@enbox/gitd 0.1.0 → 0.3.0

package/dist/types/git-remote/credential-main.d.ts

@@ -16,7 +16,8 @@
  *     helper = /path/to/git-remote-did-credential
  *
  * Environment:
- *   GITD_PASSWORD — vault password for the local agent
+ *   GITD_PASSWORD    — vault password for the local agent
+ *   ENBOX_PROFILE    — (optional) profile name override
  *
  * @module
  */

package/dist/types/git-remote/credential-main.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"credential-main.d.ts","sourceRoot":"","sources":["../../../src/git-remote/credential-main.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;GAoBG"}
+{"version":3,"file":"credential-main.d.ts","sourceRoot":"","sources":["../../../src/git-remote/credential-main.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;GAqBG"}

package/dist/types/profiles/config.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Profile configuration — persistent config at `~/.enbox/config.json`.
+ *
+ * Manages the set of named identity profiles and the default selection.
+ * This module handles reading, writing, and resolving profiles across
+ * multiple selection sources (flag, env, git config, global default).
+ *
+ * Storage layout:
+ *   ~/.enbox/
+ *     config.json               Global config (this module)
+ *     profiles/
+ *       <name>/DATA/AGENT/...   Per-profile Web5 agent stores
+ *
+ * @module
+ */
+/** Base directory for all enbox data.  Override with `ENBOX_HOME`. */
+export declare function enboxHome(): string;
+/** Path to the global config file. */
+export declare function configPath(): string;
+/** Base directory for all profile agent data. */
+export declare function profilesDir(): string;
+/** Path to a specific profile's agent data directory. */
+export declare function profileDataPath(name: string): string;
+/** Metadata about a single profile stored in config.json. */
+export type ProfileEntry = {
+    /** Display name for the profile. */
+    name: string;
+    /** The DID URI associated with this profile. */
+    did: string;
+    /** ISO 8601 timestamp when the profile was created. */
+    createdAt: string;
+};
+/** Top-level config.json shape. */
+export type EnboxConfig = {
+    /** Schema version for forward-compatibility. */
+    version: number;
+    /** Name of the default profile. */
+    defaultProfile: string;
+    /** Map of profile name → metadata. */
+    profiles: Record<string, ProfileEntry>;
+};
+/** Read the global config.  Returns a default if the file doesn't exist. */
+export declare function readConfig(): EnboxConfig;
+/** Write the global config atomically. */
+export declare function writeConfig(config: EnboxConfig): void;
+/** Add or update a profile entry in the global config. */
+export declare function upsertProfile(name: string, entry: ProfileEntry): void;
+/** Remove a profile entry from the global config. */
+export declare function removeProfile(name: string): void;
+/** List all profile names. */
+export declare function listProfiles(): string[];
+/**
+ * Resolve which profile to use.
+ *
+ * Precedence (highest to lowest):
+ *   1. `--profile <name>` flag (passed as `flagProfile`)
+ *   2. `ENBOX_PROFILE` environment variable
+ *   3. `.git/config` → `[enbox] profile = <name>`
+ *   4. `~/.enbox/config.json` → `defaultProfile`
+ *   5. First (and only) profile, if exactly one exists
+ *
+ * Returns `null` when no profile can be resolved (i.e. none exist).
+ */
+export declare function resolveProfile(flagProfile?: string): string | null;
+/**
+ * Write the `[enbox] profile` setting to the current repo's `.git/config`.
+ */
+export declare function setGitConfigProfile(name: string): void;
+//# sourceMappingURL=config.d.ts.map

