@khanglvm/outline-cli 0.1.1

package/src/entry-integrity-manifest.generated.js

@@ -0,0 +1,74 @@
+// Auto-generated by scripts/generate-entry-integrity.mjs
+export const ENTRY_INTEGRITY_MANIFEST = Object.freeze({
+  version: 1,
+  algorithm: "sha256",
+  signatureAlgorithm: "sha256-salted-manifest-v1",
+  signature: "26d0616d3f957992d3bf8ecf5a243bed9afb4bd239710449c5e2b8df56117996",
+  generatedAt: "2026-03-05T13:45:11.761Z",
+  files: [
+  {
+    "path": "src/action-gate.js",
+    "sha256": "f85adb76e6da6e1644715586b09d02bc5ab9b5bf37a29f6c207dce4cc26d6a78"
+  },
+  {
+    "path": "src/agent-skills.js",
+    "sha256": "d9ea2f000689311ecb6bfae92c469dd16a2d4f64ce84098f121cad2a24dd4529"
+  },
+  {
+    "path": "src/cli.js",
+    "sha256": "b19f98ced5aba789c860891bbc21f95d4a5443f185c6c48f00bced81eadc1acb"
+  },
+  {
+    "path": "src/config-store.js",
+    "sha256": "e0d62083c694f84895a93752738accbbd98830157227f06380ccdf8e421508fd"
+  },
+  {
+    "path": "src/entry-integrity.js",
+    "sha256": "3463fc3a3c6d0aead8e889ecce7c323b64b09ef54c772c52ff8b7266eb8c0d69"
+  },
+  {
+    "path": "src/errors.js",
+    "sha256": "45d49bbad4aaa5973fa01e176cd4c5efbddaa487692f18de698bdcad16be00a6"
+  },
+  {
+    "path": "src/outline-client.js",
+    "sha256": "2fe343f3cb1773c53fd14fad784d3ef1f5ff0e2c4c43b4a752ca9b7d5421677c"
+  },
+  {
+    "path": "src/result-store.js",
+    "sha256": "774e220493103fac4fa462a4539b9d644a06a760a73ec53d9779f7fb613d4544"
+  },
+  {
+    "path": "src/secure-keyring.js",
+    "sha256": "370d904265733f7d6b0f47b3213c7f026c95e59bc18d364dff96be90dbd7f479"
+  },
+  {
+    "path": "src/tool-arg-schemas.js",
+    "sha256": "de6f389349d6688296a8e66d2d612937f31b4fc2a0efdca085d36ec5b09cab26"
+  },
+  {
+    "path": "src/tools.extended.js",
+    "sha256": "8f29601301c7942cce8884c689916a78a22231e5f6691ecebfe09d9d4f87d6c3"
+  },
+  {
+    "path": "src/tools.js",
+    "sha256": "bfcb36045abecc758237ce9441d7e5994a4467893b09d48557749a90de424401"
+  },
+  {
+    "path": "src/tools.mutation.js",
+    "sha256": "013cee7d9815f868cca8990af39abe385239fa0f324054477d681e479605e903"
+  },
+  {
+    "path": "src/tools.navigation.js",
+    "sha256": "8cd6ad37db2ef4d8a2ddd2eea408c8ab50b5649b620680cef07bd8f3ecea7e89"
+  },
+  {
+    "path": "src/tools.platform.js",
+    "sha256": "4ddbc9a07d184fe9162a90b64ebf019d03c4edbc3067dc99e6b2a1ebcccc0afe"
+  },
+  {
+    "path": "src/utils.js",
+    "sha256": "c586c449ee51145c3cdc1fc98731acddbfb5d969255cab5064c291276e11012d"
+  }
+],
+});

