@linzumi/cli 0.0.19-beta → 0.0.22-beta

package/src/oauth.ts

@@ -1,425 +0,0 @@
-/*
-- Date: 2026-04-24
-  Spec: plans/2026-04-24-local-codex-channel-thread-binding-spec.md
-  Relationship: Implements the runner-side browser authorization flow used
-  when the operator does not pass a pre-existing Kandan token.
-*/
-import { spawn } from "node:child_process";
-import { randomBytes } from "node:crypto";
-
-export type LocalRunnerOAuthOptions = {
-  readonly kandanUrl: string;
-  readonly workspaceSlug?: string | undefined;
-  readonly channelSlug?: string | undefined;
-  readonly onboarding?: "start" | undefined;
-  readonly callbackHost?: string | undefined;
-  readonly openAuthorizationUrl?: ((url: string) => Promise<void> | void) | undefined;
-};
-
-export type LocalRunnerOAuthToken = {
-  readonly accessToken: string;
-  readonly expiresInSeconds?: number | undefined;
-  readonly workspaceSlug?: string | undefined;
-  readonly channelSlug?: string | undefined;
-};
-
-export type LocalRunnerStartTarget = {
-  readonly workspaceSlug: string;
-  readonly channelSlug: string;
-  readonly workspaceName: string;
-  readonly channelName: string;
-};
-
-export async function acquireLocalRunnerToken(
-  options: LocalRunnerOAuthOptions,
-): Promise<string> {
-  const token = await acquireLocalRunnerTokenDetails(options);
-  return token.accessToken;
-}
-
-export async function acquireLocalRunnerTokenDetails(
-  options: LocalRunnerOAuthOptions,
-): Promise<LocalRunnerOAuthToken> {
-  const httpBaseUrl = kandanHttpBaseUrl(options.kandanUrl);
-  const state = randomBytes(18).toString("base64url");
-  const callback = await startCallbackServer({
-    host: oauthCallbackHost(options.kandanUrl, options.callbackHost),
-  });
-  const authorizeUrl = authorizationUrl({
-    httpBaseUrl,
-    redirectUri: callback.redirectUri,
-    state,
-    workspaceSlug: options.workspaceSlug,
-    channelSlug: options.channelSlug,
-    onboarding: options.onboarding,
-  });
-
-  process.stderr.write(`Authorize the local Codex runner:\n${authorizeUrl}\n`);
-
-  try {
-    await (options.openAuthorizationUrl ?? openBrowser)(authorizeUrl);
-    const result = await callback.waitForCallback();
-
-    if (result.state !== state) {
-      throw new Error("local runner OAuth state mismatch");
-    }
-
-    return await exchangeCodeForToken({
-      httpBaseUrl,
-      code: result.code,
-      redirectUri: callback.redirectUri,
-    });
-  } finally {
-    callback.close();
-  }
-}
-
-export async function validateLocalRunnerToken(args: {
-  readonly kandanUrl: string;
-  readonly accessToken: string;
-  readonly workspaceSlug?: string | undefined;
-  readonly channelSlug?: string | undefined;
-}): Promise<boolean> {
-  const url = new URL(
-    "/api/v2/local-codex-runner/oauth/validate",
-    kandanHttpBaseUrl(args.kandanUrl),
-  );
-
-  if (args.workspaceSlug !== undefined) {
-    url.searchParams.set("workspace", args.workspaceSlug);
-  }
-
-  if (args.channelSlug !== undefined) {
-    url.searchParams.set("channel", args.channelSlug);
-  }
-
-  const response = await fetch(
-    url,
-    {
-      method: "GET",
-      headers: { authorization: `Bearer ${args.accessToken}` },
-    },
-  );
-
-  switch (response.status) {
-    case 200: {
-      const body: unknown = await response.json();
-      return typeof body === "object" && body !== null && "ok" in body && body.ok === true;
-    }
-    case 401:
-    case 403:
-      return false;
-    default:
-      throw new Error(`local runner auth validation failed with HTTP ${response.status}`);
-  }
-}
-
-export async function fetchLocalRunnerStartTarget(args: {
-  readonly kandanUrl: string;
-  readonly accessToken: string;
-}): Promise<LocalRunnerStartTarget> {
-  const response = await fetch(
-    new URL(
-      "/api/v2/local-codex-runner/onboarding/start",
-      kandanHttpBaseUrl(args.kandanUrl),
-    ),
-    {
-      method: "GET",
-      headers: { authorization: `Bearer ${args.accessToken}` },
