@enbox/gitd 0.2.0 → 0.3.0

package/src/cli/commands/auth.ts

@@ -0,0 +1,290 @@
+/**
+ * `gitd auth` — identity and profile management.
+ *
+ * Usage:
+ *   gitd auth                          Show current identity info
+ *   gitd auth login                    Create or import an identity
+ *   gitd auth list                     List all profiles
+ *   gitd auth use <profile>            Set profile for current repo
+ *   gitd auth use <profile> --global   Set default profile
+ *   gitd auth export [profile]         Export portable identity
+ *   gitd auth import                   Import from recovery phrase
+ *   gitd auth logout [profile]         Remove a profile
+ *
+ * @module
+ */
+
+import type { AgentContext } from '../agent.js';
+
+import * as p from '@clack/prompts';
+
+import { connectAgent } from '../agent.js';
+import {
+  enboxHome,
+  listProfiles,
+  profileDataPath,
+  readConfig,
+  resolveProfile,
+  setGitConfigProfile,
+  upsertProfile,
+  writeConfig,
+} from '../../profiles/config.js';
+
+// ---------------------------------------------------------------------------
+// Sub-command dispatch
+// ---------------------------------------------------------------------------
+
+/**
+ * The auth command can run without a pre-existing AgentContext (for `login`,
+ * `list`), but some sub-commands need one (for `export`).  We accept
+ * ctx as optional and connect lazily when needed.
+ */
+export async function authCommand(ctx: AgentContext | null, args: string[]): Promise<void> {
+  const sub = args[0];
+
+  switch (sub) {
+    case 'login': return authLogin();
+    case 'list': return authList();
+    case 'use': return authUse(args.slice(1));
+    case 'logout': return authLogout(args.slice(1));
+    default: return authInfo(ctx);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// auth (no subcommand) — show current identity
+// ---------------------------------------------------------------------------
+
+async function authInfo(ctx: AgentContext | null): Promise<void> {
+  const config = readConfig();
+  const profileName = resolveProfile();
+
+  if (!profileName || !config.profiles[profileName]) {
+    p.log.warn('No identity configured. Run `gitd auth login` to get started.');
+    return;
+  }
+
+  const entry = config.profiles[profileName];
+
+  p.log.info(`Profile:    ${profileName}${config.defaultProfile === profileName ? ' (default)' : ''}`);
+  p.log.info(`DID:        ${entry.did}`);
+  p.log.info(`Created:    ${entry.createdAt}`);
+  p.log.info(`Data:       ${profileDataPath(profileName)}`);
+
+  if (ctx) {
+    p.log.info(`Connected:  ${ctx.did}`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// auth login — create or import identity
+// ---------------------------------------------------------------------------
+
+async function authLogin(): Promise<void> {
+  p.intro('Identity setup');
+
+  const action = await p.select({
+    message : 'What would you like to do?',
+    options : [
+      { value: 'create', label: 'Create a new identity' },
+      { value: 'import', label: 'Import from recovery phrase' },
+    ],
+  });
+
+  if (p.isCancel(action)) {
+    p.cancel('Cancelled.');
+    return;
+  }
+
+  const name = await p.text({
+    message     : 'Name this profile:',
+    placeholder : 'personal',
+    validate(val) {
+      if (!val?.trim()) { return 'Profile name is required.'; }
+      if (!/^[a-zA-Z0-9_-]+$/.test(val)) { return 'Only letters, numbers, hyphens, and underscores.'; }
+      const existing = listProfiles();
+      if (existing.includes(val)) { return `Profile "${val}" already exists.`; }
+    },
+  });
+
+  if (p.isCancel(name)) {
+    p.cancel('Cancelled.');
+    return;
+  }
+
+  const profileName = (name as string).trim();
+
+  const password = await p.password({
+    message: 'Choose a password for your vault:',
+    validate(val) {
+      if (!val || (val as string).length < 4) { return 'Password must be at least 4 characters.'; }
+    },
+  });
+
+  if (p.isCancel(password)) {
+    p.cancel('Cancelled.');
+    return;
+  }
+
+  let recoveryInput: string | undefined;
+
+  if (action === 'import') {
+    const phrase = await p.text({
+      message     : 'Enter your 12-word recovery phrase:',
+      placeholder : 'abandon ability able about above absent ...',
+      validate(val) {
+        if (!val) { return 'Recovery phrase is required.'; }
+        const words = val.trim().split(/\s+/);
