@kweaver-ai/kweaver-sdk 0.4.5 → 0.4.6

package/dist/auth/oauth.d.ts

@@ -1,5 +1,21 @@
 import { type TokenConfig } from "../config/store.js";
 export declare function normalizeBaseUrl(value: string): string;
+/**
+ * OAuth2 Authorization Code login flow.
+ * 1. Register client (if not already registered)
+ * 2. Open browser to /oauth2/auth
+ * 3. Receive authorization code via local HTTP callback
+ * 4. Exchange code for access_token + refresh_token
+ * 5. Save token.json + client.json to ~/.kweaver/
+ */
+export declare function oauth2Login(baseUrl: string, options?: {
+    port?: number;
+    scope?: string;
+}): Promise<TokenConfig>;
+/**
+ * Playwright cookie login (legacy fallback).
+ * Does NOT produce a refresh_token — token expires in 1 hour with no auto-refresh.
+ */
 export declare function playwrightLogin(baseUrl: string, options?: {
     username?: string;
     password?: string;

package/dist/auth/oauth.js

@@ -1,11 +1,169 @@
-import { getCurrentPlatform, loadClientConfig, loadTokenConfig, saveTokenConfig, setCurrentPlatform, } from "../config/store.js";
+import { getCurrentPlatform, loadClientConfig, loadTokenConfig, saveClientConfig, saveTokenConfig, setCurrentPlatform, } from "../config/store.js";
 import { HttpError, NetworkRequestError } from "../utils/http.js";
 const TOKEN_TTL_SECONDS = 3600;
 /** Seconds before access token expiry to trigger refresh (matches Python ConfigAuth). */
 const REFRESH_THRESHOLD_SEC = 60;
+const DEFAULT_REDIRECT_PORT = 9010;
+const DEFAULT_SCOPE = "openid offline all";
 export function normalizeBaseUrl(value) {
     return value.replace(/\/+$/, "");
 }
+/**
+ * OAuth2 Authorization Code login flow.
+ * 1. Register client (if not already registered)
+ * 2. Open browser to /oauth2/auth
+ * 3. Receive authorization code via local HTTP callback
+ * 4. Exchange code for access_token + refresh_token
+ * 5. Save token.json + client.json to ~/.kweaver/
+ */
+export async function oauth2Login(baseUrl, options) {
+    const { createServer } = await import("node:http");
+    const { randomBytes } = await import("node:crypto");
+    const base = normalizeBaseUrl(baseUrl);
+    const port = options?.port ?? DEFAULT_REDIRECT_PORT;
+    const scope = options?.scope ?? DEFAULT_SCOPE;
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+    // Step 1: Ensure registered client
+    let client = loadClientConfig(base);
+    if (!client?.clientId) {
+        client = await registerOAuth2Client(base, redirectUri, scope);
+        saveClientConfig(base, client);
+    }
+    // Step 2: Generate CSRF state
+    const state = randomBytes(12).toString("hex");
+    // Step 3: Build authorization URL
+    const authParams = new URLSearchParams({
+        redirect_uri: redirectUri,
+        "x-forwarded-prefix": "",
+        client_id: client.clientId,
+        scope,
+        response_type: "code",
+        state,
+        lang: "zh-cn",
+        product: "adp",
+    });
+    const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
+    // Step 4: Start local callback server, wait for code
+    const code = await new Promise((resolve, reject) => {
+        const timeoutId = setTimeout(() => {
+            server.close();
+            reject(new Error("OAuth2 login timed out (120s). No authorization code received."));
+        }, 120_000);
+        const server = createServer((req, res) => {
+            const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+            if (url.pathname === "/callback") {
+                const receivedState = url.searchParams.get("state");
+                const receivedCode = url.searchParams.get("code");
+                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
+                clearTimeout(timeoutId);
+                server.close();
