@compilr-dev/sdk 0.10.41 → 0.11.0

package/dist/entitlements/fetch.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Shared entitlements fetch — CLI and Desktop had byte-identical copies of this
+ * (only the token source differed). They now both pass a `getToken` thunk; the
+ * `string | null` return lets Desktop wire it straight to `ensureFreshToken`
+ * (`() => ensureFreshToken().then(r => r?.token ?? null)`), which also fixes
+ * "fetch entitlements with an expired JWT".
+ */
+import type { EntitlementResponse } from './types.js';
+/**
+ * GET the caller's entitlements from the backend.
+ *
+ * @param getToken - Resolves the bearer token (or null if unauthenticated).
+ * @param apiUrl - Base URL override. Defaults to `COMPILR_API_URL` then production.
+ * @throws if unauthenticated or the request fails (callers fall back to cache).
+ */
+export declare function fetchEntitlements(getToken: () => Promise<string | null>, apiUrl?: string): Promise<EntitlementResponse>;

package/dist/entitlements/fetch.js

@@ -0,0 +1,32 @@
+/**
+ * Shared entitlements fetch — CLI and Desktop had byte-identical copies of this
+ * (only the token source differed). They now both pass a `getToken` thunk; the
+ * `string | null` return lets Desktop wire it straight to `ensureFreshToken`
+ * (`() => ensureFreshToken().then(r => r?.token ?? null)`), which also fixes
+ * "fetch entitlements with an expired JWT".
+ */
+const DEFAULT_API_BASE_URL = 'https://compilr.dev/.netlify/functions';
+/**
+ * GET the caller's entitlements from the backend.
+ *
+ * @param getToken - Resolves the bearer token (or null if unauthenticated).
+ * @param apiUrl - Base URL override. Defaults to `COMPILR_API_URL` then production.
+ * @throws if unauthenticated or the request fails (callers fall back to cache).
+ */
+export async function fetchEntitlements(getToken, apiUrl) {
+    const token = await getToken();
+    if (!token)
+        throw new Error('Not authenticated');
+    const base = apiUrl ?? process.env['COMPILR_API_URL'] ?? DEFAULT_API_BASE_URL;
+    const resp = await fetch(`${base}/cli-entitlements`, {
+        method: 'GET',
+        headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        },
+    });
+    if (!resp.ok) {
+        throw new Error(`Entitlements fetch failed: ${String(resp.status)}`);
+    }
+    return (await resp.json());
+}

package/dist/entitlements/index.d.ts

@@ -6,3 +6,4 @@ export { UNLIMITED, OFFLINE_FALLBACK_LIMITS } from './types.js';
 export type { IEntitlementStore, EntitlementCacheConfig } from './cache.js';
 export { EntitlementCache } from './cache.js';
 export { DailyCounter, formatLimitMessage, formatTimeUntilReset, formatUpgradeHint, } from './gating.js';
+export { fetchEntitlements } from './fetch.js';

package/dist/entitlements/index.js

@@ -4,3 +4,4 @@
 export { UNLIMITED, OFFLINE_FALLBACK_LIMITS } from './types.js';
 export { EntitlementCache } from './cache.js';
 export { DailyCounter, formatLimitMessage, formatTimeUntilReset, formatUpgradeHint, } from './gating.js';
+export { fetchEntitlements } from './fetch.js';