+        if (words.length !== 12) { return 'Recovery phrase must be exactly 12 words.'; }
+      },
+    });
+
+    if (p.isCancel(phrase)) {
+      p.cancel('Cancelled.');
+      return;
+    }
+
+    recoveryInput = (phrase as string).trim();
+  }
+
+  const spin = p.spinner();
+  spin.start('Creating identity...');
+
+  try {
+    const dataPath = profileDataPath(profileName);
+    const result = await connectAgent({
+      password       : password as string,
+      dataPath,
+      recoveryPhrase : recoveryInput,
+    });
+
+    // Save profile metadata.
+    upsertProfile(profileName, {
+      name      : profileName,
+      did       : result.did,
+      createdAt : new Date().toISOString(),
+    });
+
+    spin.stop('Identity created!');
+
+    p.log.success(`DID:     ${result.did}`);
+    p.log.success(`Profile: ${profileName} (${dataPath})`);
+
+    if (result.recoveryPhrase) {
+      p.log.warn('');
+      p.log.warn('Your recovery phrase (write this down!):');
+      p.log.warn(`  ${result.recoveryPhrase}`);
+      p.log.warn('');
+      p.log.warn('This phrase can recover your identity if you lose your password.');
+      p.log.warn('Store it securely — it will NOT be shown again.');
+    }
+  } catch (err) {
+    spin.stop('Failed.');
+    p.log.error(`Failed to create identity: ${(err as Error).message}`);
+    process.exit(1);
+  }
+
+  p.outro('You\'re all set! Run `gitd whoami` to verify.');
+}
+
+// ---------------------------------------------------------------------------
+// auth list — list all profiles
+// ---------------------------------------------------------------------------
+
+function authList(): void {
+  const config = readConfig();
+  const names = Object.keys(config.profiles);
+
+  if (names.length === 0) {
+    p.log.warn('No profiles found. Run `gitd auth login` to create one.');
+    return;
+  }
+
+  p.log.info(`Profiles (${enboxHome()}):\n`);
+
+  for (const name of names) {
+    const entry = config.profiles[name];
+    const isDefault = config.defaultProfile === name ? '  (default)' : '';
+    p.log.info(`  ${name}${isDefault}`);
+    p.log.info(`    DID:     ${entry.did}`);
+    p.log.info(`    Created: ${entry.createdAt}`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// auth use — set active profile
+// ---------------------------------------------------------------------------
+
+async function authUse(args: string[]): Promise<void> {
+  const name = args[0];
+  const isGlobal = args.includes('--global');
+
+  if (!name) {
+    p.log.error('Usage: gitd auth use <profile> [--global]');
+    process.exit(1);
+  }
+
+  const config = readConfig();
+  if (!config.profiles[name]) {
+    p.log.error(`Profile "${name}" not found. Run \`gitd auth list\` to see available profiles.`);
+    process.exit(1);
+  }
+
+  if (isGlobal) {
+    config.defaultProfile = name;
+    writeConfig(config);
+    p.log.success(`Default profile set to "${name}".`);
+  } else {
+    try {
+      setGitConfigProfile(name);
+      p.log.success(`Profile "${name}" set for this repository.`);
+    } catch {
+      p.log.error('Not in a git repository. Use --global to set the default profile.');
+      process.exit(1);
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// auth logout — remove a profile
+// ---------------------------------------------------------------------------
+
+async function authLogout(args: string[]): Promise<void> {
+  let name = args[0];
+
+  if (!name) {
+    name = resolveProfile() ?? '';
+  }
+
+  if (!name) {
+    p.log.error('No profile specified and no default profile found.');
+    process.exit(1);
+  }
+
+  const config = readConfig();
+  if (!config.profiles[name]) {
+    p.log.error(`Profile "${name}" not found.`);
+    process.exit(1);
+  }
+
+  const confirm = await p.confirm({
+    message: `Remove profile "${name}"? This will delete all local data for this identity.`,
+  });
+
+  if (p.isCancel(confirm) || !confirm) {
+    p.cancel('Cancelled.');
+    return;
+  }
+
+  // Remove from config (we don't delete the data directory — user can do that).
+  delete config.profiles[name];
+  if (config.defaultProfile === name) {
+    const remaining = Object.keys(config.profiles);
+    config.defaultProfile = remaining[0] ?? '';
+  }
+  writeConfig(config);
+
+  p.log.success(`Profile "${name}" removed.`);
+  p.log.info(`Data directory preserved at: ${profileDataPath(name)}`);
+  p.log.info('Delete it manually if you want to free disk space.');
+}

