@eightstate/escli 0.5.0

package/dist/services/auth.js

@@ -0,0 +1,329 @@
+import { chmod, mkdir, readFile, rm, writeFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { spawn } from 'node:child_process';
+import { writeStderr } from '../io/io.js';
+import { ErrorCode } from '@eightstate/contracts/errors';
+import { ExitCodes } from '@eightstate/contracts/exit-codes';
+import { EscliError } from '../lib/escli-error.js';
+import { DEFAULT_ENDPOINT } from './credentials.js';
+const DEFAULT_GATE_URL = 'https://internal.eightstate.co';
+const DEVICE_TIMEOUT_NON_TTY_MS = 250;
+const DEVICE_TIMEOUT_TTY_MS = 900_000;
+export async function authStatus() {
+    const config = await loadConfig();
+    const profileName = activeProfileName(config);
+    const stored = config.profiles?.[profileName] ?? {};
+    const apiKey = nonEmpty(stored.api_key) ?? nonEmpty(process.env.ESCLI_API_KEY);
+    const cliToken = nonEmpty(stored.cli_token);
+    const endpoint = nonEmpty(stored.endpoint) ?? nonEmpty(process.env.ESCLI_BASE_URL) ?? DEFAULT_ENDPOINT;
+    if (!apiKey && !cliToken) {
+        throw new EscliError('not authenticated', {
+            code: ErrorCode.AuthRequired,
+            exitCode: ExitCodes.Auth,
+            remediation: { command: 'escli auth login' },
+        });
+    }
+    return {
+        authenticated: true,
+        profile: profileName,
+        auth_type: cliToken ? 'gate' : 'api_key',
+        endpoint,
+        config_path: configPath(),
+        ...(apiKey ? { key: maskKey(apiKey) } : {}),
+    };
+}
+export async function authProfiles() {
+    const config = await loadConfig();
+    const active = activeProfileName(config);
+    const profiles = Object.entries(config.profiles ?? {}).map(([name, profile]) => {
+        const apiKey = nonEmpty(profile.api_key);
+        const cliToken = nonEmpty(profile.cli_token);
+        return {
+            name,
+            label: profile.label ?? name,
+            key: apiKey ? maskKey(apiKey) : cliToken ? 'gate' : '***',
+            auth_type: cliToken ? 'gate' : 'api_key',
+            endpoint: profile.endpoint ?? DEFAULT_ENDPOINT,
+            active: name === active,
+            created: profile.created ?? '',
+        };
+    });
+    return { profiles, count: profiles.length };
+}
+export async function authSwitch(profileName) {
+    const config = await loadConfig();
+    if (!config.profiles?.[profileName])
+        throw profileNotFound(profileName);
+    config.active_profile = profileName;
+    await saveConfig(config);
+    return { active_profile: profileName };
+}
+export async function authLogout(options) {
+    if (options.all) {
+        await rm(configPath(), { force: true });
+        return { message: 'all profiles removed' };
+    }
+    const config = await loadConfig();
+    const profileName = options.profile ?? activeProfileName(config);
+    if (!config.profiles?.[profileName])
+        return { profile: profileName, deleted: false };
+    delete config.profiles[profileName];
+    if (config.active_profile === profileName) {
+        config.active_profile = Object.keys(config.profiles)[0] ?? '';
+    }
+    await saveConfig(config);
+    return { profile: profileName, deleted: true };
+}
+export async function authLogin(options) {
+    const stdinKey = options.key ? undefined : await readPipedKey();
+    const apiKey = options.key ?? stdinKey;
+    if (apiKey)
+        return keyLogin({ ...options, key: apiKey });
+    return deviceLogin(options);
+}
+async function keyLogin(options) {
+    const endpoint = options.endpoint ?? DEFAULT_ENDPOINT;
+    const profileName = options.profile ?? 'default';
+    const label = options.label ?? profileName;
+    const models = await validateKey(options.key, endpoint, (options.timeoutSeconds ?? 15) * 1000);
+    const config = await loadConfig();
+    config.profiles = config.profiles ?? {};
+    config.profiles[profileName] = {
+        api_key: options.key,
+        endpoint,
+        label,
+        created: createdTimestamp(),
+    };
+    config.active_profile = profileName;
+    await saveConfig(config);
+    return {
+        profile: profileName,
+        auth_type: 'api_key',
+        key: maskKey(options.key),
+        endpoint,
+        models: `${models} models`,
+        config_path: configPath(),
+    };
+}
+async function deviceLogin(options) {
+    const gate = gateUrl();
+    const device = await gateJson(`${gate}/api/auth/device`, undefined, ErrorCode.GateUnavailable);
+    const deviceCode = stringValue(device.device_code);
