@fractary/faber-cli 1.5.48 → 1.5.50

package/dist/lib/github-app-auth.js

@@ -1,300 +0,0 @@
-/**
- * GitHub App Authentication Module
- *
- * Provides JWT generation, installation token exchange, and token caching
- * for GitHub App authentication in FABER CLI.
- */
-import jwt from 'jsonwebtoken';
-import fs from 'fs/promises';
-import path from 'path';
-import os from 'os';
-/**
- * Private Key Loader
- *
- * Loads private keys from file path or environment variable
- */
-export class PrivateKeyLoader {
-    /**
-     * Load private key from configured sources.
-     * Priority: env var > file path
-     *
-     * @param config - GitHub App configuration
-     * @returns The private key content
-     * @throws Error if private key cannot be loaded
-     */
-    static async load(config) {
-        // Try environment variable first (priority)
-        if (config.private_key_env_var) {
-            const envValue = process.env[config.private_key_env_var];
-            if (envValue) {
-                try {
-                    // Decode base64-encoded key
-                    const decoded = Buffer.from(envValue, 'base64').toString('utf-8');
-                    if (PrivateKeyLoader.validate(decoded)) {
-                        return decoded;
-                    }
-                }
-                catch {
-                    // Invalid base64, fall through to file path
-                }
-            }
-        }
-        // Try file path
-        if (config.private_key_path) {
-            try {
-                // Expand ~ to home directory
-                const expandedPath = config.private_key_path.startsWith('~')
-                    ? config.private_key_path.replace('~', os.homedir())
-                    : config.private_key_path;
-                const resolvedPath = path.resolve(expandedPath);
-                const key = await fs.readFile(resolvedPath, 'utf-8');
-                if (PrivateKeyLoader.validate(key)) {
-                    return key;
-                }
-                throw new Error('Invalid private key format. Expected PEM-encoded RSA private key');
-            }
-            catch (error) {
-                if (error instanceof Error && error.message.includes('ENOENT')) {
-                    throw new Error(`GitHub App private key not found at '${config.private_key_path}'. ` +
-                        `Check 'private_key_path' in config or set ${config.private_key_env_var || 'GITHUB_APP_PRIVATE_KEY'} env var`);
-                }
-                throw error;
-            }
-        }
-        throw new Error('GitHub App private key not found. ' +
-            "Configure 'private_key_path' in .fractary/config.yaml or set GITHUB_APP_PRIVATE_KEY env var");
-    }
-    /**
-     * Validate private key format.
-     *
-     * @param key - The private key content
-     * @returns true if valid PEM format
-     */
-    static validate(key) {
-        // Check for PEM format (RSA or PKCS#8)
-        const trimmed = key.trim();
-        return ((trimmed.startsWith('-----BEGIN RSA PRIVATE KEY-----') &&
-            trimmed.endsWith('-----END RSA PRIVATE KEY-----')) ||
-            (trimmed.startsWith('-----BEGIN PRIVATE KEY-----') &&
-                trimmed.endsWith('-----END PRIVATE KEY-----')));
-    }
-}
-/**
- * GitHub App Authentication
- *
- * Handles JWT generation, installation token exchange, and caching
- */
-export class GitHubAppAuth {
-    constructor(config) {
-        this.cache = new Map();
-        this.refreshPromise = null;
-        this.config = config;
-    }
-    /**
-     * Get a valid installation token.
-     * Returns cached token if still valid, otherwise generates new one.
-     *
-     * @returns Installation access token
-     */
-    async getToken() {
-        const cacheKey = this.config.installation_id;
-        const cached = this.cache.get(cacheKey);
-        if (cached && !this.isExpired(cached) && !this.isExpiringSoon(cached)) {
-            return cached.token;
-        }
-        // If token is expiring soon but still valid, trigger background refresh
-        if (cached && !this.isExpired(cached) && this.isExpiringSoon(cached)) {
-            this.triggerBackgroundRefresh();
-            return cached.token;
-        }
-        // Token expired or missing, must refresh synchronously
-        return this.refreshToken();
-    }
-    /**
-     * Force refresh the token.
-     *
-     * @returns New installation access token
-     */
-    async refreshToken() {
-        // Deduplicate concurrent refresh requests
-        if (this.refreshPromise) {
-            return this.refreshPromise;
-        }
-        this.refreshPromise = this.doRefresh();
-        try {
-            return await this.refreshPromise;
-        }
-        finally {
-            this.refreshPromise = null;
-        }
-    }
-    /**
-     * Check if token needs refresh (within 5 minutes of expiration).
