@meshxdata/fops 0.0.1

package/src/auth/oauth.js

@@ -0,0 +1,203 @@
+import crypto from "node:crypto";
+import http from "node:http";
+import https from "node:https";
+import { URL, URLSearchParams } from "node:url";
+import chalk from "chalk";
+import { saveClaudeCodeKeychain } from "./keychain.js";
+import { saveApiKey, openBrowser } from "./login.js";
+
+// OAuth configuration (same as Claude Code uses)
+export const OAUTH_CONFIG = {
+  authorizationEndpoint: "https://claude.ai/oauth/authorize",
+  tokenEndpoint: "https://claude.ai/api/oauth/token",
+  clientId: "9d1c250a-e61b-44d0-8e2d-42452f11526c", // Claude Code's public client ID
+  scope: "user:inference",
+};
+
+/**
+ * Generate PKCE code verifier and challenge
+ */
+export function generatePKCE() {
+  const verifier = crypto.randomBytes(32).toString("base64url");
+  const challenge = crypto
+    .createHash("sha256")
+    .update(verifier)
+    .digest("base64url");
+  return { verifier, challenge };
+}
+
+/**
+ * Make HTTPS POST request and return JSON
+ */
+export function httpsPost(url, data) {
+  return new Promise((resolve, reject) => {
+    const parsed = new URL(url);
+    const body = new URLSearchParams(data).toString();
+    const req = https.request({
+      hostname: parsed.hostname,
+      port: 443,
+      path: parsed.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": Buffer.byteLength(body),
+      },
+    }, (res) => {
+      let responseBody = "";
+      res.on("data", (chunk) => { responseBody += chunk; });
+      res.on("end", () => {
+        try {
+          resolve({ status: res.statusCode, data: JSON.parse(responseBody) });
+        } catch {
+          reject(new Error(`Invalid JSON response: ${responseBody}`));
+        }
+      });
+    });
+    req.on("error", reject);
+    req.write(body);
+    req.end();
+  });
+}
+
+export function getResultHTML(success, message) {
+  const color = success ? "#4ade80" : "#f87171";
+  const icon = success ? "✓" : "✗";
+  return `<!DOCTYPE html>
+<html>
+<head><title>Foundation CLI</title>
+<style>
+  body { font-family: -apple-system, sans-serif; background: #1a1a2e; color: #e4e4e7;
+    min-height: 100vh; margin: 0; display: flex; align-items: center; justify-content: center; }
+  .container { text-align: center; }
+  .icon { font-size: 64px; color: ${color}; }
+  h1 { color: ${color}; margin: 16px 0 8px; }
+  p { color: #a1a1aa; }
+</style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">${icon}</div>
+    <h1>${success ? "Success" : "Error"}</h1>
+    <p>${message}</p>
+  </div>
+</body>
+</html>`;
+}
+
+/**
+ * OAuth login flow - opens browser and receives token via callback
+ */
+export async function runOAuthLogin() {
+  return new Promise((resolve) => {
+    const { verifier, challenge } = generatePKCE();
+    const state = crypto.randomBytes(16).toString("hex");
+
+    const server = http.createServer(async (req, res) => {
+      const url = new URL(req.url, `http://127.0.0.1`);
+
+      if (url.pathname === "/callback") {
+        const code = url.searchParams.get("code");
+        const returnedState = url.searchParams.get("state");
+        const error = url.searchParams.get("error");
+
+        if (error) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(getResultHTML(false, `Authorization failed: ${error}`));
+          server.close();
+          resolve(false);
+          return;
+        }
+
+        if (returnedState !== state) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(getResultHTML(false, "Invalid state parameter"));
+          server.close();
+          resolve(false);
+          return;
+        }
+
+        if (!code) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(getResultHTML(false, "No authorization code received"));
+          server.close();
+          resolve(false);
+          return;
+        }
+
+        // Exchange code for token
+        try {
+          const { port } = server.address();
+          const tokenResponse = await httpsPost(OAUTH_CONFIG.tokenEndpoint, {
+            grant_type: "authorization_code",
+            client_id: OAUTH_CONFIG.clientId,
+            code,
+            redirect_uri: `http://127.0.0.1:${port}/callback`,
+            code_verifier: verifier,
+          });