+    const userCode = stringValue(device.user_code);
+    const verificationUrl = stringValue(device.verification_url);
+    const interval = numberValue(device.interval) ?? 5;
+    if (!deviceCode || !verificationUrl)
+        throw new EscliError('invalid gate device response', { code: ErrorCode.GateInvalidResponse, exitCode: ExitCodes.Transient, details: device });
+    if (browserDisabled())
+        await writeManualDeviceInstructions(verificationUrl, userCode);
+    else
+        openBrowser(verificationUrl);
+    const deadline = Date.now() + (process.stdin.isTTY ? DEVICE_TIMEOUT_TTY_MS : DEVICE_TIMEOUT_NON_TTY_MS);
+    while (Date.now() < deadline) {
+        await sleep(Math.max(0, interval) * 1000);
+        const poll = await gateJson(`${gate}/api/auth/poll`, { device_code: deviceCode }, ErrorCode.GateUnavailable);
+        const status = stringValue(poll.status);
+        if (status === 'authorized') {
+            const token = stringValue(poll.token);
+            if (!token)
+                throw new EscliError('invalid gate poll response', { code: ErrorCode.GateInvalidResponse, exitCode: ExitCodes.Transient, details: poll });
+            const profileName = options.profile ?? 'default';
+            const config = await loadConfig();
+            config.profiles = config.profiles ?? {};
+            config.profiles[profileName] = {
+                cli_token: token,
+                endpoint: gate,
+                label: options.label ?? profileName,
+                created: createdTimestamp(),
+            };
+            config.active_profile = profileName;
+            await saveConfig(config);
+            return { profile: profileName, auth_type: 'gate', gate };
+        }
+        if (status === 'expired')
+            throw new EscliError('session expired', { code: ErrorCode.AuthSessionExpired, exitCode: ExitCodes.Auth });
+    }
+    throw new EscliError('timed out waiting for auth', {
+        code: ErrorCode.AuthTimeout,
+        exitCode: ExitCodes.Transient,
+        remediation: { command: 'escli auth login --key <key>' },
+    });
+}
+async function validateKey(apiKey, endpoint, timeoutMs) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const response = await fetch(`${endpoint.replace(/\/+$/u, '')}/models`, {
+            method: 'GET',
+            headers: { 'authorization': `Bearer ${apiKey}`, 'accept': 'application/json' },
+            signal: controller.signal,
+        });
+        const body = await parseBody(response);
+        if (response.status === 401)
+            throw new EscliError('invalid key', { code: ErrorCode.AuthInvalid, exitCode: ExitCodes.Auth, details: body });
+        if (response.status === 403)
+            throw new EscliError('not authorized', { code: ErrorCode.AuthForbidden, exitCode: ExitCodes.Auth, details: body });
+        if (!response.ok)
+            throw new EscliError(`key validation failed (${response.status})`, { code: ErrorCode.AuthLoginFailed, details: body });
+        const data = recordValue(body)?.data;
+        return Array.isArray(data) ? data.length : 0;
+    }
+    catch (error) {
+        if (error instanceof EscliError)
+            throw error;
+        const isAbort = error instanceof Error && error.name === 'AbortError';
+        throw new EscliError(isAbort ? 'key validation timed out' : 'key validation failed', {
+            code: isAbort ? ErrorCode.NetworkTimeout : ErrorCode.NetworkError,
+            exitCode: ExitCodes.Transient,
+            details: error instanceof Error ? error.message : error,
+        });
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+async function gateJson(url, body, code) {
+    try {
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: { 'content-type': 'application/json', 'accept': 'application/json' },
+            body: body === undefined ? undefined : JSON.stringify(body),
+        });
+        const data = await parseBody(response);
+        if (!response.ok)
+            throw new EscliError(`gate request failed (${response.status})`, { code, exitCode: ExitCodes.Transient, details: data });
+        const record = recordValue(data);
+        if (!record)
+            throw new EscliError('invalid gate response', { code: ErrorCode.GateInvalidResponse, exitCode: ExitCodes.Transient, details: data });
+        return record;
+    }
+    catch (error) {
+        if (error instanceof EscliError)
+            throw error;
+        throw new EscliError('gate unavailable', { code, exitCode: ExitCodes.Transient, details: error instanceof Error ? error.message : error });