+                if (receivedState !== state) {
+                    reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
+                }
+                else if (!receivedCode) {
+                    reject(new Error("No authorization code received in callback."));
+                }
+                else {
+                    resolve(receivedCode);
+                }
+            }
+            else {
+                res.writeHead(404);
+                res.end();
+            }
+        });
+        server.listen(port, "127.0.0.1", () => {
+            // Step 5: Open browser
+            import("node:child_process").then(({ exec }) => {
+                const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+                exec(`${cmd} "${authUrl}"`);
+            });
+        });
+    });
+    // Step 6: Exchange code for tokens
+    const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri);
+    setCurrentPlatform(base);
+    return token;
+}
+async function registerOAuth2Client(baseUrl, redirectUri, scope) {
+    const logoutUri = redirectUri.replace("/callback", "/successful-logout");
+    const response = await fetch(`${baseUrl}/oauth2/clients`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Accept: "application/json" },
+        body: JSON.stringify({
+            client_name: "kweaver-sdk",
+            grant_types: ["authorization_code", "implicit", "refresh_token"],
+            response_types: ["token id_token", "code", "token"],
+            scope: "openid offline all",
+            redirect_uris: [redirectUri],
+            post_logout_redirect_uris: [logoutUri],
+            metadata: {
+                device: {
+                    name: "kweaver-sdk",
+                    client_type: "web",
+                    description: "KWeaver TypeScript SDK",
+                },
+            },
+        }),
+    });
+    const text = await response.text();
+    if (!response.ok) {
+        throw new HttpError(response.status, response.statusText, text);
+    }
+    const data = JSON.parse(text);
+    return {
+        baseUrl,
+        clientId: data.client_id,
+        clientSecret: data.client_secret,
+        redirectUri,
+        logoutRedirectUri: logoutUri,
+        scope,
+        lang: "zh-cn",
+        product: "adp",
+        xForwardedPrefix: "",
+    };
+}
+async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redirectUri) {
+    const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+    const response = await fetch(`${baseUrl}/oauth2/token`, {
+        method: "POST",
+        headers: {
+            Authorization: `Basic ${credentials}`,
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+        },
+        body: new URLSearchParams({
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri,
+        }).toString(),
+    });
+    const text = await response.text();
+    if (!response.ok) {
+        throw new HttpError(response.status, response.statusText, text);
+    }
+    const data = JSON.parse(text);
+    const now = new Date();
+    const expiresIn = typeof data.expires_in === "number" ? data.expires_in : 3600;
+    const token = {
+        baseUrl,
+        accessToken: data.access_token,
+        tokenType: data.token_type ?? "Bearer",
+        scope: data.scope ?? "",
+        expiresIn,
+        expiresAt: new Date(now.getTime() + expiresIn * 1000).toISOString(),
+        refreshToken: data.refresh_token ?? "",
+        idToken: data.id_token ?? "",
+        obtainedAt: now.toISOString(),
+    };
+    saveTokenConfig(token);
+    return token;
+}
+/**
+ * Playwright cookie login (legacy fallback).
+ * Does NOT produce a refresh_token — token expires in 1 hour with no auto-refresh.
+ */
 export async function playwrightLogin(baseUrl, options) {
     let chromium;
     try {