-    },
-  );
-  const body: unknown = await response.json();
-
-  if (!response.ok || typeof body !== "object" || body === null) {
-    throw new Error(`local runner start target failed with HTTP ${response.status}`);
-  }
-
-  const workspace = "workspace" in body ? body.workspace : undefined;
-  const channel = "channel" in body ? body.channel : undefined;
-  const workspaceName = "workspace_name" in body ? body.workspace_name : undefined;
-  const channelName = "channel_name" in body ? body.channel_name : undefined;
-
-  if (
-    typeof workspace !== "string" ||
-    workspace.trim() === "" ||
-    typeof channel !== "string" ||
-    channel.trim() === "" ||
-    typeof workspaceName !== "string" ||
-    workspaceName.trim() === "" ||
-    typeof channelName !== "string" ||
-    channelName.trim() === ""
-  ) {
-    throw new Error("local runner start target response was incomplete");
-  }
-
-  return {
-    workspaceSlug: workspace,
-    channelSlug: channel,
-    workspaceName,
-    channelName,
-  };
-}
-
-export function kandanHttpBaseUrl(kandanUrl: string): string {
-  const parsed = new URL(kandanUrl);
-
-  switch (parsed.protocol) {
-    case "ws:":
-      parsed.protocol = "http:";
-      break;
-    case "wss:":
-      parsed.protocol = "https:";
-      break;
-    case "http:":
-    case "https:":
-      break;
-    default:
-      throw new Error("--kandan-url must be ws://, wss://, http://, or https://");
-  }
-
-  parsed.pathname = "";
-  parsed.search = "";
-  parsed.hash = "";
-  return parsed.toString().replace(/\/$/, "");
-}
-
-export function oauthCallbackHost(
-  kandanUrl: string,
-  explicitHost?: string | undefined,
-): string {
-  const normalizedExplicitHost = explicitHost?.trim();
-
-  if (normalizedExplicitHost !== undefined && normalizedExplicitHost !== "") {
-    return normalizedExplicitHost;
-  }
-
-  const host = new URL(kandanUrl).hostname.trim();
-
-  return isPrivateCallbackHost(host) && host !== "localhost" ? host : "127.0.0.1";
-}
-
-function isPrivateCallbackHost(host: string): boolean {
-  const octets = host.split(".").map((part) => Number.parseInt(part, 10));
-
-  if (
-    octets.length !== 4 ||
-    octets.some((part) => !Number.isInteger(part) || part < 0 || part > 255)
-  ) {
-    return host === "localhost";
-  }
-
-  const [a, b] = octets;
-
-  if (a === undefined || b === undefined) {
-    return false;
-  }
-
-  return (
-    a === 10 ||
-    a === 127 ||
-    (a === 172 && b >= 16 && b <= 31) ||
-    (a === 192 && b === 168) ||
-    (a === 169 && b === 254) ||
-    (a === 100 && b >= 64 && b <= 127)
-  );
-}
-
-function authorizationUrl(args: {
-  readonly httpBaseUrl: string;
-  readonly redirectUri: string;
-  readonly state: string;
-  readonly workspaceSlug?: string | undefined;
-  readonly channelSlug?: string | undefined;
-  readonly onboarding?: "start" | undefined;
-}): string {
-  const url = new URL("/api/v2/local-codex-runner/oauth/authorize", args.httpBaseUrl);
-  url.searchParams.set("redirect_uri", args.redirectUri);
-  url.searchParams.set("state", args.state);
-
-  if (args.workspaceSlug !== undefined) {
-    url.searchParams.set("workspace", args.workspaceSlug);
-  }
-
-  if (args.channelSlug !== undefined) {
-    url.searchParams.set("channel", args.channelSlug);
-  }
-
-  if (args.onboarding !== undefined) {
-    url.searchParams.set("onboarding", args.onboarding);
-  }
-
-  return url.toString();
-}
-
-async function exchangeCodeForToken(args: {
-  readonly httpBaseUrl: string;
-  readonly code: string;
-  readonly redirectUri: string;
-}): Promise<LocalRunnerOAuthToken> {
-  const response = await fetch(
-    new URL("/api/v2/local-codex-runner/oauth/token", args.httpBaseUrl),
-    {
-      method: "POST",
-      headers: { "content-type": "application/json" },
-      body: JSON.stringify({
-        code: args.code,
-        redirect_uri: args.redirectUri,
-      }),
-    },
-  );
-  const body: unknown = await response.json();
-