+    }
+}
+async function parseBody(response) {
+    const text = await response.text();
+    if (!text)
+        return {};
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return text;
+    }
+}
+async function loadConfig() {
+    const path = configPath();
+    let raw;
+    try {
+        raw = await readFile(path, 'utf8');
+    }
+    catch (error) {
+        if (isNodeError(error) && error.code === 'ENOENT')
+            return {};
+        throw new EscliError('failed to read config', { code: ErrorCode.Internal, details: path });
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        return recordValue(parsed) ?? {};
+    }
+    catch {
+        throw new EscliError('invalid config file', { code: ErrorCode.ConfigInvalid, details: path });
+    }
+}
+async function saveConfig(config) {
+    await mkdir(configDir(), { recursive: true });
+    await writeFile(configPath(), `${JSON.stringify(config, null, 2)}\n`);
+    await chmod(configPath(), 0o600);
+}
+async function readPipedKey() {
+    if (process.stdin.isTTY)
+        return undefined;
+    const chunks = [];
+    return new Promise((resolve) => {
+        const timer = setTimeout(() => {
+            cleanup();
+            resolve(nonEmpty(chunks.join('').trim()));
+        }, 25);
+        const cleanup = () => {
+            clearTimeout(timer);
+            process.stdin.off('data', onData);
+            process.stdin.off('end', onEnd);
+            process.stdin.pause();
+        };
+        const onData = (chunk) => chunks.push(String(chunk));
+        const onEnd = () => {
+            cleanup();
+            resolve(nonEmpty(chunks.join('').trim()));
+        };
+        process.stdin.on('data', onData);
+        process.stdin.once('end', onEnd);
+        process.stdin.resume();
+    });
+}
+function openBrowser(url) {
+    const command = process.env.BROWSER ?? (process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'cmd' : 'xdg-open');
+    const args = process.env.BROWSER ? [url] : process.platform === 'win32' ? ['/c', 'start', '', url] : [url];
+    try {
+        const child = spawn(command, args, { stdio: 'ignore', detached: true });
+        child.unref();
+    }
+    catch {
+        // Browser launch is best-effort; the device flow can still complete if the user opens the URL manually.
+    }
+}
+function browserDisabled() {
+    return envFlagSet(process.env.ESCLI_NO_BROWSER) || envFlagSet(process.env.ESCLI_DISABLE_BROWSER);
+}
+function envFlagSet(value) {
+    if (value === undefined)
+        return false;
+    return !['', '0', 'false', 'no'].includes(value.toLowerCase());
+}
+async function writeManualDeviceInstructions(verificationUrl, userCode) {
+    const codeLine = userCode ? `\nUser code: ${userCode}` : '';
+    await writeStderr(`Open this URL to authenticate:${codeLine}\n${verificationUrl}\n`);
+}
+function activeProfileName(config) {
+    return config.active_profile || 'default';
+}
+function profileNotFound(profileName) {
+    return new EscliError(`profile '${profileName}' not found`, { code: ErrorCode.AuthProfileNotFound, exitCode: ExitCodes.NotFound });
+}
+function maskKey(key) {
+    return key.length > 12 ? `${key.slice(0, 8)}...${key.slice(-4)}` : '***';
+}
+function createdTimestamp() {
+    return new Date().toISOString().replace(/Z$/u, '');
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function configDir() {
+    return process.env.ESCLI_CONFIG_DIR ?? join(homedir(), '.escli');
+}
+function configPath() {
+    return join(configDir(), 'config.json');
+}
+function gateUrl() {
+    return process.env.ESCLI_GATE_URL ?? DEFAULT_GATE_URL;
+}
+function recordValue(value) {
+    return value && typeof value === 'object' && !Array.isArray(value) ? value : undefined;
+}
+function isNodeError(error) {
+    return error instanceof Error && 'code' in error;
+}
+function stringValue(value) {
+    return typeof value === 'string' && value.length > 0 ? value : undefined;
+}
+function numberValue(value) {
+    return typeof value === 'number' && Number.isFinite(value) ? value : undefined;
+}
+function nonEmpty(value) {
+    return typeof value === 'string' && value.length > 0 ? value : undefined;
+}
+//# sourceMappingURL=auth.js.map

package/dist/services/credentials.js

@@ -0,0 +1,137 @@
+import { readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+export const DEFAULT_ENDPOINT = 'https://ai.eightstate.co/v1';
+const DEFAULT_GATE_URL = 'https://internal.eightstate.co';
+const RETRYABLE_STATUSES = new Set([402, 429]);
+export class ServiceCallError extends Error {