package/dist/types/profiles/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/profiles/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAWH,sEAAsE;AACtE,wBAAgB,SAAS,IAAI,MAAM,CAElC;AAED,sCAAsC;AACtC,wBAAgB,UAAU,IAAI,MAAM,CAEnC;AAED,iDAAiD;AACjD,wBAAgB,WAAW,IAAI,MAAM,CAEpC;AAED,yDAAyD;AACzD,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAEpD;AAMD,6DAA6D;AAC7D,MAAM,MAAM,YAAY,GAAG;IACzB,oCAAoC;IACpC,IAAI,EAAG,MAAM,CAAC;IACd,gDAAgD;IAChD,GAAG,EAAG,MAAM,CAAC;IACb,uDAAuD;IACvD,SAAS,EAAG,MAAM,CAAC;CACpB,CAAC;AAEF,mCAAmC;AACnC,MAAM,MAAM,WAAW,GAAG;IACxB,gDAAgD;IAChD,OAAO,EAAG,MAAM,CAAC;IACjB,mCAAmC;IACnC,cAAc,EAAG,MAAM,CAAC;IACxB,sCAAsC;IACtC,QAAQ,EAAG,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;CACzC,CAAC;AAMF,4EAA4E;AAC5E,wBAAgB,UAAU,IAAI,WAAW,CAOxC;AAED,0CAA0C;AAC1C,wBAAgB,WAAW,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI,CAIrD;AAED,0DAA0D;AAC1D,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,GAAG,IAAI,CAUrE;AAED,qDAAqD;AACrD,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAWhD;AAED,8BAA8B;AAC9B,wBAAgB,YAAY,IAAI,MAAM,EAAE,CAEvC;AAMD;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAqBlE;AAoBD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAKtD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enbox/gitd",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Decentralized forge (GitHub alternative) built on DWN protocols",
   "type": "module",
   "main": "./dist/esm/index.js",
@@ -91,6 +91,7 @@
     "bun": ">=1.0.0"
   },
   "dependencies": {
+    "@clack/prompts": "^1.0.1",
     "@enbox/api": "0.3.0",
     "@enbox/crypto": "0.0.6",
     "@enbox/dids": "0.0.7",

package/src/cli/agent.ts

@@ -6,12 +6,16 @@
  * the existing vault and return a ready-to-use `TypedWeb5` instance for
  * each protocol.
  *
+ * Agent data is stored under the resolved profile path:
+ *   `~/.enbox/profiles/<profile>/DATA/AGENT/`
+ *
  * @module
  */
 
 import type { TypedWeb5 } from '@enbox/api';
 
 import { Web5 } from '@enbox/api';
+import { Web5UserAgent } from '@enbox/agent';
 
 import type { ForgeCiSchemaMap } from '../ci.js';
 import type { ForgeIssuesSchemaMap } from '../issues.js';
@@ -58,6 +62,24 @@ export type AgentContext = {
   web5 : Web5;
 };
 
