@nestpilot/mcp-app 1.0.1 → 1.0.2

package/dist/cli/init.js

@@ -4,12 +4,13 @@
  * Steps:
  *   1. Create ~/.nestpilot/ directory structure
  *   2. Generate encryption key and store in OS keychain
- *   3. Optionally provision API key via cloud endpoint
+ *   3. Authenticate via Device Code Flow and provision API key
  *   4. Write config.json with preferences
  *   5. Copy host config templates
  *   6. Print success message with next steps
  *
  * @feature FEAT-0088
+ * @feature FEAT-0091
  */
 import fs from "node:fs/promises";
 import path from "node:path";
@@ -18,6 +19,7 @@ import { stdin, stdout } from "node:process";
 import { loadLocalConfig, DATA_SUBDIRS, configFilePath, } from "../src/local/local-config.js";
 import { createKeychainProvider } from "../src/local/keychain.js";
 import { EncryptionService } from "../src/local/encryption.js";
+import { DeviceAuthClient } from "../src/local/device-auth.js";
 // ── Init command ─────────────────────────────────────────────────────────
 export async function initCommand() {
     console.log("\n🏠 NestPilot Local Setup");
@@ -48,46 +50,36 @@ export async function initCommand() {
         console.log("   ✓ Encryption key generated and stored in OS keychain");
     }
     console.log();
-    // Step 3: API Key provisioning (optional)
+    // Step 3: API Key provisioning via Device Code Flow (FEAT-0091)
     console.log("3. API Key Provisioning");
     const existingKey = await keychain.get("nestpilot", "api-key");
     if (existingKey) {
-        console.log("   ✓ API key already configured");
+        // Verify the stored key is still valid
+        const deviceAuth = new DeviceAuthClient(config.cloudApiUrl);
+        try {
+            const valid = await deviceAuth.verifyApiKey(existingKey);
+            if (valid) {
+                console.log("   ✓ API key already configured and valid");
+            }
+            else {
+                console.log("   ⚠ Stored API key is expired or revoked. Re-authenticating...");
+                await provisionApiKey(config.cloudApiUrl, keychain);
+            }
+        }
+        catch {
+            console.log("   ✓ API key configured (cloud verification skipped — offline)");
+        }
     }
     else {
         const rl = readline.createInterface({ input: stdin, output: stdout });
         try {
-            const email = await rl.question("   Enter your email for free tier (10 forecasts/mo), or press Enter to skip: ");
-            if (email.trim()) {
-                try {
-                    const response = await fetch(`${config.cloudApiUrl}/api/auth/provision-key`, {
-                        method: "POST",
-                        headers: { "Content-Type": "application/json" },
-                        body: JSON.stringify({ email: email.trim() }),
-                        signal: AbortSignal.timeout(10_000),
-                    });
-                    if (response.ok) {
-                        const data = (await response.json());
-                        await keychain.set("nestpilot", "api-key", data.apiKey);
-                        console.log("   ✓ API key provisioned (10 forecasts/mo free)");
-                        console.log("   ✓ API key stored in OS keychain");
-                    }
-                    else {
-                        console.log("   ⚠ Could not provision API key (cloud API unavailable).");
-                        console.log("   Local plan creation & storage still works without an API key.");
-                        console.log("   Cloud compute (forecasts, Roth optimization) requires a key.");
-                        console.log("   Set NESTPILOT_API_KEY env var manually, or run init again later.");
-                    }
-                }
-                catch {
-                    console.log("   ⚠ Could not reach cloud API for key provisioning.");
-                    console.log("   Local plan creation & storage still works without an API key.");
-                    console.log("   Cloud compute (forecasts, Roth optimization) requires a key.");
-                    console.log("   Set NESTPILOT_API_KEY env var manually, or run init again later.");
-                }
+            const answer = await rl.question("   Sign in to NestPilot for cloud compute (forecasts, Roth optimization)? [Y/n] ");
+            if (answer.trim().toLowerCase() !== "n") {
+                await provisionApiKey(config.cloudApiUrl, keychain);
             }
             else {
-                console.log("   ⏭ Skipped. Set NESTPILOT_API_KEY env var later.");
+                console.log("   ⏭ Skipped. Run 'nestpilot init' again or set NESTPILOT_API_KEY env var later.");
+                console.log("   Local plan creation & storage works without an API key.");
             }
         }
         finally {
@@ -125,6 +117,46 @@ export async function initCommand() {
     console.log("Quick test: npx nestpilot-mcp-server status");
     console.log();
 }
+async function provisionApiKey(cloudApiUrl, keychain) {
+    const deviceAuth = new DeviceAuthClient(cloudApiUrl);
+    try {
+        // 1. Initiate device code flow
+        const authResponse = await deviceAuth.authorize();
+        console.log();
+        console.log("   ┌──────────────────────────────────────────┐");
+        console.log(`   │  Code: ${authResponse.userCode.padEnd(33)}│`);
+        console.log("   └──────────────────────────────────────────┘");
+        console.log();
+        console.log(`   Open: ${authResponse.verificationUri}`);
+        console.log("   Enter the code above and sign in with your NestPilot account.");
+        console.log();
+        // 2. Open browser automatically
+        deviceAuth.openBrowser(authResponse.verificationUriComplete ?? authResponse.verificationUri);
+        // 3. Poll for token completion
+        console.log("   ⏳ Waiting for sign-in...");
+        const tokenResponse = await deviceAuth.pollForToken(authResponse.deviceCode, authResponse.interval ?? 5, authResponse.expiresIn);
+        if (tokenResponse.status !== "completed" || !tokenResponse.accessToken) {
+            console.log(`   ⚠ Sign-in ${tokenResponse.status}: ${tokenResponse.error ?? "timed out"}`);
+            console.log("   Local plan creation & storage still works without an API key.");
+            console.log("   Run 'nestpilot init' again to retry.");
+            return;
+        }
+        console.log("   ✓ Signed in successfully");
+        // 4. Exchange JWT for a long-lived API key
+        const apiKeyResult = await deviceAuth.exchangeForApiKey(tokenResponse.accessToken, `${process.platform}-cli-${new Date().toISOString().slice(0, 10)}`);
+        // 5. Store in OS keychain
+        await keychain.set("nestpilot", "api-key", apiKeyResult.apiKey);
+        console.log("   ✓ API key provisioned and stored in OS keychain");
+        console.log(`   ✓ Key: ${apiKeyResult.keyPrefix}... (expires: ${apiKeyResult.expiresAt?.slice(0, 10) ?? "never"})`);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.log(`   ⚠ Could not complete sign-in: ${msg}`);
+        console.log("   Local plan creation & storage still works without an API key.");
+        console.log("   Cloud compute (forecasts, Roth optimization) requires a key.");
+        console.log("   Run 'nestpilot init' again or set NESTPILOT_API_KEY env var.");
+    }
+}
 // ── Host config writer ───────────────────────────────────────────────────
 async function writeHostConfigs(dir) {
     // Goose