+    statusCode;
+    constructor(statusCode, message = '') {
+        super(`keys exhausted (last status ${statusCode}): ${message}`);
+        this.name = 'ServiceCallError';
+        this.statusCode = statusCode;
+    }
+}
+export function resolveApiKey(apiKeyOverride) {
+    if (apiKeyOverride)
+        return apiKeyOverride;
+    if (process.env.ESCLI_API_KEY)
+        return process.env.ESCLI_API_KEY;
+    return getActiveProfile().apiKey ?? '';
+}
+export function resolveEndpoint(baseUrlOverride) {
+    if (baseUrlOverride)
+        return baseUrlOverride;
+    if (process.env.ESCLI_BASE_URL)
+        return process.env.ESCLI_BASE_URL;
+    return getActiveProfile().endpoint ?? DEFAULT_ENDPOINT;
+}
+export async function callWithRetry(service, fn, maxAttempts = 3) {
+    let lastError;
+    for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
+        const key = await vendKey(service);
+        if (!key)
+            break;
+        try {
+            return await fn(key);
+        }
+        catch (error) {
+            const status = extractStatus(error);
+            if (status !== undefined && RETRYABLE_STATUSES.has(status)) {
+                await reportKey(service, key.fingerprint, status);
+                lastError = new ServiceCallError(status, error instanceof Error ? error.message.slice(0, 200) : '');
+                continue;
+            }
+            throw error;
+        }
+    }
+    if (lastError)
+        throw lastError;
+    return null;
+}
+export async function vendKeyForService(service) {
+    return vendKey(service);
+}
+function getActiveProfile() {
+    const config = loadConfig();
+    const activeProfile = stringValue(config.active_profile) ?? 'default';
+    const profiles = recordValue(config.profiles);
+    const profile = profiles ? recordValue(profiles[activeProfile]) : undefined;
+    return {
+        apiKey: stringValue(profile?.api_key),
+        cliToken: stringValue(profile?.cli_token),
+        endpoint: stringValue(profile?.endpoint),
+    };
+}
+export function resolveCliToken() {
+    return getActiveProfile().cliToken;
+}
+async function vendKey(service) {
+    const token = resolveCliToken();
+    if (!token)
+        return null;
+    try {
+        const response = await fetch(`${gateUrl()}/api/keys/vend`, {
+            method: 'POST',
+            headers: { 'authorization': `Bearer ${token}`, 'content-type': 'application/json' },
+            body: JSON.stringify({ service }),
+        });
+        if (response.status !== 200)
+            return null;
+        const data = recordValue(await response.json());
+        if (!data || data['success'] !== true)
+            return null;
+        const apiKey = stringValue(data['api_key']);
+        const fingerprint = stringValue(data.fingerprint);
+        if (!apiKey || !fingerprint)
+            return null;
+        return { apiKey, fingerprint, baseUrl: stringValue(data['base_url']) };
+    }
+    catch {
+        return null;
+    }
+}
+async function reportKey(service, fingerprint, status) {
+    const token = resolveCliToken();
+    if (!token)
+        return;
+    try {
+        await fetch(`${gateUrl()}/api/keys/report`, {
+            method: 'POST',
+            headers: { 'authorization': `Bearer ${token}`, 'content-type': 'application/json' },
+            body: JSON.stringify({ service, fingerprint, status }),
+        });
+    }
+    catch {
+        // gate-reporting failures are intentionally swallowed: the
+        // credential vend was the user-facing operation and already
+        // completed; reporting is best-effort telemetry.
+    }
+}
+function extractStatus(error) {
+    const maybe = recordValue(error);
+    const status = maybe ? maybe.status ?? maybe.statusCode ?? maybe.status_code : undefined;
+    return typeof status === 'number' ? status : undefined;
+}
+function loadConfig() {
+    try {
+        const raw = readFileSync(join(configDir(), 'config.json'), 'utf8');
+        return recordValue(JSON.parse(raw)) ?? {};
+    }
+    catch {
+        return {};
+    }
+}
+function configDir() {
+    return process.env.ESCLI_CONFIG_DIR ?? join(homedir(), '.escli');
+}
+function gateUrl() {
+    return process.env.ESCLI_GATE_URL ?? DEFAULT_GATE_URL;
+}
+function recordValue(value) {
+    return value && typeof value === 'object' && !Array.isArray(value) ? value : undefined;
+}
+function stringValue(value) {
+    return typeof value === 'string' && value.length > 0 ? value : undefined;
+}
+//# sourceMappingURL=credentials.js.map