+/** Options for connecting to the agent. */
+export type ConnectOptions = {
+  /** Vault password. */
+  password : string;
+  /**
+   * Agent data path.  When provided, the agent stores all data under
+   * this directory instead of the default `DATA/AGENT` relative to CWD.
+   *
+   * The profile system sets this to `~/.enbox/profiles/<name>/DATA/AGENT`.
+   */
+  dataPath? : string;
+  /**
+   * Optional recovery phrase (12-word BIP-39 mnemonic) for initializing
+   * a new vault.  When omitted, a new phrase is generated automatically.
+   */
+  recoveryPhrase? : string;
+};
+
 // ---------------------------------------------------------------------------
 // Agent bootstrap
 // ---------------------------------------------------------------------------
@@ -65,24 +87,85 @@ export type AgentContext = {
 /**
  * Connect to the local Web5 agent, initializing on first launch.
  *
- * The agent's persistent data lives under `dataPath` (default:
- * `~/.gitd/agent`).  Sync is disabled — the CLI operates against
- * the local DWN only.
+ * When `dataPath` is provided, the agent's persistent data lives there.
+ * Otherwise, it falls back to `DATA/AGENT` relative to CWD (legacy).
+ *
+ * Sync is disabled — the CLI operates against the local DWN only.
  */
-export async function connectAgent(password: string): Promise<AgentContext> {
-  const { web5, did, recoveryPhrase } = await Web5.connect({
-    password,
-    sync: 'off',
-  });
+export async function connectAgent(options: ConnectOptions): Promise<AgentContext & { recoveryPhrase?: string }> {
+  const { password, dataPath, recoveryPhrase: inputPhrase } = options;
+
+  let agent: Web5UserAgent;
+  let recoveryPhrase: string | undefined;
+
+  if (dataPath) {
+    // Profile-based: create agent with explicit data path.
+    agent = await Web5UserAgent.create({ dataPath });
+
+    if (await agent.firstLaunch()) {
+      recoveryPhrase = await agent.initialize({
+        password,
+        recoveryPhrase : inputPhrase,
+        dwnEndpoints   : ['https://enbox-dwn.fly.dev'],
+      });
+    }
+    await agent.start({ password });
+
+    // Ensure at least one identity exists.
+    const identities = await agent.identity.list();
+    let identity = identities[0];
+    if (!identity) {
+      identity = await agent.identity.create({
+        didMethod  : 'dht',
+        metadata   : { name: 'Default' },
+        didOptions : {
+          services: [{
+            id              : 'dwn',
+            type            : 'DecentralizedWebNode',
+            serviceEndpoint : ['https://enbox-dwn.fly.dev'],
+            enc             : '#enc',
+            sig             : '#sig',
+          }],
+          verificationMethods: [
+            { algorithm: 'Ed25519', id: 'sig', purposes: ['assertionMethod', 'authentication'] },
+            { algorithm: 'X25519', id: 'enc', purposes: ['keyAgreement'] },
+          ],
+        },
+      });
+    }
+
+    const result = await Web5.connect({
+      agent,
+      connectedDid : identity.did.uri,
+      sync         : 'off',
+    });
 
-  if (recoveryPhrase) {
+    return bindProtocols(result.web5, result.did, recoveryPhrase);
+  }
+
+  // Legacy: let Web5.connect() manage the agent (uses CWD-relative path).
+  const result = await Web5.connect({ password, sync: 'off' });
+
+  if (result.recoveryPhrase) {
     console.log('');
     console.log('  Recovery phrase (save this — it cannot be shown again):');
-    console.log(`  ${recoveryPhrase}`);
+    console.log(`  ${result.recoveryPhrase}`);
     console.log('');
   }
 
-  // Bind typed protocol handles.
+  return bindProtocols(result.web5, result.did, result.recoveryPhrase);
+}
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+/** Bind typed protocol handles and configure all protocols. */
+async function bindProtocols(
+  web5: Web5,
+  did: string,
+  recoveryPhrase?: string,
+): Promise<AgentContext & { recoveryPhrase?: string }> {
   const repo = web5.using(ForgeRepoProtocol);
   const refs = web5.using(ForgeRefsProtocol);
   const issues = web5.using(ForgeIssuesProtocol);
@@ -113,5 +196,6 @@ export async function connectAgent(password: string): Promise<AgentContext> {
   return {
     did, repo, refs, issues, patches, ci, releases,
     registry, social, notifications, wiki, org, web5,
+    recoveryPhrase,
   };
 }

