@intent-systems/nexus 2026.1.5-3 → 2026.1.5-5

package/dist/commands/credential.js

@@ -1,5 +1,10 @@
+import { execFileSync } from "node:child_process";
+import { createHash } from "node:crypto";
+import fsSync from "node:fs";
 import fs from "node:fs/promises";
-import { buildCredentialIndex, listCredentialEntries, readCredentialIndex, readCredentialRecord, resolveCredentialIndexPath, resolveCredentialPath, resolveCredentialsDir, storeKeychainSecret, writeCredentialIndex, writeCredentialRecord, } from "../credentials/store.js";
+import path from "node:path";
+import { buildCredentialIndex, listCredentialEntries, readCredentialIndex, readCredentialRecord, resolveDefaultEnvVar, resolveCredentialIndexPath, resolveCredentialPath, resolveCredentialsDir, resolveCredentialValue, storeKeychainSecret, writeCredentialIndex, writeCredentialRecord, } from "../credentials/store.js";
+import { resolveUserPath } from "../utils.js";
 const KNOWN_ENV_SPECS = [
     { env: "ANTHROPIC_API_KEY", service: "anthropic", type: "api_key" },
     { env: "OPENAI_API_KEY", service: "openai", type: "api_key" },
@@ -28,7 +33,9 @@ function looksLikePath(value) {
     const trimmed = value.trim();
     if (!trimmed)
         return false;
-    if (trimmed.startsWith("/") || trimmed.startsWith("./") || trimmed.startsWith("~/"))
+    if (trimmed.startsWith("/") ||
+        trimmed.startsWith("./") ||
+        trimmed.startsWith("~/"))
         return true;
     if (trimmed.includes(":/") || trimmed.includes("\\"))
         return true;
@@ -38,7 +45,7 @@ function detectValuePattern(value) {
     const trimmed = value.trim();
     if (!trimmed)
         return null;
-    if (/^sk-ant-/.test(trimmed)) {
+    if (trimmed.startsWith("sk-ant-")) {
         return { service: "anthropic", type: "api_key", reason: "pattern:sk-ant" };
     }
     if (/^sk-[A-Za-z0-9]/.test(trimmed)) {
@@ -135,8 +142,23 @@ export function scanCredentialEnv(opts) {
     }
     return { deep, known, discovered, missing };
 }
+function mergeIndexMetadata(params) {
+    const merged = { ...params.base };
+    if (params.existing) {
+        merged.order = params.existing.order;
+        merged.lastGood = params.existing.lastGood;
+        merged.usageStats = params.existing.usageStats;
+    }
+    return merged;
+}
 export async function listCredentials(params = {}) {
-    const index = (await readCredentialIndex()) ?? buildCredentialIndex(await listCredentialEntries());
+    const entries = await listCredentialEntries();
+    const existing = await readCredentialIndex();
+    const index = mergeIndexMetadata({
+        base: buildCredentialIndex(entries),
+        existing,
+    });
+    await writeCredentialIndex(index);
     if (params.service) {
         const key = params.service.trim();
         return {
@@ -148,7 +170,11 @@ export async function listCredentials(params = {}) {
 }
 export async function scanCredentials() {
     const entries = await listCredentialEntries();
-    const index = buildCredentialIndex(entries);
+    const existing = await readCredentialIndex();
+    const index = mergeIndexMetadata({
+        base: buildCredentialIndex(entries),
+        existing,
+    });
     await writeCredentialIndex(index);
     return index;
 }
@@ -160,49 +186,121 @@ export async function getCredential(params) {
     }
     return { filePath, record };
 }
+export async function getCredentialValue(params) {
+    const result = await getCredential(params);
+    if (!result)
+        return null;
+    const resolved = await resolveCredentialValue(result.record);
+    if (!resolved)
+        return null;
+    return { ...result, value: resolved.value, field: resolved.field };
+}
+function buildFallbackPayload(params) {
+    const value = params.value?.trim() ?? "";
+    if (!value) {
+        throw new Error("Missing credential value.");
+    }
+    if (params.type === "api_key") {
+        return { value };
+    }
+    if (params.type === "token") {
+        if (!params.refreshToken && params.expiresAt === undefined) {
+            return { value };
+        }
+        return {
+            value: JSON.stringify({
+                token: value,
+                refreshToken: params.refreshToken,
+                expiresAt: params.expiresAt,
+            }),
+            format: "json",
+        };
+    }
+    return {
+        value: JSON.stringify({
+            accessToken: value,
+            refreshToken: params.refreshToken,
+            expiresAt: params.expiresAt,
+        }),
+        format: "json",
+    };
+}
 export async function addCredential(params) {
     const authId = params.authId?.trim() || params.type;
+    let storage;
