npm - @kuckit/cli-auth-module - Versions diffs - 1.0.0 - Mend

@kuckit/cli-auth-module 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/client/index.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { KuckitClientModuleContext } from "@kuckit/sdk-react";
+import * as react_jsx_runtime0 from "react/jsx-runtime";
+//#region src/client/pages/ActivatePage.d.ts
+declare function ActivatePage(): react_jsx_runtime0.JSX.Element;
+//#endregion
+//#region src/client/index.d.ts
+declare const kuckitClientModule: {
+  id: string;
+  displayName: string;
+  version: string;
+  register(ctx: KuckitClientModuleContext): void;
+};
+//#endregion
+export { ActivatePage, kuckitClientModule };
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.js ADDED Viewed

@@ -0,0 +1,178 @@
+import { defineKuckitClientModule, useRpc } from "@kuckit/sdk-react";
+import { useState } from "react";
+import { jsx, jsxs } from "react/jsx-runtime";
+//#region src/client/pages/ActivatePage.tsx
+function formatUserCode(value) {
+	const cleaned = value.toUpperCase().replace(/[^A-Z0-9]/g, "");
+	if (cleaned.length <= 4) return cleaned;
+	return `${cleaned.slice(0, 4)}-${cleaned.slice(4, 8)}`;
+}
+function ActivatePage() {
+	const rpc = useRpc();
+	const [userCode, setUserCode] = useState("");
+	const [state, setState] = useState("idle");
+	const [message, setMessage] = useState("");
+	const handleChange = (e) => {
+		setUserCode(formatUserCode(e.target.value));
+	};
+	const handleSubmit = async (e) => {
+		e.preventDefault();
+		if (userCode.replace(/-/g, "").length !== 8) {
+			setState("error");
+			setMessage("Please enter a valid 8-character code");
+			return;
+		}
+		setState("loading");
+		setMessage("");
+		try {
+			const result = await rpc.cliDevice.approve({ userCode });
+			if (result.success) {
+				setState("success");
+				setMessage("Device authorized successfully! You can close this window and return to your terminal.");
+			} else {
+				setState("error");
+				setMessage(result.message || "Failed to authorize device. Please check the code and try again.");
+			}
+		} catch (error) {
+			console.error("Device activation error:", error);
+			if (error instanceof Error && error.message.includes("401")) {
+				window.location.href = "/sign-in?redirect=/cli/activate";
+				return;
+			}
+			setState("error");
+			setMessage("Network error. Please try again.");
+		}
+	};
+	return /* @__PURE__ */ jsx("div", {
+		className: "min-h-screen bg-[#0a0a0b] flex items-center justify-center p-6",
+		children: /* @__PURE__ */ jsx("div", {
+			className: "w-full max-w-md",
+			children: /* @__PURE__ */ jsxs("div", {
+				className: "bg-white/5 border border-white/10 rounded-2xl p-8",
+				children: [
+					/* @__PURE__ */ jsxs("div", {
+						className: "text-center mb-8",
+						children: [
+							/* @__PURE__ */ jsx("div", {
+								className: "w-12 h-12 rounded-xl bg-gradient-to-br from-emerald-400 to-teal-500 flex items-center justify-center mx-auto mb-4",
+								children: /* @__PURE__ */ jsx("svg", {
+									className: "w-6 h-6 text-black",
+									fill: "none",
+									stroke: "currentColor",
+									viewBox: "0 0 24 24",
+									children: /* @__PURE__ */ jsx("path", {
+										strokeLinecap: "round",
+										strokeLinejoin: "round",
+										strokeWidth: 2,
+										d: "M8 9l3 3-3 3m5 0h3M5 20h14a2 2 0 002-2V6a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z"
+									})
+								})
+							}),
+							/* @__PURE__ */ jsx("h1", {
+								className: "text-2xl font-bold text-white mb-2",
+								children: "Activate CLI Access"
+							}),
+							/* @__PURE__ */ jsx("p", {
+								className: "text-white/60 text-sm",
+								children: "Enter the code displayed in your terminal to authorize CLI access"
+							})
+						]
+					}),
+					state === "success" ? /* @__PURE__ */ jsxs("div", {
+						className: "text-center",
+						children: [
+							/* @__PURE__ */ jsx("div", {
+								className: "w-16 h-16 rounded-full bg-emerald-500/20 flex items-center justify-center mx-auto mb-4",
+								children: /* @__PURE__ */ jsx("svg", {
+									className: "w-8 h-8 text-emerald-400",
+									fill: "none",
+									stroke: "currentColor",
+									viewBox: "0 0 24 24",
+									children: /* @__PURE__ */ jsx("path", {
+										strokeLinecap: "round",
+										strokeLinejoin: "round",
+										strokeWidth: 2,
+										d: "M5 13l4 4L19 7"
+									})
+								})
+							}),
+							/* @__PURE__ */ jsx("p", {
+								className: "text-emerald-400 font-medium mb-2",
+								children: "Success!"
+							}),
+							/* @__PURE__ */ jsx("p", {
+								className: "text-white/60 text-sm",
+								children: message
+							})
+						]
+					}) : /* @__PURE__ */ jsxs("form", {
+						onSubmit: handleSubmit,
+						children: [
+							/* @__PURE__ */ jsxs("div", {
+								className: "mb-6",
+								children: [/* @__PURE__ */ jsx("label", {
+									htmlFor: "userCode",
+									className: "block text-sm font-medium text-white/80 mb-2",
+									children: "Activation Code"
+								}), /* @__PURE__ */ jsx("input", {
+									id: "userCode",
+									type: "text",
+									value: userCode,
+									onChange: handleChange,
+									placeholder: "XXXX-XXXX",
+									maxLength: 9,
+									disabled: state === "loading",
+									className: "w-full px-4 py-3 rounded-xl bg-white/5 border border-white/10 text-white text-center text-2xl font-mono tracking-widest placeholder:text-white/20 focus:outline-none focus:border-emerald-500/50 focus:ring-2 focus:ring-emerald-500/20 transition-all disabled:opacity-50",
+									autoComplete: "off",
+									autoFocus: true
+								})]
+							}),
+							state === "error" && message && /* @__PURE__ */ jsx("div", {
+								className: "mb-4 p-3 rounded-lg bg-red-500/10 border border-red-500/20",
+								children: /* @__PURE__ */ jsx("p", {
+									className: "text-red-400 text-sm text-center",
+									children: message
+								})
+							}),
+							/* @__PURE__ */ jsx("button", {
+								type: "submit",
+								disabled: state === "loading" || userCode.replace(/-/g, "").length !== 8,
+								className: "w-full px-6 py-3 rounded-xl bg-gradient-to-r from-emerald-500 to-teal-500 font-medium text-black hover:from-emerald-400 hover:to-teal-400 transition-all disabled:opacity-50 disabled:cursor-not-allowed",
+								children: state === "loading" ? "Authorizing..." : "Authorize Device"
+							})
+						]
+					}),
+					/* @__PURE__ */ jsx("p", {
+						className: "text-white/40 text-xs text-center mt-6",
+						children: "This will grant CLI access to your account for 90 days"
+					})
+				]
+			})
+		})
+	});
+}
+//#endregion
+//#region src/client/index.ts
+const kuckitClientModule = defineKuckitClientModule({
+	id: "kuckit.cli-auth",
+	displayName: "CLI Authentication",
+	version: "0.1.0",
+	register(ctx) {
+		ctx.registerComponent("ActivatePage", ActivatePage);
+		ctx.addRoute({
+			id: "cli-activate",
+			path: "/cli/activate",
+			component: ActivatePage,
+			meta: {
+				title: "Activate CLI Access",
+				requiresAuth: true
+			}
+		});
+	}
+});
+//#endregion
+export { ActivatePage, kuckitClientModule };
+//# sourceMappingURL=index.js.map

