@hyperdrive.bot/cli 1.0.2

package/dist/services/auth-service.js

@@ -0,0 +1,240 @@
+import { CognitoIdentityClient, GetCredentialsForIdentityCommand, GetIdCommand } from '@aws-sdk/client-cognito-identity';
+import axios from 'axios';
+import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'fs';
+import { homedir } from 'os';
+import { join } from 'path';
+export class AuthService {
+    cognitoConfig = {
+        clientId: process.env.HYPERDRIVE_COGNITO_CLIENT_ID || '',
+        domain: process.env.HYPERDRIVE_COGNITO_DOMAIN || 'hyperdrive.auth.us-east-1.amazoncognito.com',
+        identityPoolId: process.env.HYPERDRIVE_COGNITO_IDENTITY_POOL_ID || '',
+        region: process.env.HYPERDRIVE_AWS_REGION || 'us-east-1',
+        userPoolId: process.env.HYPERDRIVE_COGNITO_USER_POOL_ID || '',
+    };
+    credDir;
+    credPath;
+    domain;
+    constructor(domain) {
+        this.credDir = join(homedir(), '.hyperdrive');
+        this.domain = domain;
+        this.credPath = this.getCredentialsPath();
+    }
+    /**
+     * Clear stored credentials
+     */
+    clearCredentials() {
+        if (existsSync(this.credPath)) {
+            unlinkSync(this.credPath);
+        }
+    }
+    /**
+     * Ensure credentials are valid, refresh if needed
+     * Returns valid credentials or throws error
+     */
+    async ensureValidCredentials() {
+        const credentials = this.loadCredentials();
+        if (!credentials) {
+            throw new Error('Not authenticated. Please run "hd auth login" first.');
+        }
+        // Auto-refresh if needed
+        if (this.needsRefresh(credentials)) {
+            if (!credentials.cognitoConfig) {
+                throw new Error('Cognito configuration not found. Please run "hd auth login" again.');
+            }
+            console.log('⏳ Credentials expiring soon, refreshing...');
+            const newTokens = await this.refreshTokens(credentials.refresh_token, credentials.cognitoConfig);
+            const newAwsCredentials = await this.getAWSCredentials(newTokens.id_token, credentials.region, credentials.cognitoConfig);
+            const updatedCredentials = {
+                ...newTokens,
+                apiUrl: credentials.apiUrl,
+                awsCredentials: newAwsCredentials,
+                cognitoConfig: credentials.cognitoConfig,
+                obtainedAt: new Date().toISOString(),
+                region: credentials.region,
+                tenantDomain: credentials.tenantDomain,
+                tenantId: credentials.tenantId,
+            };
+            this.saveCredentials(updatedCredentials);
+            console.log('✅ Credentials refreshed automatically');
+            return updatedCredentials;
+        }
+        return credentials;
+    }
+    /**
+     * Get AWS credentials from Cognito Identity Pool using ID token
+     */
+    async getAWSCredentials(idToken, region, cognitoConfig) {
+        const client = new CognitoIdentityClient({ region });
+        try {
+            // Step 1: Get Identity ID
+            const getIdResponse = await client.send(new GetIdCommand({
+                IdentityPoolId: cognitoConfig.identityPoolId,
+                Logins: {
+                    [`cognito-idp.${region}.amazonaws.com/${cognitoConfig.userPoolId}`]: idToken,
+                },
+            }));
+            if (!getIdResponse.IdentityId) {
+                throw new Error('Failed to get Identity ID from Cognito');
+            }
+            // Step 2: Get temporary AWS credentials
+            const getCredentialsResponse = await client.send(new GetCredentialsForIdentityCommand({
+                IdentityId: getIdResponse.IdentityId,
+                Logins: {
+                    [`cognito-idp.${region}.amazonaws.com/${cognitoConfig.userPoolId}`]: idToken,
+                },
+            }));
+            if (!getCredentialsResponse.Credentials) {
+                throw new Error('Failed to get AWS credentials from Cognito');
+            }
+            const { AccessKeyId, Expiration, SecretKey, SessionToken } = getCredentialsResponse.Credentials;
+            if (!AccessKeyId || !SecretKey || !SessionToken || !Expiration) {
+                throw new Error('Incomplete AWS credentials received from Cognito');
+            }
+            return {
+                accessKeyId: AccessKeyId,
+                expiration: Expiration,
+                secretAccessKey: SecretKey,
+                sessionToken: SessionToken,
+            };
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw new Error(`Failed to obtain AWS credentials: ${error.message}`);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Get all domains with stored credentials
+     */
+    getCredentialDomains() {
+        try {
+            if (!existsSync(this.credDir)) {
+                return [];
+            }
+            const files = require('fs').readdirSync(this.credDir);
+            const domains = [];
+            for (const file of files) {
+                // Match files like "credentials.example.com"
+                const match = file.match(/^credentials\.(.+)$/);
+                if (match) {
+                    domains.push(match[1]);
+                }
+            }
+            return domains;
+        }
+        catch (error) {
+            return [];
+        }
+    }
+    /**
+     * Check if credentials are expired
+     */
+    isExpired(credentials) {
+        const expiration = new Date(credentials.awsCredentials.expiration);
+        return new Date() >= expiration;
+    }
+    /**
+     * Load stored credentials from domain-specific path
+     *
+     * Always uses domain-specific credentials (credentials.<domain>)
+     * Domain is either explicitly specified or uses default domain
+     */
+    loadCredentials() {
+        try {
+            if (!existsSync(this.credPath)) {
+                return null;
+            }
+            const data = readFileSync(this.credPath, 'utf8');
+            const credentials = JSON.parse(data);
+            // Convert expiration string back to Date object
+            credentials.awsCredentials.expiration = new Date(credentials.awsCredentials.expiration);
+            return credentials;
+        }
+        catch (error) {
+            console.error('Failed to load credentials:', error);
+            return null;
+        }
+    }
+    /**
+     * Check if credentials need refresh
+     * Returns true if AWS credentials expire in less than 5 minutes
+     */
+    needsRefresh(credentials) {
+        const expiration = new Date(credentials.awsCredentials.expiration);
+        const now = new Date();
+        const timeUntilExpiry = expiration.getTime() - now.getTime();
+        const fiveMinutes = 5 * 60 * 1000;
+        return timeUntilExpiry < fiveMinutes;
+    }
+    /**
+     * Refresh Cognito tokens using refresh token
+     */
+    async refreshTokens(refreshToken, cognitoConfig) {
+        try {
+            const response = await axios.post(`https://${cognitoConfig.domain}/oauth2/token`, new URLSearchParams({
+                client_id: cognitoConfig.clientId,
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+            }), {
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            });
+            // Cognito doesn't return a new refresh token on refresh, so we need to keep the old one
+            return {
+                ...response.data,
+                refresh_token: refreshToken, // Preserve original refresh token
+            };
+        }
+        catch (error) {
+            if (axios.isAxiosError(error)) {
+                throw new Error(`Token refresh failed: ${error.response?.data?.error_description || error.message}`);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Save credentials to ~/.hyperdrive/credentials
+     */
+    saveCredentials(credentials) {
+        // Prevent saving test/mock credentials to production path
+        const testPatterns = ['test-client-id', 'us-east-1_TEST', 'test-identity', 'test.auth.amazoncognito'];
+        const credString = JSON.stringify(credentials);
+        for (const pattern of testPatterns) {
+            if (credString.includes(pattern)) {
+                throw new Error(`Refusing to save credentials containing test value: "${pattern}". This looks like test data.`);
+            }
+        }
+        // Ensure directory exists
+        if (!existsSync(this.credDir)) {
+            mkdirSync(this.credDir, { recursive: true });
+        }
+        // Write with secure permissions (owner read/write only)
+        writeFileSync(this.credPath, JSON.stringify(credentials, null, 2), { mode: 0o600 });
+    }
+    /**
+     * Get the credentials file path (always domain-specific)
+     */
+    getCredentialsPath() {
+        const domain = this.domain || this.getDefaultDomain();
+        if (!domain) {
+            throw new Error('No domain specified and no default domain configured');
+        }
+        // Domain-specific credentials: ~/.hyperdrive/credentials.{domain}
+        return join(this.credDir, `credentials.${domain}`);
+    }
+    /**
+     * Get default domain from TenantService (avoid circular dependency by reading file directly)
+     */
+    getDefaultDomain() {
+        try {
+            const defaultDomainPath = join(this.credDir, 'default-domain');
+            if (!existsSync(defaultDomainPath)) {
+                return null;
+            }
+            return readFileSync(defaultDomainPath, 'utf8').trim();
+        }
+        catch (error) {
+            return null;
+        }
+    }
+}

