@doow/cli 0.1.0

package/README.md

@@ -0,0 +1,75 @@
+# @doow/cli
+
+Doow CLI -- manage SaaS spend from your terminal and coding agents.
+
+## Install
+
+```bash
+npm install -g @doow/cli
+```
+
+Or via Homebrew (once the tap is live):
+
+```bash
+brew tap doow-co/doow
+brew install doow
+```
+
+## Quick start
+
+```bash
+doow login              # authenticate (PKCE or device flow)
+doow whoami             # verify identity
+doow apps list          # list managed applications
+doow reports expense    # generate expense report
+doow chat               # interactive chat with Derek or Mina
+```
+
+## MCP server
+
+```bash
+doow mcp                # start MCP server over stdio
+doow mcp --list-tools   # print available tools as JSON
+```
+
+Configure in your MCP client:
+
+```json
+{
+  "mcpServers": {
+    "doow": {
+      "command": "doow",
+      "args": ["mcp"]
+    }
+  }
+}
+```
+
+## Shell completion
+
+```bash
+doow completion install   # auto-detect shell and install
+doow completion bash      # output bash completion script
+doow completion zsh       # output zsh completion script
+```
+
+## Diagnostics
+
+```bash
+doow doctor   # check auth, config, network, API version
+```
+
+## Global flags
+
+| Flag | Description |
+|------|-------------|
+| `--json` | JSON output (default when piped) |
+| `--table` | Table output (default in TTY) |
+| `--profile <name>` | Multi-org profile selection |
+| `--yes` | Skip confirmation prompts |
+| `--dry-run` | Preview mutations without executing |
+| `--debug` | Verbose HTTP logging to stderr |
+
+## License
+
+MIT

package/dist/cjs/auth/api-key.js

@@ -0,0 +1,159 @@
+'use strict';
+
+var env = require('../config/env.js');
+var keyring = require('./keyring.js');
+
+/**
+ * api-key.ts
+ *
+ * PAT (Personal Access Token) authentication for CI/scripting contexts.
+ *
+ * Provides:
+ *   - validateApiKey     — pure format check (dak_ prefix, length ≥ 20)
+ *   - authenticateWithApiKey — store key + optionally verify against API
+ *   - readTokenFromStdin — read a piped token from stdin
+ *   - resolveAuth        — precedence chain: flag > env > stdin > stored > none
+ */
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const DAK_PREFIX = 'dak_';
+const DAK_MIN_LENGTH = 20;
+const REFRESH_BUFFER_SECONDS = 60;
+// ---------------------------------------------------------------------------
+// validateApiKey
+// ---------------------------------------------------------------------------
+/**
+ * Returns true if key starts with 'dak_' (case-sensitive) and is at least
+ * 20 characters total. Pure function — no network call.
+ */
+function validateApiKey(key) {
+    return key.startsWith(DAK_PREFIX) && key.length >= DAK_MIN_LENGTH;
+}
+// ---------------------------------------------------------------------------
+// authenticateWithApiKey
+// ---------------------------------------------------------------------------
+/**
+ * Validates the key format, stores it in the credential store, and optionally
+ * verifies it works by hitting GET /v1/auth/capabilities.
+ *
+ * @throws {Error} if the key does not have the dak_ prefix
+ * @throws {Error} if verify is true and the capabilities request fails
+ */
+async function authenticateWithApiKey(options) {
+    const { key, profileName = 'default', verify = true } = options;
+    const apiUrl = options.apiUrl ?? env.getApiUrl();
+    const store = options.credentialStore ?? (await keyring.createCredentialStore());
+    // Validate format first
+    if (!validateApiKey(key)) {
+        throw new Error(`Invalid API key format. Keys must start with '${DAK_PREFIX}' and be at least ${DAK_MIN_LENGTH} characters long.`);
+    }
+    // Optionally verify before storing
+    if (verify) {
+        const res = await fetch(`${apiUrl}/v1/auth/capabilities`, {
+            headers: { Authorization: `Bearer ${key}` },
+        });
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`API key verification failed: HTTP ${res.status}${body ? ` — ${body}` : ''}`);
+        }
+        await store.set(profileName, { apiKey: key });
+        return { apiKey: key, verified: true };
+    }
+    await store.set(profileName, { apiKey: key });
+    return { apiKey: key, verified: false };
+}
+// ---------------------------------------------------------------------------
+// readTokenFromStdin
+// ---------------------------------------------------------------------------
+/**
+ * Reads a token from piped stdin input.
