@clinebot/core 0.0.21 → 0.0.23

package/src/session/rpc-spawn-lease.ts

@@ -0,0 +1,122 @@
+import {
+	closeSync,
+	existsSync,
+	mkdirSync,
+	openSync,
+	readFileSync,
+	rmSync,
+	writeFileSync,
+} from "node:fs";
+import { dirname, resolve } from "node:path";
+import { resolveSessionDataDir } from "@clinebot/shared/storage";
+
+const DEFAULT_LEASE_TTL_MS = 15_000;
+
+interface RpcSpawnLeaseRecord {
+	address: string;
+	pid: number;
+	createdAt: number;
+}
+
+export interface RpcSpawnLease {
+	path: string;
+	release: () => void;
+}
+
+function encodeAddress(address: string): string {
+	return Buffer.from(address).toString("base64url");
+}
+
+function getLeasePath(address: string): string {
+	return resolve(
+		resolveSessionDataDir(),
+		"rpc",
+		"spawn-leases",
+		`${encodeAddress(address)}.lock`,
+	);
+}
+
+function isProcessAlive(pid: number): boolean {
+	if (!Number.isInteger(pid) || pid <= 0) {
+		return false;
+	}
+	try {
+		process.kill(pid, 0);
+		return true;
+	} catch {
+		return false;
+	}
+}
+
+function shouldClearLease(path: string, ttlMs: number): boolean {
+	try {
+		const raw = readFileSync(path, "utf8");
+		const parsed = JSON.parse(raw) as Partial<RpcSpawnLeaseRecord>;
+		const createdAt = Number(parsed.createdAt ?? 0);
+		if (!Number.isFinite(createdAt) || createdAt <= 0) {
+			return true;
+		}
+		if (Date.now() - createdAt > ttlMs) {
+			return true;
+		}
+		return !isProcessAlive(Number(parsed.pid ?? 0));
+	} catch {
+		return true;
+	}
+}
+
+export function tryAcquireRpcSpawnLease(
+	address: string,
+	options?: { ttlMs?: number },
+): RpcSpawnLease | undefined {
+	const ttlMs = Math.max(1_000, options?.ttlMs ?? DEFAULT_LEASE_TTL_MS);
+	const path = getLeasePath(address);
+	mkdirSync(dirname(path), { recursive: true });
+
+	if (existsSync(path) && shouldClearLease(path, ttlMs)) {
+		rmSync(path, { force: true });
+	}
+
+	let fd: number | undefined;
+	try {
+		fd = openSync(path, "wx");
+		const record: RpcSpawnLeaseRecord = {
+			address,
+			pid: process.pid,
+			createdAt: Date.now(),
+		};
+		writeFileSync(fd, JSON.stringify(record), "utf8");
+	} catch {
+		if (typeof fd === "number") {
+			try {
+				closeSync(fd);
+			} catch {
+				// Best effort.
+			}
+		}
+		return undefined;
+	}
+
+	let released = false;
+	return {
+		path,
+		release: () => {
+			if (released) {
+				return;
+			}
+			released = true;
+			try {
+				if (typeof fd === "number") {
+					closeSync(fd);
+				}
+			} catch {
+				// Best effort.
+			}
+			try {
+				rmSync(path, { force: true });
+			} catch {
+				// Best effort.