+    if (params.storage.provider === "keychain") {
+        storage = {
+            provider: "keychain",
+            service: params.storage.serviceName ?? `nexus.${params.service}`,
+            account: params.storage.accountName ?? params.account,
+        };
+    }
+    else if (params.storage.provider === "1password") {
+        storage = {
+            provider: "1password",
+            vault: params.storage.vault,
+            item: params.storage.item,
+            fields: params.storage.fields,
+        };
+    }
+    else if (params.storage.provider === "env") {
+        storage = {
+            provider: "env",
+            var: params.storage.var,
+        };
+    }
+    else {
+        const command = params.storage.command ?? params.storage.syncCommand;
+        if (!command || !command.trim()) {
+            throw new Error("External storage requires --command or --sync-command.");
+        }
+        storage = {
+            provider: "external",
+            command,
+            format: params.storage.format,
+            jsonPath: params.storage.jsonPath,
+        };
+    }
     const record = {
         owner: params.owner ?? "user",
         type: params.type,
         configuredAt: new Date().toISOString(),
-        storage: params.storage.provider === "plaintext"
-            ? { provider: "plaintext" }
-            : params.storage.provider === "keychain"
-                ? {
-                    provider: "keychain",
-                    service: params.storage.serviceName ?? `nexus.${params.service}`,
-                    account: params.storage.accountName ?? params.account,
-                }
-                : params.storage.provider === "1password"
-                    ? {
-                        provider: "1password",
-                        vault: params.storage.vault,
-                        item: params.storage.item,
-                        fields: params.storage.fields,
-                    }
-                    : { provider: "external", syncCommand: params.storage.syncCommand },
+        storage,
         ...(params.expiresAt ? { expiresAt: params.expiresAt } : {}),
     };
-    if (params.storage.provider === "plaintext") {
-        const value = params.storage.value?.trim();
-        if (params.type === "api_key")
-            record.key = value;
-        if (params.type === "token")
-            record.token = value;
-        if (params.type === "oauth")
-            record.accessToken = value;
-        if (params.refreshToken)
-            record.refreshToken = params.refreshToken;
-    }
     if (params.storage.provider === "keychain") {
-        const stored = await storeKeychainSecret({
-            service: record.storage.provider === "keychain" ? record.storage.service : `nexus.${params.service}`,
-            account: record.storage.provider === "keychain" ? record.storage.account : params.account,
+        const payload = buildFallbackPayload({
+            type: params.type,
             value: params.storage.value,
+            refreshToken: params.refreshToken,
+            expiresAt: params.expiresAt,
+        });
+        const stored = await storeKeychainSecret({
+            service: record.storage.provider === "keychain"
+                ? record.storage.service
+                : `nexus.${params.service}`,
+            account: record.storage.provider === "keychain"
+                ? record.storage.account
+                : params.account,
+            value: payload.value,
         });
         if (!stored) {
-            throw new Error("Failed to store keychain secret.");
+            const envVar = resolveDefaultEnvVar({
+                service: params.service,
+                type: params.type,
+            });
+            process.env[envVar] = payload.value;
+            record.storage = {
+                provider: "env",
+                var: envVar,
+                ...(payload.format ? { format: payload.format } : {}),
+            };
+        }
+        else if (payload.format === "json") {
+            record.storage = {
+                ...record.storage,
+                format: "json",
+            };
         }
     }
     const filePath = resolveCredentialPath(params.service, params.account, authId);
@@ -210,6 +308,180 @@ export async function addCredential(params) {
     await scanCredentials();
     return { filePath, record };
 }
+function quoteShellValue(value) {
+    return `'${value.replace(/'/g, `'"'"'`)}'`;
+}
+function resolveClaudeCliCredentialsPath() {
+    return path.join(resolveUserPath("~"), ".claude", ".credentials.json");
+}
+function resolveCodexHomePath() {
