@gramatr/client 0.5.1

package/bin/gmtr-login.ts

@@ -0,0 +1,599 @@
+#!/usr/bin/env node
+/**
+ * gmtr-login — Authenticate with the gramatr server
+ *
+ * Opens the grāmatr dashboard login flow, captures a Firebase ID token
+ * on localhost, and stores it in ~/.gmtr.json.
+ *
+ * Usage:
+ *   bun gmtr-login.ts                    # Interactive browser login via Firebase dashboard
+ *   bun gmtr-login.ts --token <token>    # Paste a token directly (API key or Firebase token)
+ *   bun gmtr-login.ts --status           # Check current auth status
+ *   bun gmtr-login.ts --logout           # Remove stored credentials
+ *
+ * Token is stored in ~/.gmtr.json under the "token" key.
+ * The GMTRPromptEnricher hook reads this on every prompt.
+ */
+
+import { randomBytes } from 'crypto';
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { createServer, type IncomingMessage, type ServerResponse } from 'http';
+
+// ── Config ──
+
+const HOME = process.env.HOME || process.env.USERPROFILE || '';
+const CONFIG_PATH = join(HOME, '.gmtr.json');
+const DEFAULT_SERVER = process.env.GMTR_URL || 'https://api.gramatr.com/mcp';
+// Strip /mcp suffix to get base URL
+const SERVER_BASE = DEFAULT_SERVER.replace(/\/mcp\/?$/, '');
+const DASHBOARD_BASE = process.env.GMTR_DASHBOARD_URL || (() => {
+  try {
+    const url = new URL(SERVER_BASE);
+    if (url.hostname.startsWith('api.')) {
+      url.hostname = `app.${url.hostname.slice(4)}`;
+    }
+    url.pathname = '';
+    url.search = '';
+    url.hash = '';
+    return url.toString().replace(/\/$/, '');
+  } catch {
+    return 'https://app.gramatr.com';
+  }
+})();
+const CALLBACK_PORT = 58787; // Must match server's redirect_uris
+
+// ── HTML Templates ──
+
+const BRAND_CSS = `
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+    background: #0a0e17;
+    color: #e0e6ed;
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+  }
+  .card {
+    background: #141b2d;
+    border: 1px solid #1e2940;
+    border-radius: 16px;
+    padding: 48px;
+    max-width: 440px;
+    width: 90%;
+    text-align: center;
+    box-shadow: 0 8px 32px rgba(0,0,0,0.4);
+  }
+  .logo {
+    font-size: 28px;
+    font-weight: 700;
+    letter-spacing: -0.5px;
+    margin-bottom: 8px;
+  }
+  .logo .accent { color: #00b4d8; }
+  .logo .dim { color: #5a6a8a; }
+  .subtitle {
+    color: #5a6a8a;
+    font-size: 13px;
+    margin-bottom: 32px;
+  }
+  .status {
+    font-size: 48px;
+    margin-bottom: 16px;
+  }
+  h2 {
+    font-size: 20px;
+    font-weight: 600;
+    margin-bottom: 12px;
+  }
+  h2.success { color: #00b4d8; }
+  h2.error { color: #e74c3c; }
+  p {
+    color: #7a8aaa;
+    font-size: 14px;
+    line-height: 1.6;
+  }
+  .hint {
+    margin-top: 24px;
+    padding-top: 24px;
+    border-top: 1px solid #1e2940;
+    font-size: 12px;
+    color: #4a5a7a;
+  }
+`;
+
+function htmlPage(title: string, body: string): string {
+  return `<!DOCTYPE html>
+<html lang="en"><head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>${title} — gramatr</title>
+  <style>${BRAND_CSS}</style>
+</head><body>
+  <div class="card">
+    <div class="logo"><span class="accent">gr</span>āma<span class="accent">tr</span></div>
+    <div class="subtitle">your cross-agent AI brain</div>
+    ${body}
+  </div>
+</body></html>`;
+}
+
+function successPage(): string {
+  return htmlPage('Authenticated', `
+    <div class="status">✓</div>
+    <h2 class="success">Authenticated</h2>
+    <p>Token saved. You can close this tab and return to your terminal.</p>
+    <div class="hint">gramatr intelligence is now active across all your AI tools.</div>
+  `);
+}
+
+function errorPage(title: string, detail: string): string {
+  return htmlPage('Error', `
+    <div class="status">✗</div>
+    <h2 class="error">${title}</h2>
