@linkedclaw/cli 0.1.7 → 0.2.0

package/dist/bin.js

@@ -6357,19 +6357,409 @@ function registerArenaCommands(program2) {
   });
 }
 
+// src/auth/decide.ts
+import { existsSync as existsSync2 } from "fs";
+import { hostname, platform } from "os";
+function detectLabel(packageVersion) {
+  const host = hostname();
+  return truncate(
+    `linkedclaw-cli/${packageVersion} on ${platform()} (host: ${host})`,
+    120
+  );
+}
+function truncate(s, n) {
+  return s.length <= n ? s : s.slice(0, n - 1) + "\u2026";
+}
+function isHeadless(env = process.env) {
+  if (env.SSH_CLIENT || env.SSH_TTY) return true;
+  if (env.CODESPACES === "true") return true;
+  if (env.LINKEDCLAW_FORCE_DEVICE_FLOW === "1") return true;
+  if (existsSync2("/.dockerenv") || existsSync2("/run/.containerenv")) return true;
+  if (platform() === "linux") {
+    if (!env.DISPLAY && !env.WAYLAND_DISPLAY) return true;
+  }
+  return false;
+}
+
+// src/auth/loopback.ts
+import { createServer } from "http";
+
+// src/auth/pkce.ts
+import { createHash as createHash2, randomBytes } from "crypto";
+function generateVerifier() {
+  return randomBytes(64).toString("base64url");
+}
+function deriveChallenge(verifier) {
+  return createHash2("sha256").update(verifier).digest("base64url");
+}
+function generateState() {
+  return randomBytes(16).toString("base64url");
+}
+
+// src/auth/loopback.ts
+var LoopbackError = class extends Error {
+  constructor(message, recoverable) {
+    super(message);
+    this.recoverable = recoverable;
+    this.name = "LoopbackError";
+  }
+  recoverable;
+};
+var SUCCESS_HTML = `<!doctype html>
+<html><head><meta charset="utf-8"><title>LinkedClaw \u2014 Authorized</title></head>
+<body style="font-family:system-ui,sans-serif;text-align:center;padding:48px">
+<h2>\u2705 Authorized</h2>
+<p>You can close this tab and return to your terminal.</p>
+</body></html>`;
+var ERROR_HTML = (msg) => `<!doctype html>
+<html><head><meta charset="utf-8"><title>LinkedClaw \u2014 Error</title></head>
+<body style="font-family:system-ui,sans-serif;text-align:center;padding:48px">
+<h2>\u274C Authorization failed</h2>
+<p>${msg}</p>
+<p>Return to your terminal \u2014 the CLI will retry or fall back automatically.</p>
+</body></html>`;
+async function runLoopback(opts) {
+  const verifier = generateVerifier();
+  const challenge = deriveChallenge(verifier);
+  const state = generateState();
+  const server = createServer();
+  await new Promise((resolve3, reject) => {
+    server.once("error", reject);
+    server.listen(0, "127.0.0.1", () => {
+      server.removeListener("error", reject);
+      resolve3();
+    });
+  });
+  const port = server.address().port;
+  const redirectUri = `http://127.0.0.1:${port}/cb`;
+  let initResp;
+  try {
+    initResp = await initiate(opts.cloudUrl, {
+      client_label: opts.clientLabel,
+      requested_scope: opts.requestedScope,
+      redirect_uri: redirectUri,
+      code_challenge: challenge,
+      code_challenge_method: "S256",
+      state
+    });
+  } catch (err) {
+    server.close();
+    throw new LoopbackError(
+      `Failed to start authorization: ${err.message}`,
+      // network failure shouldn't fall through to device flow — it'll fail there too.
+      false
+    );
+  }
+  try {
+    await opts.openBrowser(initResp.authorize_url);
+  } catch {
+    server.close();
+    throw new LoopbackError(
+      "Could not open browser; switching to device flow.",
+      true
+    );
+  }
+  if (opts.onUserPrompt) opts.onUserPrompt(initResp.authorize_url);
+  const timeoutMs = opts.timeoutMs ?? 6e4;
+  const callbackParams = await waitForCallback(server, timeoutMs).catch((err) => {
+    server.close();
+    throw err;
+  });
+  server.close();
+  if (callbackParams.error) {
+    throw new LoopbackError(`Authorization denied: ${callbackParams.error}`, false);
+  }
+  if (!callbackParams.code) {
+    throw new LoopbackError("Authorization callback missing code.", true);
+  }
+  if (callbackParams.state !== state) {
+    throw new LoopbackError("Authorization callback state mismatch.", false);
+  }
+  const tokenResp = await exchangeToken(opts.cloudUrl, {
+    grant_type: "authorization_code",
+    code: callbackParams.code,
+    code_verifier: verifier
+  });
+  return {
+    apiKey: tokenResp.api_key,
+    userId: tokenResp.user_id,
+    handle: tokenResp.handle ?? null,
+    scope: tokenResp.scope,
+    keyId: tokenResp.key_id
+  };
+}
+function waitForCallback(server, timeoutMs) {
+  return new Promise((resolve3, reject) => {
+    const timer = setTimeout(() => {
+      reject(new LoopbackError("Browser callback timed out.", true));
+    }, timeoutMs);
