@cybedefend/vibedefend 1.1.1

package/LICENSE

@@ -0,0 +1,77 @@
+Business Source License 1.1
+
+Licensor: CybeDefend
+Licensed Work: @cybedefend/vibedefend
+Additional Use Grant: Production use is permitted except to offer a service that competes with CybeDefend.
+Change Date: 2030-05-25
+Change License: Apache-2.0
+
+License text copyright (c) 2024 MariaDB plc, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB plc.
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited production
+use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under the
+terms of the Change License, and the rights granted in the paragraph above
+terminate.
+
+If your use of the Licensed Work does not comply with the requirements currently
+in effect as described in this License, you must purchase a commercial license
+from the Licensor, its affiliated entities, or authorized resellers, or you must
+refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works of
+the Licensed Work, are subject to this License. This License applies separately
+for each version of the Licensed Work and the Change Date may vary for each
+version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or modified
+form from a third party, the terms and conditions set forth in this License
+apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other versions
+of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of Licensor
+or its affiliates (provided that you may use a trademark or logo of Licensor as
+expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN
+"AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS
+OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.
+
+MariaDB hereby grants you permission to use this License's text to license your
+works, and to refer to it using the trademark "Business Source License", as
+long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License's text and the "Business
+Source License" name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+To specify as the Change License the GPL Version 2.0 or any later version, or a
+license that is compatible with GPL Version 2.0 or a later version, where
+"compatible" means that software provided under the Change License can be
+included in a program with software provided under GPL Version 2.0 or a later
+version. Licensor may specify additional Change Licenses without limitation.
+
+To either: (a) specify an additional grant of rights to use that does not impose
+any additional restriction on the right granted in this License, as the
+Additional Use Grant; or (b) insert the text "None".
+
+Notice
+
+The Business Source License (this document, or the "License") is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.

package/README.md

@@ -0,0 +1,120 @@
+# `@cybedefend/vibedefend`
+
+[![npm version](https://img.shields.io/npm/v/@cybedefend/vibedefend.svg)](https://www.npmjs.com/package/@cybedefend/vibedefend)
+[![node](https://img.shields.io/badge/node-%3E%3D18.17-brightgreen.svg)](https://nodejs.org)
+[![license](https://img.shields.io/badge/license-BUSL--1.1-yellow.svg)](./LICENSE)
+
+> **VibeDefend** — one-shot installer that connects your AI coding agent
+> to CybeDefend. Each time the agent edits code, the right business and
+> security rules for the change land in its context. Each time you commit
+> work, a quick gap analysis catches the rules you never wrote down.
+
+## Install
+
+```bash
+npx -y @cybedefend/vibedefend@latest install
+```
+
+Works on **macOS, Linux, and Windows** (PowerShell, cmd, bash, zsh, fish,
+Git Bash — pick any). Requires **Node 18.17 or later** — most users already
+have it because Claude Code / Cursor / Codex ship with a bundled Node.
+
+The installer is fully interactive: pick a region, pick which agents to
+wire (auto-detected), confirm. That's it.
+
+Prefer a global install?
+
+```bash
+npm  install -g @cybedefend/vibedefend && vibedefend install
+# or pnpm / yarn — same package
+```
+
+## Supported agents
+
+VibeDefend auto-detects and wires whichever of these you have installed.
+
+| Capability | Claude Code | Cursor | OpenAI Codex | Windsurf | VS Code Copilot |
+|---|:---:|:---:|:---:|:---:|:---:|
+| **MCP server install** | ✅ | ✅ | ✅ | ✅ | ✅ |
+| **Business + Security Rules** *(injected pre-edit)* | ✅ | ✅ | ✅ | ⚠️ writes only | ✅ |
+| **Action Guards** *(hard block on deny)* | ✅ all tools | ✅ all tools | ✅ all tools | ⚠️ writes + MCP fallback¹ | ❌ not yet wired |
+| **Session Start** *(loads doctrine + proposals inbox)* | ✅ | ✅ | ✅ | ⚠️ proxied² | ✅ |
+| **Session Review** *(end-of-session gap analysis)* | ✅ | ✅ | ✅ | ✅ | ✅ |
+| **PreCompact** *(long-session gap analysis)* | ✅ | ✅ | ❌ no event | ❌ no event | ✅ |
+| **Doctrine backstop** *(per-prompt reminder)* | ✅ | ❌ | ✱ via MCP³ | ❌ | ❌ |
+| **Min version** | latest | ≥ 1.7 | latest | latest | ≥ 1.110 |
+
+**Legend** — ✅ supported · ⚠️ supported with caveats · ❌ not exposed by the agent · ✱ alternate mechanism
+
+¹ Windsurf's `pre_write_code` hook hard-blocks on file writes only. For non-write tool calls (Read / Bash / WebFetch) the installer drops a snippet into `.windsurfrules` instructing the agent to call `cybe_guards_check` via MCP before sensitive actions — soft enforcement that relies on the model following its rules file.