-     *
-     * @returns true if token should be refreshed
-     */
-    isTokenExpiringSoon() {
-        const cached = this.cache.get(this.config.installation_id);
-        return cached ? this.isExpiringSoon(cached) : true;
-    }
-    /**
-     * Validate the configuration and private key.
-     *
-     * @throws Error if configuration is invalid
-     */
-    async validate() {
-        // Validate required fields
-        if (!this.config.id) {
-            throw new Error("GitHub App ID is required. Configure 'app.id' in .fractary/config.yaml");
-        }
-        if (!this.config.installation_id) {
-            throw new Error("GitHub App Installation ID is required. Configure 'app.installation_id' in .fractary/config.yaml");
-        }
-        // Validate private key can be loaded
-        await PrivateKeyLoader.load(this.config);
-        // Attempt to generate JWT to validate key
-        await this.generateJWT();
-    }
-    /**
-     * Perform the actual token refresh
-     */
-    async doRefresh() {
-        console.error('[DEBUG] GitHub App auth - App ID:', this.config.id);
-        console.error('[DEBUG] GitHub App auth - Installation ID:', this.config.installation_id);
-        console.error('[DEBUG] GitHub App auth - Private key path:', this.config.private_key_path);
-        const jwtToken = await this.generateJWT();
-        console.error('[DEBUG] GitHub App auth - JWT generated successfully');
-        const installationToken = await this.exchangeForInstallationToken(jwtToken);
-        console.error('[DEBUG] GitHub App auth - Installation token received');
-        // Cache the token
-        this.cache.set(this.config.installation_id, {
-            token: installationToken.token,
-            expires_at: new Date(installationToken.expires_at),
-            installation_id: this.config.installation_id,
-        });
-        return installationToken.token;
-    }
-    /**
-     * Generate a JWT for GitHub App authentication
-     */
-    async generateJWT() {
-        const privateKey = await PrivateKeyLoader.load(this.config);
-        const now = Math.floor(Date.now() / 1000);
-        const payload = {
-            iat: now - 60, // Issued 60 seconds ago to allow for clock drift
-            exp: now + GitHubAppAuth.JWT_EXPIRY_SECONDS,
-            iss: this.config.id,
-        };
-        try {
-            return jwt.sign(payload, privateKey, { algorithm: 'RS256' });
-        }
-        catch (error) {
-            if (error instanceof Error) {
-                throw new Error(`Failed to generate JWT: ${error.message}`);
-            }
-            throw error;
-        }
-    }
-    /**
-     * Exchange JWT for installation access token
-     */
-    async exchangeForInstallationToken(jwtToken) {
-        const url = `${GitHubAppAuth.GITHUB_API_URL}/app/installations/${this.config.installation_id}/access_tokens`;
-        let response;
-        try {
-            response = await fetch(url, {
-                method: 'POST',
-                headers: {
-                    Accept: 'application/vnd.github+json',
-                    Authorization: `Bearer ${jwtToken}`,
-                    'X-GitHub-Api-Version': '2022-11-28',
-                },
-            });
-        }
-        catch (error) {
-            if (error instanceof Error) {
-                throw new Error(`Failed to connect to GitHub API: ${error.message}`);
-            }
-            throw error;
-        }
-        if (!response.ok) {
-            const errorBody = await response.text().catch(() => 'Unknown error');
-            console.error('[DEBUG] GitHub API error:', response.status, errorBody);
-            if (response.status === 401) {
-                throw new Error(`Failed to authenticate with GitHub App. Status: ${response.status}, Response: ${errorBody}`);
-            }
-            if (response.status === 404) {
-                throw new Error(`GitHub App installation not found (ID: ${this.config.installation_id}). ` +
-                    'Verify the Installation ID is correct and the app is installed.');
-            }
-            if (response.status === 403) {
-                // Check for rate limiting