+ *
+ * @throws {Error} if stdin is a TTY (not piped)
+ * @throws {Error} if the resulting string is empty after trim
+ */
+async function readTokenFromStdin() {
+    if (process.stdin.isTTY) {
+        throw new Error('--token-stdin requires piped input (e.g., echo $TOKEN | doow login --token-stdin)');
+    }
+    const parts = [];
+    for await (const chunk of process.stdin) {
+        if (Buffer.isBuffer(chunk)) {
+            parts.push(chunk.toString('utf-8'));
+        }
+        else {
+            parts.push(String(chunk));
+        }
+    }
+    const token = parts.join('').trim();
+    if (!token) {
+        throw new Error('No token received on stdin');
+    }
+    return token;
+}
+// ---------------------------------------------------------------------------
+// resolveAuth
+// ---------------------------------------------------------------------------
+/**
+ * Resolves the active auth context by walking the precedence chain:
+ *   --api-key flag > DOOW_API_KEY env > --token-stdin > stored profile > none
+ */
+async function resolveAuth(options = {}) {
+    const { apiKeyFlag, tokenStdin = false, profileName = 'default' } = options;
+    const store = options.credentialStore ?? (await keyring.createCredentialStore());
+    // 1. --api-key flag
+    if (apiKeyFlag !== undefined && apiKeyFlag !== '') {
+        if (!validateApiKey(apiKeyFlag)) {
+            throw new Error(`Invalid API key format. Keys must start with '${DAK_PREFIX}' and be at least ${DAK_MIN_LENGTH} characters long.`);
+        }
+        return { type: 'api-key', token: apiKeyFlag, source: '--api-key flag' };
+    }
+    // 2. DOOW_API_KEY env var
+    const envKey = process.env['DOOW_API_KEY'];
+    if (envKey && validateApiKey(envKey)) {
+        return { type: 'api-key', token: envKey, source: 'DOOW_API_KEY env' };
+    }
+    // 3. --token-stdin
+    if (tokenStdin) {
+        const token = await readTokenFromStdin();
+        const type = validateApiKey(token) ? 'api-key' : 'oauth-token';
+        return { type, token, source: 'stdin' };
+    }
+    // 4. Stored credentials for the profile
+    const creds = await store.get(profileName);
+    if (creds?.apiKey) {
+        return { type: 'api-key', token: creds.apiKey, source: 'stored profile' };
+    }
+    if (creds?.accessToken) {
+        const token = creds.accessToken;
+        const needsRefresh = isTokenExpiredOrExpiring(creds.expiresAt);
+        return {
+            type: 'oauth-token',
+            token,
+            source: 'stored profile',
+            ...(needsRefresh ? { needsRefresh: true } : {}),
+        };
+    }
+    // 5. Nothing found
+    return { type: 'none', source: 'none' };
+}
+// ---------------------------------------------------------------------------
+// Private helpers
+// ---------------------------------------------------------------------------
+/**
+ * Returns true if the ISO-8601 expiresAt string is either absent, already
+ * past, or within 60 seconds of now.