package/dist/host/auth-api.d.ts

@@ -0,0 +1,49 @@
+/**
+ * HTTP client for the compilr.dev CLI auth backend (Netlify Functions).
+ *
+ * Moved from the CLI's `src/auth/api-client.ts` so CLI and Desktop share one
+ * implementation (Desktop previously re-implemented these calls inline). All
+ * endpoints accept an optional `AuthEndpoints` override; by default they use
+ * `COMPILR_API_URL` / `COMPILR_WEB_URL` (falling back to production).
+ *
+ * Pure network module — no fs, no electron. Uses global `fetch` (Node ≥ 20).
+ */
+import type { RefreshTokenResponse, ProfileData, HeartbeatData, DeviceCodeResponse, DeviceTokenResponse, DeviceTokenError, AuthEndpoints } from './auth-types.js';
+/**
+ * Refresh an access token using a refresh token. The server-side function
+ * handles Supabase internally.
+ */
+export declare function refreshToken(refreshTokenValue: string, endpoints?: AuthEndpoints): Promise<RefreshTokenResponse>;
+/** Send a session heartbeat (telemetry). */
+export declare function sendHeartbeat(accessToken: string, data: HeartbeatData, endpoints?: AuthEndpoints): Promise<{
+    success: boolean;
+    telemetry_enabled?: boolean;
+    error?: string;
+}>;
+/** Fetch the user's profile. */
+export declare function getProfile(accessToken: string, endpoints?: AuthEndpoints): Promise<{
+    success: boolean;
+    profile?: ProfileData;
+    error?: string;
+}>;
+/** Update profile settings. */
+export declare function updateProfile(accessToken: string, updates: Partial<Pick<ProfileData, 'telemetry_enabled' | 'default_provider' | 'default_model' | 'default_tier' | 'theme'>>, endpoints?: AuthEndpoints): Promise<{
+    success: boolean;
+    profile?: ProfileData;
+    error?: string;
+}>;
+/** Request a device code to start the browser-based auth flow. */
+export declare function requestDeviceCode(endpoints?: AuthEndpoints): Promise<{
+    success: boolean;
+    data?: DeviceCodeResponse;
+    error?: string;
+}>;
+/** Poll for the device token after the user authorizes in the browser. */
+export declare function pollDeviceToken(deviceCode: string, endpoints?: AuthEndpoints): Promise<{
+    success: boolean;
+    data?: DeviceTokenResponse;
+    error?: DeviceTokenError;
+    networkError?: string;
+}>;
+/** Build the device-flow authorization URL (optionally pre-filling the code). */
+export declare function getAuthorizationUrl(userCode?: string, endpoints?: AuthEndpoints): string;