+			}
+		},
+	};
+}

package/src/session/runtime-oauth-token-manager.test.ts

@@ -0,0 +1,137 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+	OAuthReauthRequiredError,
+	RuntimeOAuthTokenManager,
+} from "./runtime-oauth-token-manager";
+
+const {
+	getValidOpenAICodexCredentials,
+	getValidClineCredentials,
+	getValidOcaCredentials,
+} = vi.hoisted(() => ({
+	getValidOpenAICodexCredentials: vi.fn(),
+	getValidClineCredentials: vi.fn(),
+	getValidOcaCredentials: vi.fn(),
+}));
+
+vi.mock("../auth/codex", () => ({
+	getValidOpenAICodexCredentials,
+}));
+
+vi.mock("../auth/cline", () => ({
+	getValidClineCredentials,
+}));
+
+vi.mock("../auth/oca", () => ({
+	getValidOcaCredentials,
+}));
+
+describe("RuntimeOAuthTokenManager", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	it("refreshes and persists OpenAI Codex OAuth credentials", async () => {
+		const getProviderSettings = vi.fn().mockReturnValue({
+			provider: "openai-codex",
+			auth: {
+				accessToken: "access-old",
+				refreshToken: "refresh-old",
+				expiresAt: Date.now() - 1_000,
+				accountId: "acct-old",
+			},
+		});
+		const saveProviderSettings = vi.fn();
+
+		getValidOpenAICodexCredentials.mockResolvedValueOnce({
+			access: "access-new",
+			refresh: "refresh-new",
+			expires: 4_000_000_000_000,
+			accountId: "acct-new",
+		});
+
+		const manager = new RuntimeOAuthTokenManager({
+			providerSettingsManager: {
+				getProviderSettings,
+				saveProviderSettings,
+			} as never,
+		});
+
+		const result = await manager.resolveProviderApiKey({
+			providerId: "openai-codex",
+		});
+
+		expect(result).toMatchObject({
+			providerId: "openai-codex",
+			apiKey: "access-new",
+			accountId: "acct-new",
+			refreshed: true,
+		});
+		expect(saveProviderSettings).toHaveBeenCalledWith(
+			expect.objectContaining({
+				auth: expect.objectContaining({
+					accessToken: "access-new",
+					refreshToken: "refresh-new",
+					accountId: "acct-new",
+					expiresAt: 4_000_000_000_000,
+				}),
+			}),
+			{ setLastUsed: false, tokenSource: "oauth" },
+		);
+	});
+
+	it("throws re-auth required when refresh returns null", async () => {
+		getValidOpenAICodexCredentials.mockResolvedValueOnce(null);
+		const manager = new RuntimeOAuthTokenManager({
+			providerSettingsManager: {
+				getProviderSettings: vi.fn().mockReturnValue({
+					provider: "openai-codex",
+					auth: {
+						accessToken: "access-old",
+						refreshToken: "refresh-old",
+						expiresAt: Date.now() - 1_000,
+					},
+				}),
+				saveProviderSettings: vi.fn(),
+			} as never,
+		});
+
+		await expect(
+			manager.resolveProviderApiKey({ providerId: "openai-codex" }),
+		).rejects.toBeInstanceOf(OAuthReauthRequiredError);
+	});
+
+	it("de-duplicates concurrent refresh calls per provider", async () => {
+		const refreshBarrier = Promise.resolve().then(() => ({
+			access: "access-new",
+			refresh: "refresh-new",
+			expires: Date.now() + 60_000,
+		}));
+		getValidOpenAICodexCredentials.mockImplementationOnce(
+			async () => refreshBarrier,
+		);
+
+		const manager = new RuntimeOAuthTokenManager({
+			providerSettingsManager: {
+				getProviderSettings: vi.fn().mockReturnValue({
+					provider: "openai-codex",
+					auth: {
+						accessToken: "access-old",
+						refreshToken: "refresh-old",
+						expiresAt: Date.now() - 1_000,
+					},
+				}),
+				saveProviderSettings: vi.fn(),
+			} as never,
+		});
+
+		const [first, second] = await Promise.all([
+			manager.resolveProviderApiKey({ providerId: "openai-codex" }),
+			manager.resolveProviderApiKey({ providerId: "openai-codex" }),
+		]);
+
+		expect(first?.apiKey).toBe("access-new");
+		expect(second?.apiKey).toBe("access-new");
+		expect(getValidOpenAICodexCredentials).toHaveBeenCalledTimes(1);
+	});
+});