package/dist/src/local/device-auth.d.ts

@@ -0,0 +1,52 @@
+export interface DeviceCodeResponse {
+    deviceCode: string;
+    userCode: string;
+    verificationUri: string;
+    verificationUriComplete?: string;
+    expiresIn: number;
+    interval: number;
+    message?: string;
+}
+export interface DeviceTokenResponse {
+    status: "pending" | "completed" | "expired" | "denied" | "error";
+    accessToken?: string;
+    tokenType?: string;
+    expiresIn?: number;
+    error?: string;
+    errorDescription?: string;
+}
+export interface ApiKeyCreatedResponse {
+    id: string;
+    apiKey: string;
+    keyPrefix: string;
+    name: string;
+    scopes: string[];
+    expiresAt: string;
+    createdAt: string;
+    message: string;
+}
+export declare class DeviceAuthClient {
+    private cloudApiUrl;
+    constructor(cloudApiUrl: string);
+    /**
+     * Step 1: Initiate device code flow.
+     */
+    authorize(): Promise<DeviceCodeResponse>;
+    /**
+     * Step 2: Open browser for user authentication.
+     */
+    openBrowser(url: string): void;
+    /**
+     * Step 3: Poll for device code completion.
+     * Retries at the specified interval until the user completes auth or the code expires.
+     */
+    pollForToken(deviceCode: string, interval: number, expiresIn: number, onPoll?: () => void): Promise<DeviceTokenResponse>;
+    /**
+     * Step 4: Exchange JWT for a NestPilot API key.
+     */
+    exchangeForApiKey(accessToken: string, name?: string): Promise<ApiKeyCreatedResponse>;
+    /**
+     * Verify an existing API key is still valid.
+     */
+    verifyApiKey(apiKey: string): Promise<boolean>;
+}