+ */
+function isTokenExpiredOrExpiring(expiresAt) {
+    if (!expiresAt)
+        return true;
+    const expiryMs = new Date(expiresAt).getTime();
+    const nowPlusBuffer = Date.now() + REFRESH_BUFFER_SECONDS * 1000;
+    return expiryMs <= nowPlusBuffer;
+}
+
+exports.authenticateWithApiKey = authenticateWithApiKey;
+exports.readTokenFromStdin = readTokenFromStdin;
+exports.resolveAuth = resolveAuth;
+exports.validateApiKey = validateApiKey;
+//# sourceMappingURL=api-key.js.map

package/dist/cjs/auth/api-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key.js","sources":["../../../../src/auth/api-key.ts"],"sourcesContent":[null],"names":["getApiUrl","createCredentialStore"],"mappings":";;;;;AAAA;;;;;;;;;;AAUG;AAMH;AACA;AACA;AAEA,MAAM,UAAU,GAAG,MAAM;AACzB,MAAM,cAAc,GAAG,EAAE;AACzB,MAAM,sBAAsB,GAAG,EAAE;AAuCjC;AACA;AACA;AAEA;;;AAGG;AACG,SAAU,cAAc,CAAC,GAAW,EAAA;AACxC,IAAA,OAAO,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,MAAM,IAAI,cAAc;AACnE;AAEA;AACA;AACA;AAEA;;;;;;AAMG;AACI,eAAe,sBAAsB,CAC1C,OAA0B,EAAA;AAE1B,IAAA,MAAM,EAAE,GAAG,EAAE,WAAW,GAAG,SAAS,EAAE,MAAM,GAAG,IAAI,EAAE,GAAG,OAAO;IAC/D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAIA,aAAS,EAAE;IAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,KAAK,MAAMC,6BAAqB,EAAE,CAAC;;AAGxE,IAAA,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,CAAA,8CAAA,EAAiD,UAAU,CAAA,kBAAA,EAAqB,cAAc,CAAA,iBAAA,CAAmB,CAClH;IACH;;IAGA,IAAI,MAAM,EAAE;QACV,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,CAAA,EAAG,MAAM,uBAAuB,EAAE;AACxD,YAAA,OAAO,EAAE,EAAE,aAAa,EAAE,CAAA,OAAA,EAAU,GAAG,EAAE,EAAE;AAC5C,SAAA,CAAC;AAEF,QAAA,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE;AACX,YAAA,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CACb,CAAA,kCAAA,EAAqC,GAAG,CAAC,MAAM,GAAG,IAAI,GAAG,CAAA,GAAA,EAAM,IAAI,CAAA,CAAE,GAAG,EAAE,CAAA,CAAE,CAC7E;QACH;AAEA,QAAA,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC7C,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE;IACxC;AAEA,IAAA,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IAC7C,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE;AACzC;AAEA;AACA;AACA;AAEA;;;;;AAKG;AACI,eAAe,kBAAkB,GAAA;AACtC,IAAA,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE;AACvB,QAAA,MAAM,IAAI,KAAK,CACb,mFAAmF,CACpF;IACH;IAEA,MAAM,KAAK,GAAa,EAAE;IAE1B,WAAW,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,EAAE;AACvC,QAAA,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;YAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACrC;aAAO;YACL,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC3B;IACF;IAEA,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE;IAEnC,IAAI,CAAC,KAAK,EAAE;AACV,QAAA,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC;IAC/C;AAEA,IAAA,OAAO,KAAK;AACd;AAEA;AACA;AACA;AAEA;;;AAGG;AACI,eAAe,WAAW,CAAC,UAA8B,EAAE,EAAA;AAChE,IAAA,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG,KAAK,EAAE,WAAW,GAAG,SAAS,EAAE,GAAG,OAAO;IAC3E,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,KAAK,MAAMA,6BAAqB,EAAE,CAAC;;IAGxE,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,KAAK,EAAE,EAAE;AACjD,QAAA,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,EAAE;YAC/B,MAAM,IAAI,KAAK,CACb,CAAA,8CAAA,EAAiD,UAAU,CAAA,kBAAA,EAAqB,cAAc,CAAA,iBAAA,CAAmB,CAClH;QACH;AACA,QAAA,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,gBAAgB,EAAE;IACzE;;IAGA,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;AAC1C,IAAA,IAAI,MAAM,IAAI,cAAc,CAAC,MAAM,CAAC,EAAE;AACpC,QAAA,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE;IACvE;;IAGA,IAAI,UAAU,EAAE;AACd,QAAA,MAAM,KAAK,GAAG,MAAM,kBAAkB,EAAE;AACxC,QAAA,MAAM,IAAI,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,aAAa;QAC9D,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE;IACzC;;IAGA,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC;AAE1C,IAAA,IAAI,KAAK,EAAE,MAAM,EAAE;AACjB,QAAA,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE;IAC3E;AAEA,IAAA,IAAI,KAAK,EAAE,WAAW,EAAE;AACtB,QAAA,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW;QAC/B,MAAM,YAAY,GAAG,wBAAwB,CAAC,KAAK,CAAC,SAAS,CAAC;QAE9D,OAAO;AACL,YAAA,IAAI,EAAE,aAAa;YACnB,KAAK;AACL,YAAA,MAAM,EAAE,gBAAgB;AACxB,YAAA,IAAI,YAAY,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;SAChD;IACH;;IAGA,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE;AACzC;AAEA;AACA;AACA;AAEA;;;AAGG;AACH,SAAS,wBAAwB,CAAC,SAA6B,EAAA;AAC7D,IAAA,IAAI,CAAC,SAAS;AAAE,QAAA,OAAO,IAAI;IAC3B,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;IAC9C,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,sBAAsB,GAAG,IAAI;IAChE,OAAO,QAAQ,IAAI,aAAa;AAClC;;;;;;;"}