package/dist/client/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","names":["error: unknown"],"sources":["../../src/client/pages/ActivatePage.tsx","../../src/client/index.ts"],"sourcesContent":["'use client'\n\nimport { useState, type FormEvent, type ChangeEvent } from 'react'\nimport { useRpc } from '@kuckit/sdk-react'\n\ntype FormState = 'idle' | 'loading' | 'success' | 'error'\n\ninterface CliDeviceRouter {\n\tcliDevice: {\n\t\tapprove: (input: { userCode: string }) => Promise<{ success: boolean; message?: string }>\n\t}\n}\n\nfunction formatUserCode(value: string): string {\n\tconst cleaned = value.toUpperCase().replace(/[^A-Z0-9]/g, '')\n\tif (cleaned.length <= 4) {\n\t\treturn cleaned\n\t}\n\treturn `${cleaned.slice(0, 4)}-${cleaned.slice(4, 8)}`\n}\n\nexport function ActivatePage() {\n\tconst rpc = useRpc<CliDeviceRouter>()\n\tconst [userCode, setUserCode] = useState('')\n\tconst [state, setState] = useState<FormState>('idle')\n\tconst [message, setMessage] = useState('')\n\n\tconst handleChange = (e: ChangeEvent<HTMLInputElement>) => {\n\t\tconst formatted = formatUserCode(e.target.value)\n\t\tsetUserCode(formatted)\n\t}\n\n\tconst handleSubmit = async (e: FormEvent) => {\n\t\te.preventDefault()\n\n\t\tconst cleanCode = userCode.replace(/-/g, '')\n\t\tif (cleanCode.length !== 8) {\n\t\t\tsetState('error')\n\t\t\tsetMessage('Please enter a valid 8-character code')\n\t\t\treturn\n\t\t}\n\n\t\tsetState('loading')\n\t\tsetMessage('')\n\n\t\ttry {\n\t\t\tconst result = await rpc.cliDevice.approve({ userCode })\n\n\t\t\tif (result.success) {\n\t\t\t\tsetState('success')\n\t\t\t\tsetMessage(\n\t\t\t\t\t'Device authorized successfully! You can close this window and return to your terminal.'\n\t\t\t\t)\n\t\t\t} else {\n\t\t\t\tsetState('error')\n\t\t\t\tsetMessage(\n\t\t\t\t\tresult.message || 'Failed to authorize device. Please check the code and try again.'\n\t\t\t\t)\n\t\t\t}\n\t\t} catch (error: unknown) {\n\t\t\tconsole.error('Device activation error:', error)\n\t\t\tif (error instanceof Error && error.message.includes('401')) {\n\t\t\t\twindow.location.href = '/sign-in?redirect=/cli/activate'\n\t\t\t\treturn\n\t\t\t}\n\t\t\tsetState('error')\n\t\t\tsetMessage('Network error. Please try again.')\n\t\t}\n\t}\n\n\treturn (\n\t\t<div className=\"min-h-screen bg-[#0a0a0b] flex items-center justify-center p-6\">\n\t\t\t<div className=\"w-full max-w-md\">\n\t\t\t\t<div className=\"bg-white/5 border border-white/10 rounded-2xl p-8\">\n\t\t\t\t\t<div className=\"text-center mb-8\">\n\t\t\t\t\t\t<div className=\"w-12 h-12 rounded-xl bg-gradient-to-br from-emerald-400 to-teal-500 flex items-center justify-center mx-auto mb-4\">\n\t\t\t\t\t\t\t<svg\n\t\t\t\t\t\t\t\tclassName=\"w-6 h-6 text-black\"\n\t\t\t\t\t\t\t\tfill=\"none\"\n\t\t\t\t\t\t\t\tstroke=\"currentColor\"\n\t\t\t\t\t\t\t\tviewBox=\"0 0 24 24\"\n\t\t\t\t\t\t\t>\n\t\t\t\t\t\t\t\t<path\n\t\t\t\t\t\t\t\t\tstrokeLinecap=\"round\"\n\t\t\t\t\t\t\t\t\tstrokeLinejoin=\"round\"\n\t\t\t\t\t\t\t\t\tstrokeWidth={2}\n\t\t\t\t\t\t\t\t\td=\"M8 9l3 3-3 3m5 0h3M5 20h14a2 2 0 002-2V6a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z\"\n\t\t\t\t\t\t\t\t/>\n\t\t\t\t\t\t\t</svg>\n\t\t\t\t\t\t</div>\n\t\t\t\t\t\t<h1 className=\"text-2xl font-bold text-white mb-2\">Activate CLI Access</h1>\n\t\t\t\t\t\t<p className=\"text-white/60 text-sm\">\n\t\t\t\t\t\t\tEnter the code displayed in your terminal to authorize CLI access\n\t\t\t\t\t\t</p>\n\t\t\t\t\t</div>\n\n\t\t\t\t\t{state === 'success' ? (\n\t\t\t\t\t\t<div className=\"text-center\">\n\t\t\t\t\t\t\t<div className=\"w-16 h-16 rounded-full bg-emerald-500/20 flex items-center justify-center mx-auto mb-4\">\n\t\t\t\t\t\t\t\t<svg\n\t\t\t\t\t\t\t\t\tclassName=\"w-8 h-8 text-emerald-400\"\n\t\t\t\t\t\t\t\t\tfill=\"none\"\n\t\t\t\t\t\t\t\t\tstroke=\"currentColor\"\n\t\t\t\t\t\t\t\t\tviewBox=\"0 0 24 24\"\n\t\t\t\t\t\t\t\t>\n\t\t\t\t\t\t\t\t\t<path\n\t\t\t\t\t\t\t\t\t\tstrokeLinecap=\"round\"\n\t\t\t\t\t\t\t\t\t\tstrokeLinejoin=\"round\"\n\t\t\t\t\t\t\t\t\t\tstrokeWidth={2}\n\t\t\t\t\t\t\t\t\t\td=\"M5 13l4 4L19 7\"\n\t\t\t\t\t\t\t\t\t/>\n\t\t\t\t\t\t\t\t</svg>\n\t\t\t\t\t\t\t</div>\n\t\t\t\t\t\t\t<p className=\"text-emerald-400 font-medium mb-2\">Success!</p>\n\t\t\t\t\t\t\t<p className=\"text-white/60 text-sm\">{message}</p>\n\t\t\t\t\t\t</div>\n\t\t\t\t\t) : (\n\t\t\t\t\t\t<form onSubmit={handleSubmit}>\n\t\t\t\t\t\t\t<div className=\"mb-6\">\n\t\t\t\t\t\t\t\t<label htmlFor=\"userCode\" className=\"block text-sm font-medium text-white/80 mb-2\">\n\t\t\t\t\t\t\t\t\tActivation Code\n\t\t\t\t\t\t\t\t</label>\n\t\t\t\t\t\t\t\t<input\n\t\t\t\t\t\t\t\t\tid=\"userCode\"\n\t\t\t\t\t\t\t\t\ttype=\"text\"\n\t\t\t\t\t\t\t\t\tvalue={userCode}\n\t\t\t\t\t\t\t\t\tonChange={handleChange}\n\t\t\t\t\t\t\t\t\tplaceholder=\"XXXX-XXXX\"\n\t\t\t\t\t\t\t\t\tmaxLength={9}\n\t\t\t\t\t\t\t\t\tdisabled={state === 'loading'}\n\t\t\t\t\t\t\t\t\tclassName=\"w-full px-4 py-3 rounded-xl bg-white/5 border border-white/10 text-white text-center text-2xl font-mono tracking-widest placeholder:text-white/20 focus:outline-none focus:border-emerald-500/50 focus:ring-2 focus:ring-emerald-500/20 transition-all disabled:opacity-50\"\n\t\t\t\t\t\t\t\t\tautoComplete=\"off\"\n\t\t\t\t\t\t\t\t\tautoFocus\n\t\t\t\t\t\t\t\t/>\n\t\t\t\t\t\t\t</div>\n\n\t\t\t\t\t\t\t{state === 'error' && message && (\n\t\t\t\t\t\t\t\t<div className=\"mb-4 p-3 rounded-lg bg-red-500/10 border border-red-500/20\">\n\t\t\t\t\t\t\t\t\t<p className=\"text-red-400 text-sm text-center\">{message}</p>\n\t\t\t\t\t\t\t\t</div>\n\t\t\t\t\t\t\t)}\n\n\t\t\t\t\t\t\t<button\n\t\t\t\t\t\t\t\ttype=\"submit\"\n\t\t\t\t\t\t\t\tdisabled={state === 'loading' || userCode.replace(/-/g, '').length !== 8}\n\t\t\t\t\t\t\t\tclassName=\"w-full px-6 py-3 rounded-xl bg-gradient-to-r from-emerald-500 to-teal-500 font-medium text-black hover:from-emerald-400 hover:to-teal-400 transition-all disabled:opacity-50 disabled:cursor-not-allowed\"\n\t\t\t\t\t\t\t>\n\t\t\t\t\t\t\t\t{state === 'loading' ? 'Authorizing...' : 'Authorize Device'}\n\t\t\t\t\t\t\t</button>\n\t\t\t\t\t\t</form>\n\t\t\t\t\t)}\n\n\t\t\t\t\t<p className=\"text-white/40 text-xs text-center mt-6\">\n\t\t\t\t\t\tThis will grant CLI access to your account for 90 days\n\t\t\t\t\t</p>\n\t\t\t\t</div>\n\t\t\t</div>\n\t\t</div>\n\t)\n}\n","import { defineKuckitClientModule, type KuckitClientModuleContext } from '@kuckit/sdk-react'\nimport { ActivatePage } from './pages/ActivatePage'\n\nexport const kuckitClientModule = defineKuckitClientModule({\n\tid: 'kuckit.cli-auth',\n\tdisplayName: 'CLI Authentication',\n\tversion: '0.1.0',\n\n\tregister(ctx: KuckitClientModuleContext) {\n\t\tctx.registerComponent('ActivatePage', ActivatePage)\n\n\t\tctx.addRoute({\n\t\t\tid: 'cli-activate',\n\t\t\tpath: '/cli/activate',\n\t\t\tcomponent: ActivatePage,\n\t\t\tmeta: {\n\t\t\t\ttitle: 'Activate CLI Access',\n\t\t\t\trequiresAuth: true,\n\t\t\t},\n\t\t})\n\t},\n})\n\nexport { ActivatePage } from './pages/ActivatePage'\n"],"mappings":";;;;;AAaA,SAAS,eAAe,OAAuB;CAC9C,MAAM,UAAU,MAAM,aAAa,CAAC,QAAQ,cAAc,GAAG;AAC7D,KAAI,QAAQ,UAAU,EACrB,QAAO;AAER,QAAO,GAAG,QAAQ,MAAM,GAAG,EAAE,CAAC,GAAG,QAAQ,MAAM,GAAG,EAAE;;AAGrD,SAAgB,eAAe;CAC9B,MAAM,MAAM,QAAyB;CACrC,MAAM,CAAC,UAAU,eAAe,SAAS,GAAG;CAC5C,MAAM,CAAC,OAAO,YAAY,SAAoB,OAAO;CACrD,MAAM,CAAC,SAAS,cAAc,SAAS,GAAG;CAE1C,MAAM,gBAAgB,MAAqC;AAE1D,cADkB,eAAe,EAAE,OAAO,MAAM,CAC1B;;CAGvB,MAAM,eAAe,OAAO,MAAiB;AAC5C,IAAE,gBAAgB;AAGlB,MADkB,SAAS,QAAQ,MAAM,GAAG,CAC9B,WAAW,GAAG;AAC3B,YAAS,QAAQ;AACjB,cAAW,wCAAwC;AACnD;;AAGD,WAAS,UAAU;AACnB,aAAW,GAAG;AAEd,MAAI;GACH,MAAM,SAAS,MAAM,IAAI,UAAU,QAAQ,EAAE,UAAU,CAAC;AAExD,OAAI,OAAO,SAAS;AACnB,aAAS,UAAU;AACnB,eACC,yFACA;UACK;AACN,aAAS,QAAQ;AACjB,eACC,OAAO,WAAW,mEAClB;;WAEMA,OAAgB;AACxB,WAAQ,MAAM,4BAA4B,MAAM;AAChD,OAAI,iBAAiB,SAAS,MAAM,QAAQ,SAAS,MAAM,EAAE;AAC5D,WAAO,SAAS,OAAO;AACvB;;AAED,YAAS,QAAQ;AACjB,cAAW,mCAAmC;;;AAIhD,QACC,oBAAC;EAAI,WAAU;YACd,oBAAC;GAAI,WAAU;aACd,qBAAC;IAAI,WAAU;;KACd,qBAAC;MAAI,WAAU;;OACd,oBAAC;QAAI,WAAU;kBACd,oBAAC;SACA,WAAU;SACV,MAAK;SACL,QAAO;SACP,SAAQ;mBAER,oBAAC;UACA,eAAc;UACd,gBAAe;UACf,aAAa;UACb,GAAE;WACD;UACG;SACD;OACN,oBAAC;QAAG,WAAU;kBAAqC;SAAwB;OAC3E,oBAAC;QAAE,WAAU;kBAAwB;SAEjC;;OACC;KAEL,UAAU,YACV,qBAAC;MAAI,WAAU;;OACd,oBAAC;QAAI,WAAU;kBACd,oBAAC;SACA,WAAU;SACV,MAAK;SACL,QAAO;SACP,SAAQ;mBAER,oBAAC;UACA,eAAc;UACd,gBAAe;UACf,aAAa;UACb,GAAE;WACD;UACG;SACD;OACN,oBAAC;QAAE,WAAU;kBAAoC;SAAY;OAC7D,oBAAC;QAAE,WAAU;kBAAyB;SAAY;;OAC7C,GAEN,qBAAC;MAAK,UAAU;;OACf,qBAAC;QAAI,WAAU;mBACd,oBAAC;SAAM,SAAQ;SAAW,WAAU;mBAA+C;UAE3E,EACR,oBAAC;SACA,IAAG;SACH,MAAK;SACL,OAAO;SACP,UAAU;SACV,aAAY;SACZ,WAAW;SACX,UAAU,UAAU;SACpB,WAAU;SACV,cAAa;SACb;UACC;SACG;OAEL,UAAU,WAAW,WACrB,oBAAC;QAAI,WAAU;kBACd,oBAAC;SAAE,WAAU;mBAAoC;UAAY;SACxD;OAGP,oBAAC;QACA,MAAK;QACL,UAAU,UAAU,aAAa,SAAS,QAAQ,MAAM,GAAG,CAAC,WAAW;QACvE,WAAU;kBAET,UAAU,YAAY,mBAAmB;SAClC;;OACH;KAGR,oBAAC;MAAE,WAAU;gBAAyC;OAElD;;KACC;IACD;GACD;;;;;AC1JR,MAAa,qBAAqB,yBAAyB;CAC1D,IAAI;CACJ,aAAa;CACb,SAAS;CAET,SAAS,KAAgC;AACxC,MAAI,kBAAkB,gBAAgB,aAAa;AAEnD,MAAI,SAAS;GACZ,IAAI;GACJ,MAAM;GACN,WAAW;GACX,MAAM;IACL,OAAO;IACP,cAAc;IACd;GACD,CAAC;;CAEH,CAAC"}