package/src/session/runtime-oauth-token-manager.ts

@@ -0,0 +1,272 @@
+import type * as LlmsProviders from "@clinebot/llms/providers";
+import {
+	type ITelemetryService,
+	isOAuthProviderId,
+	type OAuthProviderId,
+} from "@clinebot/shared";
+import {
+	type ClineOAuthCredentials,
+	getValidClineCredentials,
+} from "../auth/cline";
+import { getValidOpenAICodexCredentials } from "../auth/codex";
+import { getValidOcaCredentials } from "../auth/oca";
+import { decodeJwtPayload } from "../auth/utils";
+import { ProviderSettingsManager } from "../storage/provider-settings-manager";
+
+const DEFAULT_CLINE_API_BASE_URL = "https://api.cline.bot";
+const WORKOS_TOKEN_PREFIX = "workos:";
+
+type ManagedOAuthProviderId = OAuthProviderId;
+
+function toStoredAccessToken(
+	providerId: ManagedOAuthProviderId,
+	accessToken: string,
+): string {
+	if (providerId === "cline") {
+		return `${WORKOS_TOKEN_PREFIX}${accessToken}`;
+	}
+	return accessToken;
+}
+
+function fromStoredAccessToken(
+	providerId: ManagedOAuthProviderId,
+	accessToken: string,
+): string {
+	if (
+		providerId === "cline" &&
+		accessToken.toLowerCase().startsWith(WORKOS_TOKEN_PREFIX)
+	) {
+		return accessToken.slice(WORKOS_TOKEN_PREFIX.length);
+	}
+	return accessToken;
+}
+
+function readExpiryFromToken(accessToken: string): number | null {
+	const payload = decodeJwtPayload(accessToken);
+	const exp = payload?.exp;
+	if (typeof exp === "number" && exp > 0) {
+		return exp * 1000;
+	}
+	return null;
+}
+
+function deriveCredentialExpiry(
+	settings: LlmsProviders.ProviderSettings,
+	normalizedAccessToken: string,
+): number {
+	const explicitExpiry = (
+		settings.auth as
+			| (LlmsProviders.ProviderSettings["auth"] & { expiresAt?: number })
+			| undefined
+	)?.expiresAt;
+	if (
+		typeof explicitExpiry === "number" &&
+		Number.isFinite(explicitExpiry) &&
+		explicitExpiry > 0
+	) {
+		return explicitExpiry;
+	}
+
+	const jwtExpiry = readExpiryFromToken(normalizedAccessToken);
+	if (jwtExpiry) {
+		return jwtExpiry;
+	}
+
+	// Unknown expiry should trigger refresh on next resolution.
+	return Date.now() - 1;
+}
+
+function toCredentials(
+	providerId: ManagedOAuthProviderId,
+	settings: LlmsProviders.ProviderSettings,
+): ClineOAuthCredentials | null {
+	const rawAccess = settings.auth?.accessToken?.trim();
+	const refreshToken = settings.auth?.refreshToken?.trim();
+	if (!rawAccess || !refreshToken) {
+		return null;
+	}
+	const access = fromStoredAccessToken(providerId, rawAccess);
+	if (!access) {
+		return null;
+	}
+
+	return {
+		access,
+		refresh: refreshToken,
+		expires: deriveCredentialExpiry(settings, access),
+		accountId: settings.auth?.accountId,
+	};
+}
+
+function authSettingsEqual(
+	a: LlmsProviders.ProviderSettings["auth"] | undefined,
+	b: LlmsProviders.ProviderSettings["auth"] | undefined,
+): boolean {
+	const aExpiry = (
+		a as
+			| (LlmsProviders.ProviderSettings["auth"] & { expiresAt?: number })
+			| undefined
+	)?.expiresAt;
+	const bExpiry = (
+		b as
+			| (LlmsProviders.ProviderSettings["auth"] & { expiresAt?: number })
+			| undefined
+	)?.expiresAt;
+	return (
+		a?.accessToken === b?.accessToken &&
+		a?.refreshToken === b?.refreshToken &&
+		a?.accountId === b?.accountId &&
+		aExpiry === bExpiry
+	);
+}
+
+export class OAuthReauthRequiredError extends Error {
+	public readonly providerId: ManagedOAuthProviderId;
+
+	constructor(providerId: ManagedOAuthProviderId) {
+		super(
+			`OAuth credentials for provider "${providerId}" are no longer valid. Re-run authentication for this provider.`,
+		);
+		this.name = "OAuthReauthRequiredError";
+		this.providerId = providerId;
+	}
+}
+
+export type RuntimeOAuthResolution = {
+	providerId: ManagedOAuthProviderId;
+	apiKey: string;
+	accountId?: string;