package/dist/cjs/auth/detect.js

@@ -0,0 +1,173 @@
+'use strict';
+
+var http = require('node:http');
+var env = require('../config/env.js');
+var apiKey = require('./api-key.js');
+var pkce = require('./pkce.js');
+var deviceFlow = require('./device-flow.js');
+
+function _interopNamespaceDefault(e) {
+    var n = Object.create(null);
+    if (e) {
+        Object.keys(e).forEach(function (k) {
+            if (k !== 'default') {
+                var d = Object.getOwnPropertyDescriptor(e, k);
+                Object.defineProperty(n, k, d.get ? d : {
+                    enumerable: true,
+                    get: function () { return e[k]; }
+                });
+            }
+        });
+    }
+    n.default = e;
+    return Object.freeze(n);
+}
+
+var http__namespace = /*#__PURE__*/_interopNamespaceDefault(http);
+
+/**
+ * detect.ts
+ *
+ * S122 — Auth auto-detection for the Doow CLI.
+ *
+ * Determines whether to use PKCE, device, or API-key authentication based on
+ * the current runtime environment, then executes the appropriate flow.
+ *
+ * Detection order:
+ *   1. --api-key provided + valid format   → api-key
+ *   2. --device flag                       → device
+ *   3. Running inside CI ($CI set)         → device
+ *   4. Non-interactive stdout (!isTTY)     → device
+ *   5. Can bind 127.0.0.1 on a free port   → pkce
+ *   6. Fallback                            → device
+ */
+// ---------------------------------------------------------------------------
+// canBindLocalhost
+// ---------------------------------------------------------------------------
+/**
+ * Tests whether the process can bind a TCP server on 127.0.0.1 using an
+ * OS-assigned ephemeral port. The server is closed immediately on success.
+ *
+ * Returns true  → PKCE callback server will work.
+ * Returns false → Network stack can't bind (containers with restricted network
+ *                 policies, permission denied, etc.) — use device flow instead.
+ */
+function canBindLocalhost() {
+    return new Promise((resolve) => {
+        const server = http__namespace.createServer();
+        server.once('error', () => {
+            resolve(false);
+        });
+        server.listen(0, '127.0.0.1', () => {
+            server.close(() => resolve(true));
+        });
+    });
+}
+// ---------------------------------------------------------------------------
+// detectAuthMethod
+// ---------------------------------------------------------------------------
+/**
+ * Returns the best authentication method for the current environment.
+ */
+async function detectAuthMethod(options = {}) {
+    const { forceDevice = false, apiKey: apiKey$1 } = options;
+    // 1. API key provided and format-valid → skip OAuth entirely
+    if (apiKey$1 !== undefined && apiKey$1 !== '' && apiKey.validateApiKey(apiKey$1)) {
+        return 'api-key';
+    }
+    // 2. Explicit --device flag
+    if (forceDevice) {
+        return 'device';
+    }
+    // 3. CI environment — browser is not available
+    if (env.isCI()) {
+        return 'device';
+    }
+    // 4. Non-interactive (stdout is not a TTY) — can't drive a browser login
+    if (!env.isTTY()) {
+        return 'device';
+    }
+    // 5. Try to bind a local port — if it works, PKCE callback server will too
+    const canBind = await canBindLocalhost();
+    if (canBind) {
+        return 'pkce';
+    }
+    // 6. Safe fallback
+    return 'device';
+}
+// ---------------------------------------------------------------------------
+// isServerBindError
+// ---------------------------------------------------------------------------
+/**
+ * Returns true when an error looks like a localhost server bind failure —
+ * the only case where PKCE should automatically fall back to device flow.
