@hyperdrive.bot/cli 1.0.6 → 1.0.8

package/dist/services/auth-service.js

@@ -1,240 +1,27 @@
-import { CognitoIdentityClient, GetCredentialsForIdentityCommand, GetIdCommand } from '@aws-sdk/client-cognito-identity';
-import axios from 'axios';
-import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'fs';
-import { homedir } from 'os';
-import { join } from 'path';
-export class AuthService {
-    cognitoConfig = {
-        clientId: process.env.HYPERDRIVE_COGNITO_CLIENT_ID || '',
-        domain: process.env.HYPERDRIVE_COGNITO_DOMAIN || 'hyperdrive.auth.us-east-1.amazoncognito.com',
-        identityPoolId: process.env.HYPERDRIVE_COGNITO_IDENTITY_POOL_ID || '',
-        region: process.env.HYPERDRIVE_AWS_REGION || 'us-east-1',
-        userPoolId: process.env.HYPERDRIVE_COGNITO_USER_POOL_ID || '',
-    };
-    credDir;
-    credPath;
-    domain;
+/**
+ * Hyperdrive Authentication Service
+ *
+ * Re-exports from @devsquad/cli-auth with hyperdrive-specific configuration.
+ */
+import { AuthService as BaseAuthService, } from '@hyperdrive.bot/cli-auth';
+// Hyperdrive-specific configuration
+const HYPERDRIVE_AUTH_CONFIG = {
+    appName: 'hyperdrive',
+    defaultCognitoClientId: process.env.HYPERDRIVE_COGNITO_CLIENT_ID || '',
+    defaultCognitoDomain: process.env.HYPERDRIVE_COGNITO_DOMAIN || 'hyperdrive.auth.us-east-1.amazoncognito.com',
+    defaultIdentityPoolId: process.env.HYPERDRIVE_COGNITO_IDENTITY_POOL_ID || '',
+    defaultUserPoolId: process.env.HYPERDRIVE_COGNITO_USER_POOL_ID || '',
+    defaultRegion: process.env.HYPERDRIVE_AWS_REGION || 'us-east-1',
+};
+/**
+ * Hyperdrive-specific AuthService
+ *
+ * Wrapper around @devsquad/cli-auth with hyperdrive defaults.
+ */
+export class AuthService extends BaseAuthService {
     constructor(domain) {
-        this.credDir = join(homedir(), '.hyperdrive');
-        this.domain = domain;
-        this.credPath = this.getCredentialsPath();
-    }
-    /**
-     * Clear stored credentials
-     */
-    clearCredentials() {
-        if (existsSync(this.credPath)) {
-            unlinkSync(this.credPath);
-        }
-    }
-    /**
-     * Ensure credentials are valid, refresh if needed
-     * Returns valid credentials or throws error
-     */
-    async ensureValidCredentials() {
-        const credentials = this.loadCredentials();
-        if (!credentials) {
-            throw new Error('Not authenticated. Please run "hd auth login" first.');
-        }
-        // Auto-refresh if needed
-        if (this.needsRefresh(credentials)) {
-            if (!credentials.cognitoConfig) {
-                throw new Error('Cognito configuration not found. Please run "hd auth login" again.');
-            }
-            console.log('⏳ Credentials expiring soon, refreshing...');
-            const newTokens = await this.refreshTokens(credentials.refresh_token, credentials.cognitoConfig);
-            const newAwsCredentials = await this.getAWSCredentials(newTokens.id_token, credentials.region, credentials.cognitoConfig);
-            const updatedCredentials = {
-                ...newTokens,
-                apiUrl: credentials.apiUrl,
-                awsCredentials: newAwsCredentials,
-                cognitoConfig: credentials.cognitoConfig,
-                obtainedAt: new Date().toISOString(),
-                region: credentials.region,
-                tenantDomain: credentials.tenantDomain,
-                tenantId: credentials.tenantId,
-            };
-            this.saveCredentials(updatedCredentials);
-            console.log('✅ Credentials refreshed automatically');
-            return updatedCredentials;
-        }
-        return credentials;
-    }
-    /**
-     * Get AWS credentials from Cognito Identity Pool using ID token
-     */
-    async getAWSCredentials(idToken, region, cognitoConfig) {
-        const client = new CognitoIdentityClient({ region });
-        try {
-            // Step 1: Get Identity ID
-            const getIdResponse = await client.send(new GetIdCommand({
-                IdentityPoolId: cognitoConfig.identityPoolId,
-                Logins: {
-                    [`cognito-idp.${region}.amazonaws.com/${cognitoConfig.userPoolId}`]: idToken,