+
+          if (tokenResponse.status !== 200 || !tokenResponse.data.access_token) {
+            throw new Error(tokenResponse.data.error || "Token exchange failed");
+          }
+
+          const { access_token, refresh_token } = tokenResponse.data;
+
+          // Save to keychain (macOS) or credentials file
+          if (process.platform === "darwin") {
+            saveClaudeCodeKeychain(access_token, refresh_token);
+          } else {
+            saveApiKey(access_token);
+          }
+
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(getResultHTML(true, "Login successful! You can close this window."));
+
+          console.log(chalk.green("\nLogin successful"));
+          if (process.platform === "darwin") {
+            console.log(chalk.gray("Token saved to macOS Keychain\n"));
+          } else {
+            console.log(chalk.gray("Token saved to ~/.claude/.credentials.json\n"));
+          }
+
+          server.close();
+          resolve(true);
+        } catch (err) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(getResultHTML(false, `Token exchange failed: ${err.message}`));
+          server.close();
+          resolve(false);
+        }
+        return;
+      }
+
+      res.writeHead(404);
+      res.end();
+    });
+
+    server.listen(0, "127.0.0.1", () => {
+      const { port } = server.address();
+      const redirectUri = `http://127.0.0.1:${port}/callback`;
+
+      const authUrl = new URL(OAUTH_CONFIG.authorizationEndpoint);
+      authUrl.searchParams.set("client_id", OAUTH_CONFIG.clientId);
+      authUrl.searchParams.set("redirect_uri", redirectUri);
+      authUrl.searchParams.set("response_type", "code");
+      authUrl.searchParams.set("scope", OAUTH_CONFIG.scope);
+      authUrl.searchParams.set("state", state);
+      authUrl.searchParams.set("code_challenge", challenge);
+      authUrl.searchParams.set("code_challenge_method", "S256");
+
+      console.log(chalk.blue("\nOpening browser for Claude login...\n"));
+      console.log(chalk.gray(`  If browser doesn't open, visit:\n  ${chalk.cyan(authUrl.toString())}\n`));
+      console.log(chalk.gray("  Waiting for authentication..."));
+
+      openBrowser(authUrl.toString());
+    });
+
+    // Timeout after 5 minutes
+    setTimeout(() => {
+      console.log(chalk.yellow("\n  Login timed out. Run foundation login again.\n"));
+      server.close();
+      resolve(false);
+    }, 5 * 60 * 1000);
+  });
+}

package/src/auth/oauth.test.js

@@ -0,0 +1,118 @@
+import { describe, it, expect } from "vitest";
+import crypto from "node:crypto";
+import { OAUTH_CONFIG, generatePKCE, getResultHTML } from "./oauth.js";
+
+describe("auth/oauth", () => {
+  describe("OAUTH_CONFIG", () => {
+    it("has required OAuth fields", () => {
+      expect(OAUTH_CONFIG.authorizationEndpoint).toContain("claude.ai");
+      expect(OAUTH_CONFIG.tokenEndpoint).toContain("claude.ai");
+      expect(typeof OAUTH_CONFIG.clientId).toBe("string");
+      expect(OAUTH_CONFIG.clientId.length).toBeGreaterThan(0);
+      expect(OAUTH_CONFIG.scope).toBe("user:inference");
+    });
+
+    it("authorization endpoint is a valid URL", () => {
+      expect(() => new URL(OAUTH_CONFIG.authorizationEndpoint)).not.toThrow();
+    });
+
+    it("token endpoint is a valid URL", () => {
+      expect(() => new URL(OAUTH_CONFIG.tokenEndpoint)).not.toThrow();
+    });
+
+    it("clientId is a UUID format", () => {
+      expect(OAUTH_CONFIG.clientId).toMatch(
+        /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
+      );
+    });
+
+    it("endpoints use HTTPS", () => {
+      expect(OAUTH_CONFIG.authorizationEndpoint).toMatch(/^https:/);
+      expect(OAUTH_CONFIG.tokenEndpoint).toMatch(/^https:/);
+    });
+  });
+
+  describe("generatePKCE", () => {
+    it("returns verifier and challenge", () => {
+      const { verifier, challenge } = generatePKCE();
+      expect(typeof verifier).toBe("string");
+      expect(typeof challenge).toBe("string");
+      expect(verifier.length).toBeGreaterThan(0);
+      expect(challenge.length).toBeGreaterThan(0);
+    });
+
+    it("generates base64url strings (no +, /, = chars)", () => {
+      const { verifier, challenge } = generatePKCE();