package/src/cli/commands/auth.ts

@@ -0,0 +1,290 @@
+/**
+ * `gitd auth` — identity and profile management.
+ *
+ * Usage:
+ *   gitd auth                          Show current identity info
+ *   gitd auth login                    Create or import an identity
+ *   gitd auth list                     List all profiles
+ *   gitd auth use <profile>            Set profile for current repo
+ *   gitd auth use <profile> --global   Set default profile
+ *   gitd auth export [profile]         Export portable identity
+ *   gitd auth import                   Import from recovery phrase
+ *   gitd auth logout [profile]         Remove a profile
+ *
+ * @module
+ */
+
+import type { AgentContext } from '../agent.js';
+
+import * as p from '@clack/prompts';
+
+import { connectAgent } from '../agent.js';
+import {
+  enboxHome,
+  listProfiles,
+  profileDataPath,
+  readConfig,
+  resolveProfile,
+  setGitConfigProfile,
+  upsertProfile,
+  writeConfig,
+} from '../../profiles/config.js';
+
+// ---------------------------------------------------------------------------
+// Sub-command dispatch
+// ---------------------------------------------------------------------------
+
+/**
+ * The auth command can run without a pre-existing AgentContext (for `login`,
+ * `list`), but some sub-commands need one (for `export`).  We accept
+ * ctx as optional and connect lazily when needed.
+ */
+export async function authCommand(ctx: AgentContext | null, args: string[]): Promise<void> {
+  const sub = args[0];
+
+  switch (sub) {
+    case 'login': return authLogin();
+    case 'list': return authList();
+    case 'use': return authUse(args.slice(1));
+    case 'logout': return authLogout(args.slice(1));
+    default: return authInfo(ctx);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// auth (no subcommand) — show current identity
+// ---------------------------------------------------------------------------
+
+async function authInfo(ctx: AgentContext | null): Promise<void> {
+  const config = readConfig();
+  const profileName = resolveProfile();
+
+  if (!profileName || !config.profiles[profileName]) {
+    p.log.warn('No identity configured. Run `gitd auth login` to get started.');
+    return;
+  }
+
+  const entry = config.profiles[profileName];
+
+  p.log.info(`Profile:    ${profileName}${config.defaultProfile === profileName ? ' (default)' : ''}`);
+  p.log.info(`DID:        ${entry.did}`);
+  p.log.info(`Created:    ${entry.createdAt}`);
+  p.log.info(`Data:       ${profileDataPath(profileName)}`);
+
+  if (ctx) {
+    p.log.info(`Connected:  ${ctx.did}`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// auth login — create or import identity
+// ---------------------------------------------------------------------------
+
+async function authLogin(): Promise<void> {
+  p.intro('Identity setup');
+
+  const action = await p.select({
+    message : 'What would you like to do?',
+    options : [
+      { value: 'create', label: 'Create a new identity' },
+      { value: 'import', label: 'Import from recovery phrase' },
+    ],
+  });
+
+  if (p.isCancel(action)) {
+    p.cancel('Cancelled.');
+    return;
+  }
+
+  const name = await p.text({
+    message     : 'Name this profile:',
+    placeholder : 'personal',
+    validate(val) {
+      if (!val?.trim()) { return 'Profile name is required.'; }
+      if (!/^[a-zA-Z0-9_-]+$/.test(val)) { return 'Only letters, numbers, hyphens, and underscores.'; }
+      const existing = listProfiles();
+      if (existing.includes(val)) { return `Profile "${val}" already exists.`; }
+    },
+  });
+
+  if (p.isCancel(name)) {
+    p.cancel('Cancelled.');
+    return;
+  }
+
+  const profileName = (name as string).trim();
+
+  const password = await p.password({
+    message: 'Choose a password for your vault:',
+    validate(val) {
+      if (!val || (val as string).length < 4) { return 'Password must be at least 4 characters.'; }
+    },
+  });
+
+  if (p.isCancel(password)) {
+    p.cancel('Cancelled.');
+    return;
+  }
+
+  let recoveryInput: string | undefined;
+
+  if (action === 'import') {
+    const phrase = await p.text({
+      message     : 'Enter your 12-word recovery phrase:',
+      placeholder : 'abandon ability able about above absent ...',
+      validate(val) {
+        if (!val) { return 'Recovery phrase is required.'; }
+        const words = val.trim().split(/\s+/);