-  if (!response.ok || typeof body !== "object" || body === null) {
-    throw new Error("local runner OAuth token exchange failed");
-  }
-
-  const token = "access_token" in body ? body.access_token : undefined;
-
-  if (typeof token !== "string" || token.trim() === "") {
-    throw new Error("local runner OAuth token response did not include access_token");
-  }
-
-  const expiresIn = "expires_in" in body ? body.expires_in : undefined;
-
-  return {
-    accessToken: token,
-    expiresInSeconds: typeof expiresIn === "number" ? expiresIn : undefined,
-    workspaceSlug: stringBodyField(body, "workspace"),
-    channelSlug: stringBodyField(body, "channel"),
-  };
-}
-
-function stringBodyField(body: object, key: string): string | undefined {
-  const value = key in body ? body[key as keyof typeof body] : undefined;
-
-  return typeof value === "string" && value.trim() !== "" ? value : undefined;
-}
-
-function startCallbackServer(args: {
-  readonly host: string;
-}): Promise<{
-  readonly redirectUri: string;
-  readonly waitForCallback: () => Promise<{ readonly code: string; readonly state: string }>;
-  readonly close: () => void;
-}> {
-  return new Promise((resolve) => {
-    let resolveCallback:
-      | ((value: { readonly code: string; readonly state: string }) => void)
-      | undefined;
-    let rejectCallback: ((reason?: unknown) => void) | undefined;
-    const callbackPromise = new Promise<{ readonly code: string; readonly state: string }>(
-      (callbackResolve, callbackReject) => {
-        resolveCallback = callbackResolve;
-        rejectCallback = callbackReject;
-      },
-    );
-
-    const server = Bun.serve({
-      hostname: args.host,
-      port: 0,
-      fetch(request) {
-        const url = new URL(request.url);
-        const code = url.searchParams.get("code");
-        const state = url.searchParams.get("state");
-        const error = url.searchParams.get("error");
-
-        if (error !== null && error.trim() !== "") {
-          rejectCallback?.(new Error(`local runner OAuth failed: ${error}`));
-          return oauthResultHtml({
-            title: "Linzumi CLI was not authorized",
-            body: "You denied the request. You can close this tab and rerun linzumi start when you are ready.",
-            status: 403,
-          });
-        }
-
-        if (code === null || state === null || code.trim() === "" || state.trim() === "") {
-          return oauthResultHtml({
-            title: "Authorization callback was incomplete",
-            body: "Kandan did not send the local runner authorization code. Return to your terminal and try again.",
-            status: 400,
-          });
-        }
-
-        resolveCallback?.({ code, state });
-        return oauthResultHtml({
-          title: "Linzumi CLI is connected",
-          body: "You can close this tab and return to the terminal. Kandan will finish starting the local runner.",
-          status: 200,
-        });
-      },
-    });
-
-    resolve({
-      redirectUri: `http://${args.host}:${server.port}/callback`,
-      waitForCallback: () => callbackPromise,
-      close: () => {
-        server.stop(true);
-      },
-    });
-  });
-}
-
-function oauthResultHtml(args: {
-  readonly title: string;
-  readonly body: string;
-  readonly status: number;
-}): Response {
-  return new Response(
-    `<!doctype html>
-<html>
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>${escapeHtml(args.title)}</title>
-    <style>
-      :root { color-scheme: light dark; font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; }
-      body { margin: 0; min-height: 100vh; display: grid; place-items: center; background: #f6f7f9; color: #13161c; }
-      main { width: min(520px, calc(100vw - 32px)); border: 1px solid #d9dde5; border-radius: 12px; background: #fff; padding: 30px; box-shadow: 0 24px 70px rgba(18, 25, 38, 0.12); }
-      h1 { margin: 0 0 10px; font-size: 24px; line-height: 1.2; }
-      p { margin: 0; color: #465160; line-height: 1.55; }