+    server.on("request", (req, res) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1`);
+      if (url.pathname !== "/cb") {
+        res.statusCode = 404;
+        res.end();
+        return;
+      }
+      const params = {
+        code: url.searchParams.get("code") ?? void 0,
+        state: url.searchParams.get("state") ?? void 0,
+        error: url.searchParams.get("error") ?? void 0
+      };
+      const html = params.error ? ERROR_HTML(params.error) : params.code ? SUCCESS_HTML : ERROR_HTML("Missing code parameter");
+      res.statusCode = params.code ? 200 : 400;
+      res.setHeader("Content-Type", "text/html; charset=utf-8");
+      res.end(html);
+      clearTimeout(timer);
+      resolve3(params);
+    });
+  });
+}
+async function initiate(cloudUrl, body) {
+  const resp = await fetch(`${cloudUrl}/api/v1/auth/oauth/initiate`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (resp.status !== 201) {
+    const detail = await safeDetail(resp);
+    throw new Error(`/auth/oauth/initiate ${resp.status}: ${detail}`);
+  }
+  return await resp.json();
+}
+async function exchangeToken(cloudUrl, body) {
+  const resp = await fetch(`${cloudUrl}/api/v1/auth/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (resp.status !== 200) {
+    const detail = await safeDetail(resp);
+    throw new LoopbackError(`Token exchange failed: ${detail}`, false);
+  }
+  return await resp.json();
+}
+async function safeDetail(resp) {
+  try {
+    const j = await resp.json();
+    return j.detail ?? `${resp.status}`;
+  } catch {
+    return `${resp.status}`;
+  }
+}
+
+// src/auth/device.ts
+import { setTimeout as sleep } from "timers/promises";
+var DeviceFlowError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "DeviceFlowError";
+  }
+  code;
+};
+async function runDeviceFlow(opts) {
+  const init = await issueDeviceCode(opts.cloudUrl, {
+    client_label: opts.clientLabel,
+    requested_scope: opts.requestedScope
+  });
+  if (opts.openBrowser) {
+    try {
+      await opts.openBrowser(init.verification_uri_complete);
+    } catch {
+    }
+  }
+  opts.onUserPrompt(init);
+  const deadline = Date.now() + init.expires_in * 1e3;
+  let interval = init.interval;
+  while (Date.now() < deadline) {
+    const before = Date.now();
+    const result = await pollOnce(
+      opts.cloudUrl,
+      init.device_code,
+      opts.pollOverride
+    );
+    if (result.kind === "approved") {
+      return {
+        apiKey: result.api_key,
+        userId: result.user_id,
+        handle: result.handle ?? null,
+        scope: result.scope,
+        keyId: result.key_id
+      };
+    }
+    if (result.kind === "slow_down") {
+      interval = Math.min(interval * 2, 30);
+    }
+    const elapsed = Date.now() - before;
+    const wait = Math.max(0, interval * 1e3 - elapsed);
+    await sleep(wait);
+  }
+  throw new DeviceFlowError(
+    "Login window expired. Run `linkedclaw login` to retry.",
+    "expired_token"
+  );
+}
+async function pollOnce(cloudUrl, deviceCode, override) {
+  const raw = override ? await override(deviceCode) : await rawPoll(cloudUrl, deviceCode);
+  return interpretPoll(raw);
+}
+async function rawPoll(cloudUrl, deviceCode) {
+  const resp = await fetch(`${cloudUrl}/api/v1/auth/device/poll`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ device_code: deviceCode })
+  });
+  if (resp.status === 400) {
+    let detail = "invalid_grant";
+    try {
+      const j = await resp.json();
+      if (j.detail) detail = j.detail;
+    } catch {
+    }
+    if (detail === "slow_down") return { __slow: true };
+    throw new DeviceFlowError(_humanize(detail), detail);
+  }
+  if (resp.status !== 200) {
+    throw new DeviceFlowError(`Poll failed: HTTP ${resp.status}`, "http_error");
+  }
+  return await resp.json();
+}
+function interpretPoll(raw) {
+  if (raw && typeof raw === "object" && "__slow" in raw) {
+    return { kind: "slow_down" };
+  }
+  const obj = raw ?? {};
+  if (obj.status === "pending") return { kind: "pending" };
+  if (obj.status === "approved") {
+    return {
+      kind: "approved",
+      api_key: String(obj.api_key),
+      user_id: String(obj.user_id),
+      handle: obj.handle ?? null,
+      scope: String(obj.scope),
+      key_id: String(obj.key_id)
+    };
+  }
+  throw new DeviceFlowError(`Unexpected poll status: ${obj.status}`, "protocol_error");
+}
+function _humanize(code) {
+  switch (code) {
+    case "expired_token":
+      return "Login window expired. Run `linkedclaw login` to retry.";
+    case "access_denied":
+      return "Authorization denied by user.";
+    case "invalid_grant":
+      return "Authorization session is no longer valid.";