package/dist/server/module.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import * as _kuckit_sdk0 from "@kuckit/sdk";
+import "drizzle-orm/pg-core";
+import "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+//#region src/server/use-cases/validate-cli-token.d.ts
+interface ValidateCliTokenOutput {
+  readonly id: string;
+  readonly userId: string;
+  readonly scopes: string[];
+}
+//#endregion
+//#region src/server/middleware/cli-auth.middleware.d.ts
+interface CliAuthContext {
+  id: string;
+  userId: string;
+  scopes: string[];
+}
+declare global {
+  namespace Express {
+    interface Request {
+      cliAuth?: CliAuthContext;
+    }
+  }
+}
+type ValidateCliToken = (rawToken: string) => Promise<ValidateCliTokenOutput | null>;
+interface CliAuthMiddlewareDeps {
+  validateCliToken: ValidateCliToken;
+}
+declare const makeCliAuthMiddleware: (deps: CliAuthMiddlewareDeps) => (req: Request, res: Response, next: NextFunction) => Promise<void>;
+declare const requireScope: (scope: string) => (req: Request, res: Response, next: NextFunction) => void;
+//#endregion
+//#region src/server/module.d.ts
+type CliAuthModuleConfig = Record<string, never>;
+declare const kuckitModule: _kuckit_sdk0.KuckitModuleDefinition<CliAuthModuleConfig>;
+//#endregion
+export { type CliAuthContext, CliAuthModuleConfig, kuckitModule, makeCliAuthMiddleware, requireScope };
+//# sourceMappingURL=module.d.ts.map

package/dist/server/module.js ADDED Viewed

@@ -0,0 +1,353 @@
+import { asFunction, defineKuckitModule } from "@kuckit/sdk";
+import { index, integer, pgEnum, pgTable, text, timestamp } from "drizzle-orm/pg-core";
+import { and, eq, gt, isNull, or } from "drizzle-orm";
+import { createHash, randomBytes } from "crypto";
+import { protectedProcedure, publicProcedure } from "@kuckit/api";
+import { z } from "zod";
+//#region src/server/schema/cli-auth.ts
+const deviceCodeStatusEnum = pgEnum("cli_auth_device_code_status", [
+	"pending",
+	"approved",
+	"denied",
+	"expired"
+]);
+const cliAuthTokenTable = pgTable("cli_auth_token", {
+	id: text("id").primaryKey(),
+	userId: text("user_id").notNull(),
+	tokenHash: text("token_hash").notNull().unique(),
+	scopes: text("scopes").array().notNull().default([]),
+	name: text("name"),
+	expiresAt: timestamp("expires_at"),
+	lastUsedAt: timestamp("last_used_at"),
+	revokedAt: timestamp("revoked_at"),
+	createdAt: timestamp("created_at").notNull().defaultNow()
+}, (table) => ({ userIdIdx: index("cli_auth_token_user_id_idx").on(table.userId) }));
+const cliAuthDeviceCodeTable = pgTable("cli_auth_device_code", {
+	id: text("id").primaryKey(),
+	deviceCode: text("device_code").notNull().unique(),
+	userCode: text("user_code").notNull().unique(),
+	scopes: text("scopes").array().notNull().default([]),
+	status: deviceCodeStatusEnum("status").notNull().default("pending"),
+	approvedUserId: text("approved_user_id"),
+	approvedToken: text("approved_token"),
+	intervalSec: integer("interval_sec").notNull().default(5),
+	expiresAt: timestamp("expires_at").notNull(),
+	createdAt: timestamp("created_at").notNull().defaultNow()
+});
+//#endregion
+//#region src/server/repository/helpers.ts
+const USER_CODE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789";
+/**
+* Generate a user-friendly 8-character code in XXXX-XXXX format.
+* Uses crypto.randomBytes for entropy and excludes confusing characters.
+*/
+function generateUserCode() {
+	const bytes = randomBytes(8);
+	let code = "";
+	for (let i = 0; i < 8; i++) {
+		code += USER_CODE_ALPHABET[bytes[i] % 31];
+		if (i === 3) code += "-";
+	}
+	return code;
+}
+//#endregion
+//#region src/server/repository/cli-auth.repository.ts
+const makeCliAuthRepository = (db) => ({
+	async createToken(data) {
+		const rawToken = `kuckit_cli_${randomBytes(32).toString("base64url")}`;
+		const tokenHash = createHash("sha256").update(rawToken).digest("hex");
+		const id = crypto.randomUUID();
+		const [record] = await db.insert(cliAuthTokenTable).values({
+			...data,
+			id,
+			tokenHash
+		}).returning();
+		return {
+			token: rawToken,
+			record
+		};
+	},
+	async findTokenByHash(hash) {
+		const [token] = await db.select().from(cliAuthTokenTable).where(and(eq(cliAuthTokenTable.tokenHash, hash), isNull(cliAuthTokenTable.revokedAt), or(isNull(cliAuthTokenTable.expiresAt), gt(cliAuthTokenTable.expiresAt, /* @__PURE__ */ new Date())))).limit(1);
+		return token ?? null;
+	},
+	async updateTokenLastUsed(id) {
+		await db.update(cliAuthTokenTable).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq(cliAuthTokenTable.id, id));
+	},
+	async revokeToken(id) {
+		await db.update(cliAuthTokenTable).set({ revokedAt: /* @__PURE__ */ new Date() }).where(eq(cliAuthTokenTable.id, id));
+	},
+	async createDeviceCode(scopes) {
+		const id = crypto.randomUUID();
+		const deviceCode = randomBytes(32).toString("base64url");
+		const userCode = generateUserCode();
+		const [record] = await db.insert(cliAuthDeviceCodeTable).values({
+			id,
+			deviceCode,
+			userCode,
+			scopes,
+			expiresAt: new Date(Date.now() + 600 * 1e3)
+		}).returning();
+		return record;
+	},
+	async findDeviceCodeByCode(deviceCode) {
+		const [record] = await db.select().from(cliAuthDeviceCodeTable).where(eq(cliAuthDeviceCodeTable.deviceCode, deviceCode)).limit(1);
+		return record ?? null;
+	},
+	async findDeviceCodeByUserCode(userCode) {
+		const [record] = await db.select().from(cliAuthDeviceCodeTable).where(eq(cliAuthDeviceCodeTable.userCode, userCode.toUpperCase())).limit(1);
+		return record ?? null;
+	},
+	async approveDeviceCode(id, userId, rawToken) {
+		await db.update(cliAuthDeviceCodeTable).set({
+			status: "approved",
+			approvedUserId: userId,
+			approvedToken: rawToken
+		}).where(eq(cliAuthDeviceCodeTable.id, id));
+	},
+	async clearApprovedToken(id) {
+		await db.update(cliAuthDeviceCodeTable).set({ approvedToken: null }).where(eq(cliAuthDeviceCodeTable.id, id));
+	}
+});
+//#endregion
+//#region src/server/use-cases/initiate-device-login.ts
+const makeInitiateDeviceLogin = (deps) => {
+	return async (input) => {
+		const { cliAuthRepository, logger } = deps;
+		const deviceCode = await cliAuthRepository.createDeviceCode(input.scopes);
+		logger.info("Device login initiated", { userCode: deviceCode.userCode });
+		const appUrl = process.env.APP_URL || "http://localhost:3001";
+		return {
+			deviceCode: deviceCode.deviceCode,
+			userCode: deviceCode.userCode,
+			verificationUrl: `${appUrl}/cli/activate`,
+			expiresIn: 600,
+			intervalSec: deviceCode.intervalSec
+		};
+	};
+};
+//#endregion
+//#region src/server/use-cases/poll-device-login.ts
+const makePollDeviceLogin = (deps) => {
+	return async (input) => {
+		const { cliAuthRepository, userRepository, logger } = deps;
+		const deviceCode = await cliAuthRepository.findDeviceCodeByCode(input.deviceCode);
+		if (!deviceCode) {