+
+² Windsurf has no native SessionStart event. We wire `pre_user_prompt`, which fires on every turn. The hook is idempotent and cheap (one GET to the proposals endpoint, returns "0 pending" once the inbox is empty), so the per-turn cost is negligible.
+
+³ Codex follows the doctrine via the MCP server's `Server.instructions` field on each session, removing the need for a per-prompt reminder hook.
+
+**Codex setup gotcha:** Codex 0.131+ requires you to approve each hook via the `/hooks` panel inside Codex *before* they fire. After running `vibedefend install`, open Codex, run `/hooks`, and trust the `cybedefend` entries — until you do that the panel will show `Installed N / Active 0`.
+
+Unchecked agents stay untouched. Re-run `vibedefend install` later to
+toggle any on or off.
+
+## Commands
+
+```
+vibedefend install            Set up MCP + hooks (interactive)
+vibedefend update             Refresh hooks to the latest version
+vibedefend update --self      Upgrade the CLI itself
+vibedefend status             Read-only install report
+vibedefend doctor             Diagnose and repair common issues
+vibedefend login              (Re-)authenticate against the CybeDefend API
+vibedefend uninstall          Remove every VibeDefend-installed file
+vibedefend --help             Full help
+```
+
+After install you have one tiny file to drop in each repo you want
+monitored — a `.cybedefend/config.json` with your project UUID:
+
+```json
+{ "projectId": "<your-cybedefend-project-uuid>" }
+```
+
+You can grab the UUID from the project page on the EU dashboard
+([eu.cybedefend.com](https://eu.cybedefend.com)) or the US dashboard
+([us.cybedefend.com](https://us.cybedefend.com)).
+
+## Updating
+
+Every time you run `vibedefend …`, a non-blocking check runs against npm
+in the background. When a newer version is available you get a one-line
+notice; run `vibedefend update --self` whenever you feel like it. Already-
+installed hooks pull rule changes live, so most updates are silent.
+
+## Uninstalling
+
+```bash
+vibedefend uninstall
+# Then drop the global package if you installed it:
+npm uninstall -g @cybedefend/vibedefend
+```
+
+## Sibling: `cybedefend-cli`
+
+[`cybedefend-cli`](https://github.com/CybeDefend/cybedefend-cli) is the
+platform CLI (scan, list vulnerabilities, manage projects from your
+terminal or CI). VibeDefend handles the AI-agent integration side; the
+two are complementary and unaware of each other.
+
+## Documentation
+
+Full documentation, configuration reference, and troubleshooting at
+**[docs.cybedefend.com](https://docs.cybedefend.com)**.
+
+## Support
+
+- Bug reports / feature requests:
+  [support@cybedefend.com](mailto:support@cybedefend.com)
+- Email: [support@cybedefend.com](mailto:support@cybedefend.com)
+- Status: [status.cybedefend.com](https://status.cybedefend.com)
+
+## License
+
+BUSL-1.1 — see [LICENSE](./LICENSE). Copyright 2026 CybeDefend. Converts to Apache-2.0 on 2030-05-25.

package/bin/vibedefend.js

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+// Thin shim — calls the compiled dist or runs from src in dev. Published
+// builds ship `dist/index.js`; local `pnpm dev` uses tsx via the package's
+// `dev` script.
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+import { existsSync } from 'node:fs';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const distEntry = join(here, '..', 'dist', 'index.js');
+
+if (existsSync(distEntry)) {
+  await import(distEntry);
+} else {
+  console.error(
+    'vibedefend: dist/ not found. Run `pnpm run build` first, or use `pnpm dev` for source-mode.',
+  );
+  process.exit(1);
+}

package/dist/auth/auth-store.js

@@ -0,0 +1,170 @@
+/**
+ * Persistent storage for the OAuth token bundle.