-      @media (prefers-color-scheme: dark) {
-        body { background: #0f131a; color: #f3f5f8; }
-        main { background: #171c25; border-color: #2b3442; box-shadow: 0 24px 70px rgba(0, 0, 0, 0.4); }
-        p { color: #aab4c2; }
-      }
-    </style>
-  </head>
-  <body>
-    <main>
-      <h1>${escapeHtml(args.title)}</h1>
-      <p>${escapeHtml(args.body)}</p>
-    </main>
-  </body>
-</html>`,
-    {
-      status: args.status,
-      headers: { "content-type": "text/html; charset=utf-8" },
-    },
-  );
-}
-
-function escapeHtml(value: string): string {
-  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;");
-}
-
-function openBrowser(url: string): Promise<void> {
-  const command =
-    process.platform === "darwin"
-      ? "open"
-      : process.platform === "win32"
-        ? "cmd"
-        : "xdg-open";
-  const args =
-    process.platform === "win32"
-      ? ["/c", "start", "", url]
-      : [url];
-
-  return new Promise((resolve) => {
-    const child = spawn(command, args, { stdio: "ignore", detached: true });
-    child.on("error", () => resolve());
-    child.on("spawn", () => {
-      child.unref();
-      resolve();
-    });
-  });
-}

package/src/pendingKandanMessageQueue.ts

@@ -1,109 +0,0 @@
-/*
-- Date: 2026-04-26
-  Spec: kandan/server_v2/plans/2026-04-26-local-codex-driver-worldclass-spec.md
-  Relationship: Provides the local Codex channel session with an amortized O(1)
-  pending Kandan message queue so long shared sessions avoid repeated
-  `Array.shift()` reindexing while preserving interrupt fusion order.
-*/
-import {
-  interruptQueuedMessages,
-  type QueueInterruptResult,
-  type QueuedKandanMessage,
-} from "./kandanQueue";
-
-export type PendingKandanMessageQueue = {
-  items: QueuedKandanMessage[];
-  head: number;
-};
-
-export function createPendingKandanMessageQueue(): PendingKandanMessageQueue {
-  return {
-    items: [],
-    head: 0,
-  };
-}
-
-export function pendingKandanMessageQueueLength(
-  queue: PendingKandanMessageQueue,
-): number {
-  return queue.items.length - queue.head;
-}
-
-export function enqueuePendingKandanMessage(
-  queue: PendingKandanMessageQueue,
-  message: QueuedKandanMessage,
-): void {
-  queue.items.push(message);
-}
-
-export function dequeuePendingKandanMessage(
-  queue: PendingKandanMessageQueue,
-): QueuedKandanMessage | undefined {
-  const message = queue.items[queue.head];
-
-  if (message === undefined) {
-    compactPendingKandanMessageQueue(queue);
-    return undefined;
-  }
-
-  queue.head = queue.head + 1;
-  compactPendingKandanMessageQueue(queue);
-  return message;
-}
-
-export function requeuePendingKandanMessageFront(
-  queue: PendingKandanMessageQueue,
-  message: QueuedKandanMessage,
-): void {
-  if (queue.head > 0) {
-    queue.head = queue.head - 1;
-    queue.items[queue.head] = message;
-    return;
-  }
-
-  queue.items.unshift(message);
-}
-
-export function interruptPendingKandanMessages(
-  queue: PendingKandanMessageQueue,
-  throughSeq: number | undefined,
-): QueueInterruptResult {
-  const result = interruptQueuedMessages(pendingKandanMessages(queue), throughSeq);
-
-  if (result.ok) {
-    replacePendingKandanMessages(queue, result.queue);
-  }
-
-  return result;
-}
-
-function replacePendingKandanMessages(
-  queue: PendingKandanMessageQueue,
-  messages: QueuedKandanMessage[],
-): void {
-  queue.items = messages;
-  queue.head = 0;
-}
-
-function pendingKandanMessages(
-  queue: PendingKandanMessageQueue,
-): QueuedKandanMessage[] {
-  return queue.head === 0 ? queue.items : queue.items.slice(queue.head);
-}
-
-function compactPendingKandanMessageQueue(queue: PendingKandanMessageQueue): void {
-  if (queue.head === 0) {
-    return;
-  }
-
-  if (queue.head >= queue.items.length) {
-    queue.items = [];
-    queue.head = 0;
-    return;
-  }
-
-  if (queue.head > queue.items.length / 2) {
-    queue.items = queue.items.slice(queue.head);
-    queue.head = 0;
-  }
-}