package/src/entry-integrity.js

@@ -0,0 +1,112 @@
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { CliError } from "./errors.js";
+import { ENTRY_INTEGRITY_BINDING } from "./entry-integrity-binding.generated.js";
+import { ENTRY_INTEGRITY_MANIFEST } from "./entry-integrity-manifest.generated.js";
+
+const REPO_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
+
+function digestHex(value) {
+  return crypto.createHash("sha256").update(value).digest("hex");
+}
+
+function canonicalManifestInput(files) {
+  return files
+    .map((item) => ({
+      path: item.path.replace(/\\/g, "/"),
+      sha256: String(item.sha256),
+    }))
+    .sort((a, b) => a.path.localeCompare(b.path))
+    .map((item) => `${item.path}:${item.sha256}`)
+    .join("\n");
+}
+
+function signatureFor(files, keySalt) {
+  const canonical = canonicalManifestInput(files);
+  return digestHex(`${keySalt}\n${canonical}`);
+}
+
+async function hashFile(absPath) {
+  const raw = await fs.readFile(absPath);
+  return digestHex(raw);
+}
+
+function shouldSkipIntegrityCheck() {
+  const value = String(process.env.OUTLINE_CLI_SKIP_INTEGRITY_CHECK || "").trim().toLowerCase();
+  return value === "1" || value === "true" || value === "yes";
+}
+
+export async function assertEntryIntegrity(rootDir = REPO_ROOT) {
+  if (shouldSkipIntegrityCheck()) {
+    return {
+      ok: true,
+      skipped: true,
+      reason: "env-skip",
+    };
+  }
+
+  const manifest = ENTRY_INTEGRITY_MANIFEST || {};
+  const files = Array.isArray(manifest.files) ? manifest.files : [];
+  if (files.length === 0) {
+    throw new CliError("Entry integrity manifest is empty", {
+      code: "ENTRY_INTEGRITY_MANIFEST_EMPTY",
+    });
+  }
+
+  const computedSignature = signatureFor(files, ENTRY_INTEGRITY_BINDING.keySalt);
+  if (computedSignature !== manifest.signature) {
+    throw new CliError("Entry integrity signature mismatch", {
+      code: "ENTRY_INTEGRITY_SIGNATURE_MISMATCH",
+      expected: manifest.signature,
+      actual: computedSignature,
+      keyId: ENTRY_INTEGRITY_BINDING.keyId,
+    });
+  }
+
+  const mismatches = [];
+  for (const item of files) {
+    const relPath = item.path.replace(/\\/g, "/");
+    const absPath = path.resolve(rootDir, relPath);
+    try {
+      const actual = await hashFile(absPath);
+      if (actual !== item.sha256) {
+        mismatches.push({
+          path: relPath,
+          expected: item.sha256,
+          actual,
+        });
+      }
+    } catch (err) {
+      mismatches.push({
+        path: relPath,
+        expected: item.sha256,
+        actual: null,
+        error: err?.message || String(err),
+      });
+    }
+  }
+
+  if (mismatches.length > 0) {
+    throw new CliError("Entry integrity check failed; one or more sub-modules do not match build-time state", {
+      code: "ENTRY_SUBMODULE_INTEGRITY_FAILED",
+      mismatchCount: mismatches.length,
+      mismatches,
+    });
+  }
+
+  return {
+    ok: true,
+    checkedFiles: files.length,
+    keyId: ENTRY_INTEGRITY_BINDING.keyId,
+  };
+}
+
+export function signManifestFiles(files, keySalt) {
+  return signatureFor(files, keySalt);
+}
+
+export function normalizeManifestFiles(files) {
+  return canonicalManifestInput(files);
+}

package/src/errors.js

@@ -0,0 +1,15 @@
+export class CliError extends Error {
+  constructor(message, details = {}) {
+    super(message);
+    this.name = "CliError";
+    this.details = details;
+  }
+}
+
+export class ApiError extends Error {
+  constructor(message, details = {}) {
+    super(message);
+    this.name = "ApiError";
+    this.details = details;
+  }
+}