+    <p>${detail}</p>
+    <div class="hint">Return to your terminal and try again, or use <code>gmtr-login --token</code> to paste a token directly.</div>
+  `);
+}
+
+// ── Headless Detection ──
+
+function isHeadless(): boolean {
+  // SSH session without display forwarding
+  if (process.env.SSH_CONNECTION || process.env.SSH_TTY) {
+    if (!process.env.DISPLAY && process.platform !== 'darwin') return true;
+  }
+  // Docker / CI / no TTY
+  if (process.env.CI || process.env.DOCKER) return true;
+  // Linux without display
+  if (process.platform === 'linux' && !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY) return true;
+  return false;
+}
+
+// ── Helpers ──
+
+function readConfig(): Record<string, any> {
+  try {
+    return JSON.parse(readFileSync(CONFIG_PATH, 'utf8'));
+  } catch {
+    return {};
+  }
+}
+
+function writeConfig(config: Record<string, any>): void {
+  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + '\n');
+}
+
+async function checkServerHealth(): Promise<{ ok: boolean; version?: string; error?: string }> {
+  try {
+    const res = await fetch(`${SERVER_BASE}/health`, { signal: AbortSignal.timeout(5000) });
+    if (res.ok) {
+      const data = await res.json() as any;
+      return { ok: true, version: data.version };
+    }
+    return { ok: false, error: `HTTP ${res.status}` };
+  } catch (e: any) {
+    return { ok: false, error: e.message };
+  }
+}
+
+async function testToken(token: string): Promise<{ valid: boolean; user?: string; error?: string }> {
+  try {
+    const res = await fetch(`${SERVER_BASE}/mcp`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json, text/event-stream',
+        Authorization: `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        jsonrpc: '2.0',
+        id: 1,
+        method: 'tools/call',
+        params: { name: 'aggregate_stats', arguments: {} },
+      }),
+      signal: AbortSignal.timeout(10000),
+    });
+
+    const text = await res.text();
+
+    // Check for auth errors
+    if (text.includes('JWT token is required') || text.includes('signature validation failed') || text.includes('Unauthorized')) {
+      return { valid: false, error: 'Token rejected by server' };
+    }
+
+    // Check for successful response
+    for (const line of text.split('\n')) {
+      if (line.startsWith('data: ')) {
+        try {
+          const d = JSON.parse(line.slice(6));
+          if (d?.result?.isError) {
+            return { valid: false, error: d.result.content?.[0]?.text || 'Unknown error' };
+          }
+          if (d?.result?.content?.[0]?.text) {
+            return { valid: true, user: 'authenticated' };
+          }
+        } catch {
+          continue;
+        }
+      }
+    }
+
+    return { valid: false, error: 'Unexpected response' };
+  } catch (e: any) {
+    return { valid: false, error: e.message };
+  }
+}
+
+async function startDeviceAuthorization(): Promise<{
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  verification_uri_complete?: string;
+  expires_in: number;
+  interval: number;
+}> {
+  const res = await fetch(`${SERVER_BASE}/device/start`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ client_name: 'gmtr-login' }),
+    signal: AbortSignal.timeout(10000),
+  });
+
+  const payload = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    throw new Error(payload.error_description || payload.error || `HTTP ${res.status}`);
+  }
+  return payload;
+}
+
+async function pollDeviceAuthorization(deviceCode: string): Promise<string> {
+  while (true) {
+    const res = await fetch(`${SERVER_BASE}/device/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ device_code: deviceCode }),
+      signal: AbortSignal.timeout(10000),
+    });
+
+    const payload = await res.json().catch(() => ({}));