package/dist/host/auth-api.js

@@ -0,0 +1,201 @@
+/**
+ * HTTP client for the compilr.dev CLI auth backend (Netlify Functions).
+ *
+ * Moved from the CLI's `src/auth/api-client.ts` so CLI and Desktop share one
+ * implementation (Desktop previously re-implemented these calls inline). All
+ * endpoints accept an optional `AuthEndpoints` override; by default they use
+ * `COMPILR_API_URL` / `COMPILR_WEB_URL` (falling back to production).
+ *
+ * Pure network module — no fs, no electron. Uses global `fetch` (Node ≥ 20).
+ */
+import * as os from 'os';
+const DEFAULT_API_BASE_URL = 'https://compilr.dev/.netlify/functions';
+const DEFAULT_WEB_BASE_URL = 'https://compilr.dev';
+function apiBase(endpoints) {
+    return endpoints?.baseUrl ?? process.env.COMPILR_API_URL ?? DEFAULT_API_BASE_URL;
+}
+function webBase(endpoints) {
+    return endpoints?.webUrl ?? process.env.COMPILR_WEB_URL ?? DEFAULT_WEB_BASE_URL;
+}
+// =============================================================================
+// Token Refresh
+// =============================================================================
+/**
+ * Refresh an access token using a refresh token. The server-side function
+ * handles Supabase internally.
+ */
+export async function refreshToken(refreshTokenValue, endpoints) {
+    try {
+        const response = await fetch(`${apiBase(endpoints)}/cli-refresh-token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ refresh_token: refreshTokenValue }),
+        });
+        const contentType = response.headers.get('content-type') ?? '';
+        if (!contentType.includes('application/json')) {
+            return {
+                success: false,
+                error: `Server returned non-JSON response (${String(response.status)})`,
+            };
+        }
+        const result = (await response.json());
+        if (!response.ok) {
+            return { success: false, error: result.error ?? `HTTP ${String(response.status)}` };
+        }
+        return {
+            success: true,
+            access_token: result.access_token,
+            refresh_token: result.refresh_token,
+            expires_in: result.expires_in,
+            user: result.user,
+        };
+    }
+    catch (error) {
+        return { success: false, error: error instanceof Error ? error.message : 'Network error' };
+    }
+}
+// =============================================================================
+// Profile + Heartbeat
+// =============================================================================
+/** Send a session heartbeat (telemetry). */
+export async function sendHeartbeat(accessToken, data, endpoints) {
+    try {
+        const response = await fetch(`${apiBase(endpoints)}/cli-heartbeat`, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify(data),
+        });
+        const contentType = response.headers.get('content-type') ?? '';
+        if (!contentType.includes('application/json')) {
+            return {
+                success: false,
+                error: `Server returned non-JSON response (${String(response.status)})`,
+            };
+        }
+        const result = (await response.json());
+        if (!response.ok) {
+            return { success: false, error: result.error ?? `HTTP ${String(response.status)}` };
+        }
+        return { success: result.success ?? true, telemetry_enabled: result.telemetry_enabled };
+    }
+    catch (error) {
+        return { success: false, error: error instanceof Error ? error.message : 'Network error' };
+    }
+}
+/** Fetch the user's profile. */
+export async function getProfile(accessToken, endpoints) {
+    try {
+        const response = await fetch(`${apiBase(endpoints)}/cli-profile`, {
+            method: 'GET',
+            headers: { Authorization: `Bearer ${accessToken}` },
+        });
+        const contentType = response.headers.get('content-type') ?? '';
+        if (!contentType.includes('application/json')) {
+            return {
+                success: false,
+                error: `Server returned non-JSON response (${String(response.status)})`,
+            };
+        }
+        const result = (await response.json());
+        if (!response.ok) {
+            return { success: false, error: result.error ?? `HTTP ${String(response.status)}` };
+        }
+        return { success: true, profile: result };
+    }
+    catch (error) {
+        return { success: false, error: error instanceof Error ? error.message : 'Network error' };
+    }
+}
+/** Update profile settings. */
+export async function updateProfile(accessToken, updates, endpoints) {
+    try {
+        const response = await fetch(`${apiBase(endpoints)}/cli-profile`, {
+            method: 'PATCH',
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify(updates),
+        });
+        const contentType = response.headers.get('content-type') ?? '';
+        if (!contentType.includes('application/json')) {
+            return {
+                success: false,
+                error: `Server returned non-JSON response (${String(response.status)})`,
+            };
+        }
+        const result = (await response.json());
+        if (!response.ok) {
+            return { success: false, error: result.error ?? `HTTP ${String(response.status)}` };
+        }
+        return { success: result.success ?? true, profile: result.profile };
+    }
+    catch (error) {
+        return { success: false, error: error instanceof Error ? error.message : 'Network error' };
+    }
+}
+// =============================================================================
+// Device Flow
+// =============================================================================
+/** Request a device code to start the browser-based auth flow. */
+export async function requestDeviceCode(endpoints) {
+    try {
+        const url = `${apiBase(endpoints)}/cli-device-code`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+        });
+        const contentType = response.headers.get('content-type') ?? '';
+        if (!contentType.includes('application/json')) {
+            return {
+                success: false,
+                error: `Non-JSON response (${String(response.status)}) from: ${url}`,
+            };
+        }
+        if (!response.ok) {
+            const result = (await response.json());
+            return { success: false, error: result.error ?? `HTTP ${String(response.status)}` };
+        }
+        const data = (await response.json());
+        return { success: true, data };
+    }
+    catch (error) {
+        return { success: false, error: error instanceof Error ? error.message : 'Network error' };
+    }
+}
+/** Poll for the device token after the user authorizes in the browser. */
+export async function pollDeviceToken(deviceCode, endpoints) {
+    try {
+        const response = await fetch(`${apiBase(endpoints)}/cli-device-token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ device_code: deviceCode, hostname: os.hostname() }),
+        });
+        const contentType = response.headers.get('content-type') ?? '';
+        if (!contentType.includes('application/json')) {
+            return {
+                success: false,
+                networkError: `Server returned non-JSON response (${String(response.status)})`,
+            };
+        }
+        const result = (await response.json());
+        if (!response.ok) {
+            return { success: false, error: result };
+        }
+        return { success: true, data: result };
+    }
+    catch (error) {
+        return {
+            success: false,
+            networkError: error instanceof Error ? error.message : 'Network error',
+        };
+    }
+}
+/** Build the device-flow authorization URL (optionally pre-filling the code). */
+export function getAuthorizationUrl(userCode, endpoints) {
+    const url = `${webBase(endpoints)}/cli/authorize`;
+    return userCode ? `${url}?code=${userCode}` : url;
+}