+    default:
+      return code;
+  }
+}
+async function issueDeviceCode(cloudUrl, body) {
+  const resp = await fetch(`${cloudUrl}/api/v1/auth/device/code`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (resp.status !== 201) {
+    let detail = `${resp.status}`;
+    try {
+      const j = await resp.json();
+      if (j.detail) detail = j.detail;
+    } catch {
+    }
+    throw new DeviceFlowError(`/auth/device/code ${resp.status}: ${detail}`, "init_failed");
+  }
+  return await resp.json();
+}
+
 // src/commands/auth.ts
+var CLI_VERSION = "0.2.0";
 function registerAuthCommands(program2) {
-  program2.command("login").description("Store API key in ~/.linkedclaw/config.yaml").option("--api-key <key>", "API key (otherwise read from stdin)").option("--cloud-url <url>", "Override cloud URL").action(async (opts) => {
+  program2.command("login").description(
+    "Authenticate via browser (loopback PKCE; falls back to device code if headless)."
+  ).option("--api-key <key>", "Skip browser; store key directly").option("--paste", "Skip browser; prompt for key on stdin").option("--device", "Force device flow (skip loopback)").option("--scope <scope>", "Requested scope: full | read | invoke", "full").option("--label <label>", "Client label override (default: auto-detected)").option("--cloud-url <url>", "Override cloud URL").action(async (opts) => {
     await runCommand(async () => {
-      let apiKey = opts.apiKey;
-      if (!apiKey) {
-        apiKey = await readLine("Paste API key: ");
-      }
-      if (!apiKey) throw new Error("empty api key");
       const prev = readFileConfig();
-      const next = { ...prev, apiKey, ...opts.cloudUrl ? { cloudUrl: opts.cloudUrl } : {} };
-      writeFileConfig(next);
-      return { ok: true, path: configPath() };
+      const cloudUrl = opts.cloudUrl ?? prev.cloudUrl ?? process.env.LINKEDCLAW_CLOUD_URL ?? DEFAULT_CLOUD_URL;
+      if (opts.apiKey || opts.paste) {
+        let apiKey = opts.apiKey;
+        if (!apiKey) apiKey = await readLine("Paste API key: ");
+        if (!apiKey) throw new Error("empty api key");
+        writeFileConfig({ ...prev, apiKey, cloudUrl });
+        return { ok: true, mode: "paste", path: configPath() };
+      }
+      const clientLabel = opts.label ?? detectLabel(CLI_VERSION);
+      const requestedScope = opts.scope ?? "full";
+      const openBrowser = async (url) => {
+        const open = (await import("open")).default;
+        await open(url);
+      };
+      const forceDevice = Boolean(opts.device) || isHeadless();
+      if (!forceDevice) {
+        try {
+          const result2 = await runLoopback({
+            cloudUrl,
+            clientLabel,
+            requestedScope,
+            openBrowser,
+            onUserPrompt: (url) => {
+              process.stderr.write(
+                `Opened browser to ${url}
+Approve the request to continue.
+`
+              );
+            }
+          });
+          writeFileConfig({ ...prev, apiKey: result2.apiKey, cloudUrl });
+          return {
+            ok: true,
+            mode: "loopback",
+            path: configPath(),
+            user_id: result2.userId,
+            handle: result2.handle,
+            scope: result2.scope,
+            key_id: result2.keyId
+          };
+        } catch (err) {
+          if (err instanceof LoopbackError && err.recoverable) {
+            process.stderr.write(`${err.message}
+`);
+          } else {
+            throw err;
+          }
+        }
+      }
+      const result = await runDeviceFlow({
+        cloudUrl,
+        clientLabel,
+        requestedScope,
+        openBrowser,
+        onUserPrompt: (info) => {
+          process.stderr.write(
+            `
+\u{1F513} LinkedClaw login
+
+Open this URL in your browser:
+  ${info.verification_uri_complete}
+
+Or visit ${info.verification_uri} and enter:
+  ${info.user_code}
+
+Waiting for approval... (${Math.floor(info.expires_in / 60)}m ${info.expires_in % 60}s remaining)
+`
+          );
+        }
+      });
+      writeFileConfig({ ...prev, apiKey: result.apiKey, cloudUrl });
+      return {
+        ok: true,
+        mode: "device",
+        path: configPath(),
+        user_id: result.userId,
+        handle: result.handle,
+        scope: result.scope,
+        key_id: result.keyId
+      };
     });
   });
   program2.command("register").description("Open browser to create a LinkedClaw account, then paste your API key").option("--no-browser", "Print URL instead of attempting to open the browser").option("--cloud-url <url>", "Override cloud URL").action(async (opts) => {
@@ -6439,7 +6829,7 @@ function tryParseJson(v) {
 