+    const configured = process.env.CODEX_HOME;
+    const home = configured
+        ? resolveUserPath(configured)
+        : resolveUserPath("~/.codex");
+    try {
+        return fsSync.realpathSync.native(home);
+    }
+    catch {
+        return home;
+    }
+}
+function computeCodexKeychainAccount(codexHome) {
+    const hash = createHash("sha256").update(codexHome).digest("hex");
+    return `cli|${hash.slice(0, 16)}`;
+}
+function extractClaudeAccessToken(payload) {
+    if (!payload || typeof payload !== "object")
+        return null;
+    const claudeOauth = payload.claudeAiOauth;
+    if (!claudeOauth || typeof claudeOauth !== "object")
+        return null;
+    const access = claudeOauth.accessToken;
+    if (typeof access !== "string" || !access.trim())
+        return null;
+    return access.trim();
+}
+function extractCodexAccessToken(payload) {
+    if (!payload || typeof payload !== "object")
+        return null;
+    const tokens = payload.tokens;
+    if (!tokens || typeof tokens !== "object")
+        return null;
+    const access = tokens.access_token;
+    if (typeof access !== "string" || !access.trim())
+        return null;
+    return access.trim();
+}
+function safeParseJson(raw) {
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+async function readJsonFile(filePath) {
+    try {
+        const raw = await fs.readFile(filePath, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+async function resolveClaudeCliExternalStorage(params) {
+    const jsonPath = "claudeAiOauth.accessToken";
+    if (process.platform === "darwin" && params.allowKeychainPrompt !== false) {
+        try {
+            const raw = execFileSync("security", ["find-generic-password", "-s", "Claude Code-credentials", "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+            const parsed = safeParseJson(raw);
+            if (extractClaudeAccessToken(parsed)) {
+                return {
+                    command: `security find-generic-password -s ${quoteShellValue("Claude Code-credentials")} -w`,
+                    format: "json",
+                    jsonPath,
+                };
+            }
+        }
+        catch {
+            // ignore
+        }
+    }
+    const filePath = resolveClaudeCliCredentialsPath();
+    const parsed = await readJsonFile(filePath);
+    if (extractClaudeAccessToken(parsed)) {
+        return {
+            command: `cat ${quoteShellValue(filePath)}`,
+            format: "json",
+            jsonPath,
+        };
+    }
+    return null;
+}
+async function resolveCodexCliExternalStorage(params) {
+    const jsonPath = "tokens.access_token";
+    const codexHome = resolveCodexHomePath();
+    if (process.platform === "darwin" && params.allowKeychainPrompt !== false) {
+        const account = computeCodexKeychainAccount(codexHome);
+        try {
+            const raw = execFileSync("security", ["find-generic-password", "-s", "Codex Auth", "-a", account, "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+            const parsed = safeParseJson(raw);
+            if (extractCodexAccessToken(parsed)) {
+                return {
+                    command: `security find-generic-password -s ${quoteShellValue("Codex Auth")} -a ${quoteShellValue(account)} -w`,
+                    format: "json",
+                    jsonPath,
+                };
+            }
+        }
+        catch {
+            // ignore
+        }
+    }
+    const authPath = path.join(codexHome, "auth.json");
+    const parsed = await readJsonFile(authPath);
+    if (extractCodexAccessToken(parsed)) {
+        return {
+            command: `cat ${quoteShellValue(authPath)}`,
+            format: "json",
+            jsonPath,
+        };
+    }
+    return null;
+}
+export async function importCliCredential(params) {
+    const source = params.source;
+    const owner = params.owner ?? "user";
+    const service = source === "claude-cli" ? "anthropic" : "openai-codex";
+    const accountDefault = source === "claude-cli" ? "claude-cli" : "codex-cli";
+    const account = params.account?.trim() || accountDefault;
+    if (!account) {
+        throw new Error("Account is required to import CLI credentials.");
+    }
+    const storage = source === "claude-cli"
+        ? await resolveClaudeCliExternalStorage({
+            allowKeychainPrompt: params.allowKeychainPrompt,
+        })
+        : await resolveCodexCliExternalStorage({
+            allowKeychainPrompt: params.allowKeychainPrompt,
+        });
+    if (!storage) {
+        throw new Error(source === "claude-cli"
+            ? "No Claude CLI credentials found in Keychain or ~/.claude/.credentials.json."