+    if (res.ok && payload.access_token) {
+      return payload.access_token as string;
+    }
+
+    if ((res.status === 428 || res.status === 400) && payload.error === 'authorization_pending') {
+      const waitSeconds = Math.max(1, Number(payload.interval) || 5);
+      await new Promise((resolve) => setTimeout(resolve, waitSeconds * 1000));
+      continue;
+    }
+
+    throw new Error(payload.error_description || payload.error || `HTTP ${res.status}`);
+  }
+}
+
+// ── Commands ──
+
+async function showStatus(): Promise<void> {
+  console.log('\n  gramatr authentication status\n');
+
+  const config = readConfig();
+  const token = config.token;
+
+  console.log(`  Server:  ${SERVER_BASE}`);
+
+  const health = await checkServerHealth();
+  if (health.ok) {
+    console.log(`  Health:  ✓ healthy (v${health.version || 'unknown'})`);
+  } else {
+    console.log(`  Health:  ✗ ${health.error}`);
+  }
+
+  if (!token) {
+    console.log('  Token:   ✗ not configured');
+    console.log('\n  Run: bun gmtr-login.ts to authenticate\n');
+    return;
+  }
+
+  const prefix = token.substring(0, 15);
+  console.log(`  Token:   ${prefix}...`);
+
+  const result = await testToken(token);
+  if (result.valid) {
+    console.log('  Auth:    ✓ token is valid');
+  } else {
+    console.log(`  Auth:    ✗ ${result.error}`);
+    console.log('\n  Run: bun gmtr-login.ts to re-authenticate\n');
+  }
+
+  console.log('');
+}
+
+async function logout(): Promise<void> {
+  const config = readConfig();
+  delete config.token;
+  delete config.token_type;
+  delete config.token_expires;
+  delete config.authenticated_at;
+  writeConfig(config);
+  console.log('\n  ✓ Logged out. Token removed from ~/.gmtr.json\n');
+}
+
+async function loginWithToken(token: string): Promise<void> {
+  console.log('\n  Testing token...');
+
+  const result = await testToken(token);
+  if (result.valid) {
+    const config = readConfig();
+    config.token = token;
+    config.token_type = token.startsWith('aios_sk_') || token.startsWith('gmtr_sk_') ? 'api_key' : 'oauth';
+    config.authenticated_at = new Date().toISOString();
+    writeConfig(config);
+    console.log('  ✓ Token valid. Saved to ~/.gmtr.json');
+    console.log('  gramatr intelligence is now active.\n');
+  } else {
+    console.log(`  ✗ Token rejected: ${result.error}`);
+    console.log('  Token was NOT saved.\n');
+    process.exit(1);
+  }
+}
+
+async function loginBrowser(): Promise<void> {
+  console.log('\n  gramatr login\n');
+  console.log(`  Server: ${SERVER_BASE}`);
+  console.log(`  Dashboard: ${DASHBOARD_BASE}`);
+
+  // Check server health first
+  const health = await checkServerHealth();
+  if (!health.ok) {
+    console.log(`  ✗ Server unreachable: ${health.error}`);
+    console.log('  Cannot authenticate. Is the server running?\n');
+    process.exit(1);
+  }
+  console.log(`  Health: ✓ v${health.version || 'unknown'}`);
+
+  console.log('');
+
+  // Headless environments use device auth (no local server needed)
+  if (isHeadless()) {
+    console.log('  Headless environment detected. Starting device login...\n');
+    try {
+      const device = await startDeviceAuthorization();
+      console.log(`  Code: ${device.user_code}`);
+      console.log(`  Open: ${device.verification_uri_complete || device.verification_uri}`);
+      console.log('  Sign in with Google or GitHub, approve the device, then return here.\n');
+      console.log('  Waiting for authorization...');
+
+      // v0.3.63 hotfix: must clear the timeout after the race resolves,
+      // otherwise the orphan setTimeout keeps the Node event loop alive
+      // until expires_in elapses (typically 600s). Symptom: success path
+      // prints "Authenticated successfully" and then hangs until Ctrl+C.