+ *
+ * We intentionally do NOT fall back on application-level errors such as
+ * CSRF mismatch, token exchange failures, or user cancellation.
+ */
+function isServerBindError(err) {
+    if (!(err instanceof Error))
+        return false;
+    const msg = err.message.toLowerCase();
+    return (msg.includes('failed to start local callback server') ||
+        msg.includes('failed to determine callback server port') ||
+        msg.includes('failed to open browser') ||
+        msg.includes('eaddrinuse') ||
+        msg.includes('eacces') ||
+        msg.includes('permission denied'));
+}
+// ---------------------------------------------------------------------------
+// executeAutoLogin
+// ---------------------------------------------------------------------------
+/**
+ * The main login orchestrator.
+ *
+ * 1. Detects the best auth method.
+ * 2. Executes the corresponding flow.
+ * 3. If PKCE fails with a server bind error, automatically retries with device flow.
+ */
+async function executeAutoLogin(options = {}) {
+    const { forceDevice, apiKey: apiKey$1, apiUrl, profileName, credentialStore, timeout } = options;
+    const method = await detectAuthMethod({ forceDevice, apiKey: apiKey$1 });
+    if (method === 'api-key') {
+        // apiKey is guaranteed non-empty here (detectAuthMethod validated it)
+        await apiKey.authenticateWithApiKey({
+            key: apiKey$1,
+            apiUrl,
+            profileName,
+            credentialStore,
+        });
+        return { method: 'api-key', apiKey: apiKey$1 };
+    }
+    if (method === 'pkce') {
+        try {
+            const result = await pkce.executePkceFlow({ apiUrl, profileName, credentialStore, timeout });
+            return {
+                method: 'pkce',
+                accessToken: result.accessToken,
+                refreshToken: result.refreshToken,
+                expiresAt: result.expiresAt,
+            };
+        }
+        catch (err) {
+            // Only fall back on server bind errors — not on CSRF or token exchange errors
+            if (!isServerBindError(err)) {
+                throw err;
+            }
+            // Fall through to device flow below
+        }
+    }
+    // device flow (either detected or PKCE fallback)
+    const result = await deviceFlow.executeDeviceFlow({ apiUrl, profileName, credentialStore });
+    return {
+        method: 'device',
+        accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
+        expiresAt: result.expiresAt,
+    };
+}
+
+exports.canBindLocalhost = canBindLocalhost;
+exports.detectAuthMethod = detectAuthMethod;
+exports.executeAutoLogin = executeAutoLogin;
+//# sourceMappingURL=detect.js.map

package/dist/cjs/auth/detect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect.js","sources":["../../../../src/auth/detect.ts"],"sourcesContent":[null],"names":["http","apiKey","validateApiKey","isCI","isTTY","authenticateWithApiKey","executePkceFlow","executeDeviceFlow"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;AAeG;AAwCH;AACA;AACA;AAEA;;;;;;;AAOG;SACa,gBAAgB,GAAA;AAC9B,IAAA,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,KAAI;AAC7B,QAAA,MAAM,MAAM,GAAGA,eAAI,CAAC,YAAY,EAAE;AAElC,QAAA,