+            : `No Codex CLI credentials found in Keychain or ${path.join(resolveCodexHomePath(), "auth.json")}.`);
+    }
+    const authId = "oauth";
+    const filePath = resolveCredentialPath(service, account, authId);
+    const existing = await readCredentialRecord(filePath);
+    if (existing && !params.force) {
+        const existingSource = existing.metadata?.externalSource;
+        if (existing.storage.provider !== "external" || existingSource !== source) {
+            throw new Error(`Credential already exists at ${filePath}. Use --force to overwrite.`);
+        }
+    }
+    const record = {
+        owner,
+        type: "oauth",
+        configuredAt: new Date().toISOString(),
+        storage: {
+            provider: "external",
+            command: storage.command,
+            format: storage.format,
+            jsonPath: storage.jsonPath,
+        },
+        metadata: {
+            externalSource: source,
+        },
+    };
+    await writeCredentialRecord(service, account, authId, record);
+    await scanCredentials();
+    return {
+        filePath,
+        record,
+        profileId: `${service}:${account}`,
+        source,
+    };
+}
 export async function removeCredential(params) {
     const filePath = resolveCredentialPath(params.service, params.account, params.authId);
     await fs.rm(filePath, { force: true });
@@ -234,3 +506,192 @@ export function getCredentialPaths() {
         indexPath: resolveCredentialIndexPath(),
     };
 }
+async function fetchWithTimeout(input, init, timeoutMs) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        return await fetch(input, { ...init, signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+async function verifyTokenAgainstApi(params) {
+    const service = params.service.toLowerCase();
+    const token = params.token;
+    try {
+        if (service === "anthropic") {
+            const res = await fetchWithTimeout("https://api.anthropic.com/v1/models", {
+                method: "GET",
+                headers: {
+                    "x-api-key": token,
+                    "anthropic-version": "2023-06-01",
+                },
+            }, 10_000);
+            if (!res.ok) {
+                return { ok: false, error: `anthropic ${res.status}`, status: res.status };
+            }
+            return { ok: true };
+        }
+        if (service === "openai" || service === "openai-codex") {
+            const res = await fetchWithTimeout("https://api.openai.com/v1/models", {
+                method: "GET",
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                },
+            }, 10_000);
+            if (!res.ok) {
+                return { ok: false, error: `openai ${res.status}`, status: res.status };
+            }
+            return { ok: true };
+        }
+        if (service === "gemini") {
+            const res = await fetchWithTimeout(`https://generativelanguage.googleapis.com/v1beta/models?key=${encodeURIComponent(token)}`, { method: "GET" }, 10_000);
+            if (!res.ok) {
+                return { ok: false, error: `gemini ${res.status}`, status: res.status };
+            }
+            return { ok: true };
+        }
+        if (service === "github") {
+            const res = await fetchWithTimeout("https://api.github.com/user", {
+                method: "GET",
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    "User-Agent": "nexus",
+                },
+            }, 10_000);
+            if (!res.ok) {
+                return { ok: false, error: `github ${res.status}`, status: res.status };
+            }
+            return { ok: true };
+        }
+        if (service === "slack") {
+            const res = await fetchWithTimeout("https://slack.com/api/auth.test", {
+                method: "GET",
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                },
+            }, 10_000);
+            const body = (await res.json().catch(() => ({})));
+            if (!res.ok || body.ok === false) {
+                return { ok: false, error: "slack auth failed", status: res.status };
+            }
+            return { ok: true };
+        }
+        if (service === "discord") {