+ *
+ * Storage strategy (most secure first):
+ *   macOS   → macOS Keychain via `security` CLI (no install required).
+ *   Linux   → ~/.cybedefend/auth.json with mode 0600.
+ *   Windows → ~/.cybedefend/auth.json with mode 0600 (best-effort; NTFS ACLs
+ *             are not set by Node's writeFileSync, but it is an improvement
+ *             over environment variables for interactive use).
+ *
+ * The entire StoredAuth object is JSON-serialised and stored as the keychain
+ * password blob, so all PKCE / OIDC state travels with it. On macOS the OS
+ * provides the encryption; on Linux the file permissions are the only control.
+ *
+ * Service name: "Codex MCP Credentials" — intentionally the same service that
+ * `resolveTokenCodexMacOS` reads in resolve.ts, so a Codex-style lookup
+ * (account = "<mcpName>|vibedefend") also picks up the new bundle and the
+ * existing `resolveToken` path still works without modification during
+ * the migration period.
+ */
+import { execFileSync } from 'node:child_process';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync, } from 'node:fs';
+// ─── Constants ───────────────────────────────────────────────────────────────
+const KEYCHAIN_SERVICE = 'Codex MCP Credentials';
+/** Account shape: "<mcpName>|vibedefend" — matches resolveTokenCodexMacOS. */
+function accountFor(mcpName) {
+    return `${mcpName}|vibedefend`;
+}
+// ─── Public API ───────────────────────────────────────────────────────────────
+/** Persist an auth bundle for the given MCP name. */
+export function storeAuth(mcpName, auth) {
+    const blob = JSON.stringify(auth);
+    if (process.platform === 'darwin') {
+        storeMacOSKeychain(mcpName, blob);
+    }
+    else {
+        storeFileFallback(blob);
+    }
+}
+/**
+ * Load the stored auth bundle for the given MCP name.
+ * Returns null if nothing is stored or the blob is invalid.
+ */
+export function loadAuth(mcpName) {
+    let blob = null;
+    if (process.platform === 'darwin') {
+        blob = readMacOSKeychain(mcpName);
+    }
+    // File fallback — also checked on Linux/Windows and as fallback on macOS
+    // when the keychain entry is absent.
+    if (!blob)
+        blob = readFileFallback();
+    if (!blob)
+        return null;
+    try {
+        const parsed = JSON.parse(blob);
+        // refreshToken is OPTIONAL: Logto only emits one when the client app has
+        // the Refresh Token grant explicitly enabled AND the user requested
+        // offline_access. If absent, we can still operate — the user just has to
+        // `vibedefend login` again when access_token expires (no transparent refresh).
+        if (typeof parsed.accessToken === 'string' &&
+            typeof parsed.expiresAt === 'number' &&
+            typeof parsed.logtoEndpoint === 'string' &&
+            typeof parsed.cliAppId === 'string' &&
+            typeof parsed.logtoResource === 'string') {
+            return parsed;
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+/** Remove stored credentials for the given MCP name. */
+export function clearAuth(mcpName) {
+    if (process.platform === 'darwin') {
+        try {
+            execFileSync('security', [
+                'delete-generic-password',
+                '-s', KEYCHAIN_SERVICE,
+                '-a', accountFor(mcpName),
+            ], { stdio: 'ignore' });
+        }
+        catch {
+            // Not found — that is fine.
+        }
+    }
+    // Also clear the file fallback (it may hold an older copy on non-macOS).
+    const filePath = fileFallbackPath();
+    if (existsSync(filePath)) {
+        try {
+            writeFileSync(filePath, '', { mode: 0o600 });
+        }
+        catch {
+            // Best-effort.
+        }
+    }
+}
+// ─── macOS Keychain helpers ───────────────────────────────────────────────────
+function storeMacOSKeychain(mcpName, blob) {
+    // Delete any existing entry first — `add-generic-password` fails if the
+    // account already exists.
+    try {
+        execFileSync('security', [
+            'delete-generic-password',
+            '-s', KEYCHAIN_SERVICE,
+            '-a', accountFor(mcpName),
+        ], { stdio: 'ignore' });
+    }
+    catch {
+        // Not found — that is fine.