-                },
-            }));
-            if (!getIdResponse.IdentityId) {
-                throw new Error('Failed to get Identity ID from Cognito');
-            }
-            // Step 2: Get temporary AWS credentials
-            const getCredentialsResponse = await client.send(new GetCredentialsForIdentityCommand({
-                IdentityId: getIdResponse.IdentityId,
-                Logins: {
-                    [`cognito-idp.${region}.amazonaws.com/${cognitoConfig.userPoolId}`]: idToken,
-                },
-            }));
-            if (!getCredentialsResponse.Credentials) {
-                throw new Error('Failed to get AWS credentials from Cognito');
-            }
-            const { AccessKeyId, Expiration, SecretKey, SessionToken } = getCredentialsResponse.Credentials;
-            if (!AccessKeyId || !SecretKey || !SessionToken || !Expiration) {
-                throw new Error('Incomplete AWS credentials received from Cognito');
-            }
-            return {
-                accessKeyId: AccessKeyId,
-                expiration: Expiration,
-                secretAccessKey: SecretKey,
-                sessionToken: SessionToken,
-            };
-        }
-        catch (error) {
-            if (error instanceof Error) {
-                throw new Error(`Failed to obtain AWS credentials: ${error.message}`);
-            }
-            throw error;
-        }
-    }
-    /**
-     * Get all domains with stored credentials
-     */
-    getCredentialDomains() {
-        try {
-            if (!existsSync(this.credDir)) {
-                return [];
-            }
-            const files = require('fs').readdirSync(this.credDir);
-            const domains = [];
-            for (const file of files) {
-                // Match files like "credentials.example.com"
-                const match = file.match(/^credentials\.(.+)$/);
-                if (match) {
-                    domains.push(match[1]);
-                }
-            }
-            return domains;
-        }
-        catch (error) {
-            return [];
-        }
-    }
-    /**
-     * Check if credentials are expired
-     */
-    isExpired(credentials) {
-        const expiration = new Date(credentials.awsCredentials.expiration);
-        return new Date() >= expiration;
-    }
-    /**
-     * Load stored credentials from domain-specific path
-     *
-     * Always uses domain-specific credentials (credentials.<domain>)
-     * Domain is either explicitly specified or uses default domain
-     */
-    loadCredentials() {
-        try {
-            if (!existsSync(this.credPath)) {
-                return null;
-            }
-            const data = readFileSync(this.credPath, 'utf8');
-            const credentials = JSON.parse(data);
-            // Convert expiration string back to Date object
-            credentials.awsCredentials.expiration = new Date(credentials.awsCredentials.expiration);
-            return credentials;
-        }
-        catch (error) {
-            console.error('Failed to load credentials:', error);
-            return null;
-        }
-    }
-    /**
-     * Check if credentials need refresh
-     * Returns true if AWS credentials expire in less than 5 minutes
-     */
-    needsRefresh(credentials) {
-        const expiration = new Date(credentials.awsCredentials.expiration);
-        const now = new Date();
-        const timeUntilExpiry = expiration.getTime() - now.getTime();
-        const fiveMinutes = 5 * 60 * 1000;
-        return timeUntilExpiry < fiveMinutes;
-    }
-    /**
-     * Refresh Cognito tokens using refresh token
-     */
-    async refreshTokens(refreshToken, cognitoConfig) {
-        try {
-            const response = await axios.post(`https://${cognitoConfig.domain}/oauth2/token`, new URLSearchParams({
-                client_id: cognitoConfig.clientId,
-                grant_type: 'refresh_token',
-                refresh_token: refreshToken,
-            }), {
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-            });
-            // Cognito doesn't return a new refresh token on refresh, so we need to keep the old one
-            return {
-                ...response.data,