package/dist/services/git.d.ts

@@ -0,0 +1,46 @@
+export interface SyncBranchResult {
+    branch: string;
+    conflicts?: boolean;
+    error?: string;
+    success: boolean;
+}
+export interface SyncOptions {
+    all: boolean;
+    mergeStrategy: string;
+    remote: string;
+    sourceBranch: string;
+    targetBranches?: string[];
+    tmpDir?: string;
+    verbose?: boolean;
+}
+export declare class GitService {
+    private readonly DEFAULT_EXCLUDES;
+    branchExists(tmpProjectPath: string, branchName: string, remote: string): Promise<boolean>;
+    checkoutBranch(tmpProjectPath: string, branchName: string, remote: string): Promise<{
+        error?: string;
+        success: boolean;
+    }>;
+    cleanupTmpDir(tmpDir: string): Promise<void>;
+    copyProjectToTmp(sourcePath: string, tmpDir: string, verbose?: boolean, progressCallback?: (emoji: string, color: string, step: string) => void): Promise<void>;
+    createTmpDir(): Promise<string>;
+    fetchRemote(tmpProjectPath: string, remote: string): Promise<void>;
+    getAllRemoteBranches(tmpProjectPath: string, remote: string): Promise<string[]>;
+    getCurrentBranch(tmpProjectPath: string): Promise<string>;
+    mergeBranch(tmpProjectPath: string, sourceBranch: string, remote: string, mergeStrategy: string): Promise<{
+        error?: string;
+        hasConflicts: boolean;
+        success: boolean;
+    }>;
+    pushBranch(tmpProjectPath: string, branchName: string, remote: string): Promise<{
+        error?: string;
+        success: boolean;
+    }>;
+    syncBranches(options: SyncOptions, progressCallback?: (emoji: string, color: string, step: string) => void): Promise<SyncBranchResult[]>;
+    private copyDirectoryRecursive;
+    private copyWithExclusions;
+    private executeCommand;
+    private getExcludePatterns;
+    private gitignorePatternToRegex;
+    private parseGitignore;
+    private tryRsyncCopy;
+}