+			logger.warn("Poll for unknown device code", { deviceCode: input.deviceCode.slice(0, 8) });
+			return { status: "expired" };
+		}
+		if (deviceCode.status === "pending" && deviceCode.expiresAt < /* @__PURE__ */ new Date()) return { status: "expired" };
+		switch (deviceCode.status) {
+			case "pending": return { status: "pending" };
+			case "approved": {
+				if (!deviceCode.approvedToken) return { status: "expired" };
+				const user = deviceCode.approvedUserId ? await userRepository.findById(deviceCode.approvedUserId) : null;
+				const result = {
+					status: "approved",
+					token: deviceCode.approvedToken,
+					expiresIn: 2160 * 60 * 60,
+					scopes: deviceCode.scopes,
+					permissions: user?.permissions ? [...user.permissions] : []
+				};
+				await cliAuthRepository.clearApprovedToken(deviceCode.id);
+				logger.info("Device login token retrieved", { deviceCodeId: deviceCode.id });
+				return result;
+			}
+			case "denied": return { status: "denied" };
+			case "expired": return { status: "expired" };
+			default: return { status: "expired" };
+		}
+	};
+};
+//#endregion
+//#region src/server/use-cases/approve-device-login.ts
+const makeApproveDeviceLogin = (deps) => {
+	return async (input) => {
+		const { cliAuthRepository, logger } = deps;
+		const deviceCode = await cliAuthRepository.findDeviceCodeByUserCode(input.userCode);
+		if (!deviceCode) return {
+			success: false,
+			message: "Invalid code"
+		};
+		if (deviceCode.status !== "pending") return {
+			success: false,
+			message: "Code already used or expired"
+		};
+		if (deviceCode.expiresAt < /* @__PURE__ */ new Date()) return {
+			success: false,
+			message: "Code expired"
+		};
+		const { token } = await cliAuthRepository.createToken({
+			userId: input.userId,
+			scopes: deviceCode.scopes,
+			name: `CLI Token - ${(/* @__PURE__ */ new Date()).toISOString()}`,
+			expiresAt: new Date(Date.now() + 2160 * 60 * 60 * 1e3)
+		});
+		await cliAuthRepository.approveDeviceCode(deviceCode.id, input.userId, token);
+		logger.info("Device login approved", {
+			userId: input.userId,
+			userCode: input.userCode
+		});
+		return {
+			success: true,
+			message: "CLI authorized"
+		};
+	};
+};
+//#endregion
+//#region src/server/use-cases/validate-cli-token.ts
+const makeValidateCliToken = (deps) => {
+	return async (rawToken) => {
+		const { cliAuthRepository } = deps;
+		const tokenHash = createHash("sha256").update(rawToken).digest("hex");
+		const token = await cliAuthRepository.findTokenByHash(tokenHash);
+		if (!token) return null;
+		await cliAuthRepository.updateTokenLastUsed(token.id);
+		return {
+			id: token.id,
+			userId: token.userId,
+			scopes: token.scopes
+		};
+	};
+};
+//#endregion
+//#region src/server/router/cli-device.router.ts
+const initiateInputSchema = z.object({ scopes: z.array(z.string()) });
+const initiateOutputSchema = z.object({
+	deviceCode: z.string(),
+	userCode: z.string(),
+	verificationUrl: z.string(),
+	expiresIn: z.number(),
+	intervalSec: z.number()
+});
+const pollInputSchema = z.object({ deviceCode: z.string() });
+const pollOutputSchema = z.discriminatedUnion("status", [
+	z.object({ status: z.literal("pending") }),
+	z.object({
+		status: z.literal("approved"),
+		token: z.string(),
+		expiresIn: z.number(),
+		scopes: z.array(z.string()),
+		permissions: z.array(z.string())
+	}),
+	z.object({ status: z.literal("denied") }),
+	z.object({ status: z.literal("expired") })
+]);
+const approveInputSchema = z.object({ userCode: z.string() });
+const approveOutputSchema = z.object({
+	success: z.boolean(),
+	message: z.string()
+});
+const cliDeviceRouter = {
+	initiate: publicProcedure.input(initiateInputSchema).output(initiateOutputSchema).handler(async ({ input, context }) => {
+		const { initiateDeviceLogin } = context.di.cradle;
+		return initiateDeviceLogin(input);
+	}),
+	poll: publicProcedure.input(pollInputSchema).output(pollOutputSchema).handler(async ({ input, context }) => {
+		const { pollDeviceLogin } = context.di.cradle;
+		return pollDeviceLogin(input);
+	}),
+	approve: protectedProcedure.input(approveInputSchema).output(approveOutputSchema).handler(async ({ input, context }) => {
+		const { approveDeviceLogin } = context.di.cradle;
+		const userId = context.session.user.id;
+		return approveDeviceLogin({
+			userCode: input.userCode,
+			userId
+		});
+	})
+};
+//#endregion
+//#region src/server/middleware/cli-auth.middleware.ts
+const makeCliAuthMiddleware = (deps) => {
+	return async (req, res, next) => {
+		const authHeader = req.headers.authorization;
+		if (!authHeader || !authHeader.startsWith("Bearer ")) {
+			res.status(401).json({ error: "Missing or invalid authorization header" });
+			return;
+		}
+		const token = authHeader.slice(7);
+		const result = await deps.validateCliToken(token);
+		if (!result) {
+			res.status(401).json({ error: "Invalid or expired token" });
+			return;
+		}
+		req.cliAuth = {
+			id: result.id,
+			userId: result.userId,
+			scopes: result.scopes
+		};
+		next();
+	};
+};
+const requireScope = (scope) => {
+	return (req, res, next) => {
+		if (!req.cliAuth) {
+			res.status(401).json({ error: "Not authenticated" });
+			return;
+		}
+		if (!req.cliAuth.scopes.includes(scope)) {
+			res.status(403).json({ error: `Missing required scope: ${scope}` });
+			return;
+		}
+		next();
+	};
+};
+//#endregion
+//#region src/server/module.ts
+const kuckitModule = defineKuckitModule({
+	id: "kuckit.cli-auth",
+	displayName: "CLI Authentication",
+	description: "Device flow authentication for CLI tools",
+	version: "0.1.0",
+	async register(ctx) {
+		const { container } = ctx;
+		ctx.registerSchema("cli_auth_token", cliAuthTokenTable);
+		ctx.registerSchema("cli_auth_device_code", cliAuthDeviceCodeTable);
+		container.register({ cliAuthRepository: asFunction(({ db }) => makeCliAuthRepository(db)).scoped() });
+		container.register({
+			initiateDeviceLogin: asFunction(({ cliAuthRepository, logger }) => makeInitiateDeviceLogin({
+				cliAuthRepository,
+				logger
+			})).scoped(),
+			pollDeviceLogin: asFunction(({ cliAuthRepository, userRepository, logger }) => makePollDeviceLogin({
+				cliAuthRepository,
+				userRepository,
+				logger
+			})).scoped(),
+			approveDeviceLogin: asFunction(({ cliAuthRepository, logger }) => makeApproveDeviceLogin({
+				cliAuthRepository,
+				logger
+			})).scoped(),
+			validateCliToken: asFunction(({ cliAuthRepository }) => makeValidateCliToken({ cliAuthRepository })).scoped()
+		});
+	},
+	registerApi(ctx) {
+		ctx.addApiRegistration({
+			type: "rpc-router",
+			name: "cliDevice",
+			router: cliDeviceRouter
+		});
+	},
+	async onBootstrap(ctx) {
+		const { container } = ctx;
+		container.resolve("logger").info("CLI Auth module initialized");
+	},
+	async onShutdown(ctx) {
+		const { container } = ctx;
+		container.resolve("logger").info("CLI Auth module shutting down");
+	}
+});
+//#endregion
+export { kuckitModule, makeCliAuthMiddleware, requireScope };
+//# sourceMappingURL=module.js.map

