@jfrog/opencode-jfrog-plugin 0.0.3 → 0.0.4

package/skills/jfrog/scripts/check-environment.sh

@@ -0,0 +1,224 @@
+#!/usr/bin/env bash
+# check-environment.sh — Cached JFrog CLI environment check
+#
+# Checks if jf is installed and its version, using a 24h-TTL cache
+# at ${JFROG_CLI_HOME_DIR:-$HOME/.jfrog}/skills-cache/jfrog-skill-state.json
+# to avoid redundant checks. The skills-cache/ dir holds only this file and
+# the OneModel schema cache — not temp API output.
+#
+# Usage:
+#   bash check-environment.sh [<model-slug>] [--force]
+#
+# stdout: bare JFROG_CLI_USER_AGENT value (one line) — agent captures it
+#         and runs `export JFROG_CLI_USER_AGENT='<v>'` once at the top of
+#         every bash invocation that calls jf
+# stderr: JSON state (informational, also written to cache file)
+#
+# Exit codes:
+#   0 — cache fresh, CLI ready
+#   1 — cache refreshed, CLI ready
+#   2 — jf not installed
+#   3 — jf below MIN_CLI_VERSION (required for `jf api`)
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SKILL_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+JFROG_HOME="${JFROG_CLI_HOME_DIR:-$HOME/.jfrog}"
+CACHE_DIR="$JFROG_HOME/skills-cache"
+CACHE_FILE="$CACHE_DIR/jfrog-skill-state.json"
+DEFAULT_TTL_HOURS=24
+FORCE=false
+
+# Minimum jf CLI version required by this skill. `jf api` (the generic
+# authenticated REST pass-through used by nearly every reference in this
+# skill) landed in 2.100.0; older CLIs fail with "unknown command: api".
+MIN_CLI_VERSION="2.100.0"
+
+MODEL_SLUG=""
+for arg in "$@"; do
+  if [[ "$arg" == "--force" ]]; then
+    FORCE=true
+  elif [[ -z "$MODEL_SLUG" ]]; then
+    MODEL_SLUG="$arg"
+  fi
+done
+
+now_epoch() {
+  date -u +%s
+}
+
+iso_now() {
+  date -u '+%Y-%m-%dT%H:%M:%SZ'
+}
+
+# Returns 0 if $1 is strictly less than $2 (semver via sort -V).
+version_lt() {
+  [[ "$1" == "$2" ]] && return 1
+  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -1)" == "$1" ]]
+}
+
+emit_min_version_error() {
+  local v="$1"
+  cat >&2 <<EOF
+{"error": "jf CLI $v is below minimum $MIN_CLI_VERSION required by this skill (needed for 'jf api'). See references/jfrog-cli-install-upgrade.md."}
+EOF
+}
+
+is_cache_fresh() {
+  if [[ ! -f "$CACHE_FILE" ]]; then
+    return 1
+  fi
+
+  if ! command -v jq &>/dev/null; then
+    return 1
+  fi
+
+  local checked_at ttl_hours checked_epoch now ttl_seconds age
+  checked_at=$(jq -r '.checked_at // empty' "$CACHE_FILE" 2>/dev/null) || return 1
+  ttl_hours=$(jq -r '.ttl_hours // 24' "$CACHE_FILE" 2>/dev/null) || return 1
+
+  if [[ -z "$checked_at" ]]; then
+    return 1
+  fi
+
+  # Parse ISO timestamp to epoch (portable: try GNU date, then BSD date)
+  if checked_epoch=$(date -d "$checked_at" +%s 2>/dev/null); then
+    : # GNU date succeeded
+  elif checked_epoch=$(date -jf '%Y-%m-%dT%H:%M:%SZ' "$checked_at" +%s 2>/dev/null); then
+    : # BSD date succeeded
+  else
+    return 1
+  fi
+
+  now=$(now_epoch)
+  ttl_seconds=$((ttl_hours * 3600))
+  age=$((now - checked_epoch))
+
+  if (( age < ttl_seconds )); then
+    return 0
+  fi
+  return 1
+}
+
+check_cli() {
+  local cli_path cli_version
+
+  if ! cli_path=$(command -v jf 2>/dev/null); then
+    echo '{"cli_installed": false}' >&2
+    return 2
+  fi
+
+  cli_version=$(jf --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' || echo "unknown")
+
+  # Check for latest version (best-effort, non-blocking)
+  local latest_version="unknown"
+  if command -v curl &>/dev/null; then
+    latest_version=$(curl -sf --max-time 5 "https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/" 2>/dev/null \
+      | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -1 || echo "unknown")
+  fi
+
+  local meets_minimum="true"
+  if [[ "$cli_version" == "unknown" ]] || version_lt "$cli_version" "$MIN_CLI_VERSION"; then
+    meets_minimum="false"
+  fi
+
+  mkdir -p "$CACHE_DIR"
+  local state
+  state=$(cat <<EOF
+{
+  "checked_at": "$(iso_now)",
+  "ttl_hours": $DEFAULT_TTL_HOURS,
+  "cli_installed": true,
+  "cli_path": "$cli_path",
+  "cli_version": "$cli_version",
+  "minimum_version": "$MIN_CLI_VERSION",
+  "meets_minimum_version": $meets_minimum,
+  "latest_version_available": "$latest_version"
+}
+EOF
+)
+  echo "$state" > "$CACHE_FILE"
+  echo "$state" >&2
+  return 1
+}
+
+# Detect the calling harness from environment signals. Output is one of:
+# claude, cursor, gemini, goose, copilot, codex, unknown — or empty
+# string when no agent signal is present (direct CLI/CI invocation).