package/src/cli/main.ts

@@ -66,11 +66,13 @@
  * @module
  */
 
+import { authCommand } from './commands/auth.js';
 import { ciCommand } from './commands/ci.js';
 import { cloneCommand } from './commands/clone.js';
 import { connectAgent } from './agent.js';
 import { createRequire } from 'node:module';
 import { daemonCommand } from './commands/daemon.js';
+import { flagValue } from './flags.js';
 import { githubApiCommand } from './commands/github-api.js';
 import { indexerCommand } from '../indexer/main.js';
 import { initCommand } from './commands/init.js';
@@ -89,6 +91,7 @@ import { shimCommand } from './commands/shim.js';
 import { socialCommand } from './commands/social.js';
 import { webCommand } from './commands/web.js';
 import { wikiCommand } from './commands/wiki.js';
+import { profileDataPath, resolveProfile } from '../profiles/config.js';
 
 // ---------------------------------------------------------------------------
 // Arg parsing
@@ -105,6 +108,11 @@ const rest = args.slice(1);
 function printUsage(): void {
   console.log('gitd — decentralized forge powered by DWN protocols\n');
   console.log('Commands:');
+  console.log('  auth                                        Show current identity info');
+  console.log('  auth login                                  Create or import an identity');
+  console.log('  auth list                                   List all profiles');
+  console.log('  auth use <profile> [--global]               Set active profile');
+  console.log('');
   console.log('  setup                                       Configure git for DID-based remotes');
   console.log('  clone <did>/<repo>                          Clone a repository via DID');
   console.log('  init <name>                                 Create a repo record + bare git repo');
@@ -302,11 +310,19 @@ async function main(): Promise<void> {
     case 'clone':
       await cloneCommand(rest);
       return;
+
+    case 'auth':
+      // Auth can run without a pre-existing profile (for `login`).
+      await authCommand(null, rest);
+      return;
   }
 
   // Commands that require the Web5 agent.
   const password = await getPassword();
-  const ctx = await connectAgent(password);
+  const profileFlag = flagValue(rest, '--profile');
+  const profileName = resolveProfile(profileFlag);
+  const dataPath = profileName ? profileDataPath(profileName) : undefined;
+  const ctx = await connectAgent({ password, dataPath });
 
   switch (command) {
     case 'init':

package/src/git-remote/credential-main.ts

@@ -16,12 +16,15 @@
  *     helper = /path/to/git-remote-did-credential
  *
  * Environment:
- *   GITD_PASSWORD — vault password for the local agent
+ *   GITD_PASSWORD    — vault password for the local agent
+ *   ENBOX_PROFILE    — (optional) profile name override
  *
  * @module
  */
 
-import { Web5 } from '@enbox/api';
+import type { BearerDid } from '@enbox/dids';
+
+import { Web5UserAgent } from '@enbox/agent';
 
 import {
   createPushTokenPayload,
@@ -33,6 +36,7 @@ import {
   formatCredentialResponse,
   parseCredentialRequest,
 } from './credential-helper.js';
+import { profileDataPath, resolveProfile } from '../profiles/config.js';
 
 // ---------------------------------------------------------------------------
 // Main
@@ -63,10 +67,7 @@ async function main(): Promise<void> {
     return;
   }
 