package/dist/server/module.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"module.js","names":["result: PollDeviceLoginOutput"],"sources":["../../src/server/schema/cli-auth.ts","../../src/server/repository/helpers.ts","../../src/server/repository/cli-auth.repository.ts","../../src/server/use-cases/initiate-device-login.ts","../../src/server/use-cases/poll-device-login.ts","../../src/server/use-cases/approve-device-login.ts","../../src/server/use-cases/validate-cli-token.ts","../../src/server/router/cli-device.router.ts","../../src/server/middleware/cli-auth.middleware.ts","../../src/server/module.ts"],"sourcesContent":["import { pgTable, pgEnum, text, timestamp, integer, index } from 'drizzle-orm/pg-core'\n\n// Enum for device code status\nexport const deviceCodeStatusEnum = pgEnum('cli_auth_device_code_status', [\n\t'pending',\n\t'approved',\n\t'denied',\n\t'expired',\n])\n\n// CLI authentication tokens table\nexport const cliAuthTokenTable = pgTable(\n\t'cli_auth_token',\n\t{\n\t\tid: text('id').primaryKey(),\n\t\tuserId: text('user_id').notNull(),\n\t\ttokenHash: text('token_hash').notNull().unique(),\n\t\tscopes: text('scopes').array().notNull().default([]),\n\t\tname: text('name'),\n\t\texpiresAt: timestamp('expires_at'),\n\t\tlastUsedAt: timestamp('last_used_at'),\n\t\trevokedAt: timestamp('revoked_at'),\n\t\tcreatedAt: timestamp('created_at').notNull().defaultNow(),\n\t},\n\t(table) => ({\n\t\tuserIdIdx: index('cli_auth_token_user_id_idx').on(table.userId),\n\t})\n)\n\n// Device codes for device flow authentication\nexport const cliAuthDeviceCodeTable = pgTable('cli_auth_device_code', {\n\tid: text('id').primaryKey(),\n\tdeviceCode: text('device_code').notNull().unique(),\n\tuserCode: text('user_code').notNull().unique(),\n\tscopes: text('scopes').array().notNull().default([]),\n\tstatus: deviceCodeStatusEnum('status').notNull().default('pending'),\n\tapprovedUserId: text('approved_user_id'),\n\tapprovedToken: text('approved_token'),\n\tintervalSec: integer('interval_sec').notNull().default(5),\n\texpiresAt: timestamp('expires_at').notNull(),\n\tcreatedAt: timestamp('created_at').notNull().defaultNow(),\n})\n\nexport type CliAuthToken = typeof cliAuthTokenTable.$inferSelect\nexport type NewCliAuthToken = typeof cliAuthTokenTable.$inferInsert\nexport type CliAuthDeviceCode = typeof cliAuthDeviceCodeTable.$inferSelect\nexport type NewCliAuthDeviceCode = typeof cliAuthDeviceCodeTable.$inferInsert\n","import { randomBytes } from 'crypto'\n\n// Alphabet excluding confusing characters: 0, O, 1, I, L\nconst USER_CODE_ALPHABET = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789'\n\n/**\n * Generate a user-friendly 8-character code in XXXX-XXXX format.\n * Uses crypto.randomBytes for entropy and excludes confusing characters.\n */\nexport function generateUserCode(): string {\n\tconst bytes = randomBytes(8)\n\tlet code = ''\n\tfor (let i = 0; i < 8; i++) {\n\t\tcode += USER_CODE_ALPHABET[bytes[i]! % USER_CODE_ALPHABET.length]\n\t\tif (i === 3) code += '-'\n\t}\n\treturn code\n}\n","import type { NodePgDatabase } from 'drizzle-orm/node-postgres'\nimport { eq, and, isNull, gt, or } from 'drizzle-orm'\nimport { createHash, randomBytes } from 'crypto'\nimport {\n\tcliAuthTokenTable,\n\tcliAuthDeviceCodeTable,\n\ttype CliAuthToken,\n\ttype NewCliAuthToken,\n\ttype CliAuthDeviceCode,\n} from '../schema/cli-auth'\nimport { generateUserCode } from './helpers'\n\nexport interface CliAuthRepository {\n\t// Token operations\n\tcreateToken(\n\t\tdata: Omit<NewCliAuthToken, 'id' | 'tokenHash'>\n\t): Promise<{ token: string; record: CliAuthToken }>\n\tfindTokenByHash(hash: string): Promise<CliAuthToken | null>\n\tupdateTokenLastUsed(id: string): Promise<void>\n\trevokeToken(id: string): Promise<void>\n\n\t// Device code operations\n\tcreateDeviceCode(scopes: string[]): Promise<CliAuthDeviceCode>\n\tfindDeviceCodeByCode(deviceCode: string): Promise<CliAuthDeviceCode | null>\n\tfindDeviceCodeByUserCode(userCode: string): Promise<CliAuthDeviceCode | null>\n\tapproveDeviceCode(id: string, userId: string, rawToken: string): Promise<void>\n\tclearApprovedToken(id: string): Promise<void>\n}\n\nexport const makeCliAuthRepository = (db: NodePgDatabase): CliAuthRepository => ({\n\tasync createToken(data) {\n\t\tconst rawToken = `kuckit_cli_${randomBytes(32).toString('base64url')}`\n\t\tconst tokenHash = createHash('sha256').update(rawToken).digest('hex')\n\t\tconst id = crypto.randomUUID()\n\n\t\tconst [record] = await db\n\t\t\t.insert(cliAuthTokenTable)\n\t\t\t.values({ ...data, id, tokenHash })\n\t\t\t.returning()\n\n\t\treturn { token: rawToken, record: record! }\n\t},\n\n\tasync findTokenByHash(hash) {\n\t\tconst [token] = await db\n\t\t\t.select()\n\t\t\t.from(cliAuthTokenTable)\n\t\t\t.where(\n\t\t\t\tand(\n\t\t\t\t\teq(cliAuthTokenTable.tokenHash, hash),\n\t\t\t\t\tisNull(cliAuthTokenTable.revokedAt),\n\t\t\t\t\tor(isNull(cliAuthTokenTable.expiresAt), gt(cliAuthTokenTable.expiresAt, new Date()))\n\t\t\t\t)\n\t\t\t)\n\t\t\t.limit(1)\n\t\treturn token ?? null\n\t},\n\n\tasync updateTokenLastUsed(id) {\n\t\tawait db\n\t\t\t.update(cliAuthTokenTable)\n\t\t\t.set({ lastUsedAt: new Date() })\n\t\t\t.where(eq(cliAuthTokenTable.id, id))\n\t},\n\n\tasync revokeToken(id) {\n\t\tawait db\n\t\t\t.update(cliAuthTokenTable)\n\t\t\t.set({ revokedAt: new Date() })\n\t\t\t.where(eq(cliAuthTokenTable.id, id))\n\t},\n\n\tasync createDeviceCode(scopes) {\n\t\tconst id = crypto.randomUUID()\n\t\tconst deviceCode = randomBytes(32).toString('base64url')\n\t\tconst userCode = generateUserCode()\n\n\t\tconst [record] = await db\n\t\t\t.insert(cliAuthDeviceCodeTable)\n\t\t\t.values({\n\t\t\t\tid,\n\t\t\t\tdeviceCode,\n\t\t\t\tuserCode,\n\t\t\t\tscopes,\n\t\t\t\texpiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes\n\t\t\t})\n\t\t\t.returning()\n\n\t\treturn record!\n\t},\n\n\tasync findDeviceCodeByCode(deviceCode) {\n\t\tconst [record] = await db\n\t\t\t.select()\n\t\t\t.from(cliAuthDeviceCodeTable)\n\t\t\t.where(eq(cliAuthDeviceCodeTable.deviceCode, deviceCode))\n\t\t\t.limit(1)\n\t\treturn record ?? null\n\t},\n\n\tasync findDeviceCodeByUserCode(userCode) {\n\t\tconst [record] = await db\n\t\t\t.select()\n\t\t\t.from(cliAuthDeviceCodeTable)\n\t\t\t.where(eq(cliAuthDeviceCodeTable.userCode, userCode.toUpperCase()))\n\t\t\t.limit(1)\n\t\treturn record ?? null\n\t},\n\n\tasync approveDeviceCode(id, userId, rawToken) {\n\t\tawait db\n\t\t\t.update(cliAuthDeviceCodeTable)\n\t\t\t.set({ status: 'approved', approvedUserId: userId, approvedToken: rawToken })\n\t\t\t.where(eq(cliAuthDeviceCodeTable.id, id))\n\t},\n\n\tasync clearApprovedToken(id) {\n\t\tawait db\n\t\t\t.update(cliAuthDeviceCodeTable)\n\t\t\t.set({ approvedToken: null })\n\t\t\t.where(eq(cliAuthDeviceCodeTable.id, id))\n\t},\n})\n","import type { Logger } from '@kuckit/domain'\nimport type { CliAuthRepository } from '../repository/cli-auth.repository'\n\nexport interface InitiateDeviceLoginDeps {\n\treadonly cliAuthRepository: CliAuthRepository\n\treadonly logger: Logger\n}\n\nexport interface InitiateDeviceLoginInput {\n\treadonly scopes: string[]\n}\n\nexport interface InitiateDeviceLoginOutput {\n\treadonly deviceCode: string\n\treadonly userCode: string\n\treadonly verificationUrl: string\n\treadonly expiresIn: number\n\treadonly intervalSec: number\n}\n\nexport const makeInitiateDeviceLogin = (deps: InitiateDeviceLoginDeps) => {\n\treturn async (input: InitiateDeviceLoginInput): Promise<InitiateDeviceLoginOutput> => {\n\t\tconst { cliAuthRepository, logger } = deps\n\n\t\tconst deviceCode = await cliAuthRepository.createDeviceCode(input.scopes)\n\n\t\tlogger.info('Device login initiated', { userCode: deviceCode.userCode })\n\n\t\tconst appUrl = process.env.APP_URL || 'http://localhost:3001'\n\n\t\treturn {\n\t\t\tdeviceCode: deviceCode.deviceCode,\n\t\t\tuserCode: deviceCode.userCode,\n\t\t\tverificationUrl: `${appUrl}/cli/activate`,\n\t\t\texpiresIn: 600,\n\t\t\tintervalSec: deviceCode.intervalSec,\n\t\t}\n\t}\n}\n","import type { Logger, UserRepository } from '@kuckit/domain'\nimport type { CliAuthRepository } from '../repository/cli-auth.repository'\n\nexport interface PollDeviceLoginDeps {\n\treadonly cliAuthRepository: CliAuthRepository\n\treadonly userRepository: UserRepository\n\treadonly logger: Logger\n}\n\nexport interface PollDeviceLoginInput {\n\treadonly deviceCode: string\n}\n\nexport type PollDeviceLoginOutput =\n\t| { status: 'pending' }\n\t| {\n\t\t\tstatus: 