+        if (words.length !== 12) { return 'Recovery phrase must be exactly 12 words.'; }
+      },
+    });
+
+    if (p.isCancel(phrase)) {
+      p.cancel('Cancelled.');
+      return;
+    }
+
+    recoveryInput = (phrase as string).trim();
+  }
+
+  const spin = p.spinner();
+  spin.start('Creating identity...');
+
+  try {
+    const dataPath = profileDataPath(profileName);
+    const result = await connectAgent({
+      password       : password as string,
+      dataPath,
+      recoveryPhrase : recoveryInput,
+    });
+
+    // Save profile metadata.
+    upsertProfile(profileName, {
+      name      : profileName,
+      did       : result.did,
+      createdAt : new Date().toISOString(),
+    });
+
+    spin.stop('Identity created!');
+
+    p.log.success(`DID:     ${result.did}`);
+    p.log.success(`Profile: ${profileName} (${dataPath})`);
+
+    if (result.recoveryPhrase) {
+      p.log.warn('');
+      p.log.warn('Your recovery phrase (write this down!):');
+      p.log.warn(`  ${result.recoveryPhrase}`);
+      p.log.warn('');
+      p.log.warn('This phrase can recover your identity if you lose your password.');
+      p.log.warn('Store it securely — it will NOT be shown again.');
+    }
+  } catch (err) {
+    spin.stop('Failed.');
+    p.log.error(`Failed to create identity: ${(err as Error).message}`);
+    process.exit(1);
+  }
+
+  p.outro('You\'re all set! Run `gitd whoami` to verify.');
+}
+
+// ---------------------------------------------------------------------------
+// auth list — list all profiles
+// ---------------------------------------------------------------------------
+
+function authList(): void {
+  const config = readConfig();
+  const names = Object.keys(config.profiles);
+
+  if (names.length === 0) {
+    p.log.warn('No profiles found. Run `gitd auth login` to create one.');
+    return;
+  }
+
+  p.log.info(`Profiles (${enboxHome()}):\n`);
+
+  for (const name of names) {
+    const entry = config.profiles[name];
+    const isDefault = config.defaultProfile === name ? '  (default)' : '';
+    p.log.info(`  ${name}${isDefault}`);
+    p.log.info(`    DID:     ${entry.did}`);
+    p.log.info(`    Created: ${entry.createdAt}`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// auth use — set active profile
+// ---------------------------------------------------------------------------
+
+async function authUse(args: string[]): Promise<void> {
+  const name = args[0];
+  const isGlobal = args.includes('--global');
+
+  if (!name) {
+    p.log.error('Usage: gitd auth use <profile> [--global]');
+    process.exit(1);
+  }
+
+  const config = readConfig();
+  if (!config.profiles[name]) {
+    p.log.error(`Profile "${name}" not found. Run \`gitd auth list\` to see available profiles.`);
+    process.exit(1);
+  }
+
+  if (isGlobal) {
+    config.defaultProfile = name;
+    writeConfig(config);
+    p.log.success(`Default profile set to "${name}".`);
+  } else {
+    try {
+      setGitConfigProfile(name);
+      p.log.success(`Profile "${name}" set for this repository.`);
+    } catch {
+      p.log.error('Not in a git repository. Use --global to set the default profile.');
+      process.exit(1);
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// auth logout — remove a profile
+// ---------------------------------------------------------------------------
+
+async function authLogout(args: string[]): Promise<void> {
+  let name = args[0];
+
+  if (!name) {
+    name = resolveProfile() ?? '';
+  }
+
+  if (!name) {
+    p.log.error('No profile specified and no default profile found.');
+    process.exit(1);
+  }
+
+  const config = readConfig();
+  if (!config.profiles[name]) {
+    p.log.error(`Profile "${name}" not found.`);
+    process.exit(1);
+  }
+
+  const confirm = await p.confirm({
+    message: `Remove profile "${name}"? This will delete all local data for this identity.`,
+  });
+
+  if (p.isCancel(confirm) || !confirm) {
+    p.cancel('Cancelled.');
+    return;
+  }
+
+  // Remove from config (we don't delete the data directory — user can do that).
+  delete config.profiles[name];
+  if (config.defaultProfile === name) {
+    const remaining = Object.keys(config.profiles);
+    config.defaultProfile = remaining[0] ?? '';
+  }
+  writeConfig(config);
+
+  p.log.success(`Profile "${name}" removed.`);
+  p.log.info(`Data directory preserved at: ${profileDataPath(name)}`);
+  p.log.info('Delete it manually if you want to free disk space.');
+}