package/dist/host/auth-store.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Persistent storage for auth credentials (`~/.compilr-dev/auth.json`).
+ *
+ * Moved from the CLI's `src/auth/storage.ts` so CLI and Desktop read/write the
+ * shared file identically (Desktop previously parsed auth.json inline in several
+ * places). The on-disk shape is unchanged.
+ *
+ * Security: the file is written 0600 (owner read/write only).
+ *
+ * All functions accept an optional `dir` (the `.compilr-dev` directory) for
+ * tests and for hosts whose home path differs from `os.homedir()`. It defaults
+ * to `~/.compilr-dev`.
+ */
+import type { AuthData, AuthSession } from './auth-types.js';
+/**
+ * Load auth data from disk. Returns null if the file is missing, unparseable,
+ * or missing required fields.
+ */
+export declare function loadAuthData(dir?: string): AuthData | null;
+/** Save auth data to disk with restrictive (0600) permissions. */
+export declare function saveAuthData(data: AuthData, dir?: string): void;
+/** Remove stored credentials (logout). */
+export declare function clearAuthData(dir?: string): void;
+/**
+ * Replace just the session tokens (after a refresh), preserving the rest of the
+ * file. Returns false if there's no existing auth data.
+ */
+export declare function updateSession(session: AuthSession, dir?: string): boolean;
+/** Quick existence check without loading/parsing. */
+export declare function hasAuthData(dir?: string): boolean;
+/**
+ * Returns a warning string if the auth file has group/other-accessible
+ * permissions, or null if it's secure / absent.
+ */
+export declare function checkAuthFilePermissions(dir?: string): string | null;
+export { loadAuthData as readAuthFile, saveAuthData as writeAuthFile };