-  const { web5, did } = await Web5.connect({
-    password,
-    sync: 'off',
-  });
+  const { did, bearerDid } = await connectForCredentials(password);
 
   // Extract the owner DID and repo from the URL path.
   const path = request.path ?? '';
@@ -82,8 +83,8 @@ async function main(): Promise<void> {
   const payload = createPushTokenPayload(did, ownerDid, repo);
   const token = encodePushToken(payload);
 
-  // Sign the token using the agent's DID signer.
-  const signer = await web5.agent.agentDid.getSigner();
+  // Sign the token using the identity's DID signer (not the agent DID).
+  const signer = await bearerDid.getSigner();
   const tokenBytes = new TextEncoder().encode(token);
   const signature = await signer.sign({ data: tokenBytes });
   const signatureBase64url = Buffer.from(signature).toString('base64url');
@@ -96,6 +97,38 @@ async function main(): Promise<void> {
   process.stdout.write(formatCredentialResponse(creds));
 }
 
+// ---------------------------------------------------------------------------
+// Agent connection
+// ---------------------------------------------------------------------------
+
+/**
+ * Connect to the Web5 agent and return the identity DID and its BearerDid.
+ *
+ * Resolves the active profile (env, git config, global default, or single
+ * fallback) and connects using the profile's agent data path.  Falls back
+ * to the legacy CWD-relative `DATA/AGENT` path when no profile exists.
+ */
+async function connectForCredentials(
+  password: string,
+): Promise<{ did: string; bearerDid: BearerDid }> {
+  // Resolve profile (env, git config, global default, single fallback).
+  // When a profile exists, the agent lives at ~/.enbox/profiles/<name>/DATA/AGENT.
+  // Otherwise, fall back to the CWD-relative default path (legacy).
+  const profileName = resolveProfile();
+  const dataPath = profileName ? profileDataPath(profileName) : undefined;
+
+  const agent = await Web5UserAgent.create(dataPath ? { dataPath } : undefined);
+  await agent.start({ password });
+
+  const identities = await agent.identity.list();
+  const identity = identities[0];
+  if (!identity) {
+    throw new Error('No identity found in agent');
+  }
+
+  return { did: identity.did.uri, bearerDid: identity.did };
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------