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAK;YACxB,OAAO,CAAC,KAAK,CAAC;AAChB,QAAA,CAAC,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,MAAK;YACjC,MAAM,CAAC,KAAK,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;AACnC,QAAA,CAAC,CAAC;AACJ,IAAA,CAAC,CAAC;AACJ;AAEA;AACA;AACA;AAEA;;AAEG;AACI,eAAe,gBAAgB,CAAC,UAAyB,EAAE,EAAA;IAChE,MAAM,EAAE,WAAW,GAAG,KAAK,UAAEC,QAAM,EAAE,GAAG,OAAO;;AAG/C,IAAA,IAAIA,QAAM,KAAK,SAAS,IAAIA,QAAM,KAAK,EAAE,IAAIC,qBAAc,CAACD,QAAM,CAAC,EAAE;AACnE,QAAA,OAAO,SAAS;IAClB;;IAGA,IAAI,WAAW,EAAE;AACf,QAAA,OAAO,QAAQ;IACjB;;IAGA,IAAIE,QAAI,EAAE,EAAE;AACV,QAAA,OAAO,QAAQ;IACjB;;AAGA,IAAA,IAAI,CAACC,SAAK,EAAE,EAAE;AACZ,QAAA,OAAO,QAAQ;IACjB;;AAGA,IAAA,MAAM,OAAO,GAAG,MAAM,gBAAgB,EAAE;IACxC,IAAI,OAAO,EAAE;AACX,QAAA,OAAO,MAAM;IACf;;AAGA,IAAA,OAAO,QAAQ;AACjB;AAEA;AACA;AACA;AAEA;;;;;;AAMG;AACH,SAAS,iBAAiB,CAAC,GAAY,EAAA;AACrC,IAAA,IAAI,EAAE,GAAG,YAAY,KAAK,CAAC;AAAE,QAAA,OAAO,KAAK;IACzC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE;AACrC,IAAA,QACE,GAAG,CAAC,QAAQ,CAAC,uCAAuC,CAAC;AACrD,QAAA,GAAG,CAAC,QAAQ,CAAC,0CAA0C,CAAC;AACxD,QAAA,GAAG,CAAC,QAAQ,CAAC,wBAAwB,CAAC;AACtC,QAAA,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC;AAC1B,QAAA,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;AACtB,QAAA,GAAG,CAAC,QAAQ,CAAC,mBAAmB,CAAC;AAErC;AAEA;AACA;AACA;AAEA;;;;;;AAMG;AACI,eAAe,gBAAgB,CAAC,UAA4B,EAAE,EAAA;AACnE,IAAA,MAAM,EAAE,WAAW,UAAEH,QAAM,EAAE,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,OAAO;IAEtF,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,EAAE,WAAW,UAAEA,QAAM,EAAE,CAAC;AAE9D,IAAA,IAAI,MAAM,KAAK,SAAS,EAAE;;AAExB,QAAA,MAAMI,6BAAsB,CAAC;AAC3B,YAAA,GAAG,EAAEJ,QAAO;YACZ,MAAM;YACN,WAAW;YACX,eAAe;AAChB,SAAA,CAAC;AACF,QAAA,OAAO,EAAE,MAAM,EAAE,SAAS,UAAEA,QAAM,EAAE;IACtC;AAEA,IAAA,IAAI,MAAM,KAAK,MAAM,EAAE;AACrB,QAAA,IAAI;AACF,YAAA,MAAM,MAAM,GAAG,MAAMK,oBAAe,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC;YACvF,OAAO;AACL,gBAAA,MAAM,EAAE,MAAM;gBACd,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,SAAS,EAAE,MAAM,CAAC,SAAS;aAC5B;QACH;QAAE,OAAO,GAAG,EAAE;;AAEZ,YAAA,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,EAAE;AAC3B,gBAAA,MAAM,GAAG;YACX;;QAEF;IACF;;AAGA,IAAA,MAAM,MAAM,GAAG,MAAMC,4BAAiB,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,CAAC;IAChF,OAAO;AACL,QAAA,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B;AACH;;;;;;"}

package/dist/cjs/auth/device-flow.js

@@ -0,0 +1,135 @@
+'use strict';
+
+var env = require('../config/env.js');
+var keyring = require('./keyring.js');
+
+/**
+ * device-flow.ts
+ *
+ * RFC 8628 OAuth 2.0 Device Authorization flow for headless/SSH/container
+ * environments where a browser cannot be opened on the same machine.
+ *
+ * Steps:
+ *   1. POST /v1/auth/device/authorize  → get device_code + user_code
+ *   2. Display verification URI + user_code on stderr
+ *   3. Optionally open the browser (best-effort)
+ *   4. Poll POST /v1/auth/device/token until granted or expired
+ *   5. Store tokens in the credential store
+ */
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Sleep for `ms` milliseconds — real timer in production, override in tests. */
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * Build an ISO-8601 expiry timestamp from a seconds-from-now value.