package/dist/host/auth-store.js

@@ -0,0 +1,105 @@
+/**
+ * Persistent storage for auth credentials (`~/.compilr-dev/auth.json`).
+ *
+ * Moved from the CLI's `src/auth/storage.ts` so CLI and Desktop read/write the
+ * shared file identically (Desktop previously parsed auth.json inline in several
+ * places). The on-disk shape is unchanged.
+ *
+ * Security: the file is written 0600 (owner read/write only).
+ *
+ * All functions accept an optional `dir` (the `.compilr-dev` directory) for
+ * tests and for hosts whose home path differs from `os.homedir()`. It defaults
+ * to `~/.compilr-dev`.
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+function configDir(dir) {
+    return dir ?? path.join(os.homedir(), '.compilr-dev');
+}
+function authFile(dir) {
+    return path.join(configDir(dir), 'auth.json');
+}
+/**
+ * Load auth data from disk. Returns null if the file is missing, unparseable,
+ * or missing required fields.
+ */
+export function loadAuthData(dir) {
+    try {
+        const file = authFile(dir);
+        if (!fs.existsSync(file))
+            return null;
+        const parsed = JSON.parse(fs.readFileSync(file, 'utf-8'));
+        if (typeof parsed.version !== 'number' ||
+            typeof parsed.user !== 'object' ||
+            !parsed.user ||
+            typeof parsed.session !== 'object' ||
+            !parsed.session) {
+            return null;
+        }
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/** Save auth data to disk with restrictive (0600) permissions. */
+export function saveAuthData(data, dir) {
+    fs.mkdirSync(configDir(dir), { recursive: true });
+    const file = authFile(dir);
+    fs.writeFileSync(file, JSON.stringify(data, null, 2), { encoding: 'utf-8', mode: 0o600 });
+    try {
+        fs.chmodSync(file, 0o600);
+    }
+    catch {
+        // chmod may be unsupported (e.g. Windows) — ignore.
+    }
+}
+/** Remove stored credentials (logout). */
+export function clearAuthData(dir) {
+    try {
+        const file = authFile(dir);
+        if (fs.existsSync(file))
+            fs.unlinkSync(file);
+    }
+    catch {
+        // ignore
+    }
+}
+/**
+ * Replace just the session tokens (after a refresh), preserving the rest of the
+ * file. Returns false if there's no existing auth data.
+ */
+export function updateSession(session, dir) {
+    const data = loadAuthData(dir);
+    if (!data)
+        return false;
+    data.session = session;
+    saveAuthData(data, dir);
+    return true;
+}
+/** Quick existence check without loading/parsing. */
+export function hasAuthData(dir) {
+    return fs.existsSync(authFile(dir));
+}
+/**
+ * Returns a warning string if the auth file has group/other-accessible
+ * permissions, or null if it's secure / absent.
+ */
+export function checkAuthFilePermissions(dir) {
+    try {
+        const file = authFile(dir);
+        if (!fs.existsSync(file))
+            return null;
+        const mode = fs.statSync(file).mode & 0o777;
+        if (mode & 0o077) {
+            return `Warning: Auth file has insecure permissions (${mode.toString(8)}). Consider running: chmod 600 ${file}`;
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+// Spec §5.2 names — aliases of the canonical load/save.
+export { loadAuthData as readAuthFile, saveAuthData as writeAuthFile };

package/dist/host/auth-types.d.ts

@@ -0,0 +1,105 @@
+/**
+ * Shared auth types for the host integration layer.
+ *
+ * Covers both the on-disk credential shape (`~/.compilr-dev/auth.json`) and the
+ * response shapes of the compilr.dev CLI backend (Netlify Functions). CLI and
+ * Desktop both speak this protocol; these types are the single source of truth
+ * (Desktop previously re-declared them inline with `as` casts).
+ *
+ * USER authentication only — users still bring their own LLM API keys.
+ */
+export type AccountType = 'free' | 'pro' | 'team' | 'enterprise';
+export interface AuthUser {
+    id: string;
+    email: string;
+    createdAt: string;
+}
+export interface AuthSession {
+    accessToken: string;
+    refreshToken: string;
+    /** ISO timestamp of JWT expiry. */
+    expiresAt: string;
+    /** Long-lived API token (tok_xxx). When present it's preferred over the JWT. */
+    apiToken?: string;
+}
+export interface AuthData {
+    version: number;
+    user: AuthUser;
+    session: AuthSession;
+}
+export interface RefreshTokenResponse {
+    success: boolean;
+    access_token?: string;
+    refresh_token?: string;
+    expires_in?: number;
+    user?: {
+        id: string;
+        email: string;
+    };
+    error?: string;
+}
+export interface ProfileData {
+    user_id: string;
+    email: string;
+    account_type: AccountType;
+    telemetry_enabled: boolean;
+    default_provider: string;
+    default_model: string;
+    default_tier: string;
+    theme: string;
+    total_sessions: number;
+    total_messages: number;
+    first_session_at: string | null;
+    last_session_at: string | null;
+    created_at: string;
+}
+export interface HeartbeatData {
+    session_id: string;
+    cli_version: string;
+    os: string;
+    node_version: string;
+    project_id?: number;
+    total_messages?: number;
+    total_tokens_in?: number;
+    total_tokens_out?: number;
+    commands_used?: Record<string, number>;
+    agents_used?: string[];
+    tools_used?: string[];
+    llm_provider?: string;
+    llm_model?: string;
+}
+export interface DeviceCodeResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+export interface DeviceTokenResponse {
+    access_token: string;
+    refresh_token: string;
+    token_type: string;
+    expires_in: number;
+    /** Long-lived CLI token (tok_xxx) — persistent auth. */
+    api_token?: string;
+    user: {
+        id: string;
+        email: string;
+    };
+}
+export interface DeviceTokenError {
+    error: 'authorization_pending' | 'slow_down' | 'expired_token' | 'access_denied' | 'invalid_grant' | 'server_error';
+    error_description: string;
+}
+/**
+ * Optional endpoint overrides. Both default to the production URLs (or the
+ * `COMPILR_API_URL` / `COMPILR_WEB_URL` env vars). Pass explicit values in tests
+ * or to target a branch preview.
+ */
+export interface AuthEndpoints {
+    /** Base URL for Netlify Functions, e.g. https://compilr.dev/.netlify/functions */
+    baseUrl?: string;
+    /** Web base URL for the device-flow authorization page, e.g. https://compilr.dev */
+    webUrl?: string;
+}