+    }
+    execFileSync('security', [
+        'add-generic-password',
+        '-s', KEYCHAIN_SERVICE,
+        '-a', accountFor(mcpName),
+        '-w', blob,
+    ], { stdio: 'ignore' });
+}
+function readMacOSKeychain(mcpName) {
+    try {
+        const out = execFileSync('security', [
+            'find-generic-password',
+            '-s', KEYCHAIN_SERVICE,
+            '-a', accountFor(mcpName),
+            '-w',
+        ], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+            timeout: 3000,
+        });
+        return out.trim() || null;
+    }
+    catch {
+        return null;
+    }
+}
+// ─── File fallback (Linux / Windows) ─────────────────────────────────────────
+function fileFallbackPath() {
+    return join(homedir(), '.cybedefend', 'auth.json');
+}
+function storeFileFallback(blob) {
+    const dir = join(homedir(), '.cybedefend');
+    mkdirSync(dir, { recursive: true });
+    const p = fileFallbackPath();
+    writeFileSync(p, blob, { mode: 0o600 });
+    try {
+        // Belt-and-suspenders: explicitly chmod after write (some umask configs
+        // ignore the mode option on writeFileSync).
+        chmodSync(p, 0o600);
+    }
+    catch {
+        // Non-fatal on Windows (no POSIX perms).
+    }
+}
+function readFileFallback() {
+    const p = fileFallbackPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        const content = readFileSync(p, 'utf8');
+        return content || null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=auth-store.js.map

package/dist/auth/auth-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.js","sourceRoot":"","sources":["../../src/auth/auth-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EACL,UAAU,EACV,YAAY,EACZ,aAAa,EACb,SAAS,EACT,SAAS,GACV,MAAM,SAAS,CAAC;AA0BjB,gFAAgF;AAEhF,MAAM,gBAAgB,GAAG,uBAAuB,CAAC;AAEjD,8EAA8E;AAC9E,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,GAAG,OAAO,aAAa,CAAC;AACjC,CAAC;AAED,iFAAiF;AAEjF,qDAAqD;AACrD,MAAM,UAAU,SAAS,CAAC,OAAe,EAAE,IAAgB;IACzD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAe;IACtC,IAAI,IAAI,GAAkB,IAAI,CAAC;IAE/B,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,IAAI,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IAED,yEAAyE;IACzE,qCAAqC;IACrC,IAAI,CAAC,IAAI;QAAE,IAAI,GAAG,gBAAgB,EAAE,CAAC;IACrC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAwB,CAAC;QACvD,yEAAyE;QACzE,oEAAoE;QACpE,yEAAyE;QACzE,+EAA+E;QAC/E,IACE,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;YACtC,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;YACpC,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ;YACxC,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ;YACnC,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,EACxC,CAAC;YACD,OAAO,MAAoB,CAAC;QAC9B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,SAAS,CAAC,OAAe;IACvC,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,YAAY,CACV,UAAU,EACV;gBACE,yBAAyB;gBACzB,IAAI,EAAE,gBAAgB;gBACtB,IAAI,EAAE,UAAU,CAAC,OAAO,CAAC;aAC1B,EACD,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,4BAA4B;QAC9B,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IACpC,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,aAAa,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,SAAS,kBAAkB,CAAC,OAAe,EAAE,IAAY;IACvD,wEAAwE;IACxE,0BAA0B;IAC1B,IAAI,CAAC;QACH,YAAY,CACV,UAAU,EACV;YACE,yBAAyB;YACzB,IAAI,EAAE,gBAAgB;YACtB,IAAI,EAAE,UAAU,CAAC,OAAO,CAAC;SAC1B,EACD,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,4BAA4B;IAC9B,CAAC;IAED,YAAY,CACV,UAAU,EACV;QACE,sBAAsB;QACtB,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,UAAU,CAAC,OAAO,CAAC;QACzB,IAAI,EAAE,IAAI;KACX,EACD,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CACtB,UAAU,EACV;YACE,uBAAuB;YACvB,IAAI,EAAE,gBAAgB;YACtB,IAAI,EAAE,UAAU,CAAC,OAAO,CAAC;YACzB,IAAI;SACL,EACD;YACE,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;YACnC,OAAO,EAAE,IAAI;SACd,CACF,CAAC;QACF,OAAO,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF,SAAS,gBAAgB;IACvB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY;IACrC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;IAC3C,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,gBAAgB,EAAE,CAAC;IAC7B,aAAa,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,wEAAwE;QACxE,4CAA4C;QAC5C,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,yCAAyC;IAC3C,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,CAAC,GAAG,gBAAgB,EAAE,CAAC;IAC7B,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,IAAI,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/auth/auth.js

@@ -0,0 +1,125 @@
+/**
+ * Single entry point for auth state used by all hook callers.