package/src/outline-client.js

@@ -0,0 +1,237 @@
+import { ApiError } from "./errors.js";
+import { sleep } from "./utils.js";
+
+export class OutlineClient {
+  #tokenState = null;
+
+  constructor(profile) {
+    this.profile = profile;
+    this.baseApiUrl = `${profile.baseUrl.replace(/\/+$/, "")}/api`;
+    this.timeoutMs = profile.timeoutMs || 30000;
+  }
+
+  async call(method, body = {}, options = {}) {
+    const apiMethod = method.startsWith("/") ? method.slice(1) : method;
+    const url = `${this.baseApiUrl}/${apiMethod}`;
+    const maxAttempts = Math.max(1, options.maxAttempts || 1);
+
+    let lastErr;
+    for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+      try {
+        return await this.#callOnce(url, body, options);
+      } catch (err) {
+        lastErr = err;
+        const shouldRetry =
+          err instanceof ApiError &&
+          (err.details.status === 429 || err.details.status >= 500) &&
+          attempt < maxAttempts;
+
+        if (!shouldRetry) {
+          throw err;
+        }
+
+        const retryAfter = Number(err.details.retryAfter || 0);
+        const waitMs = retryAfter > 0 ? retryAfter * 1000 : attempt * 400;
+        await sleep(waitMs);
+      }
+    }
+
+    throw lastErr;
+  }
+
+  async #callOnce(url, body, options) {
+    const bodyType = options.bodyType === "multipart" ? "multipart" : "json";
+    const requestBody = this.#buildRequestBody(bodyType, body);
+    const headers = await this.#buildHeaders(options.headers || {}, { bodyType });
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+
+    let res;
+    try {
+      res = await fetch(url, {
+        method: "POST",
+        headers,
+        body: requestBody,
+        signal: controller.signal,
+      });
+    } catch (err) {
+      if (err.name === "AbortError") {
+        throw new ApiError(`Request timeout after ${this.timeoutMs}ms`, {
+          status: 408,
+          url,
+        });
+      }
+      throw new ApiError(`Network error: ${err.message}`, {
+        status: 503,
+        url,
+      });
+    } finally {
+      clearTimeout(timeout);
+    }
+
+    const text = await res.text();
+    let parsed;
+    try {
+      parsed = text ? JSON.parse(text) : {};
+    } catch {
+      parsed = { ok: false, message: text || "Non-JSON response" };
+    }
+
+    if (!res.ok || parsed?.ok === false) {
+      const status = parsed?.status || res.status;
+      const retryAfter = res.headers.get("retry-after");
+      throw new ApiError(parsed?.message || parsed?.error || res.statusText, {
+        status,
+        retryAfter,
+        body: parsed,
+        url,
+      });
+    }
+
+    return {
+      ok: true,
+      status: res.status,
+      headers: Object.fromEntries(res.headers.entries()),
+      body: parsed,
+    };
+  }
+
+  #buildRequestBody(bodyType, body) {
+    if (bodyType === "multipart") {
+      if (body instanceof FormData) {
+        return body;
+      }
+
+      const form = new FormData();
+      if (body && typeof body === "object") {
+        const keys = Object.keys(body).sort((a, b) => a.localeCompare(b));
+        for (const key of keys) {
+          const value = body[key];
+          if (value === undefined) {
+            continue;
+          }
+          if (value instanceof Blob) {
+            form.append(key, value);
+            continue;