+# Naming matches the JFrog CLI's DetectExecutionContext() vocabulary.
+detect_harness() {
+  if [[ -n "${CLAUDECODE:-}" || -n "${CLAUDE_CODE_ENTRYPOINT:-}" ]]; then
+    echo "claude"
+  elif [[ -n "${CURSOR_AGENT:-}" || -n "${CURSOR_CLI:-}" || -n "${CURSOR_TRACE_ID:-}" ]]; then
+    echo "cursor"
+  elif [[ -n "${GEMINI_CLI:-}" ]]; then
+    echo "gemini"
+  elif [[ -n "${GOOSE_TERMINAL:-}" ]]; then
+    echo "goose"
+  elif [[ -n "${COPILOT_CLI:-}" ]]; then
+    echo "copilot"
+  elif [[ -n "${CODEX_CI:-}" || -n "${CODEX_THREAD_ID:-}" || -n "${CODEX_SANDBOX:-}" ]]; then
+    echo "codex"
+  elif [[ -n "${AGENT:-}" || -n "$MODEL_SLUG" ]]; then
+    # Agent invoked us but we can't name it.
+    echo "unknown"
+  fi
+  # No match → print nothing; emitter omits the parens block entirely.
+}
+
+# Emit skill-level env vars to stdout (for eval by the caller)
+emit_skill_env() {
+  local skill_version cli_version ua harness
+  # Parse version from SKILL.md YAML frontmatter (metadata.version)
+  skill_version="$(awk '/^---$/{n++; next} n==1 && /^[[:space:]]*version:/{gsub(/["'"'"']/, "", $2); print $2; exit}' "$SKILL_ROOT/SKILL.md" 2>/dev/null | tr -d '[:space:]')"
+  skill_version="${skill_version:-unknown}"
+  cli_version=$(jq -r '.cli_version // "unknown"' "$CACHE_FILE" 2>/dev/null || echo "unknown")
+  harness=$(detect_harness)
+  # Build the parens block: semicolon-separated key=value pairs.
+  local meta=""
+  if [[ -n "$harness" ]]; then
+    meta="tool=${harness}"
+  fi
+  if [[ -n "$MODEL_SLUG" ]]; then
+    if [[ -n "$meta" ]]; then
+      meta="${meta}; model=${MODEL_SLUG}"
+    else
+      meta="model=${MODEL_SLUG}"
+    fi
+  fi
+  ua="jfrog-skills/${skill_version}"
+  if [[ -n "$meta" ]]; then
+    ua="${ua} (${meta})"
+  fi
+  ua="${ua} jfrog-cli-go/${cli_version}"
+  printf '%s\n' "$ua"
+}
+
+# Main
+if [[ "$FORCE" == "false" ]] && is_cache_fresh; then
+  cat "$CACHE_FILE" >&2
+  # Re-evaluate the minimum on every run so a bumped MIN_CLI_VERSION
+  # is enforced without waiting for the 24h cache to expire.
+  cached_version=$(jq -r '.cli_version // "unknown"' "$CACHE_FILE" 2>/dev/null)
+  if [[ "$cached_version" != "unknown" ]] && version_lt "$cached_version" "$MIN_CLI_VERSION"; then
+    emit_min_version_error "$cached_version"
+    exit 3
+  fi
+  emit_skill_env
+  exit 0
+fi
+
+check_cli || exit_code=$?