+ *
+ * Responsibilities:
+ *   - Return a valid access_token, refreshing transparently when near expiry.
+ *   - Deduplicate concurrent refresh calls (many hooks may fire simultaneously
+ *     at session start; we must not hammer Logto with N refresh requests).
+ *   - On refresh_token rejection, purge local credentials and throw
+ *     LoginRequiredError so the caller can trigger the fail-open UNVERIFIED
+ *     banner.
+ *
+ * This module is intentionally side-effect-free at import time — the
+ * in-flight deduplication state is module-level, but nothing fires until
+ * getValidAccessToken() is called.
+ */
+import { loadAuth, storeAuth, clearAuth, } from './auth-store.js';
+import { refreshAccessToken, RefreshTokenInvalidError } from './token-exchange.js';
+// ─── Errors ───────────────────────────────────────────────────────────────────
+/**
+ * Thrown when a valid access_token cannot be obtained because:
+ *   - No credentials are stored at all, OR
+ *   - The refresh_token has been rejected / revoked by Logto.
+ *
+ * Hook callers that catch this should fall back to the loud UNVERIFIED
+ * banner (fail-open semantics) so the dev session is never hard-blocked.
+ */
+export class LoginRequiredError extends Error {
+    constructor(msg = 'VibeDefend login required. Run `vibedefend login`.') {
+        super(msg);
+        this.name = 'LoginRequiredError';
+    }
+}
+// ─── In-flight deduplication ──────────────────────────────────────────────────
+/**
+ * When multiple hooks fire in the same millisecond (session-start, guard-check,
+ * fetch-rules all launching concurrently) and the token is stale, they would all
+ * attempt a refresh simultaneously. We de-duplicate by keeping a single promise
+ * while a refresh is in flight and having every concurrent waiter share it.
+ */
+let inFlightRefresh = null;
+// ─── Public API ───────────────────────────────────────────────────────────────
+/**
+ * Return a valid access_token for the given MCP name.
+ *
+ * - If the stored token is fresh (now < expiresAt), return it immediately.
+ * - If stale, initiate (or join an in-flight) refresh.
+ * - If the refresh_token is rejected, purge credentials and throw
+ *   LoginRequiredError.
+ * - If no credentials are stored, throw LoginRequiredError immediately.
+ *
+ * Concurrent calls share a single in-flight refresh promise — Logto sees
+ * exactly one refresh request per expiry cycle.
+ */
+export async function getValidAccessToken(mcpName) {
+    const stored = loadAuth(mcpName);
+    if (!stored) {
+        throw new LoginRequiredError('No stored credentials. Run `vibedefend login`.');
+    }
+    const now = Date.now();
+    if (now < stored.expiresAt) {
+        // Token is still valid.
+        return stored.accessToken;
+    }
+    // Token is stale. If we don't have a refresh_token (Logto didn't issue one
+    // because offline_access wasn't granted on this client), we cannot refresh
+    // silently — the user must `vibedefend login` again.
+    if (!stored.refreshToken) {
+        throw new LoginRequiredError('Access token expired and no refresh_token is available. Run `vibedefend login` again.');
+    }
+    // Token is stale — refresh (deduped).
+    if (!inFlightRefresh) {
+        inFlightRefresh = doRefresh(mcpName, stored).finally(() => {
+            inFlightRefresh = null;
+        });
+    }
+    return await inFlightRefresh;
+}
+/**
+ * Synchronous check: does the given MCP name have any stored credentials?
+ * Used by the install chain to skip the login prompt on re-install when
+ * credentials are already present.
+ */
+export function hasStoredAuth(mcpName) {
+    return loadAuth(mcpName) !== null;
+}
+// ─── Internal refresh logic ───────────────────────────────────────────────────
+async function doRefresh(mcpName, stored) {
+    // Safety net: getValidAccessToken already checks this, but type-narrow here
+    // too so the call below doesn't pass undefined as a string.