package/dist/host/auth-types.js

@@ -0,0 +1,11 @@
+/**
+ * Shared auth types for the host integration layer.
+ *
+ * Covers both the on-disk credential shape (`~/.compilr-dev/auth.json`) and the
+ * response shapes of the compilr.dev CLI backend (Netlify Functions). CLI and
+ * Desktop both speak this protocol; these types are the single source of truth
+ * (Desktop previously re-declared them inline with `as` casts).
+ *
+ * USER authentication only — users still bring their own LLM API keys.
+ */
+export {};

package/dist/host/device-flow.d.ts

@@ -0,0 +1,44 @@
+/**
+ * runDeviceFlow — browser-based (OAuth device flow) login state machine.
+ *
+ * Ported from the CLI's AuthManager.loginWithDeviceFlow so CLI and Desktop share
+ * one implementation. Desktop previously drove the poll loop from the renderer
+ * one fetch at a time and therefore lacked the `slow_down` backoff this owns.
+ *
+ * On success the tokens are persisted to `~/.compilr-dev/auth.json`. Fetching the
+ * user profile (account type, etc.) is left to the host — call `getProfile`
+ * afterward if needed.
+ */
+import type { AuthEndpoints } from './auth-types.js';
+export type DeviceFlowStatus = 'polling' | 'authorized' | 'expired' | 'denied';
+export interface DeviceFlowCallbacks {
+    /** Called once the user code + authorization URL are ready (show / open it). */
+    onCodeReady(userCode: string, url: string): void;
+    /** Optional progress updates as polling proceeds. */
+    onStatusUpdate?(status: DeviceFlowStatus): void;
+}
+export interface LoginResult {
+    success: boolean;
+    user?: {
+        id: string;
+        email: string;
+    };
+    error?: string;
+}
+export interface RunDeviceFlowOptions {
+    /** Override the `.compilr-dev` directory (tests / non-standard homes). */
+    dir?: string;
+    /** Override backend endpoints (tests / branch previews). */
+    endpoints?: AuthEndpoints;
+}
+/**
+ * Next poll interval after a `slow_down` response: +5s, capped at 30s.
+ * Exported for unit testing the backoff that Desktop was missing.
+ */
+export declare function nextPollInterval(currentMs: number): number;
+/**
+ * Run the full device-flow login: request a code, surface it via `onCodeReady`,
+ * then poll until authorized, denied, expired, or aborted. Persists tokens on
+ * success.
+ */
+export declare function runDeviceFlow(callbacks: DeviceFlowCallbacks, signal?: AbortSignal, opts?: RunDeviceFlowOptions): Promise<LoginResult>;