+      expect(verifier).toMatch(/^[A-Za-z0-9_-]+$/);
+      expect(challenge).toMatch(/^[A-Za-z0-9_-]+$/);
+    });
+
+    it("generates unique values each time", () => {
+      const a = generatePKCE();
+      const b = generatePKCE();
+      expect(a.verifier).not.toBe(b.verifier);
+      expect(a.challenge).not.toBe(b.challenge);
+    });
+
+    it("challenge is SHA-256 of verifier", () => {
+      const { verifier, challenge } = generatePKCE();
+      const expected = crypto.createHash("sha256").update(verifier).digest("base64url");
+      expect(challenge).toBe(expected);
+    });
+
+    it("verifier is 43 chars (32 bytes base64url)", () => {
+      const { verifier } = generatePKCE();
+      // 32 bytes in base64url = ceil(32 * 4/3) = 43 chars
+      expect(verifier.length).toBe(43);
+    });
+
+    it("challenge is 43 chars (SHA-256 = 32 bytes base64url)", () => {
+      const { challenge } = generatePKCE();
+      expect(challenge.length).toBe(43);
+    });
+  });
+
+  describe("getResultHTML", () => {
+    it("returns success HTML", () => {
+      const html = getResultHTML(true, "All good");
+      expect(html).toContain("<!DOCTYPE html>");
+      expect(html).toContain("Success");
+      expect(html).toContain("All good");
+      expect(html).toContain("#4ade80");
+    });
+
+    it("returns error HTML", () => {
+      const html = getResultHTML(false, "Something failed");
+      expect(html).toContain("Error");
+      expect(html).toContain("Something failed");
+      expect(html).toContain("#f87171");
+    });
+
+    it("success uses checkmark icon", () => {
+      const html = getResultHTML(true, "ok");
+      expect(html).toContain("✓");
+    });
+
+    it("error uses cross icon", () => {
+      const html = getResultHTML(false, "fail");
+      expect(html).toContain("✗");
+    });
+
+    it("escapes message into HTML body", () => {
+      const html = getResultHTML(true, "Token saved");
+      expect(html).toContain("Token saved");
+    });
+
+    it("returns valid HTML with head and body", () => {
+      const html = getResultHTML(true, "test");
+      expect(html).toContain("<head>");
+      expect(html).toContain("<body>");
+      expect(html).toContain("</html>");
+    });
+
+    it("includes Foundation CLI title", () => {
+      const html = getResultHTML(true, "test");
+      expect(html).toContain("Foundation CLI");
+    });
+  });
+});

package/src/auth/resolve.js

@@ -0,0 +1,78 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { execaSync } from "execa";
+
+export const CLAUDE_DIR = path.join(os.homedir(), ".claude");
+export const CLAUDE_JSON = path.join(os.homedir(), ".claude.json");
+export const CLAUDE_CREDENTIALS = path.join(CLAUDE_DIR, ".credentials.json");
+
+export function readJsonKey(obj, keys) {
+  if (!obj || typeof obj !== "object") return null;
+  for (const k of keys) {
+    const v = obj[k];
+    if (typeof v === "string" && v.trim()) return v.trim();
+  }
+  return null;
+}
+
+export function resolveAnthropicApiKey() {
+  const envKey = process.env.ANTHROPIC_API_KEY?.trim();
+  if (envKey) return envKey;
+  try {
+    const settingsPath = path.join(CLAUDE_DIR, "settings.json");
+    if (fs.existsSync(settingsPath)) {
+      const settings = JSON.parse(fs.readFileSync(settingsPath, "utf8"));
+      const helper = settings?.apiKeyHelper;
+      if (typeof helper === "string" && helper.trim()) {
+        const { stdout } = execaSync(helper.trim(), [], { shell: true, encoding: "utf8" });
+        const key = stdout?.trim();
+        if (key) return key;
+      }
+    }
+  } catch {
+    // ignore
+  }
+  const credKeys = ["anthropic_api_key", "ANTHROPIC_API_KEY", "apiKey", "api_key"];
+  try {
+    if (fs.existsSync(CLAUDE_CREDENTIALS)) {
+      const cred = JSON.parse(fs.readFileSync(CLAUDE_CREDENTIALS, "utf8"));
+      const key = readJsonKey(cred, credKeys);
+      if (key) return key;
+    }
+  } catch {
+    // ignore
+  }
+  try {
+    if (fs.existsSync(CLAUDE_JSON)) {
+      const data = JSON.parse(fs.readFileSync(CLAUDE_JSON, "utf8"));
+      const key = readJsonKey(data, credKeys);
+      if (key) return key;
+    }
+  } catch {
+    // ignore
+  }
+  // Note: Claude Code's OAuth tokens (sk-ant-oat01-...) don't work directly with the API.