+      let timeoutHandle: ReturnType<typeof setTimeout> | undefined;
+      const timeoutPromise = new Promise<string>((_, reject) => {
+        timeoutHandle = setTimeout(
+          () => reject(new Error('Device login timed out')),
+          device.expires_in * 1000,
+        );
+      });
+      let accessToken: string;
+      try {
+        accessToken = await Promise.race([
+          pollDeviceAuthorization(device.device_code),
+          timeoutPromise,
+        ]);
+      } finally {
+        if (timeoutHandle) clearTimeout(timeoutHandle);
+      }
+
+      const config = readConfig();
+      config.token = accessToken;
+      config.token_type = 'oauth';
+      config.authenticated_at = new Date().toISOString();
+      config.server_url = SERVER_BASE;
+      config.dashboard_url = DASHBOARD_BASE;
+      writeConfig(config);
+
+      console.log('');
+      console.log('  ✓ Authenticated successfully');
+      console.log('  Token saved to ~/.gmtr.json');
+      console.log('  gramatr intelligence is now active.\n');
+      return;
+    } catch (e: any) {
+      console.log(`  ✗ Device login failed: ${e.message}`);
+      console.log('  Fallback: gmtr-login --token\n');
+      process.exit(1);
+    }
+  }
+
+  // Browser environments use local callback server
+  const state = randomBytes(16).toString('base64url');
+  const callbackUrl = `http://localhost:${CALLBACK_PORT}/callback`;
+
+  const tokenPromise = new Promise<string>((resolve, reject) => {
+    const server = createServer(async (req: IncomingMessage, res: ServerResponse) => {
+      const url = new URL(req.url || '/', `http://localhost:${CALLBACK_PORT}`);
+
+      if (url.pathname !== '/callback') {
+        res.writeHead(404);
+        res.end('Not found');
+        return;
+      }
+
+      const token = url.searchParams.get('token');
+      const returnedState = url.searchParams.get('state');
+      const error = url.searchParams.get('error');
+
+      if (error) {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(errorPage('Authentication Failed', error));
+        server.close();
+        reject(new Error(`OAuth error: ${error}`));
+        return;
+      }
+
+      if (!token || returnedState !== state) {
+        res.writeHead(400, { 'Content-Type': 'text/html' });
+        res.end(errorPage('Invalid Callback', 'Missing Firebase token or state mismatch. Please try again.'));
+        server.close();
+        reject(new Error('Invalid callback'));
+        return;
+      }
+
+      try {
+        const validation = await testToken(token);
+        if (!validation.valid) {
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(errorPage('Token Validation Failed', validation.error || 'Server rejected token'));
+          server.close();
+          reject(new Error(validation.error || 'Server rejected token'));
+          return;
+        }
+
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(successPage());
+        server.close();
+        resolve(token);
+      } catch (e: any) {
+        res.writeHead(500, { 'Content-Type': 'text/html' });
+        res.end(errorPage('Unexpected Error', e.message));
+        server.close();
+        reject(e);
+      }
+    });
+
+    server.listen(CALLBACK_PORT, () => {
+      // Server ready
+    });
+
+    // Timeout after 2 minutes
+    setTimeout(() => {
+      server.close();
+      reject(new Error('Login timed out after 2 minutes'));
+    }, 120000);
+  });
+
+  const authorizeUrl = new URL('/login', `${DASHBOARD_BASE}/`);
+  authorizeUrl.searchParams.set('callback', callbackUrl);
+  authorizeUrl.searchParams.set('state', state);
+
+  console.log('  Opening browser for authentication...');
+  console.log(`  If it doesn't open, visit:`);
+  console.log(`  ${authorizeUrl.toString()}`);
+  console.log('');
+
+  // Open browser
+  const { exec } = await import('child_process');
+  const openCmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
+  exec(`${openCmd} "${authorizeUrl.toString()}"`);
+
+  console.log('  Waiting for authorization...');
+
+  try {
+    const accessToken = await tokenPromise;
+
+    // Save token
+    const config = readConfig();
+    config.token = accessToken;
+    config.token_type = 'firebase';
+    config.authenticated_at = new Date().toISOString();
+    config.server_url = SERVER_BASE;
+    config.dashboard_url = DASHBOARD_BASE;
+    writeConfig(config);
+
+    console.log('');
+    console.log('  ✓ Authenticated successfully');
+    console.log('  Token saved to ~/.gmtr.json');
+    console.log('  gramatr intelligence is now active.\n');
+  } catch (e: any) {
+    console.log(`\n  ✗ Authentication failed: ${e.message}\n`);
+    process.exit(1);
+  }
+}
+
+// ── CLI ──
+//
+// Defense in depth (Fix A' for Windows top-level await crash):
+// All CLI code is wrapped in an async `main()` and invoked via a
+// module-run guard. This keeps the module importable without firing
+// side effects and avoids top-level await entirely, so the file stays
+// safe even if the package ever loses `"type": "module"` or tsx
+// changes its default target to CJS.