-                const rateLimitRemaining = response.headers.get('x-ratelimit-remaining');
-                const rateLimitReset = response.headers.get('x-ratelimit-reset');
-                if (rateLimitRemaining === '0' && rateLimitReset) {
-                    const resetTime = new Date(parseInt(rateLimitReset) * 1000);
-                    const secondsUntilReset = Math.ceil((resetTime.getTime() - Date.now()) / 1000);
-                    throw new Error(`GitHub API rate limited. Retry after ${secondsUntilReset} seconds.`);
-                }
-            }
-            throw new Error(`Failed to get installation token: ${response.status} ${errorBody}`);
-        }
-        return response.json();
-    }
-    /**
-     * Check if token is expired
-     */
-    isExpired(cached) {
-        return cached.expires_at.getTime() <= Date.now();
-    }
-    /**
-     * Check if token is expiring soon
-     */
-    isExpiringSoon(cached) {
-        return cached.expires_at.getTime() - Date.now() < GitHubAppAuth.REFRESH_THRESHOLD_MS;
-    }
-    /**
-     * Trigger background token refresh (non-blocking)
-     */
-    triggerBackgroundRefresh() {
-        if (this.refreshPromise) {
-            return; // Already refreshing
-        }
-        // Fire and forget - errors logged but not thrown
-        this.refreshToken().catch(error => {
-            console.error('[GitHubAppAuth] Background token refresh failed:', error.message);
-        });
-    }
-}
-// Token refresh threshold (5 minutes before expiration)
-GitHubAppAuth.REFRESH_THRESHOLD_MS = 5 * 60 * 1000;
-// JWT validity period (reduced to 5 minutes to handle clock skew)
-GitHubAppAuth.JWT_EXPIRY_SECONDS = 300;
-// GitHub API base URL
-GitHubAppAuth.GITHUB_API_URL = 'https://api.github.com';
-/**
- * Static Token Provider
- *
- * Simple provider for static PAT tokens
- */
-export class StaticTokenProvider {
-    constructor(token) {
-        this.token = token;
-    }
-    async getToken() {
-        return this.token;
-    }
-}
-/**
- * GitHub App Token Provider
- *
- * Provider that uses GitHubAppAuth for dynamic token generation
- */
-export class GitHubAppTokenProvider {
-    constructor(auth) {
-        this.auth = auth;
-    }
-    async getToken() {
-        return this.auth.getToken();
-    }
-}

package/dist/lib/sdk-config-adapter.d.ts

@@ -1,76 +0,0 @@
-/**
- * SDK Configuration Adapter
- *
- * Converts FABER CLI configuration to @fractary/core SDK configuration format
- * Supports both PAT and GitHub App authentication methods.
- */
-import type { LoadedFaberConfig } from '../types/config.js';
-import type { WorkConfig, RepoConfig } from '@fractary/core';
-import { TokenProvider } from './github-app-auth.js';
-/**
- * Get the current token from the provider
- * Used internally and for SDK configuration
- *
- * @param faberConfig - FABER CLI configuration
- * @returns Promise resolving to the current token
- */
-export declare function getToken(faberConfig: LoadedFaberConfig): Promise<string>;
-/**
- * Get the token provider for dynamic token refresh
- * Useful for long-running operations that need fresh tokens
- *
- * @param faberConfig - FABER CLI configuration
- * @returns TokenProvider instance
- */
-export declare function getTokenProviderInstance(faberConfig: LoadedFaberConfig): TokenProvider;
-/**
- * Validate GitHub authentication configuration
- *
- * @param faberConfig - FABER CLI configuration
- * @throws Error if configuration is invalid
- */
-export declare function validateGitHubAuth(faberConfig: LoadedFaberConfig): Promise<void>;
-/**
- * Check if GitHub App authentication is configured
- *
- * @param faberConfig - FABER CLI configuration
- * @returns true if GitHub App is configured
- */
-export declare function isGitHubAppConfigured(faberConfig: LoadedFaberConfig): boolean;
-/**
- * Create WorkConfig for WorkManager from FaberConfig
- *
- * @param faberConfig - FABER CLI configuration
- * @returns WorkConfig for @fractary/core WorkManager
- * @throws Error if required fields are missing
- */
-export declare function createWorkConfig(faberConfig: LoadedFaberConfig): WorkConfig;
-/**
- * Create WorkConfig for WorkManager from FaberConfig (async version)
- *
- * This version supports both PAT and GitHub App authentication.