+exit_code=${exit_code:-0}
+if (( exit_code == 2 )); then
+  exit 2
+fi
+
+refreshed_version=$(jq -r '.cli_version // "unknown"' "$CACHE_FILE" 2>/dev/null)
+if [[ "$refreshed_version" != "unknown" ]] && version_lt "$refreshed_version" "$MIN_CLI_VERSION"; then
+  emit_min_version_error "$refreshed_version"
+  exit 3
+fi
+emit_skill_env
+exit 1

package/skills/jfrog/scripts/jfrog-login-register-session.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# jfrog-login-register-session.sh — Verify a JFrog server and start a web login session
+#
+# Pings the server, generates a session UUID, and registers it with
+# the Access API for browser-based authentication (bootstrap HTTP via
+# `jf api --url`).
+#
+# Usage:
+#   bash jfrog-login-register-session.sh <platform-url>
+#
+# Arguments:
+#   platform-url  — Full JFrog Platform URL (e.g. https://mycompany.jfrog.io)
+#
+# Output (stdout, one key=value per line):
+#   SESSION_UUID=<uuid>
+#   VERIFY_CODE=<last 4 chars of uuid>
+#
+# Exit codes:
+#   0 — Session registered successfully
+#   1 — Missing arguments or prerequisites
+#   2 — Server not reachable (ping failed)
+#   3 — Session registration request failed
+
+set -euo pipefail
+
+jf_api_http_status() {
+  # Parses "Http Status: NNN" from jf api stderr.
+  local err_file="$1"
+  local line
+  line=$(grep -F 'Http Status:' "$err_file" 2>/dev/null | tail -1 || true)
+  if [[ "$line" =~ Http\ Status:\ ([0-9]+) ]]; then
+    echo "${BASH_REMATCH[1]}"
+  else
+    echo "0"
+  fi
+}
+
+JFROG_PLATFORM_URL="${1:-}"
+
+if [[ -z "$JFROG_PLATFORM_URL" ]]; then
+  echo "Usage: bash $0 <platform-url>" >&2
+  exit 1
+fi
+
+JFROG_PLATFORM_URL="${JFROG_PLATFORM_URL%/}"
+
+if ! command -v jf &>/dev/null; then
+  echo "ERROR: jf is not installed" >&2
+  exit 1
+fi
+
+if ! command -v uuidgen &>/dev/null; then
+  echo "ERROR: uuidgen is not installed" >&2
+  exit 1
+fi
+
+TMPERR="$(mktemp)"
+trap 'rm -f "$TMPERR"' EXIT
+
+# Verify server is reachable (unauthenticated ping)
+if ! jf api /artifactory/api/system/ping --url "$JFROG_PLATFORM_URL" >/dev/null 2>"$TMPERR"; then
+  PING_CODE=$(jf_api_http_status "$TMPERR")
+  echo "ERROR: Server not reachable at ${JFROG_PLATFORM_URL} (HTTP ${PING_CODE})" >&2
+  exit 2
+fi
+
+# Generate session UUID
+SESSION_UUID=$(uuidgen | tr '[:upper:]' '[:lower:]')
+VERIFY_CODE=${SESSION_UUID: -4}
+
+# Register the session with the Access API
+: >"$TMPERR"
+if ! jf api /access/api/v2/authentication/jfrog_client_login/request \
+  --url "$JFROG_PLATFORM_URL" \
+  -X POST \
+  -H "Content-Type: application/json" \
+  -d "{\"session\":\"${SESSION_UUID}\"}" >/dev/null 2>"$TMPERR"; then
+  REG_CODE=$(jf_api_http_status "$TMPERR")
+  echo "ERROR: Session registration failed (HTTP ${REG_CODE})" >&2
+  exit 3
+fi
+
+echo "SESSION_UUID=${SESSION_UUID}"
+echo "VERIFY_CODE=${VERIFY_CODE}"

package/skills/jfrog/scripts/jfrog-login-save-credentials.sh

@@ -0,0 +1,128 @@
+#!/usr/bin/env bash
+# jfrog-login-save-credentials.sh — Complete web login by retrieving token and saving credentials
+#
+# Retrieves the one-time access token from a completed web login session,
+# derives a server ID, saves the configuration via jf config, and verifies.
+# Bootstrap token exchange uses `jf api --url` (before any server exists in
+# `jf config`); verification uses `jf api` with --server-id.
+#
+# Leaves the current default `jf` server unchanged. Subsequent calls should
+# pass `--server-id=<id>` explicitly (the SKILL.md "Server selection rules"
+# require this anyway).
+#
+# IMPORTANT: The token endpoint is one-time-use. If this script fails after
+# consuming the token (e.g. jf config write blocked by sandbox), the session
+# is burned and login must restart from register-session.
+#
+# Usage:
+#   bash jfrog-login-save-credentials.sh <platform-url> <session-uuid>
+#
+# Arguments:
+#   platform-url  — Full JFrog Platform URL (e.g. https://mycompany.jfrog.io)
+#   session-uuid  — Session UUID from jfrog-login-register-session.sh output
+#
+# Output (stdout):
+#   SERVER_ID=<derived-server-id>
+#   Followed by the Artifactory version JSON on success.