package/src/profiles/config.ts

@@ -0,0 +1,188 @@
+/**
+ * Profile configuration — persistent config at `~/.enbox/config.json`.
+ *
+ * Manages the set of named identity profiles and the default selection.
+ * This module handles reading, writing, and resolving profiles across
+ * multiple selection sources (flag, env, git config, global default).
+ *
+ * Storage layout:
+ *   ~/.enbox/
+ *     config.json               Global config (this module)
+ *     profiles/
+ *       <name>/DATA/AGENT/...   Per-profile Web5 agent stores
+ *
+ * @module
+ */
+
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { spawnSync } from 'node:child_process';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+/** Base directory for all enbox data.  Override with `ENBOX_HOME`. */
+export function enboxHome(): string {
+  return process.env.ENBOX_HOME ?? join(homedir(), '.enbox');
+}
+
+/** Path to the global config file. */
+export function configPath(): string {
+  return join(enboxHome(), 'config.json');
+}
+
+/** Base directory for all profile agent data. */
+export function profilesDir(): string {
+  return join(enboxHome(), 'profiles');
+}
+
+/** Path to a specific profile's agent data directory. */
+export function profileDataPath(name: string): string {
+  return join(profilesDir(), name, 'DATA', 'AGENT');
+}
+
+// ---------------------------------------------------------------------------
+// Config types
+// ---------------------------------------------------------------------------
+
+/** Metadata about a single profile stored in config.json. */
+export type ProfileEntry = {
+  /** Display name for the profile. */
+  name : string;
+  /** The DID URI associated with this profile. */
+  did : string;
+  /** ISO 8601 timestamp when the profile was created. */
+  createdAt : string;
+};
+
+/** Top-level config.json shape. */
+export type EnboxConfig = {
+  /** Schema version for forward-compatibility. */
+  version : number;
+  /** Name of the default profile. */
+  defaultProfile : string;
+  /** Map of profile name → metadata. */
+  profiles : Record<string, ProfileEntry>;
+};
+
+// ---------------------------------------------------------------------------
+// Config I/O
+// ---------------------------------------------------------------------------
+
+/** Read the global config.  Returns a default if the file doesn't exist. */
+export function readConfig(): EnboxConfig {
+  const path = configPath();
+  if (!existsSync(path)) {
+    return { version: 1, defaultProfile: '', profiles: {} };
+  }
+  const raw = readFileSync(path, 'utf-8');
+  return JSON.parse(raw) as EnboxConfig;
+}
+
+/** Write the global config atomically. */
+export function writeConfig(config: EnboxConfig): void {
+  const path = configPath();
+  mkdirSync(join(path, '..'), { recursive: true });
+  writeFileSync(path, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+}
+
+/** Add or update a profile entry in the global config. */
+export function upsertProfile(name: string, entry: ProfileEntry): void {
+  const config = readConfig();
+  config.profiles[name] = entry;
+
+  // If this is the first profile, make it the default.
+  if (!config.defaultProfile || Object.keys(config.profiles).length === 1) {
+    config.defaultProfile = name;
+  }
+
+  writeConfig(config);
+}
+
+/** Remove a profile entry from the global config. */
+export function removeProfile(name: string): void {
+  const config = readConfig();
+  delete config.profiles[name];
+
+  // If we removed the default, pick the first remaining (or clear).
+  if (config.defaultProfile === name) {
+    const remaining = Object.keys(config.profiles);
+    config.defaultProfile = remaining[0] ?? '';
+  }
+
+  writeConfig(config);
+}
+
+/** List all profile names. */
+export function listProfiles(): string[] {
+  return Object.keys(readConfig().profiles);
+}
+
+// ---------------------------------------------------------------------------
+// Profile resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve which profile to use.
+ *
+ * Precedence (highest to lowest):
+ *   1. `--profile <name>` flag (passed as `flagProfile`)
+ *   2. `ENBOX_PROFILE` environment variable
+ *   3. `.git/config` → `[enbox] profile = <name>`
+ *   4. `~/.enbox/config.json` → `defaultProfile`
+ *   5. First (and only) profile, if exactly one exists
+ *
+ * Returns `null` when no profile can be resolved (i.e. none exist).
+ */
+export function resolveProfile(flagProfile?: string): string | null {
+  // 1. Explicit flag.
+  if (flagProfile) { return flagProfile; }
+
+  // 2. Environment variable.
+  const envProfile = process.env.ENBOX_PROFILE;
+  if (envProfile) { return envProfile; }
+
+  // 3. Per-repo git config.
+  const gitProfile = readGitConfigProfile();
+  if (gitProfile) { return gitProfile; }
+
+  // 4. Global default.
+  const config = readConfig();
+  if (config.defaultProfile) { return config.defaultProfile; }
+
+  // 5. Single profile fallback.
+  const names = Object.keys(config.profiles);
+  if (names.length === 1) { return names[0]; }
+
+  return null;
+}
+
+/**
+ * Read the `[enbox] profile` setting from the current repo's `.git/config`.
+ * Returns `null` if not in a git repo or the setting is absent.
+ */
+function readGitConfigProfile(): string | null {
+  try {
+    const result = spawnSync('git', ['config', '--local', 'enbox.profile'], {
+      stdio   : ['pipe', 'pipe', 'pipe'],
+      timeout : 2_000,
+    });
+    const value = result.stdout?.toString().trim();
+    if (result.status === 0 && value) { return value; }
+  } catch {
+    // Not in a git repo or git not available.
+  }
+  return null;
+}
+
+/**
+ * Write the `[enbox] profile` setting to the current repo's `.git/config`.
+ */
+export function setGitConfigProfile(name: string): void {
+  spawnSync('git', ['config', '--local', 'enbox.profile', name], {
+    stdio   : ['pipe', 'pipe', 'pipe'],
+    timeout : 2_000,
+  });
+}