-                refresh_token: refreshToken, // Preserve original refresh token
-            };
-        }
-        catch (error) {
-            if (axios.isAxiosError(error)) {
-                throw new Error(`Token refresh failed: ${error.response?.data?.error_description || error.message}`);
-            }
-            throw error;
-        }
-    }
-    /**
-     * Save credentials to ~/.hyperdrive/credentials
-     */
-    saveCredentials(credentials) {
-        // Prevent saving test/mock credentials to production path
-        const testPatterns = ['test-client-id', 'us-east-1_TEST', 'test-identity', 'test.auth.amazoncognito'];
-        const credString = JSON.stringify(credentials);
-        for (const pattern of testPatterns) {
-            if (credString.includes(pattern)) {
-                throw new Error(`Refusing to save credentials containing test value: "${pattern}". This looks like test data.`);
-            }
-        }
-        // Ensure directory exists
-        if (!existsSync(this.credDir)) {
-            mkdirSync(this.credDir, { recursive: true });
-        }
-        // Write with secure permissions (owner read/write only)
-        writeFileSync(this.credPath, JSON.stringify(credentials, null, 2), { mode: 0o600 });
-    }
-    /**
-     * Get the credentials file path (always domain-specific)
-     */
-    getCredentialsPath() {
-        const domain = this.domain || this.getDefaultDomain();
-        if (!domain) {
-            throw new Error('No domain specified and no default domain configured');
-        }
-        // Domain-specific credentials: ~/.hyperdrive/credentials.{domain}
-        return join(this.credDir, `credentials.${domain}`);
-    }
-    /**
-     * Get default domain from TenantService (avoid circular dependency by reading file directly)
-     */
-    getDefaultDomain() {
-        try {
-            const defaultDomainPath = join(this.credDir, 'default-domain');
-            if (!existsSync(defaultDomainPath)) {
-                return null;
-            }
-            return readFileSync(defaultDomainPath, 'utf8').trim();
-        }
-        catch (error) {
-            return null;
-        }
+        super(HYPERDRIVE_AUTH_CONFIG, domain);
     }
 }
+// Export config for use by HyperdriveSigV4Service
+export { HYPERDRIVE_AUTH_CONFIG };

package/dist/services/hyperdrive-sigv4.d.ts

@@ -1,3 +1,10 @@
+/**
+ * Hyperdrive API Service with AWS SigV4 authentication
+ *
+ * This service extends @devsquad/cli-auth SigV4ApiClient to provide
+ * hyperdrive-specific API methods with AWS Signature V4 signing.
+ */
+import { SigV4ApiClient, type OutdatedRoleErrorResponse } from '@hyperdrive.bot/cli-auth';
 import { LoggingConfig } from './log-tailer.js';
 interface DeploymentCheckResponse {
     commit?: string;
@@ -129,18 +136,47 @@ interface GitAuthInitiateResponse {
     installUrl: string;
     state: string;
 }
+export type HookActionType = 'adhb-enrich' | 'ci-trigger' | 'slack-notify' | 'webhook';
+export interface SlackNotifyConfig {
+    channel: string;
+    template?: string;
+}
+export interface AdhbEnrichConfig {
+    priority?: 'high' | 'low' | 'normal';
+}
+export interface WebhookConfig {
+    headers?: Record<string, string>;
+    method: 'POST' | 'PUT';
+    url: string;
+}
+export interface CiTriggerConfig {
+    pipeline: string;
+    provider: 'github' | 'gitlab';
+    ref?: string;
+}
+export type HookActionConfig = AdhbEnrichConfig | CiTriggerConfig | SlackNotifyConfig | WebhookConfig;
+export interface HookResponse {
+    actionConfig: HookActionConfig;
+    actionType: HookActionType;
+    createdAt: string;
+    enabled: boolean;
+    hookId: string;
+    triggerStatus: string;
+    updatedAt: string;
+}
+export interface HookListResponse {
+    hooks: HookResponse[];
+}
+export interface HookCreateRequest {
+    actionConfig: HookActionConfig;
+    actionType: HookActionType;
+    triggerStatus: string;
+}
 /**
  * Hyperdrive API Service with AWS SigV4 authentication
- *
- * This service signs all API requests using AWS Signature Version 4,
- * which allows both CLI and web frontend to use the same endpoints
- * with unified AWS IAM authentication via Cognito.