+          }
+          if (value && typeof value === "object") {
+            form.append(key, JSON.stringify(value));
+            continue;
+          }
+          form.append(key, String(value));
+        }
+      }
+
+      return form;
+    }
+
+    return JSON.stringify(body || {});
+  }
+
+  async #buildHeaders(extraHeaders, { bodyType = "json" } = {}) {
+    const headers = {
+      Accept: "application/json",
+      ...this.profile.headers,
+      ...extraHeaders,
+    };
+    const existingContentTypeKey = Object.keys(headers).find((key) => key.toLowerCase() === "content-type");
+
+    if (bodyType === "multipart") {
+      if (existingContentTypeKey) {
+        delete headers[existingContentTypeKey];
+      }
+    } else if (!existingContentTypeKey) {
+      headers["Content-Type"] = "application/json";
+    }
+
+    const auth = this.profile.auth || {};
+    if (auth.type === "apiKey") {
+      headers.Authorization = `Bearer ${auth.apiKey}`;
+      return headers;
+    }
+
+    if (auth.type === "basic") {
+      headers.Authorization = `Basic ${Buffer.from(`${auth.username}:${auth.password}`).toString("base64")}`;
+      return headers;
+    }
+
+    if (auth.type === "password") {
+      if (!auth.tokenEndpoint) {
+        headers.Authorization = `Basic ${Buffer.from(`${auth.username}:${auth.password}`).toString("base64")}`;
+        return headers;
+      }
+
+      const token = await this.#getPasswordToken();
+      headers.Authorization = `Bearer ${token}`;
+      return headers;
+    }
+
+    throw new ApiError(`Unsupported auth type: ${auth.type}`, { status: 400 });
+  }
+
+  async #getPasswordToken() {
+    if (this.#tokenState && this.#tokenState.expiresAt > Date.now() + 15_000) {
+      return this.#tokenState.token;
+    }
+
+    const auth = this.profile.auth;
+    const endpoint = auth.tokenEndpoint;
+    const body = {
+      username: auth.username,
+      password: auth.password,
+      ...(auth.tokenRequestBody || {}),
+    };
+
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    let res;
+    try {
+      res = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          Accept: "application/json",
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify(body),
+        signal: controller.signal,
+      });
+    } catch (err) {
+      if (err.name === "AbortError") {
+        throw new ApiError(`Token request timeout after ${this.timeoutMs}ms`, {
+          status: 408,
+          endpoint,
+        });
+      }
+      throw new ApiError(`Token request failed: ${err.message}`, {
+        status: 503,
+        endpoint,
+      });
+    } finally {
+      clearTimeout(timeout);
+    }
+
+    const payload = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      throw new ApiError(payload?.message || payload?.error || "Failed token exchange", {
+        status: res.status,
+        body: payload,
+      });
+    }
+
+    const token = payload?.[auth.tokenField || "access_token"];
+    if (!token) {
+      throw new ApiError(`Token field not found: ${auth.tokenField || "access_token"}`, {
+        status: 500,
+        body: payload,
+      });
+    }
+
+    const expiresIn = Number(payload?.expires_in || 3600);
+    this.#tokenState = {
+      token,
+      expiresAt: Date.now() + Math.max(30, expiresIn) * 1000,
+    };
+
+    return token;
+  }
+}