+
+export async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--status') || args.includes('status')) {
+    await showStatus();
+    return;
+  }
+
+  if (args.includes('--logout') || args.includes('logout')) {
+    await logout();
+    return;
+  }
+
+  if (args.includes('--token') || args.includes('-t')) {
+    const tokenIdx = args.indexOf('--token') !== -1 ? args.indexOf('--token') : args.indexOf('-t');
+    const token = args[tokenIdx + 1];
+    if (!token) {
+      // Interactive paste mode — like Claude's login
+      console.log('\n  Paste your gramatr token below.');
+      console.log('  (API keys start with aios_sk_ or gmtr_sk_)\n');
+      process.stdout.write('  Token: ');
+
+      const { createInterface } = await import('readline');
+      const rl = createInterface({ input: process.stdin, output: process.stdout });
+      const pastedToken = await new Promise<string>((resolve) => {
+        rl.on('line', (line: string) => { rl.close(); resolve(line.trim()); });
+      });
+      if (!pastedToken) {
+        console.log('  No token provided.\n');
+        process.exit(1);
+      }
+      await loginWithToken(pastedToken);
+    } else {
+      await loginWithToken(token);
+    }
+    return;
+  }
+
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(`
+  gmtr-login — Authenticate with the gramatr server
+
+  Usage:
+    gmtr-login              Interactive dashboard login (browser or headless device flow)
+    gmtr-login --token      Paste a token (API key or Firebase token)
+    gmtr-login --token <t>  Provide token directly
+    gmtr-login --status     Check authentication status
+    gmtr-login --logout     Remove stored credentials
+    gmtr-login --help       Show this help
+
+  Token storage: ~/.gmtr.json
+  Server: ${SERVER_BASE}
+  Dashboard: ${DASHBOARD_BASE}
+`);
+    return;
+  }
+
+  // Default: browser login flow
+  await loginBrowser();
+}
+
+// Module-run guard. Works both when invoked directly via
+// `tsx bin/gmtr-login.ts` and when imported from another module
+// (tests, programmatic use). Under ESM, import.meta.url is the
+// canonical check; we also accept a path-suffix match as a belt.
+const invokedAs = process.argv[1] || '';
+const isMain =
+  import.meta.url === `file://${invokedAs}` ||
+  invokedAs.endsWith('gmtr-login.ts') ||
+  invokedAs.endsWith('gmtr-login.js');
+
+if (isMain) {
+  main().catch((err) => {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  });
+}

package/bin/gramatr.js

@@ -0,0 +1,36 @@
+#!/usr/bin/env node
+/**
+ * gramatr CLI entry point — thin JS wrapper that bootstraps TypeScript.
+ * tsx is a production dependency, resolved directly from node_modules.
+ *
+ * ESM module: packages/client/package.json has "type": "module" (added in
+ * PR #487 to support top-level await in bin/gmtr-login.ts). This file must
+ * use ESM imports — bare `require()` will throw ReferenceError at load time.
+ * v0.3.60 hotfix: #487 converted the .ts bin files but missed this .js twin.
+ */
+import { spawnSync } from 'node:child_process';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const script = join(__dirname, 'gramatr.ts');
+const args = process.argv.slice(2);
+
+// gramatr standardizes on `npx tsx` — see issue #468 for the architectural
+// rationale. bun detection was removed because it silently produced broken
+// hook + statusline configs on hosts where the install-time PATH did not
+// match the runtime PATH of spawned subprocesses.
+
+// Resolve tsx from node_modules (tsx is a production dependency)
+try {
+  const tsxBin = join(dirname(require.resolve('tsx/package.json')), 'dist', 'cli.mjs');
+  const r = spawnSync(process.execPath, [tsxBin, script, ...args], { stdio: 'inherit' });
+  process.exit(r.status ?? 1);
+} catch {}
+
+// Last resort: npx tsx
+const r = spawnSync('npx', ['--yes', 'tsx', script, ...args], { stdio: 'inherit', shell: true });
+process.exit(r.status ?? 1);