  */
-export declare class HyperdriveSigV4Service {
-    private apiUrl;
-    private authService;
-    private region;
-    private tenantDomain;
+export declare class HyperdriveSigV4Service extends SigV4ApiClient {
+    private readonly userGroupsApiUrl?;
     constructor(domain?: string);
     accountAdd(params: {
         accountId: string;
@@ -253,6 +289,28 @@ export declare class HyperdriveSigV4Service {
         repos: GitRepoInfo[];
         totalCount: number;
     }>;
+    hookCreate(projectId: string, body: HookCreateRequest): Promise<HookResponse>;
+    hookDelete(projectId: string, hookId: string): Promise<{
+        message: string;
+    }>;
+    hookList(projectId: string): Promise<HookListResponse>;
+    hookUpdate(projectId: string, hookId: string, body: Partial<HookCreateRequest> & {
+        enabled?: boolean;
+    }): Promise<HookResponse>;
+    projectGetJiraStatuses(projectId: string): Promise<{
+        statuses: Array<{
+            id: string;
+            name: string;
+            category?: string;
+        }>;
+    }>;
+    jiraGetProjectStatuses(jiraProjectKey: string): Promise<{
+        statuses: Array<{
+            id: string;
+            name: string;
+            category?: string;
+        }>;
+    }>;
     jiraPreRegister(params: {
         jiraDomain: string;
     }): Promise<{
@@ -268,9 +326,73 @@ export declare class HyperdriveSigV4Service {
         };
         success: boolean;
     }>;
-    /**
-     * Test API connection
-     */
+    projectAddRepo(projectId: string, repo: {
+        defaultBranch: string;
+        gitProvider: string;
+        gitRemote: string;
+        name: string;
+    }): Promise<{
+        defaultBranch: string;
+        gitProvider: string;
+        gitRemote: string;
+        name: string;
+        repoId: string;
+    }>;
+    projectFindByJiraKey(jiraProjectKey: string): Promise<{
+        jiraProjectKey: string;
+        projectId: string;
+        slug: string;
+    }>;
+    projectGetJiraConfig(projectId: string): Promise<{
+        createdAt: string;
+        jiraProjectKey: string;
+        statusMapping: Record<string, string>;
+        updatedAt: string;
+    }>;
+    projectListRepos(projectId: string): Promise<Array<{
+        architectureSummary?: string | null;
+        architectureSummaryUpdatedAt?: string | null;
+        createdAt: string;
+        defaultBranch: string;
+        gitRemote: string;
+        name: string;
+        provider: string;
+        repoId: string;
+        updatedAt: string;
+    }>>;
+    projectSetJiraConfig(projectId: string, config: {
+        jiraProjectKey: string;
+        statusMapping: Record<string, string>;
+    }): Promise<{
+        jiraProjectKey: string;
+        projectId: string;
+        statusMapping: Record<string, string>;
+    }>;
+    projectUpdateRepo(projectId: string, repoId: string, updateData: {
+        architectureSummary?: string | null;
+        defaultBranch?: string;
+        lastSyncedAt?: string;
+    }): Promise<{
+        architectureSummary?: string | null;
+        defaultBranch: string;
+        gitRemote: string;
+        lastSyncedAt?: string;
+        provider: string;
+        repoId: string;
+    }>;
+    projectUpdateEntities(projectId: string, repoId: string, entities: Array<{
+        name: string;
+        type: string;
+        path: string;
+        repository?: string;
+        description?: string;
+    }>): Promise<Array<{
+        name: string;
+        type: string;
+        path: string;
+        repository?: string;
+        description?: string;
+    }>>;
     makeTestRequest(): Promise<Record<string, unknown>>;
     moduleAnalyze(slug: string): Promise<{
         jobId: string;
@@ -433,17 +555,33 @@ export declare class HyperdriveSigV4Service {
         name: string;
     }): Promise<StageResponse>;
     stageList(): Promise<StageResponse[]>;
-    private handleError;
-    private handleOutdatedCLI;
-    private handleOutdatedRole;
-    private handleResponse;
-    /**
-     * Make a signed API request
-     */
-    private makeSignedRequest;
-    /**
-     * Sign an HTTP request using AWS Signature V4
-     */
-    private signRequest;
+    stageAccessGet(stageName: string): Promise<{
+        access: Array<{
+            role: string;
+            targetId: string;
+            targetType: 'user' | 'group';
+        }>;
+        stageId: string;
+        stageName: string;
+    }>;
+    stageAccessGrant(stageName: string, access: Array<{
+        role: 'viewer' | 'deployer' | 'manager';
+        targetId: string;
+        targetType: 'user' | 'group';
+    }>): Promise<{
+        added: number;
+        message: string;
+    }>;
+    stageAccessRevoke(stageName: string, targetType: 'user' | 'group', targetId: string): Promise<{
+        message: string;
+    }>;
+    groupList(): Promise<Array<{
+        groupId: string;
+        name: string;
+        description?: string;
+        memberCount: number;
+        isSystemGroup: boolean;
+    }>>;
+    protected handleOutdatedRole(errorData: OutdatedRoleErrorResponse): Promise<void>;
 }
 export {};