending = this.resolveProviderApiKeyInternal(providerId, forceRefresh)
+			.catch((error) => {
+				throw error;
+			})
+			.finally(() => {
+				this.refreshInFlight.delete(providerId);
+			});
+		this.refreshInFlight.set(providerId, pending);
+		return pending;
+	}
+
+	private async resolveProviderApiKeyInternal(
+		providerId: ManagedOAuthProviderId,
+		forceRefresh: boolean,
+	): Promise<RuntimeOAuthResolution | null> {
+		const settings =
+			this.providerSettingsManager.getProviderSettings(providerId);
+		if (!settings) {
+			return null;
+		}
+
+		const currentCredentials = toCredentials(providerId, settings);
+		if (!currentCredentials) {
+			return null;
+		}
+
+		const nextCredentials = await this.resolveCredentials(
+			providerId,
+			settings,
+			currentCredentials,
+			forceRefresh,
+		);
+		if (!nextCredentials) {
+			throw new OAuthReauthRequiredError(providerId);
+		}
+
+		const persistedAccessToken = toStoredAccessToken(
+			providerId,
+			nextCredentials.access,
+		);
+		const nextAuth = {
+			...(settings.auth ?? {}),
+			accessToken: persistedAccessToken,
+			refreshToken: nextCredentials.refresh,
+			accountId: nextCredentials.accountId,
+		} as LlmsProviders.ProviderSettings["auth"] & { expiresAt?: number };
+		nextAuth.expiresAt = nextCredentials.expires;
+		const nextSettings: LlmsProviders.ProviderSettings = {
+			...settings,
+			auth: nextAuth,
+		};
+		const wasRefreshed = !authSettingsEqual(settings.auth, nextSettings.auth);
+		if (wasRefreshed) {
+			this.providerSettingsManager.saveProviderSettings(nextSettings, {
+				setLastUsed: false,
+				tokenSource: "oauth",
+			});
+		}
+
+		return {
+			providerId,
+			apiKey: persistedAccessToken,
+			accountId: nextCredentials.accountId,
+			refreshed: wasRefreshed,
+		};
+	}
+
+	private async resolveCredentials(
+		providerId: ManagedOAuthProviderId,
+		settings: LlmsProviders.ProviderSettings,
+		currentCredentials: ClineOAuthCredentials,
+		forceRefresh: boolean,
+	): Promise<ClineOAuthCredentials | null> {
+		if (providerId === "cline") {
+			return getValidClineCredentials(
+				currentCredentials,
+				{
+					apiBaseUrl: settings.baseUrl?.trim() || DEFAULT_CLINE_API_BASE_URL,
+				},
+				{ forceRefresh },
+			);
+		}
+		if (providerId === "oca") {
+			return getValidOcaCredentials(
+				currentCredentials,
+				{ forceRefresh },
+				{ mode: settings.oca?.mode },
+			);
+		}
+		return getValidOpenAICodexCredentials(currentCredentials, { forceRefresh });
+	}
+}