 // src/commands/converge.ts
 import { spawnSync } from "child_process";
-import { existsSync as existsSync4, mkdirSync as mkdirSync4, unlinkSync as unlinkSync2 } from "fs";
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, unlinkSync as unlinkSync2 } from "fs";
 import { isAbsolute as isAbsolute2, join as join5, relative, resolve as resolve2 } from "path";
 
 // src/converge/api.ts
@@ -6574,7 +6964,7 @@ function makeConvergeApi(cloudUrl, apiKey) {
 }
 
 // src/converge/hash.ts
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash3 } from "crypto";
 function encodeString(s) {
   let out = '"';
   for (let i = 0; i < s.length; i++) {
@@ -6600,7 +6990,7 @@ function canonicalize(value) {
   return "{" + keys.map((k) => encodeString(k) + ":" + canonicalize(value[k])).join(",") + "}";
 }
 function sha256OfCanonicalJson(value) {
-  const h = createHash2("sha256");
+  const h = createHash3("sha256");
   h.update(canonicalize(value));
   return "sha256:" + h.digest("hex");
 }
@@ -6634,15 +7024,15 @@ function acquireLock(stagingDir) {
 }
 
 // src/converge/staging.ts
-import { createHash as createHash3 } from "crypto";
-import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync2 } from "fs";
+import { createHash as createHash4 } from "crypto";
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync2 } from "fs";
 import { dirname as dirname2, join as join3 } from "path";
 import { load as yamlLoad2, dump as yamlDump2 } from "js-yaml";
 function stagingPathFor(stagingDir, cruxId) {
   return join3(stagingDir, `${cruxId}.md`);
 }
 function listCruxFiles(stagingDir) {
-  if (!existsSync2(stagingDir)) return [];
+  if (!existsSync3(stagingDir)) return [];
   return readdirSync(stagingDir).filter(
     (f) => f.endsWith(".md") && !f.startsWith(".")
   );
@@ -6685,17 +7075,17 @@ function writeStaging(path2, doc) {
   writeFileSync2(path2, dumpStaging(doc), "utf8");
 }
 function computePaBodyHash(body) {
-  return "sha256:" + createHash3("sha256").update(Buffer.from(body, "utf8")).digest("hex");
+  return "sha256:" + createHash4("sha256").update(Buffer.from(body, "utf8")).digest("hex");
 }
 