+ * Exported for test visibility only.
+ */
+function expiresAtFromSecondsIn(secondsIn) {
+    return new Date(Date.now() + secondsIn * 1000).toISOString();
+}
+// ---------------------------------------------------------------------------
+// Core function
+// ---------------------------------------------------------------------------
+/**
+ * Execute the RFC 8628 device authorization flow.
+ *
+ * All user-facing output goes to stderr so stdout stays clean for piping.
+ *
+ * @throws {Error} if authorization fails or the device code expires.
+ */
+async function executeDeviceFlow(options = {}) {
+    const apiUrl = options.apiUrl ?? env.getApiUrl();
+    const profileName = options.profileName ?? 'default';
+    const store = options.credentialStore ?? (await keyring.createCredentialStore());
+    const openUrl = options.openUrl ??
+        (async (url) => {
+            const { default: open } = await import('open');
+            await open(url);
+        });
+    // -------------------------------------------------------------------------
+    // Step 1: Request device authorization
+    // -------------------------------------------------------------------------
+    const authorizeRes = await fetch(`${apiUrl}/v1/auth/device/authorize`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ client_id: 'doow-cli' }),
+    });
+    if (!authorizeRes.ok) {
+        const body = await authorizeRes.text().catch(() => '');
+        throw new Error(`Device authorization request failed: HTTP ${authorizeRes.status}${body ? ` — ${body}` : ''}`);
+    }
+    const auth = (await authorizeRes.json());
+    // -------------------------------------------------------------------------
+    // Step 2: Display instructions on stderr
+    // -------------------------------------------------------------------------
+    process.stderr.write(`\nTo sign in, open this URL in any browser:\n  ${auth.verification_uri}\n\nThen enter code: ${auth.user_code}\n\n`);
+    // Step 2b: Best-effort browser open — never throw on failure
+    if (env.shouldShowUI()) {
+        try {
+            await openUrl(auth.verification_uri);
+        }
+        catch {
+            // Silently ignore — user can open manually
+        }
+    }
+    // -------------------------------------------------------------------------
+    // Step 3: Poll for token
+    // -------------------------------------------------------------------------
+    let pollInterval = auth.interval; // seconds; RFC 8628 §3.5
+    while (true) {
+        await sleep(pollInterval * 1000);
+        const tokenRes = await fetch(`${apiUrl}/v1/auth/device/token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                device_code: auth.device_code,
+                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+            }),
+        });
+        if (tokenRes.ok) {
+            // Success — stop polling
+            const tokens = (await tokenRes.json());
+            // -----------------------------------------------------------------------
+            // Step 4: Store tokens
+            // -----------------------------------------------------------------------
+            const expiresAt = expiresAtFromSecondsIn(tokens.expires_in);
+            await store.set(profileName, {
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token,
+                expiresAt,
+            });
+            // -----------------------------------------------------------------------
+            // Step 5: Return result
+            // -----------------------------------------------------------------------
+            return {
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token,
+                expiresAt,
+            };
+        }
+        // Non-200 — parse RFC 8628 error body
+        const errBody = (await tokenRes.json().catch(() => ({ error: 'unknown' })));
+        switch (errBody.error) {
+            case 'authorization_pending':
+                // User hasn't approved yet — keep polling at current interval