+            const attempt = async (auth) => {
+                const res = await fetchWithTimeout("https://discord.com/api/v10/users/@me", {
+                    method: "GET",
+                    headers: { Authorization: auth },
+                }, 10_000);
+                return res;
+            };
+            const botRes = await attempt(`Bot ${token}`);
+            if (botRes.ok)
+                return { ok: true };
+            const userRes = await attempt(`Bearer ${token}`);
+            if (userRes.ok)
+                return { ok: true };
+            return {
+                ok: false,
+                error: `discord ${userRes.status}`,
+                status: userRes.status,
+            };
+        }
+        if (service === "brave-search") {
+            const res = await fetchWithTimeout("https://api.search.brave.com/res/v1/web/search?q=nexus&count=1", {
+                method: "GET",
+                headers: {
+                    "X-Subscription-Token": token,
+                },
+            }, 10_000);
+            if (!res.ok) {
+                return {
+                    ok: false,
+                    error: `brave-search ${res.status}`,
+                    status: res.status,
+                };
+            }
+            return { ok: true };
+        }
+        if (service === "google-oauth" || service === "gog" || service === "google") {
+            const res = await fetchWithTimeout(`https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=${encodeURIComponent(token)}`, { method: "GET" }, 10_000);
+            if (!res.ok) {
+                return {
+                    ok: false,
+                    error: `google-oauth ${res.status}`,
+                    status: res.status,
+                };
+            }
+            return { ok: true };
+        }
+    }
+    catch (err) {
+        return { ok: false, error: err instanceof Error ? err.message : String(err) };
+    }
+    return { ok: true };
+}
+export async function verifyCredentials(params) {
+    const service = params.service.trim();
+    if (!service)
+        return null;
+    const entries = await listCredentialEntries();
+    const matching = entries.filter((entry) => entry.service.toLowerCase() === service.toLowerCase());
+    if (matching.length === 0)
+        return null;
+    const verifiedAt = new Date().toISOString();
+    const checked = [];
+    for (const entry of matching) {
+        const record = entry.record;
+        if (record.type === "config") {
+            checked.push({
+                account: entry.account,
+                authId: entry.authId,
+                status: "skipped",
+            });
+            continue;
+        }
+        const resolved = await resolveCredentialValue(record);
+        if (!resolved) {
+            record.lastError = "missing credential value";
+            record.lastVerified = verifiedAt;
+            await writeCredentialRecord(entry.service, entry.account, entry.authId, record);
+            checked.push({
+                account: entry.account,
+                authId: entry.authId,
+                status: "error",
+                error: "missing credential value",
+            });
+            continue;
+        }
+        const outcome = await verifyTokenAgainstApi({
+            service,
+            token: resolved.value,
+        });
+        record.lastVerified = verifiedAt;
+        record.lastError = outcome.ok ? null : outcome.error ?? "verification failed";
+        await writeCredentialRecord(entry.service, entry.account, entry.authId, record);
+        checked.push({
+            account: entry.account,
+            authId: entry.authId,
+            status: outcome.ok ? "ok" : "error",
+            error: outcome.ok ? undefined : record.lastError ?? undefined,
+        });
+    }
+    await scanCredentials();
+    const broken = checked
+        .filter((item) => item.status === "error")
+        .map((item) => ({
+        account: item.account,
+        auths: [item.authId],
+        lastError: item.error,
+    }));
+    return {
+        ok: broken.length === 0,
+        service,
+        accounts: matching.length,
+        broken,
+        checked,
+        verifiedAt,
+    };
+}