'approved'\n\t\t\ttoken: string\n\t\t\texpiresIn: number\n\t\t\tscopes: string[]\n\t\t\tpermissions: string[]\n\t }\n\t| { status: 'denied' }\n\t| { status: 'expired' }\n\nexport const makePollDeviceLogin = (deps: PollDeviceLoginDeps) => {\n\treturn async (input: PollDeviceLoginInput): Promise<PollDeviceLoginOutput> => {\n\t\tconst { cliAuthRepository, userRepository, logger } = deps\n\n\t\tconst deviceCode = await cliAuthRepository.findDeviceCodeByCode(input.deviceCode)\n\n\t\tif (!deviceCode) {\n\t\t\tlogger.warn('Poll for unknown device code', { deviceCode: input.deviceCode.slice(0, 8) })\n\t\t\treturn { status: 'expired' }\n\t\t}\n\n\t\t// Check if expired (only for pending status)\n\t\tif (deviceCode.status === 'pending' && deviceCode.expiresAt < new Date()) {\n\t\t\treturn { status: 'expired' }\n\t\t}\n\n\t\tswitch (deviceCode.status) {\n\t\t\tcase 'pending':\n\t\t\t\treturn { status: 'pending' }\n\n\t\t\tcase 'approved': {\n\t\t\t\tif (!deviceCode.approvedToken) {\n\t\t\t\t\t// Token already retrieved\n\t\t\t\t\treturn { status: 'expired' }\n\t\t\t\t}\n\n\t\t\t\t// Fetch user to get permissions\n\t\t\t\tconst user = deviceCode.approvedUserId\n\t\t\t\t\t? await userRepository.findById(deviceCode.approvedUserId)\n\t\t\t\t\t: null\n\n\t\t\t\t// Calculate remaining time for token expiry (90 days from approval)\n\t\t\t\tconst expiresIn = 90 * 24 * 60 * 60\n\n\t\t\t\tconst result: PollDeviceLoginOutput = {\n\t\t\t\t\tstatus: 'approved',\n\t\t\t\t\ttoken: deviceCode.approvedToken,\n\t\t\t\t\texpiresIn,\n\t\t\t\t\tscopes: deviceCode.scopes,\n\t\t\t\t\tpermissions: user?.permissions ? [...user.permissions] : [],\n\t\t\t\t}\n\n\t\t\t\t// Clear the token after retrieval (one-time read)\n\t\t\t\tawait cliAuthRepository.clearApprovedToken(deviceCode.id)\n\n\t\t\t\tlogger.info('Device login token retrieved', { deviceCodeId: deviceCode.id })\n\n\t\t\t\treturn result\n\t\t\t}\n\n\t\t\tcase 'denied':\n\t\t\t\treturn { status: 'denied' }\n\n\t\t\tcase 'expired':\n\t\t\t\treturn { status: 'expired' }\n\n\t\t\tdefault:\n\t\t\t\treturn { status: 'expired' }\n\t\t}\n\t}\n}\n","import type { Logger } from '@kuckit/domain'\nimport type { CliAuthRepository } from '../repository/cli-auth.repository'\n\nexport interface ApproveDeviceLoginDeps {\n\treadonly cliAuthRepository: CliAuthRepository\n\treadonly logger: Logger\n}\n\nexport interface ApproveDeviceLoginInput {\n\treadonly userCode: string\n\treadonly userId: string\n}\n\nexport interface ApproveDeviceLoginOutput {\n\treadonly success: boolean\n\treadonly message: string\n}\n\nexport const makeApproveDeviceLogin = (deps: ApproveDeviceLoginDeps) => {\n\treturn async (input: ApproveDeviceLoginInput): Promise<ApproveDeviceLoginOutput> => {\n\t\tconst { cliAuthRepository, logger } = deps\n\n\t\tconst deviceCode = await cliAuthRepository.findDeviceCodeByUserCode(input.userCode)\n\n\t\tif (!deviceCode) {\n\t\t\treturn { success: false, message: 'Invalid code' }\n\t\t}\n\n\t\tif (deviceCode.status !== 'pending') {\n\t\t\treturn { success: false, message: 'Code already used or expired' }\n\t\t}\n\n\t\tif (deviceCode.expiresAt < new Date()) {\n\t\t\treturn { success: false, message: 'Code expired' }\n\t\t}\n\n\t\t// Create CLI token with 90-day expiry\n\t\tconst { token } = await cliAuthRepository.createToken({\n\t\t\tuserId: input.userId,\n\t\t\tscopes: deviceCode.scopes,\n\t\t\tname: `CLI Token - ${new Date().toISOString()}`,\n\t\t\texpiresAt: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),\n\t\t})\n\n\t\t// Mark device code as approved (store raw token for polling)\n\t\tawait cliAuthRepository.approveDeviceCode(deviceCode.id, input.userId, token)\n\n\t\tlogger.info('Device login approved', { userId: input.userId, userCode: input.userCode })\n\n\t\treturn { success: true, message: 'CLI authorized' }\n\t}\n}\n","import { createHash } from 'crypto'\nimport type { CliAuthRepository } from '../repository/cli-auth.repository'\n\nexport interface ValidateCliTokenDeps {\n\treadonly cliAuthRepository: CliAuthRepository\n}\n\nexport interface ValidateCliTokenOutput {\n\treadonly id: string\n\treadonly userId: string\n\treadonly scopes: string[]\n}\n\nexport const makeValidateCliToken = (deps: ValidateCliTokenDeps) => {\n\treturn async (rawToken: string): Promise<ValidateCliTokenOutput | null> => {\n\t\tconst { cliAuthRepository } = deps\n\n\t\t// Hash the token\n\t\tconst tokenHash = createHash('sha256').update(rawToken).digest('hex')\n\n\t\t// Look up token by hash\n\t\tconst token = await cliAuthRepository.findTokenByHash(tokenHash)\n\n\t\tif (!token) {\n\t\t\treturn null\n\t\t}\n\n\t\t// Update last used timestamp\n\t\tawait cliAuthRepository.updateTokenLastUsed(token.id)\n\n\t\treturn {\n\t\t\tid: token.id,\n\t\t\tuserId: token.userId,\n\t\t\tscopes: token.scopes,\n\t\t}\n\t}\n}\n","import { publicProcedure, protectedProcedure } from '@kuckit/api'\nimport { z } from 'zod'\nimport type {\n\tInitiateDeviceLoginInput,\n\tInitiateDeviceLoginOutput,\n} from '../use-cases/initiate-device-login'\nimport type { PollDeviceLoginInput, PollDeviceLoginOutput } from '../use-cases/poll-device-login'\nimport type {\n\tApproveDeviceLoginInput,\n\tApproveDeviceLoginOutput,\n} from '../use-cases/approve-device-login'\n\nconst initiateInputSchema = z.object({\n\tscopes: z.array(z.string()),\n})\n\nconst initiateOutputSchema = z.object({\n\tdeviceCode: z.string(),\n\tuserCode: z.string(),\n\tverificationUrl: z.string(),\n\texpiresIn: z.number(),\n\tintervalSec: z.number(),\n})\n\nconst pollInputSchema = z.object({\n\tdeviceCode: z.string(),\n})\n\nconst pollOutputSchema = z.discriminatedUnion('status', [\n\tz.object({ status: z.literal('pending') }),\n\tz.object({\n\t\tstatus: z.literal('approved'),\n\t\ttoken: z.string(),\n\t\texpiresIn: z.number(),\n\t\tscopes: z.array(z.string()),\n\t\tpermissions: z.array(z.string()),\n\t}),\n\tz.object({ status: z.literal('denied') }),\n\tz.object({ status: z.literal('expired') }),\n])\n\nconst approveInputSchema = z.object({\n\tuserCode: z.string(),\n})\n\nconst approveOutputSchema = z.object({\n\tsuccess: z.boolean(),\n\tmessage: z.string(),\n})\n\ninterface CliAuthCradle {\n\tinitiateDeviceLogin: (input: InitiateDeviceLoginInput) => Promise<InitiateDeviceLoginOutput>\n\tpollDeviceLogin: (input: PollDeviceLoginInput) => Promise<PollDeviceLoginOutput>\n\tapproveDeviceLogin: (input: ApproveDeviceLoginInput) => Promise<ApproveDeviceLoginOutput>\n}\n\nexport const cliDeviceRouter = {\n\tinitiate: publicProcedure\n\t\t.input(initiateInputSchema)\n\t\t.output(initiateOutputSchema)\n\t\t.handler(async ({ input, context }): Promise<InitiateDeviceLoginOutput> => {\n\t\t\tconst { initiateDeviceLogin } = context.di.cradle as CliAuthCradle\n\t\t\treturn initiateDeviceLogin(input)\n\t\t}),\n\n\tpoll: publicProcedure\n\t\t.input(pollInputSchema)\n\t\t.output(pollOutputSchema)\n\t\t.handler(async ({ input, context }): Promise<PollDeviceLoginOutput> => {\n\t\t\tconst { pollDeviceLogin } = context.di.cradle as CliAuthCradle\n\t\t\treturn pollDeviceLogin(input)\n\t\t}),\n\n\tapprove: protectedProcedure\n\t\t.input(approveInputSchema)\n\t\t.output(approveOutputSchema)\n\t\t.handler(async ({ input, context }): Promise<ApproveDeviceLoginOutput> => {\n\t\t\tconst { approveDeviceLogin } = context.di.cradle as CliAuthCradle\n\t\t\tconst userId = context.session.user.id\n\t\t\treturn approveDeviceLogin({ userCode: input.userCode, userId })\n\t\t}),\n}\n","import type { Request, Response, NextFunction } from 'express'\nimport type { ValidateCliTokenOutput } from '../use-cases/validate-cli-token'\n\nexport interface CliAuthContext {\n\tid: string\n\tuserId: string\n\tscopes: string[]\n}\n\ndeclare global {\n\t// eslint-disable-next-line @typescript-eslint/no-namespace\n\tnamespace Express {\n\t\tinterface Request {\n\t\t\tcliAuth?: CliAuthContext\n\t\t}\n\t}\n}\n\ntype ValidateCliToken = (rawToken: string) => Promise<ValidateCliTokenOutput | null>\n\nexport interface CliAuthMiddlewareDeps {\n\tvalidateCliToken: ValidateCliToken\n}\n\nexport const makeCliAuthMiddleware = (deps: CliAuthMiddlewareDeps) => {\n\treturn async (req: Request, res: Response, next: NextFunction): Promise<void> => {\n\t\tconst authHeader = req.headers.authorization\n\n\t\tif (!authHeader || !authHeader.startsWith('Bearer ')) {\n\t\t\tres.status(401).json({ error: 'Missing or invalid authorization header' })\n\t\t\treturn\n\t\t}\n\n\t\tconst token = authHeader.slice(7)\n\n\t\tconst result = await deps.validateCliToken(token)\n\n\t\tif (!result) {\n\t\t\tres.status(401).json({ error: 'Invalid or expired token' })\n\t\t\treturn\n\t\t}\n\n\t\treq.cliAuth = {\n\t\t\tid: result.id,\n\t\t\tuserId: result.userId,\n\t\t\tscopes: result.scopes,\n\t\t}\n\n\t\tnext()\n\t}\n}\n\nexport const requireScope = (scope: string) => {\n\treturn (req: Request, res: Response, next: NextFunction): void => {\n\t\tif (!req.cliAuth) {\n\t\t\tres.status(401).json({ error: 'Not authenticated' })\n\t\t\treturn\n\t\t}\n\n\t\tif (!req.cliAuth.scopes.includes(scope)) {\n\t\t\tres.status(403).json({ error: `Missing required scope: ${scope}` })\n\t\t\treturn\n\t\t}\n\n\t\tnext()\n\t}\n}\n","import { defineKuckitModule, asFunction, type KuckitModuleContext } from '@kuckit/sdk'\nimport { cliAuthTokenTable, cliAuthDeviceCodeTable } from './schema'\nimport { makeCliAuthRepository } from './repository'\nimport {\n\tmakeInitiateDeviceLogin,\n\tmakePollDeviceLogin,\n\tmakeApproveDeviceLogin,\n\tmakeValidateCliToken,\n} from './use-cases'\nimport { cliDeviceRouter } from './router'\n\nexport { makeCliAuthMiddleware, requireScope, type CliAuthContext } from './middleware'\n\nexport type CliAuthModuleConfig = Record<string, never>\n\nexport const kuckitModule = defineKuckitModule<CliAuthModuleConfig>({\n\tid: 'kuckit.cli-auth',\n\tdisplayName: 'CLI Authentication',\n\tdescription: 'Device flow authentication for CLI tools',\n\tversion: '0.1.0',\n\n\tasync register(ctx: KuckitModuleContext<CliAuthModuleConfig>) {\n\t\tconst { container } = ctx\n\n\t\t// Register database schemas\n\t\tctx.registerSchema('cli_auth_token', cliAuthTokenTable)\n\t\tctx.registerSchema('cli_auth_device_code', cliAuthDeviceCodeTable)\n\n\t\t// Register repository\n\t\tcontainer.register({\n\t\t\tcliAuthRepository: asFunction(({ db }) => makeCliAuthRepository(db)).scoped(),\n\t\t})\n\n\t\t// Register use cases\n\t\tcontainer.register({\n\t\t\tinitiateDeviceLogin: asFunction(({ cliAuthRepository, logger }) =>\n\t\t\t\tmakeInitiateDeviceLogin({ cliAuthRepository, logger })\n\t\t\t).scoped(),\n\t\t\tpollDeviceLogin: asFunction(({ cliAuthRepository, userRepository, logger }) =>\n\t\t\t\tmakePollDeviceLogin({ cliAuthRepository, userRepository, logger })\n\t\t\t).scoped(),\n\t\t\tapproveDeviceLogin: asFunction(({ cliAuthRepository, logger }) =>\n\t\t\t\tmakeApproveDeviceLogin({ cliAuthRepository, logger })\n\t\t\t).scoped(),\n\t\t\tvalidateCliToken: asFunction(({ cliAuthRepository }) =>\n\t\t\t\tmakeValidateCliToken({ cliAuthRepository })\n\t\t\t).scoped(),\n\t\t})\n\t},\n\n\tregisterApi(ctx) {\n\t\tctx.addApiRegistration({\n\t\t\ttype: 'rpc-router',\n\t\t\tname: 'cliDevice',\n\t\t\trouter: cliDeviceRouter,\n\t\t})\n\t},\n\n\tasync onBootstrap(ctx: KuckitModuleContext<CliAuthModuleConfig>) {\n\t\tconst { container } = ctx\n\t\tconst logger = container.resolve('logger')\n\t\tlogger.info('CLI Auth module initialized')\n\t},\n\n\tasync onShutdown(ctx: KuckitModuleContext<CliAuthModuleConfig>) {\n\t\tconst { container } = ctx\n\t\tconst logger = container.resolve('logger')\n\t\tlogger.info('CLI Auth module shutting down')\n\t},\n})\n"],"mappings":";;;;;;;;AAGA,MAAa,uBAAuB,OAAO,+BAA+B;CACzE;CACA;CACA;CACA;CACA,CAAC;AAGF,MAAa,oBAAoB,QAChC,kBACA;CACC,IAAI,KAAK,KAAK,CAAC,YAAY;CAC3B,QAAQ,KAAK,UAAU,CAAC,SAAS;CACjC,WAAW,KAAK,aAAa,CAAC,SAAS,CAAC,QAAQ;CAChD,QAAQ,KAAK,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;CACpD,MAAM,KAAK,OAAO;CAClB,WAAW,UAAU,aAAa;CAClC,YAAY,UAAU,eAAe;CACrC,WAAW,UAAU,aAAa;CAClC,WAAW,UAAU,aAAa,CAAC,SAAS,CAAC,YAAY;CACzD,GACA,WAAW,EACX,WAAW,MAAM,6BAA6B,CAAC,GAAG,MAAM,OAAO,EAC/D,EACD;AAGD,MAAa,yBAAyB,QAAQ,wBAAwB;CACrE,IAAI,KAAK,KAAK,CAAC,YAAY;CAC3B,YAAY,KAAK,cAAc,CAAC,SAAS,CAAC,QAAQ;CAClD,UAAU,KAAK,YAAY,CAAC,SAAS,CAAC,QAAQ;CAC9C,QAAQ,KAAK,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;CACpD,QAAQ,qBAAqB,SAAS,CAAC,SAAS,CAAC,QAAQ,UAAU;CACnE,gBAAgB,KAAK,mBAAmB;CACxC,eAAe,KAAK,iBAAiB;CACrC,aAAa,QAAQ,eAAe,CAAC,SAAS,CAAC,QAAQ,EAAE;CACzD,WAAW,UAAU,aAAa,CAAC,SAAS;CAC5C,WAAW,UAAU,aAAa,CAAC,SAAS,CAAC,YAAY;CACzD,CAAC;;;;ACtCF,MAAM,qBAAqB;;;;;AAM3B,SAAgB,mBAA2B;CAC1C,MAAM,QAAQ,YAAY,EAAE;CAC5B,IAAI,OAAO;AACX,MAAK,IAAI,IAAI,GAAG,IAAI,GAAG,KAAK;AAC3B,UAAQ,mBAAmB,MAAM,KAAM;AACvC,MAAI,MAAM,EAAG,SAAQ;;AAEtB,QAAO;;;;;ACaR,MAAa,yBAAyB,QAA2C;CAChF,MAAM,YAAY,MAAM;EACvB,MAAM,WAAW,cAAc,YAAY,GAAG,CAAC,SAAS,YAAY;EACpE,MAAM,YAAY,WAAW,SAAS,CAAC,OAAO,SAAS,CAAC,OAAO,MAAM;EACrE,MAAM,KAAK,OAAO,YAAY;EAE9B,MAAM,CAAC,UAAU,MAAM,GACrB,OAAO,kBAAkB,CACzB,OAAO;GAAE,GAAG;GAAM;GAAI;GAAW,CAAC,CAClC,WAAW;AAEb,SAAO;GAAE,OAAO;GAAkB;GAAS;;CAG5C,MAAM,gBAAgB,MAAM;EAC3B,MAAM,CAAC,SAAS,MAAM,GACpB,QAAQ,CACR,KAAK,kBAAkB,CACvB,MACA,IACC,GAAG,kBAAkB,WAAW,KAAK,EACrC,OAAO,kBAAkB,UAAU,EACnC,GAAG,OAAO,kBAAkB,UAAU,EAAE,GAAG,kBAAkB,2BAAW,IAAI,MAAM,CAAC,CAAC,CACpF,CACD,CACA,MAAM,EAAE;AACV,SAAO,SAAS;;CAGjB,MAAM,oBAAoB,IAAI;AAC7B,QAAM,GACJ,OAAO,kBAAkB,CACzB,IAAI,EAAE,4BAAY,IAAI,MAAM,EAAE,CAAC,CAC/B,MAAM,GAAG,kBAAkB,IAAI,GAAG,CAAC;;CAGtC,MAAM,YAAY,IAAI;AACrB,QAAM,GACJ,OAAO,kBAAkB,CACzB,IAAI,EAAE,2BAAW,IAAI,MAAM,EAAE,CAAC,CAC9B,MAAM,GAAG,kBAAkB,IAAI,GAAG,CAAC;;CAGtC,MAAM,iBAAiB,QAAQ;EAC9B,MAAM,KAAK,OAAO,YAAY;EAC9B,MAAM,aAAa,YAAY,GAAG,CAAC,SAAS,YAAY;EACxD,MAAM,WAAW,kBAAkB;EAEnC,MAAM,CAAC,UAAU,MAAM,GACrB,OAAO,uBAAuB,CAC9B,OAAO;GACP;GACA;GACA;GACA;GACA,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,MAAU,IAAK;GAChD,CAAC,CACD,WAAW;AAEb,SAAO;;CAGR,MAAM,qBAAqB,YAAY;EACtC,MAAM,CAAC,UAAU,MAAM,GACrB,QAAQ,CACR,KAAK,uBAAuB,CAC5B,MAAM,GAAG,uBAAuB,YAAY,WAAW,CAAC,CACxD,MAAM,EAAE;AACV,SAAO,UAAU;;CAGlB,MAAM,yBAAyB,UAAU;EACxC,MAAM,CAAC,UAAU,MAAM,GACrB,QAAQ,CACR,KAAK,uBAAuB,CAC5B,MAAM,GAAG,uBAAuB,UAAU,SAAS,aAAa,CAAC,CAAC,CAClE,MAAM,EAAE;AACV,SAAO,UAAU;;CAGlB,MAAM,kBAAkB,IAAI,QAAQ,UAAU;AAC7C,QAAM,GACJ,OAAO,uBAAuB,CAC9B,IAAI;GAAE,QAAQ;GAAY,gBAAgB;GAAQ,eAAe;GAAU,CAAC,CAC5E,MAAM,GAAG,uBAAuB,IAAI,GAAG,CAAC;;CAG3C,MAAM,mBAAmB,IAAI;AAC5B,QAAM,GACJ,OAAO,uBAAuB,CAC9B,IAAI,EAAE,eAAe,MAAM,CAAC,CAC5B,MAAM,GAAG,uBAAuB,IAAI,GAAG,CAAC;;CAE3C;;;;ACtGD,MAAa,2BAA2B,SAAkC;AACzE,QAAO,OAAO,UAAwE;EACrF,MAAM,EAAE,mBAAmB,WAAW;EAEtC,MAAM,aAAa,MAAM,kBAAkB,iBAAiB,MAAM,OAAO;AAEzE,SAAO,KAAK,0BAA0B,EAAE,UAAU,WAAW,UAAU,CAAC;EAExE,MAAM,SAAS,QAAQ,IAAI,WAAW;AAEtC,SAAO;GACN,YAAY,WAAW;GACvB,UAAU,WAAW;GACrB,iBAAiB,GAAG,OAAO;GAC3B,WAAW;GACX,aAAa,WAAW;GACxB;;;;;;ACXH,MAAa,uBAAuB,SAA8B;AACjE,QAAO,OAAO,UAAgE;EAC7E,MAAM,EAAE,mBAAmB,gBAAgB,WAAW;EAEtD,MAAM,aAAa,MAAM,kBAAkB,qBAAqB,MAAM,WAAW;AAEjF,MAAI,CAAC,YAAY;AAChB,UAAO,KAAK,gCAAgC,EAAE,YAAY,MAAM,WAAW,MAAM,GAAG,EAAE,EAAE,CAAC;AACzF,UAAO,EAAE,QAAQ,WAAW;;AAI7B,MAAI,WAAW,WAAW,aAAa,WAAW,4BAAY,IAAI,MAAM,CACvE,QAAO,EAAE,QAAQ,WAAW;AAG7B,UAAQ,WAAW,QAAnB;GACC,KAAK,UACJ,QAAO,EAAE,QAAQ,WAAW;GAE7B,KAAK,YAAY;AAChB,QAAI,CAAC,WAAW,cAEf,QAAO,EAAE,QAAQ,WAAW;IAI7B,MAAM,OAAO,WAAW,iBACrB,MAAM,eAAe,SAAS,WAAW,eAAe,GACxD;IAKH,MAAMA,SAAgC;KACrC,QAAQ;KACR,OAAO,WAAW;KAClB,WALiB,OAAU,KAAK;KAMhC,QAAQ,WAAW;KACnB,aAAa,MAAM,cAAc,CAAC,GAAG,KAAK,YAAY,GAAG,EAAE;KAC3D;AAGD,UAAM,kBAAkB,mBAAmB,WAAW,GAAG;AAEzD,WAAO,KAAK,gCAAgC,EAAE,cAAc,WAAW,IAAI,CAAC;AAE5E,WAAO;;GAGR,KAAK,SACJ,QAAO,EAAE,QAAQ,UAAU;GAE5B,KAAK,UACJ,QAAO,EAAE,QAAQ,WAAW;GAE7B,QACC,QAAO,EAAE,QAAQ,WAAW;;;;;;;AChEhC,MAAa,0BAA0B,SAAiC;AACvE,QAAO,OAAO,UAAsE;EACnF,MAAM,EAAE,mBAAmB,WAAW;EAEtC,MAAM,aAAa,MAAM,kBAAkB,yBAAyB,MAAM,SAAS;AAEnF,MAAI,CAAC,WACJ,QAAO;GAAE,SAAS;GAAO,SAAS;GAAgB;AAGnD,MAAI,WAAW,WAAW,UACzB,QAAO;GAAE,SAAS;GAAO,SAAS;GAAgC;AAGnE,MAAI,WAAW,4BAAY,IAAI,MAAM,CACpC,QAAO;GAAE,SAAS;GAAO,SAAS;GAAgB;EAInD,MAAM,EAAE,UAAU,MAAM,kBAAkB,YAAY;GACrD,QAAQ,MAAM;GACd,QAAQ,WAAW;GACnB,MAAM,gCAAe,IAAI,MAAM,EAAC,aAAa;GAC7C,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,OAAU,KAAK,KAAK,IAAK;GAC1D,CAAC;AAGF,QAAM,kBAAkB,kBAAkB,WAAW,IAAI,MAAM,QAAQ,MAAM;AAE7E,SAAO,KAAK,yBAAyB;GAAE,QAAQ,MAAM;GAAQ,UAAU,MAAM;GAAU,CAAC;AAExF,SAAO;GAAE,SAAS;GAAM,SAAS;GAAkB;;;;;;ACpCrD,MAAa,wBAAwB,SAA+B;AACnE,QAAO,OAAO,aAA6D;EAC1E,MAAM,EAAE,sBAAsB;EAG9B,MAAM,YAAY,WAAW,SAAS,CAAC,OAAO,SAAS,CAAC,OAAO,MAAM;EAGrE,MAAM,QAAQ,MAAM,kBAAkB,gBAAgB,UAAU;AAEhE,MAAI,CAAC,MACJ,QAAO;AAIR,QAAM,kBAAkB,oBAAoB,MAAM,GAAG;AAErD,SAAO;GACN,IAAI,MAAM;GACV,QAAQ,MAAM;GACd,QAAQ,MAAM;GACd;;;;;;ACtBH,MAAM,sBAAsB,EAAE,OAAO,EACpC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,EAC3B,CAAC;AAEF,MAAM,uBAAuB,EAAE,OAAO;CACrC,YAAY,EAAE,QAAQ;CACtB,UAAU,EAAE,QAAQ;CACpB,iBAAiB,EAAE,QAAQ;CAC3B,WAAW,EAAE,QAAQ;CACrB,aAAa,EAAE,QAAQ;CACvB,CAAC;AAEF,MAAM,kBAAkB,EAAE,OAAO,EAChC,YAAY,EAAE,QAAQ,EACtB,CAAC;AAEF,MAAM,mBAAmB,EAAE,mBAAmB,UAAU;CACvD,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,UAAU,EAAE,CAAC;CAC1C,EAAE,OAAO;EACR,QAAQ,EAAE,QAAQ,WAAW;EAC7B,OAAO,EAAE,QAAQ;EACjB,WAAW,EAAE,QAAQ;EACrB,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;EAC3B,aAAa,EAAE,MAAM,EAAE,QAAQ,CAAC;EAChC,CAAC;CACF,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,SAAS,EAAE,CAAC;CACzC,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,UAAU,EAAE,CAAC;CAC1C,CAAC;AAEF,MAAM,qBAAqB,EAAE,OAAO,EACnC,UAAU,EAAE,QAAQ,EACpB,CAAC;AAEF,MAAM,sBAAsB,EAAE,OAAO;CACpC,SAAS,EAAE,SAAS;CACpB,SAAS,EAAE,QAAQ;CACnB,CAAC;AAQF,MAAa,kBAAkB;CAC9B,UAAU,gBACR,MAAM,oBAAoB,CAC1B,OAAO,qBAAqB,CAC5B,QAAQ,OAAO,EAAE,OAAO,cAAkD;EAC1E,MAAM,EAAE,wBAAwB,QAAQ,GAAG;AAC3C,SAAO,oBAAoB,MAAM;GAChC;CAEH,MAAM,gBACJ,MAAM,gBAAgB,CACtB,OAAO,iBAAiB,CACxB,QAAQ,OAAO,EAAE,OAAO,cAA8C;EACtE,MAAM,EAAE,oBAAoB,QAAQ,GAAG;AACvC,SAAO,gBAAgB,MAAM;GAC5B;CAEH,SAAS,mBACP,MAAM,mBAAmB,CACzB,OAAO,oBAAoB,CAC3B,QAAQ,OAAO,EAAE,OAAO,cAAiD;EACzE,MAAM,EAAE,uBAAuB,QAAQ,GAAG;EAC1C,MAAM,SAAS,QAAQ,QAAQ,KAAK;AACpC,SAAO,mBAAmB;GAAE,UAAU,MAAM;GAAU;GAAQ,CAAC;GAC9D;CACH;;;;ACzDD,MAAa,yBAAyB,SAAgC;AACrE,QAAO,OAAO,KAAc,KAAe,SAAsC;EAChF,MAAM,aAAa,IAAI,QAAQ;AAE/B,MAAI,CAAC,cAAc,CAAC,WAAW,WAAW,UAAU,EAAE;AACrD,OAAI,OAAO,IAAI,CAAC,KAAK,EAAE,OAAO,2CAA2C,CAAC;AAC1E;;EAGD,MAAM,QAAQ,WAAW,MAAM,EAAE;EAEjC,MAAM,SAAS,MAAM,KAAK,iBAAiB,MAAM;AAEjD,MAAI,CAAC,QAAQ;AACZ,OAAI,OAAO,IAAI,CAAC,KAAK,EAAE,OAAO,4BAA4B,CAAC;AAC3D;;AAGD,MAAI,UAAU;GACb,IAAI,OAAO;GACX,QAAQ,OAAO;GACf,QAAQ,OAAO;GACf;AAED,QAAM;;;AAIR,MAAa,gBAAgB,UAAkB;AAC9C,SAAQ,KAAc,KAAe,SAA6B;AACjE,MAAI,CAAC,IAAI,SAAS;AACjB,OAAI,OAAO,IAAI,CAAC,KAAK,EAAE,OAAO,qBAAqB,CAAC;AACpD;;AAGD,MAAI,CAAC,IAAI,QAAQ,OAAO,SAAS,MAAM,EAAE;AACxC,OAAI,OAAO,IAAI,CAAC,KAAK,EAAE,OAAO,2BAA2B,SAAS,CAAC;AACnE;;AAGD,QAAM;;;;;;ACjDR,MAAa,eAAe,mBAAwC;CACnE,IAAI;CACJ,aAAa;CACb,aAAa;CACb,SAAS;CAET,MAAM,SAAS,KAA+C;EAC7D,MAAM,EAAE,cAAc;AAGtB,MAAI,eAAe,kBAAkB,kBAAkB;AACvD,MAAI,eAAe,wBAAwB,uBAAuB;AAGlE,YAAU,SAAS,EAClB,mBAAmB,YAAY,EAAE,SAAS,sBAAsB,GAAG,CAAC,CAAC,QAAQ,EAC7E,CAAC;AAGF,YAAU,SAAS;GAClB,qBAAqB,YAAY,EAAE,mBAAmB,aACrD,wBAAwB;IAAE;IAAmB;IAAQ,CAAC,CACtD,CAAC,QAAQ;GACV,iBAAiB,YAAY,EAAE,mBAAmB,gBAAgB,aACjE,oBAAoB;IAAE;IAAmB;IAAgB;IAAQ,CAAC,CAClE,CAAC,QAAQ;GACV,oBAAoB,YAAY,EAAE,mBAAmB,aACpD,uBAAuB;IAAE;IAAmB;IAAQ,CAAC,CACrD,CAAC,QAAQ;GACV,kBAAkB,YAAY,EAAE,wBAC/B,qBAAqB,EAAE,mBAAmB,CAAC,CAC3C,CAAC,QAAQ;GACV,CAAC;;CAGH,YAAY,KAAK;AAChB,MAAI,mBAAmB;GACtB,MAAM;GACN,MAAM;GACN,QAAQ;GACR,CAAC;;CAGH,MAAM,YAAY,KAA+C;EAChE,MAAM,EAAE,cAAc;AAEtB,EADe,UAAU,QAAQ,SAAS,CACnC,KAAK,8BAA8B;;CAG3C,MAAM,WAAW,KAA+C;EAC/D,MAAM,EAAE,cAAc;AAEtB,EADe,UAAU,QAAQ,SAAS,CACnC,KAAK,gCAAgC;;CAE7C,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,61 @@
+{
+	"name": "@kuckit/cli-auth-module",
+	"version": "1.0.0",
+	"description": "Device flow authentication module for Kuckit CLI tools",
+	"type": "module",
+	"main": "src/server/module.ts",
+	"types": "src/server/module.ts",
+	"files": [
+		"dist"
+	],
+	"exports": {
+		".": {
+			"types": "./src/server/module.ts",
+			"default": "./src/server/module.ts"
+		},
+		"./client": {
+			"types": "./src/client/index.ts",
+			"default": "./src/client/index.ts"
+		}
+	},
+	"publishConfig": {
+		"main": "dist/server/module.js",
+		"types": "dist/server/module.d.ts",
+		"exports": {
+			".": {
+				"types": "./dist/server/module.d.ts",
+				"default": "./dist/server/module.js"
+			},
+			"./client": {
+				"types": "./dist/client/index.d.ts",
+				"default": "./dist/client/index.js"
+			}
+		}
+	},
+	"kuckit": {
+		"id": "kuckit.cli-auth",
+		"server": ".",
+		"client": "./client"
+	},
+	"scripts": {
+		"build": "tsdown"
+	},
+	"peerDependencies": {
+		"@kuckit/sdk": "workspace:*",
+		"@kuckit/sdk-react": "workspace:*",
+		"react": "^18 || ^19",
+		"typescript": "^5",
+		"express": "^4 || ^5"
+	},
+	"dependencies": {
+		"@kuckit/api": "workspace:*",
+		"@kuckit/domain": "workspace:*",
+		"drizzle-orm": "^0.44.2",
+		"zod": "catalog:"
+	},
+	"devDependencies": {
+		"@types/react": "^19.0.0",
+		"@types/express": "catalog:",
+		"tsdown": "catalog:"
+	}
+}

package/src/server/module.ts ADDED Viewed

@@ -0,0 +1,70 @@
+import { defineKuckitModule, asFunction, type KuckitModuleContext } from '@kuckit/sdk'
+import { cliAuthTokenTable, cliAuthDeviceCodeTable } from './schema'
+import { makeCliAuthRepository } from './repository'
+import {
+	makeInitiateDeviceLogin,
+	makePollDeviceLogin,
+	makeApproveDeviceLogin,
+	makeValidateCliToken,
+} from './use-cases'
+import { cliDeviceRouter } from './router'
+export { makeCliAuthMiddleware, requireScope, type CliAuthContext } from './middleware'
+export type CliAuthModuleConfig = Record<string, never>
+export const kuckitModule = defineKuckitModule<CliAuthModuleConfig>({
+	id: 'kuckit.cli-auth',
+	displayName: 'CLI Authentication',
+	description: 'Device flow authentication for CLI tools',
+	version: '0.1.0',
+	async register(ctx: KuckitModuleContext<CliAuthModuleConfig>) {
+		const { container } = ctx
+		// Register database schemas
+		ctx.registerSchema('cli_auth_token', cliAuthTokenTable)
+		ctx.registerSchema('cli_auth_device_code', cliAuthDeviceCodeTable)
+		// Register repository
+		container.register({
+			cliAuthRepository: asFunction(({ db }) => makeCliAuthRepository(db)).scoped(),
+		})
+		// Register use cases
+		container.register({
+			initiateDeviceLogin: asFunction(({ cliAuthRepository, logger }) =>
+				makeInitiateDeviceLogin({ cliAuthRepository, logger })
+			).scoped(),
+			pollDeviceLogin: asFunction(({ cliAuthRepository, userRepository, logger }) =>
+				makePollDeviceLogin({ cliAuthRepository, userRepository, logger })
+			).scoped(),
+			approveDeviceLogin: asFunction(({ cliAuthRepository, logger }) =>
+				makeApproveDeviceLogin({ cliAuthRepository, logger })
+			).scoped(),
+			validateCliToken: asFunction(({ cliAuthRepository }) =>
+				makeValidateCliToken({ cliAuthRepository })
+			).scoped(),
+		})
+	},
+	registerApi(ctx) {
+		ctx.addApiRegistration({
+			type: 'rpc-router',
+			name: 'cliDevice',
+			router: cliDeviceRouter,
+		})
+	},
+	async onBootstrap(ctx: KuckitModuleContext<CliAuthModuleConfig>) {
+		const { container } = ctx
+		const logger = container.resolve('logger')
+		logger.info('CLI Auth module initialized')
+	},
+	async onShutdown(ctx: KuckitModuleContext<CliAuthModuleConfig>) {
+		const { container } = ctx
+		const logger = container.resolve('logger')
+		logger.info('CLI Auth module shutting down')
+	},
+})