 // src/converge/workspace.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
 import { dirname as dirname3, isAbsolute, join as join4, resolve } from "path";
 import { load as yamlLoad3, dump as yamlDump3 } from "js-yaml";
 var META_FILENAME = ".run-meta.yaml";
 function readRunMeta(stagingDir) {
   const metaPath = join4(stagingDir, META_FILENAME);
-  if (!existsSync3(metaPath)) return null;
+  if (!existsSync4(metaPath)) return null;
   return yamlLoad3(readFileSync5(metaPath, "utf8"));
 }
 function writeRunMeta(stagingDir, meta) {
@@ -6705,7 +7095,7 @@ function writeRunMeta(stagingDir, meta) {
 function searchUpward(startDir, maxLevels = 5) {
   let dir = startDir;
   for (let i = 0; i < maxLevels; i++) {
-    if (existsSync3(join4(dir, META_FILENAME))) return dir;
+    if (existsSync4(join4(dir, META_FILENAME))) return dir;
     const parent = dirname3(dir);
     if (parent === dir) break;
     dir = parent;
@@ -6958,7 +7348,7 @@ async function buildCruxDecisionRequest(api, ws, cruxId, action, opts = {}) {
   let synthesisEdited = false;
   if (action === "accept") {
     const stagingPath = safeStagingPathFor(ws.stagingDir, cruxId);
-    if (existsSync4(stagingPath)) {
+    if (existsSync5(stagingPath)) {
       const doc = readStaging(stagingPath);
       synthesisEdited = computePaBodyHash(doc.body) !== doc.frontmatter.pa_body_hash;
       if (synthesisEdited) acceptedSynthesisText = doc.body;
@@ -6989,7 +7379,7 @@ async function postCruxDecision(api, ws, cruxId, action, opts = {}) {
 }
 async function materializeAcceptedCrux(ctx, api, ws, cruxId, payload, opts = {}) {
   const stagingPath = safeStagingPathFor(ws.stagingDir, cruxId);
-  if (!existsSync4(stagingPath)) return { warning: `staging_not_found: ${stagingPath}` };
+  if (!existsSync5(stagingPath)) return { warning: `staging_not_found: ${stagingPath}` };
   const doc = readStaging(stagingPath);
   const fm = doc.frontmatter;
   const sourceDebate = await api.getDebate(ws.sourceDebateId);
@@ -7033,11 +7423,11 @@ async function materializeAcceptedCrux(ctx, api, ws, cruxId, payload, opts = {})
   const synthSlug = extractSynthesisSlug(body);
   const finalDir = join5(ws.targetCorpus, "converged", topicSlug);
   const finalPath = safeAcceptedPath(finalDir, cruxId, synthSlug);
-  if (existsSync4(finalPath) && readStaging(finalPath).body !== acceptedDoc.body) {
+  if (existsSync5(finalPath) && readStaging(finalPath).body !== acceptedDoc.body) {
     return { warning: `sync_conflict: ${finalPath}` };
   }
   mkdirSync4(finalDir, { recursive: true });
-  if (!existsSync4(finalPath) || dumpStaging(readStaging(finalPath)) !== dumpStaging(acceptedDoc)) {
+  if (!existsSync5(finalPath) || dumpStaging(readStaging(finalPath)) !== dumpStaging(acceptedDoc)) {
     writeStaging(finalPath, acceptedDoc);
   }
   unlinkSync2(stagingPath);
@@ -7101,7 +7491,7 @@ async function syncTerminalDecisions(ctx, api, ws, opts = {}) {
         if (result.warning) warnings.push(`${cid}: ${result.warning}`);
         continue;
       }
-      if (existsSync4(stagingPath)) {
+      if (existsSync5(stagingPath)) {
         unlinkSync2(stagingPath);
         cleaned.push(cid);
       }
@@ -7217,7 +7607,7 @@ function registerConvergeCommands(program2) {
             const body = buildPaBody(op);
             const newPaBodyHash = computePaBodyHash(body);
             const path2 = safeStagingPathFor(ws.stagingDir, c.crux_id);
-            const existingDoc = existsSync4(path2) ? readStaging(path2) : null;
+            const existingDoc = existsSync5(path2) ? readStaging(path2) : null;
             if (existingDoc && existingDoc.frontmatter.pa_body_hash === newPaBodyHash) continue;
             const fm = {
               debate_id: ws.sourceDebateId,
@@ -8768,9 +9158,9 @@ async function resolveManifestOpt(manifestOpt, manifestId, intention, defaultInt
 
 // src/bin.ts
 var pkgPath = join6(dirname4(fileURLToPath(import.meta.url)), "..", "package.json");
-var CLI_VERSION = JSON.parse(readFileSync8(pkgPath, "utf8")).version;
+var CLI_VERSION2 = JSON.parse(readFileSync8(pkgPath, "utf8")).version;
 var program = new Command();
-program.name("linkedclaw").description("Official LinkedClaw CLI \u2014 any agent can shell out to hire providers, invoke, or gig task").version(`cli ${CLI_VERSION}`);
+program.name("linkedclaw").description("Official LinkedClaw CLI \u2014 any agent can shell out to hire providers, invoke, or gig task").version(`cli ${CLI_VERSION2}`);
 registerAuthCommands(program);
 registerRequesterCommands(program);
 registerProviderCommands(program);