+#
+# Exit codes:
+#   0 — Login succeeded, credentials saved and verified
+#   1 — Missing arguments or prerequisites
+#   2 — Token retrieval failed (user may not have completed browser login)
+#   3 — Empty token in response
+#   4 — jf config save or verification failed
+
+set -euo pipefail
+
+jf_api_http_status() {
+  local err_file="$1"
+  local line
+  line=$(grep -F 'Http Status:' "$err_file" 2>/dev/null | tail -1 || true)
+  if [[ "$line" =~ Http\ Status:\ ([0-9]+) ]]; then
+    echo "${BASH_REMATCH[1]}"
+  else
+    echo "0"
+  fi
+}
+
+JFROG_PLATFORM_URL="${1:-}"
+SESSION_UUID="${2:-}"
+
+if [[ -z "$JFROG_PLATFORM_URL" || -z "$SESSION_UUID" ]]; then
+  echo "Usage: bash $0 <platform-url> <session-uuid>" >&2
+  exit 1
+fi
+
+JFROG_PLATFORM_URL="${JFROG_PLATFORM_URL%/}"
+
+for cmd in jq jf; do
+  if ! command -v "$cmd" &>/dev/null; then
+    echo "ERROR: ${cmd} is not installed" >&2
+    exit 1
+  fi
+done
+
+# Derive server ID from URL
+# SaaS:        https://mycompany.jfrog.io  → mycompany
+# Self-hosted:  https://artifactory.internal.corp → artifactory-internal-corp
+JFROG_HOST=$(echo "$JFROG_PLATFORM_URL" | \
+  sed 's|^[a-z]*://||' | sed 's|\.jfrog\.io.*||' | sed 's|[./]|-|g')
+
+# Retrieve the one-time token (stdout = JSON body; stderr = jf status lines)
+RESP_FILE="/tmp/jf-login-resp-$$.json"
+STDERR_FILE="/tmp/jf-login-err-$$.txt"
+trap 'rm -f "$RESP_FILE" "$STDERR_FILE"' EXIT
+
+: >"$STDERR_FILE"
+set +e
+jf api "/access/api/v2/authentication/jfrog_client_login/token/${SESSION_UUID}" \
+  --url "$JFROG_PLATFORM_URL" \
+  >"$RESP_FILE" 2>"$STDERR_FILE"
+api_exit=$?
+set -e
+
+HTTP_CODE=$(jf_api_http_status "$STDERR_FILE")
+if [[ "$HTTP_CODE" == "0" ]]; then
+  HTTP_CODE=$(jf_api_http_status "$RESP_FILE")
+fi
+
+if (( api_exit != 0 )); then
+  echo "ERROR: Token retrieval failed (HTTP ${HTTP_CODE}, exit ${api_exit})." >&2
+  if [[ "$HTTP_CODE" == "400" ]]; then
+    echo "The user may not have completed the browser login yet." >&2
+  fi
+  exit 2
+fi
+
+ACCESS_TOKEN=$(grep -v '\[Info\]' "$RESP_FILE" | jq -r '.access_token // empty')
+
+if [[ -z "$ACCESS_TOKEN" ]]; then
+  echo "ERROR: Response contained no access token. Login must restart from step 1." >&2
+  exit 3
+fi
+
+# Save credentials to jf config (writes to ~/.jfrog/, needs unrestricted filesystem)
+jf config remove "$JFROG_HOST" --quiet 2>/dev/null || true
+
+if ! jf config add "$JFROG_HOST" \
+  --url="$JFROG_PLATFORM_URL" \
+  --access-token="$ACCESS_TOKEN" \
+  --interactive=false 2>/dev/null; then
+  echo "ERROR: Failed to save credentials with jf config add." >&2
+  echo "This may be caused by sandbox restrictions on ~/.jfrog/ writes." >&2
+  exit 4
+fi
+
+echo "SERVER_ID=${JFROG_HOST}"
+
+echo "--- Verifying authentication ---"
+if ! jf api "/artifactory/api/system/version" --server-id="$JFROG_HOST"; then
+  echo "ERROR: Authentication verification failed. Token may not have saved correctly." >&2
+  exit 4
+fi
+
+echo
+echo "NEXT (mandatory): ask the user whether to make '${JFROG_HOST}' the default jf server."
+echo "  - If yes: run 'jf config use ${JFROG_HOST}'"
+echo "  - If no:  pass '--server-id=${JFROG_HOST}' on every subsequent jf call"
+echo "Do not start any other JFrog operation against this server until this question is asked and answered."