+	refreshed: boolean;
+};
+
+export class RuntimeOAuthTokenManager {
+	private readonly providerSettingsManager: ProviderSettingsManager;
+	private readonly telemetry?: ITelemetryService;
+	private readonly refreshInFlight = new Map<
+		ManagedOAuthProviderId,
+		Promise<RuntimeOAuthResolution | null>
+	>();
+
+	constructor(options?: {
+		providerSettingsManager?: ProviderSettingsManager;
+		telemetry?: ITelemetryService;
+	}) {
+		this.providerSettingsManager =
+			options?.providerSettingsManager ?? new ProviderSettingsManager();
+		this.telemetry = options?.telemetry;
+	}
+
+	public async resolveProviderApiKey(input: {
+		providerId: string;
+		forceRefresh?: boolean;
+	}): Promise<RuntimeOAuthResolution | null> {
+		if (!isOAuthProviderId(input.providerId)) {
+			return null;
+		}
+		return this.resolveWithSingleFlight(input.providerId, input.forceRefresh);
+	}
+
+	private async resolveWithSingleFlight(
+		providerId: ManagedOAuthProviderId,
+		forceRefresh = false,
+	): Promise<RuntimeOAuthResolution | null> {
+		const currentInFlight = this.refreshInFlight.get(providerId);
+		if (currentInFlight) {
+			return currentInFlight;
+		}
+		const pending = this.resolveProviderApiKeyInternal(providerId, forceRefresh)
+			.catch((error) => {
+				throw error;
+			})
+			.finally(() => {
+				this.refreshInFlight.delete(providerId);
+			});
+		this.refreshInFlight.set(providerId, pending);
+		return pending;
+	}
+
+	private async resolveProviderApiKeyInternal(
+		providerId: ManagedOAuthProviderId,
+		forceRefresh: boolean,
+	): Promise<RuntimeOAuthResolution | null> {
+		const settings =
+			this.providerSettingsManager.getProviderSettings(providerId);
+		if (!settings) {
+			return null;
+		}
+
+		const currentCredentials = toCredentials(providerId, settings);
+		if (!currentCredentials) {
+			return null;
+		}
+
+		const nextCredentials = await this.resolveCredentials(
+			providerId,
+			settings,
+			currentCredentials,
+			forceRefresh,
+		);
+		if (!nextCredentials) {
+			throw new OAuthReauthRequiredError(providerId);
+		}
+
+		const persistedAccessToken = toStoredAccessToken(
+			providerId,
+			nextCredentials.access,
+		);
+		const nextAuth = {
+			...(settings.auth ?? {}),
+			accessToken: persistedAccessToken,
+			refreshToken: nextCredentials.refresh,
+			accountId: nextCredentials.accountId,
+		} as LlmsProviders.ProviderSettings["auth"] & { expiresAt?: number };
+		nextAuth.expiresAt = nextCredentials.expires;
+		const nextSettings: LlmsProviders.ProviderSettings = {
+			...settings,
+			auth: nextAuth,
+		};
+		const wasRefreshed = !authSettingsEqual(settings.auth, nextSettings.auth);
+		if (wasRefreshed) {
+			this.providerSettingsManager.saveProviderSettings(nextSettings, {
+				setLastUsed: false,
+				tokenSource: "oauth",
+			});
+		}
+
+		return {
+			providerId,
+			apiKey: persistedAccessToken,
+			accountId: nextCredentials.accountId,
+			refreshed: wasRefreshed,
+		};
+	}
+
+	private async resolveCredentials(
+		providerId: ManagedOAuthProviderId,
+		settings: LlmsProviders.ProviderSettings,
+		currentCredentials: ClineOAuthCredentials,
+		forceRefresh: boolean,
+	): Promise<ClineOAuthCredentials | null> {
+		if (providerId === "cline") {
+			return getValidClineCredentials(
+				currentCredentials,
+				{
+					apiBaseUrl: settings.baseUrl?.trim() || DEFAULT_CLINE_API_BASE_URL,
+					telemetry: this.telemetry,
+				},
+				{ forceRefresh },
+			);
+		}
+		if (providerId === "oca") {
+			return getValidOcaCredentials(
+				currentCredentials,
+				{ forceRefresh, telemetry: this.telemetry },
+				{ mode: settings.oca?.mode, telemetry: this.telemetry },
+			);
+		}
+		return getValidOpenAICodexCredentials(currentCredentials, {
+			forceRefresh,
+			telemetry: this.telemetry,
+		});
+	}
+}