+                continue;
+            case 'slow_down':
+                // RFC 8628 §3.5: increase interval by 5 seconds
+                pollInterval += 5;
+                continue;
+            case 'expired_token':
+                throw new Error('Device code expired. Run doow login --device again.');
+            case 'access_denied':
+                throw new Error('Authorization denied by user.');
+            default:
+                throw new Error(`Token polling failed: ${errBody.error}${errBody.error_description ? ` — ${errBody.error_description}` : ''}`);
+        }
+    }
+}
+
+exports.executeDeviceFlow = executeDeviceFlow;
+exports.expiresAtFromSecondsIn = expiresAtFromSecondsIn;
+//# sourceMappingURL=device-flow.js.map

package/dist/cjs/auth/device-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-flow.js","sources":["../../../../src/auth/device-flow.ts"],"sourcesContent":[null],"names":["getApiUrl","createCredentialStore","shouldShowUI"],"mappings":";;;;;AAAA;;;;;;;;;;;;AAYG;AAuDH;AACA;AACA;AAEA;AACA,SAAS,KAAK,CAAC,EAAU,EAAA;AACvB,IAAA,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAC1D;AAEA;;;AAGG;AACG,SAAU,sBAAsB,CAAC,SAAiB,EAAA;AACtD,IAAA,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;AAC9D;AAEA;AACA;AACA;AAEA;;;;;;AAMG;AACI,eAAe,iBAAiB,CACrC,UAA6B,EAAE,EAAA;IAE/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAIA,aAAS,EAAE;AAC5C,IAAA,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,SAAS;IACpD,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,KAAK,MAAMC,6BAAqB,EAAE,CAAC;AACxE,IAAA,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;AACf,SAAC,OAAO,GAAW,KAAI;YACrB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,OAAO,MAAM,CAAC;AAC9C,YAAA,MAAM,IAAI,CAAC,GAAG,CAAC;AACjB,QAAA,CAAC,CAAC;;;;IAMJ,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,CAAA,EAAG,MAAM,2BAA2B,EAAE;AACrE,QAAA,MAAM,EAAE,MAAM;AACd,QAAA,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;AAChD,KAAA,CAAC;AAEF,IAAA,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE;AACpB,QAAA,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,CAAA,0CAAA,EAA6C,YAAY,CAAC,MAAM,GAAG,IAAI,GAAG,CAAA,GAAA,EAAM,IAAI,CAAA,CAAE,GAAG,EAAE,CAAA,CAAE,CAC9F;IACH;IAEA,MAAM,IAAI,IAAI,MAAM,YAAY,CAAC,IAAI,EAAE,CAAuB;;;;AAM9D,IAAA,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,CAAA,+CAAA,EAAkD,IAAI,CAAC,gBAAgB,wBAAwB,IAAI,CAAC,SAAS,CAAA,IAAA,CAAM,CACpH;;IAGD,IAAIC,gBAAY,EAAE,EAAE;AAClB,QAAA,IAAI;AACF,YAAA,MAAM,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC;QACtC;AAAE,QAAA,MAAM;;QAER;IACF;;;;AAMA,IAAA,IAAI,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC;IAEjC,OAAO,IAAI,EAAE;AACX,QAAA,MAAM,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC;QAEhC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAA,EAAG,MAAM,uBAAuB,EAAE;AAC7D,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;AAC/C,YAAA,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,WAAW,EAAE,IAAI,CAAC,WAAW;AAC7B,gBAAA,UAAU,EAAE,8CAA8C;aAC3D,CAAC;AACH,SAAA,CAAC;AAEF,QAAA,IAAI,QAAQ,CAAC,EAAE,EAAE;;YAEf,MAAM,MAAM,IAAI,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyB;;;;YAM9D,MAAM,SAAS,GAAG,sBAAsB,CAAC,MAAM,CAAC,UAAU,CAAC;AAE3D,YAAA,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE;gBAC3B,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa;gBAClC,SAAS;AACV,aAAA,CAAC;;;;YAMF,OAAO;gBACL,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa;gBAClC,SAAS;aACV;QACH;;QAGA,MAAM,OAAO,IAAI,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,CAAuB;AAEjG,QAAA,QAAQ,OAAO,CAAC,KAAK;AACnB,YAAA,KAAK,uBAAuB;;gBAE1B;AAEF,YAAA,KAAK,WAAW;;gBAEd,YAAY,IAAI,CAAC;gBACjB;AAEF,YAAA,KAAK,eAAe;AAClB,gBAAA,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC;AAExE,YAAA,KAAK,eAAe;AAClB,gBAAA,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC;AAElD,YAAA;gBACE,MAAM,IAAI,KAAK,CACb,CAAA,sBAAA,EAAyB,OAAO,CAAC,KAAK,CAAA,EAAG,OAAO,CAAC,iBAAiB,GAAG,CAAA,GAAA,EAAM,OAAO,CAAC,iBAAiB,CAAA,CAAE,GAAG,EAAE,CAAA,CAAE,CAC9G;;IAEP;AACF;;;;;"}