package/src/result-store.js

@@ -0,0 +1,183 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { defaultTmpDir } from "./config-store.js";
+import { sanitizeFileToken } from "./utils.js";
+
+export class ResultStore {
+  constructor(options = {}) {
+    this.tmpDir = options.tmpDir || defaultTmpDir();
+    this.mode = options.mode || "auto";
+    this.inlineMaxBytes = Number(options.inlineMaxBytes || 12_000);
+    this.pretty = !!options.pretty;
+  }
+
+  async emit(value, opts = {}) {
+    const pretty = opts.pretty ?? this.pretty;
+    const serialized = JSON.stringify(value, null, pretty ? 2 : 0);
+    const bytes = Buffer.byteLength(serialized);
+    const mode = opts.mode || this.mode;
+    const shouldStore =
+      mode === "file" || (mode === "auto" && bytes > this.inlineMaxBytes);
+
+    if (!shouldStore) {
+      process.stdout.write(`${serialized}\n`);
+      return { stored: false, bytes };
+    }
+
+    const file = await this.write(value, {
+      label: opts.label,
+      ext: opts.ext,
+      pretty,
+    });
+    const preview = this.preview(value);
+
+    const envelope = {
+      ok: true,
+      stored: true,
+      file,
+      bytes,
+      preview,
+      hint: `Use shell tools to inspect file, e.g. jq '.' ${JSON.stringify(file)} | head`,
+    };
+
+    process.stdout.write(`${JSON.stringify(envelope, null, pretty ? 2 : 0)}\n`);
+    return { stored: true, file, bytes };
+  }
+
+  async write(value, opts = {}) {
+    await fs.mkdir(this.tmpDir, { recursive: true });
+    const ts = new Date().toISOString().replace(/[:.]/g, "-");
+    const label = sanitizeFileToken(opts.label || "result");
+    const ext = opts.ext || "json";
+    const name = `${ts}-${label}.${ext}`;
+    const file = path.join(this.tmpDir, name);
+    const payload = JSON.stringify(value, null, opts.pretty ? 2 : 0);
+    await fs.writeFile(file, `${payload}\n`, "utf8");
+    return file;
+  }
+
+  async list() {
+    await fs.mkdir(this.tmpDir, { recursive: true });
+    const entries = await fs.readdir(this.tmpDir, { withFileTypes: true });
+    const files = [];
+
+    for (const entry of entries) {
+      if (!entry.isFile()) {
+        continue;
+      }
+      const fullPath = path.join(this.tmpDir, entry.name);
+      const stat = await fs.stat(fullPath);
+      files.push({
+        name: entry.name,
+        file: fullPath,
+        bytes: stat.size,
+        modifiedAt: stat.mtime.toISOString(),
+      });
+    }
+
+    files.sort((a, b) => (a.modifiedAt < b.modifiedAt ? 1 : -1));
+    return files;
+  }
+
+  async read(filePath) {
+    const full = this.resolve(filePath);
+    const content = await fs.readFile(full, "utf8");
+    return { file: full, content };
+  }
+
+  async remove(filePath) {
+    const full = this.resolve(filePath);
+    await fs.rm(full, { force: true });
+    return { file: full, removed: true };
+  }
+
+  async gc(maxAgeHours = 24) {
+    const now = Date.now();
+    const cutoff = now - maxAgeHours * 3600 * 1000;
+    const files = await this.list();
+    const removed = [];
+
+    for (const item of files) {
+      if (Date.parse(item.modifiedAt) > cutoff) {
+        continue;
+      }
+      await fs.rm(item.file, { force: true });
+      removed.push(item.file);
+    }
+
+    return {
+      removed,
+      removedCount: removed.length,
+      keptCount: files.length - removed.length,
+    };
+  }
+
+  resolve(filePath) {
+    if (!filePath) {
+      throw new Error("file path is required");
+    }
+
+    const root = path.resolve(this.tmpDir);
+    const target = path.isAbsolute(filePath) ? path.resolve(filePath) : path.resolve(root, filePath);
+    const relative = path.relative(root, target);
+    const outsideRoot = relative.startsWith("..") || path.isAbsolute(relative);
+
+    if (outsideRoot) {
+      throw new Error(`Refusing to access path outside tmp dir: ${target}`);
+    }
+
+    return target;
+  }
+
+  preview(value, opts = {}) {
+    const maxDepth = Math.max(0, Number(opts.maxDepth ?? 2));
+    const maxArrayItems = Math.max(1, Number(opts.maxArrayItems ?? 3));
+    const maxObjectKeys = Math.max(1, Number(opts.maxObjectKeys ?? 12));
+    const maxString = Math.max(16, Number(opts.maxString ?? 160));
+
+    const walk = (input, depth) => {
+      if (input === null || input === undefined) {
+        return input;
+      }
+
+      if (typeof input === "string") {
+        return input.length > maxString ? `${input.slice(0, maxString)}...` : input;
+      }
+
+      if (typeof input !== "object") {
+        return input;
+      }
+
+      if (Array.isArray(input)) {
+        if (depth >= maxDepth) {
+          return { type: "array", count: input.length };
+        }
+        const items = input.slice(0, maxArrayItems).map((item) => walk(item, depth + 1));
+        if (input.length > maxArrayItems) {
+          items.push({ truncatedItems: input.length - maxArrayItems });
+        }
+        return items;
+      }
+
+      const keys = Object.keys(input);
+      if (depth >= maxDepth) {
+        return {
+          type: "object",
+          keyCount: keys.length,
+          keys: keys.slice(0, maxObjectKeys),
+        };
+      }
+
+      const out = {};
+      for (const key of keys.slice(0, maxObjectKeys)) {
+        out[key] = walk(input[key], depth + 1);
+      }
+      if (keys.length > maxObjectKeys) {
+        out.truncatedKeys = keys.length - maxObjectKeys;
+      }
+      return out;
+    };
+
+    return walk(value, 0);
+  }
+}