- *
- * @param faberConfig - FABER CLI configuration
- * @returns Promise resolving to WorkConfig for @fractary/core WorkManager
- * @throws Error if required fields are missing
- */
-export declare function createWorkConfigAsync(faberConfig: LoadedFaberConfig): Promise<WorkConfig>;
-/**
- * Create RepoConfig for RepoManager from FaberConfig
- *
- * @param faberConfig - FABER CLI configuration
- * @returns RepoConfig for @fractary/core RepoManager
- * @throws Error if required fields are missing
- */
-export declare function createRepoConfig(faberConfig: LoadedFaberConfig): RepoConfig;
-/**
- * Create RepoConfig for RepoManager from FaberConfig (async version)
- *
- * This version supports both PAT and GitHub App authentication.
- *
- * @param faberConfig - FABER CLI configuration
- * @returns Promise resolving to RepoConfig for @fractary/core RepoManager
- * @throws Error if required fields are missing
- */
-export declare function createRepoConfigAsync(faberConfig: LoadedFaberConfig): Promise<RepoConfig>;
-//# sourceMappingURL=sdk-config-adapter.d.ts.map

package/dist/lib/sdk-config-adapter.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sdk-config-adapter.d.ts","sourceRoot":"","sources":["../../src/lib/sdk-config-adapter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAmB,MAAM,oBAAoB,CAAC;AAC7E,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC7D,OAAO,EAEL,aAAa,EAGd,MAAM,sBAAsB,CAAC;AAuD9B;;;;;;GAMG;AACH,wBAAsB,QAAQ,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CAG9E;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,iBAAiB,GAAG,aAAa,CAEtF;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAgBtF;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAG7E;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,iBAAiB,GAAG,UAAU,CAmC3E;AAED;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC,CAkB/F;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,iBAAiB,GAAG,UAAU,CAyB3E;AAED;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC,CAY/F"}

package/dist/lib/sdk-config-adapter.js

@@ -1,207 +0,0 @@
-/**
- * SDK Configuration Adapter
- *
- * Converts FABER CLI configuration to @fractary/core SDK configuration format
- * Supports both PAT and GitHub App authentication methods.
- */
-import { GitHubAppAuth, StaticTokenProvider, GitHubAppTokenProvider, } from './github-app-auth.js';
-// Singleton token provider for reuse across SDK instances
-let tokenProvider = null;
-let tokenProviderConfig = null;
-/**
- * Get or create a token provider based on configuration
- *
- * @param faberConfig - FABER CLI configuration
- * @returns TokenProvider instance
- */
-function getTokenProvider(faberConfig) {
-    const appConfig = faberConfig.github?.app;
-    const patToken = faberConfig.github?.token;
-    // Determine which auth method to use
-    // GitHub App takes precedence over PAT if configured
-    if (appConfig?.id && appConfig?.installation_id) {
-        // Check if we can reuse existing provider
-        if (tokenProvider && tokenProviderConfig === appConfig) {
-            return tokenProvider;
-        }
-        // Create new GitHub App token provider
-        const auth = new GitHubAppAuth(appConfig);
-        tokenProvider = new GitHubAppTokenProvider(auth);
-        tokenProviderConfig = appConfig;
-        return tokenProvider;
-    }
-    // Fall back to PAT
-    if (patToken) {
-        // Check if we can reuse existing provider
-        if (tokenProvider && tokenProviderConfig === patToken) {
-            return tokenProvider;
-        }
-        tokenProvider = new StaticTokenProvider(patToken);
-        tokenProviderConfig = patToken;
-        return tokenProvider;
-    }
-    throw new Error('GitHub authentication not configured. Either:\n' +
-        '  1. Set GITHUB_TOKEN environment variable, or\n' +
-        '  2. Configure GitHub App in .fractary/config.yaml:\n' +
-        '     github:\n' +
-        '       app:\n' +
-        '         id: "<app-id>"\n' +
-        '         installation_id: "<installation-id>"\n' +
-        '         private_key_path: "~/.github/your-app.pem"');
-}
-/**
- * Get the current token from the provider
- * Used internally and for SDK configuration
- *
- * @param faberConfig - FABER CLI configuration
- * @returns Promise resolving to the current token
- */
-export async function getToken(faberConfig) {
-    const provider = getTokenProvider(faberConfig);
-    return provider.getToken();
-}
-/**
- * Get the token provider for dynamic token refresh
- * Useful for long-running operations that need fresh tokens
- *
- * @param faberConfig - FABER CLI configuration
- * @returns TokenProvider instance
- */
-export function getTokenProviderInstance(faberConfig) {