package/dist/commands/auth.js

@@ -1,5 +1,5 @@
 import { clearPlatformSession, deletePlatform, getConfigDir, getCurrentPlatform, getPlatformAlias, hasPlatform, listPlatforms, loadTokenConfig, resolvePlatformIdentifier, setCurrentPlatform, setPlatformAlias, } from "../config/store.js";
-import { formatHttpError, normalizeBaseUrl, playwrightLogin, } from "../auth/oauth.js";
+import { formatHttpError, normalizeBaseUrl, oauth2Login, playwrightLogin, } from "../auth/oauth.js";
 export async function runAuthCommand(args) {
     const target = args[0];
     const rest = args.slice(1);
@@ -27,13 +27,23 @@ kweaver auth delete <url>    Delete saved credentials`);
             const alias = readOption(args, "--alias");
             const username = readOption(args, "--username") ?? readOption(args, "-u");
             const password = readOption(args, "--password") ?? readOption(args, "-p");
+            const usePlaywright = args.includes("--playwright");
+            let token;
             if (username && password) {
+                // Headless Playwright login with credentials
                 console.log("Logging in (headless)...");
+                token = await playwrightLogin(normalizedTarget, { username, password });
+            }
+            else if (usePlaywright) {
+                // Explicit Playwright fallback
+                console.log("Opening browser for login (Playwright)...");
+                token = await playwrightLogin(normalizedTarget);
             }
             else {
-                console.log("Opening browser for login...");
+                // Default: OAuth2 authorization code flow (supports refresh_token)
+                console.log("Opening browser for OAuth2 login...");
+                token = await oauth2Login(normalizedTarget);
             }
-            const token = await playwrightLogin(normalizedTarget, username && password ? { username, password } : undefined);
             if (alias) {
                 setPlatformAlias(normalizedTarget, alias);
             }
@@ -49,6 +59,12 @@ kweaver auth delete <url>    Delete saved credentials`);
             }
             console.log(`Current platform: ${normalizedTarget}`);
             console.log(`Access token saved: yes`);
+            if (token.refreshToken) {
+                console.log(`Refresh token: yes (auto-refresh enabled)`);
+            }
+            else {
+                console.log(`Refresh token: no (token will expire in 1 hour)`);
+            }
             if (token.expiresAt) {
                 console.log(`Token expires at: ${token.expiresAt}`);
             }
@@ -79,6 +95,7 @@ kweaver auth delete <url>    Delete saved credentials`);
             `Current platform: ${token.baseUrl === currentPlatform ? "yes" : "no"}`,
             `Token present: yes`,
         ];
+        lines.push(`Refresh token: ${token.refreshToken ? "yes (auto-refresh enabled)" : "no"}`);
         if (token.expiresAt) {
             const expiry = new Date(token.expiresAt);
             const remainingMs = expiry.getTime() - Date.now();
@@ -86,6 +103,9 @@ kweaver auth delete <url>    Delete saved credentials`);
                 const remainingMin = Math.ceil(remainingMs / 60_000);
                 lines.push(`Token status: active (expires in ${remainingMin} min)`);
             }
+            else if (token.refreshToken) {
+                lines.push(`Token status: expired (will auto-refresh on next command)`);
+            }
             else {
                 lines.push(`Token status: expired (run \`kweaver auth login ${token.baseUrl}\` again)`);
             }

package/dist/commands/bkn.js

@@ -528,7 +528,7 @@ export function parseKnObjectTypeQueryArgs(args) {
         body.search_after = searchAfter;
     }
     if (typeof body.limit !== "number" || !Number.isFinite(body.limit) || body.limit < 1) {
-        throw new Error("Missing limit. Provide it in body JSON or via --limit <n>.");
+        body.limit = 30;
     }
     if (!businessDomain)
         businessDomain = resolveBusinessDomain();
@@ -916,7 +916,8 @@ kweaver bkn object-type properties <kn-id> <ot-id> '<json>' [--pretty] [-bd valu
 list: List object types (schema) from ontology-manager.
 get: Get single object type details.
 create/update/delete: Schema CRUD (create requires dataview-id).
-query/properties: Query via ontology-query API. For query, --limit and --search-after are merged into the JSON body.
+query: Query via ontology-query API. Default limit is 30 if not specified. Use --search-after for pagination.
+properties: Query instance properties by primary key.
 
 properties JSON format: {"_instance_identities":[{"<primary-key>":"<value>"}],"properties":["prop1","prop2"]}`);
         return 0;
@@ -1016,6 +1017,10 @@ properties JSON format: {"_instance_identities":[{"<primary-key>":"<value>"}],"p
                 body: options.body,
                 businessDomain: options.businessDomain,
             });
+            const OUTPUT_WARN_BYTES = 100_000;
+            if (result.length > OUTPUT_WARN_BYTES) {
+                console.error(`[warn] Response is ${(result.length / 1024).toFixed(0)}KB. Use a smaller --limit or --search-after to paginate.`);
+            }
             console.log(formatCallOutput(result, options.pretty));
             return 0;
         }
@@ -1343,6 +1348,9 @@ Query subgraph via ontology-query API. JSON body format see references/json-form
             businessDomain,
             queryType,
         });
+        if (result.length > 100_000) {
+            console.error(`[warn] Response is ${(result.length / 1024).toFixed(0)}KB. Consider narrowing the subgraph query.`);
+        }
         console.log(formatCallOutput(result, pretty));
         return 0;
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kweaver-ai/kweaver-sdk",
-  "version": "0.4.5",
+  "version": "0.4.6",
   "description": "KWeaver TypeScript SDK — CLI tool and programmatic API for knowledge networks and Decision Agents.",
   "type": "module",
   "main": "./dist/index.js",