+    if (!stored.refreshToken) {
+        throw new LoginRequiredError('No refresh_token available; re-login required.');
+    }
+    try {
+        const fresh = await refreshAccessToken({
+            logtoEndpoint: stored.logtoEndpoint,
+            clientId: stored.cliAppId,
+            refreshToken: stored.refreshToken,
+            resource: stored.logtoResource,
+        });
+        const updated = {
+            ...stored,
+            accessToken: fresh.access_token,
+            // Logto issues a new refresh_token on every refresh (rolling tokens).
+            // Fall back to the existing one if the response omits it.
+            refreshToken: fresh.refresh_token ?? stored.refreshToken,
+            idToken: fresh.id_token ?? stored.idToken,
+            expiresAt: Date.now() + (fresh.expires_in - 30) * 1000,
+        };
+        storeAuth(mcpName, updated);
+        return updated.accessToken;
+    }
+    catch (e) {
+        if (e instanceof RefreshTokenInvalidError) {
+            // Refresh token revoked / expired — nuke local state so the next
+            // `vibedefend login` starts from a clean slate.
+            clearAuth(mcpName);
+            throw new LoginRequiredError('Your session has expired. Run `vibedefend login` to re-authenticate.');
+        }
+        // Transient (network, DNS, Logto down): re-throw so the caller can
+        // trigger the fail-open banner. Do NOT clear credentials — the user
+        // should not be forced to log in again for a transient failure.
+        throw e;
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EACL,QAAQ,EACR,SAAS,EACT,SAAS,GAEV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAEnF,iFAAiF;AAEjF;;;;;;;GAOG;AACH,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,GAAG,GAAG,oDAAoD;QACpE,KAAK,CAAC,GAAG,CAAC,CAAC;QACX,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,iFAAiF;AAEjF;;;;;GAKG;AACH,IAAI,eAAe,GAA2B,IAAI,CAAC;AAEnD,iFAAiF;AAEjF;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,OAAe;IACvD,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,kBAAkB,CAAC,gDAAgD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QAC3B,wBAAwB;QACxB,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC;IAED,2EAA2E;IAC3E,2EAA2E;IAC3E,qDAAqD;IACrD,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,kBAAkB,CAC1B,uFAAuF,CACxF,CAAC;IACJ,CAAC;IAED,sCAAsC;IACtC,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,eAAe,GAAG,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE;YACxD,eAAe,GAAG,IAAI,CAAC;QACzB,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,eAAe,CAAC;AAC/B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,OAAO,QAAQ,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC;AACpC,CAAC;AAED,iFAAiF;AAEjF,KAAK,UAAU,SAAS,CAAC,OAAe,EAAE,MAAkB;IAC1D,4EAA4E;IAC5E,4DAA4D;IAC5D,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,kBAAkB,CAAC,gDAAgD,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC;YACrC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,QAAQ,EAAE,MAAM,CAAC,aAAa;SAC/B,CAAC,CAAC;QAEH,MAAM,OAAO,GAAe;YAC1B,GAAG,MAAM;YACT,WAAW,EAAE,KAAK,CAAC,YAAY;YAC/B,sEAAsE;YACtE,0DAA0D;YAC1D,YAAY,EAAE,KAAK,CAAC,aAAa,IAAI,MAAM,CAAC,YAAY;YACxD,OAAO,EAAE,KAAK,CAAC,QAAQ,IAAI,MAAM,CAAC,OAAO;YACzC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,EAAE,CAAC,GAAG,IAAI;SACvD,CAAC;QAEF,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC5B,OAAO,OAAO,CAAC,WAAW,CAAC;IAC7B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,wBAAwB,EAAE,CAAC;YAC1C,iEAAiE;YACjE,gDAAgD;YAChD,SAAS,CAAC,OAAO,CAAC,CAAC;YACnB,MAAM,IAAI,kBAAkB,CAC1B,sEAAsE,CACvE,CAAC;QACJ,CAAC;QACD,mEAAmE;QACnE,oEAAoE;QACpE,gEAAgE;QAChE,MAAM,CAAC,CAAC;IACV,CAAC;AACH,CAAC"}