-    return getTokenProvider(faberConfig);
-}
-/**
- * Validate GitHub authentication configuration
- *
- * @param faberConfig - FABER CLI configuration
- * @throws Error if configuration is invalid
- */
-export async function validateGitHubAuth(faberConfig) {
-    const appConfig = faberConfig.github?.app;
-    if (appConfig?.id && appConfig?.installation_id) {
-        // Validate GitHub App configuration
-        const auth = new GitHubAppAuth(appConfig);
-        await auth.validate();
-        return;
-    }
-    // Validate PAT
-    if (!faberConfig.github?.token) {
-        throw new Error('GitHub token not found. Set GITHUB_TOKEN environment variable or configure in .fractary/config.yaml');
-    }
-}
-/**
- * Check if GitHub App authentication is configured
- *
- * @param faberConfig - FABER CLI configuration
- * @returns true if GitHub App is configured
- */
-export function isGitHubAppConfigured(faberConfig) {
-    const appConfig = faberConfig.github?.app;
-    return !!(appConfig?.id && appConfig?.installation_id);
-}
-/**
- * Create WorkConfig for WorkManager from FaberConfig
- *
- * @param faberConfig - FABER CLI configuration
- * @returns WorkConfig for @fractary/core WorkManager
- * @throws Error if required fields are missing
- */
-export function createWorkConfig(faberConfig) {
-    const owner = faberConfig.github?.organization;
-    const repo = faberConfig.github?.project;
-    if (!owner || !repo) {
-        throw new Error('GitHub organization and project must be configured in .fractary/config.yaml');
-    }
-    // Get token provider (validates auth config)
-    const provider = getTokenProvider(faberConfig);
-    // For SDK config, we need a synchronous token
-    // The SDK will use this initially; for long-running operations,
-    // use createWorkConfigAsync or the token provider directly
-    let token;
-    if (provider instanceof StaticTokenProvider) {
-        // For PAT, we can get token synchronously via internal access
-        token = faberConfig.github?.token || '';
-    }
-    else {
-        // For GitHub App, throw helpful error - use async version
-        throw new Error('GitHub App authentication requires async initialization. ' +
-            'Use createWorkConfigAsync() instead of createWorkConfig().');
-    }
-    return {
-        platform: 'github',
-        owner,
-        repo,
-        token,
-    };
-}
-/**
- * Create WorkConfig for WorkManager from FaberConfig (async version)
- *
- * This version supports both PAT and GitHub App authentication.
- *
- * @param faberConfig - FABER CLI configuration
- * @returns Promise resolving to WorkConfig for @fractary/core WorkManager
- * @throws Error if required fields are missing
- */
-export async function createWorkConfigAsync(faberConfig) {
-    const owner = faberConfig.github?.organization;
-    const repo = faberConfig.github?.project;
-    if (!owner || !repo) {
-        throw new Error('GitHub organization and project must be configured in .fractary/config.yaml');
-    }
-    const token = await getToken(faberConfig);
-    return {
-        platform: 'github',
-        owner,
-        repo,
-        token,
-    };
-}
-/**
- * Create RepoConfig for RepoManager from FaberConfig
- *
- * @param faberConfig - FABER CLI configuration
- * @returns RepoConfig for @fractary/core RepoManager
- * @throws Error if required fields are missing
- */
-export function createRepoConfig(faberConfig) {
-    const owner = faberConfig.github?.organization;
-    const repo = faberConfig.github?.project;
-    // Get token provider (validates auth config)
-    const provider = getTokenProvider(faberConfig);
-    // For SDK config, we need a synchronous token
-    let token;
-    if (provider instanceof StaticTokenProvider) {
-        token = faberConfig.github?.token || '';
-    }
-    else {
-        throw new Error('GitHub App authentication requires async initialization. ' +
-            'Use createRepoConfigAsync() instead of createRepoConfig().');
-    }
-    return {
-        platform: 'github',
-        owner,
-        repo,
-        token,
-    };
-}
-/**
- * Create RepoConfig for RepoManager from FaberConfig (async version)
- *
- * This version supports both PAT and GitHub App authentication.
- *
- * @param faberConfig - FABER CLI configuration
- * @returns Promise resolving to RepoConfig for @fractary/core RepoManager
- * @throws Error if required fields are missing
- */
-export async function createRepoConfigAsync(faberConfig) {
-    const owner = faberConfig.github?.organization;
-    const repo = faberConfig.github?.project;
-    const token = await getToken(faberConfig);
-    return {
-        platform: 'github',
-        owner,
-        repo,
-        token,
-    };
-}