+  // They're for Claude Code's proxy service. Users need actual API keys.
+  return null;
+}
+
+export function resolveOpenAiApiKey() {
+  const envKey = process.env.OPENAI_API_KEY?.trim();
+  if (envKey) return envKey;
+  try {
+    if (fs.existsSync(CLAUDE_CREDENTIALS)) {
+      const cred = JSON.parse(fs.readFileSync(CLAUDE_CREDENTIALS, "utf8"));
+      const key = readJsonKey(cred, ["openai_api_key", "OPENAI_API_KEY", "apiKey"]);
+      if (key) return key;
+    }
+  } catch {}
+  try {
+    if (fs.existsSync(CLAUDE_JSON)) {
+      const data = JSON.parse(fs.readFileSync(CLAUDE_JSON, "utf8"));
+      const key = readJsonKey(data, ["openai_api_key", "OPENAI_API_KEY"]);
+      if (key) return key;
+    }
+  } catch {}
+  return null;
+}

package/src/auth/resolve.test.js

@@ -0,0 +1,153 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+vi.mock("execa", () => ({
+  execaSync: vi.fn(),
+}));
+
+describe("auth/resolve", () => {
+  describe("readJsonKey", () => {
+    let readJsonKey;
+
+    beforeEach(async () => {
+      ({ readJsonKey } = await import("./resolve.js"));
+    });
+
+    it("returns first matching string key", () => {
+      expect(readJsonKey({ apiKey: "sk-123" }, ["apiKey"])).toBe("sk-123");
+    });
+
+    it("tries multiple keys in order", () => {
+      expect(readJsonKey({ api_key: "sk-456" }, ["apiKey", "api_key"])).toBe("sk-456");
+    });
+
+    it("returns first match when multiple keys exist", () => {
+      expect(readJsonKey({ apiKey: "first", api_key: "second" }, ["apiKey", "api_key"])).toBe("first");
+    });
+
+    it("trims whitespace", () => {
+      expect(readJsonKey({ apiKey: "  sk-789  " }, ["apiKey"])).toBe("sk-789");
+    });
+
+    it("returns null for empty string", () => {
+      expect(readJsonKey({ apiKey: "  " }, ["apiKey"])).toBe(null);
+    });
+
+    it("returns null for non-string values", () => {
+      expect(readJsonKey({ apiKey: 123 }, ["apiKey"])).toBe(null);
+      expect(readJsonKey({ apiKey: true }, ["apiKey"])).toBe(null);
+      expect(readJsonKey({ apiKey: null }, ["apiKey"])).toBe(null);
+      expect(readJsonKey({ apiKey: [] }, ["apiKey"])).toBe(null);
+      expect(readJsonKey({ apiKey: {} }, ["apiKey"])).toBe(null);
+    });
+
+    it("returns null for null/undefined input", () => {
+      expect(readJsonKey(null, ["apiKey"])).toBe(null);
+      expect(readJsonKey(undefined, ["apiKey"])).toBe(null);
+    });
+
+    it("returns null for non-object input", () => {
+      expect(readJsonKey("string", ["apiKey"])).toBe(null);
+      expect(readJsonKey(42, ["apiKey"])).toBe(null);
+      expect(readJsonKey(true, ["apiKey"])).toBe(null);
+    });
+
+    it("returns null when key is not found", () => {
+      expect(readJsonKey({ other: "value" }, ["apiKey"])).toBe(null);
+    });
+
+    it("skips empty keys and continues", () => {
+      expect(readJsonKey({ first: "", second: "found" }, ["first", "second"])).toBe("found");
+    });
+  });
+
+  describe("resolveAnthropicApiKey", () => {
+    let resolveAnthropicApiKey;
+    const originalEnv = { ...process.env };
+
+    beforeEach(async () => {
+      vi.resetModules();
+      vi.mock("execa", () => ({ execaSync: vi.fn() }));
+      ({ resolveAnthropicApiKey } = await import("./resolve.js"));
+      delete process.env.ANTHROPIC_API_KEY;
+    });
+
+    afterEach(() => {
+      process.env = { ...originalEnv };
+    });
+
+    it("returns env var when set", () => {
+      process.env.ANTHROPIC_API_KEY = "sk-ant-api03-env";
+      expect(resolveAnthropicApiKey()).toBe("sk-ant-api03-env");
+    });
+
+    it("trims env var whitespace", () => {
+      process.env.ANTHROPIC_API_KEY = "  sk-ant-api03-padded  ";
+      expect(resolveAnthropicApiKey()).toBe("sk-ant-api03-padded");
+    });
+
+    it("returns null when nothing is configured", () => {
+      const result = resolveAnthropicApiKey();
+      expect(result === null || typeof result === "string").toBe(true);
+    });
+
+    it("prioritizes env var over files", () => {
+      process.env.ANTHROPIC_API_KEY = "sk-ant-api03-env-wins";
+      // Even if files exist, env should be returned
+      expect(resolveAnthropicApiKey()).toBe("sk-ant-api03-env-wins");
+    });
+  });
+
+  describe("resolveOpenAiApiKey", () => {
+    let resolveOpenAiApiKey;
+    const originalEnv = { ...process.env };
+
+    beforeEach(async () => {
+      vi.resetModules();
+      vi.mock("execa", () => ({ execaSync: vi.fn() }));
+      ({ resolveOpenAiApiKey } = await import("./resolve.js"));
+      delete process.env.OPENAI_API_KEY;
+    });
+
+    afterEach(() => {
+      process.env = { ...originalEnv };
+    });
+
+    it("returns env var when set", () => {
+      process.env.OPENAI_API_KEY = "sk-openai-env";
+      expect(resolveOpenAiApiKey()).toBe("sk-openai-env");
+    });
+
+    it("trims env var whitespace", () => {
+      process.env.OPENAI_API_KEY = "  sk-openai-padded  ";
+      expect(resolveOpenAiApiKey()).toBe("sk-openai-padded");
+    });
+
+    it("returns null when nothing configured", () => {
+      const result = resolveOpenAiApiKey();
+      expect(result === null || typeof result === "string").toBe(true);
+    });
+  });
+
+  describe("CLAUDE_DIR / CLAUDE_JSON / CLAUDE_CREDENTIALS exports", () => {
+    let CLAUDE_DIR, CLAUDE_JSON, CLAUDE_CREDENTIALS;
+
+    beforeEach(async () => {
+      ({ CLAUDE_DIR, CLAUDE_JSON, CLAUDE_CREDENTIALS } = await import("./resolve.js"));
+    });
+
+    it("CLAUDE_DIR points to ~/.claude", () => {
+      expect(CLAUDE_DIR).toBe(path.join(os.homedir(), ".claude"));
+    });
+
+    it("CLAUDE_JSON points to ~/.claude.json", () => {
+      expect(CLAUDE_JSON).toBe(path.join(os.homedir(), ".claude.json"));
+    });
+
+    it("CLAUDE_CREDENTIALS points to ~/.claude/.credentials.json", () => {
+      expect(CLAUDE_CREDENTIALS).toBe(path.join(os.homedir(), ".claude", ".credentials.json"));
+    });
+  });
+});