package/dist/src/local/device-auth.js

@@ -0,0 +1,148 @@
+/**
+ * Device Authorization Grant (RFC 8628) client for CLI-based authentication.
+ *
+ * Flow:
+ *   1. POST /api/auth/device/authorize → get user_code + verification_uri
+ *   2. Open browser for user to sign in
+ *   3. Poll POST /api/auth/device/token until completed
+ *   4. Exchange JWT for API key via POST /api/auth/api-keys
+ *   5. Store API key in OS keychain
+ *
+ * @feature FEAT-0091
+ */
+import { exec } from "node:child_process";
+import os from "node:os";
+// ── Device Auth Client ───────────────────────────────────────────────────
+export class DeviceAuthClient {
+    cloudApiUrl;
+    constructor(cloudApiUrl) {
+        this.cloudApiUrl = cloudApiUrl;
+        // Strip trailing slash
+        if (this.cloudApiUrl.endsWith("/")) {
+            this.cloudApiUrl = this.cloudApiUrl.slice(0, -1);
+        }
+    }
+    /**
+     * Step 1: Initiate device code flow.
+     */
+    async authorize() {
+        const response = await fetch(`${this.cloudApiUrl}/api/auth/device/authorize`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to initiate device code flow: ${response.status} ${await response.text()}`);
+        }
+        return (await response.json());
+    }
+    /**
+     * Step 2: Open browser for user authentication.
+     */
+    openBrowser(url) {
+        const platform = os.platform();
+        let command;
+        switch (platform) {
+            case "darwin":
+                command = `open "${url}"`;
+                break;
+            case "win32":
+                command = `start "${url}"`;
+                break;
+            case "linux":
+                command = `xdg-open "${url}"`;
+                break;
+            default:
+                console.log(`\n   Please open this URL in your browser:\n   ${url}\n`);
+                return;
+        }
+        exec(command, (error) => {
+            if (error) {
+                console.log(`\n   Could not open browser automatically.\n   Please open this URL:\n   ${url}\n`);
+            }
+        });
+    }
+    /**
+     * Step 3: Poll for device code completion.
+     * Retries at the specified interval until the user completes auth or the code expires.
+     */
+    async pollForToken(deviceCode, interval, expiresIn, onPoll) {
+        const deadline = Date.now() + expiresIn * 1000;
+        while (Date.now() < deadline) {
+            if (onPoll)
+                onPoll();
+            const response = await fetch(`${this.cloudApiUrl}/api/auth/device/token`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ device_code: deviceCode }),
+                signal: AbortSignal.timeout(10_000),
+            });
+            const result = (await response.json());
+            if (result.status === "completed" && result.accessToken) {
+                return result;
+            }
+            if (result.status === "expired" || result.status === "denied") {
+                return result;
+            }
+            if (result.status === "error" &&
+                result.error !== "authorization_pending") {
+                return result;
+            }
+            // Wait before next poll
+            await sleep(interval * 1000);
+        }
+        return {
+            status: "expired",
+            error: "expired_token",
+            errorDescription: "Device code expired before user completed authentication.",
+        };
+    }
+    /**
+     * Step 4: Exchange JWT for a NestPilot API key.
+     */
+    async exchangeForApiKey(accessToken, name) {
+        const response = await fetch(`${this.cloudApiUrl}/api/auth/api-keys`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${accessToken}`,
+            },
+            body: JSON.stringify({
+                name: name ?? `CLI (${os.hostname()})`,
+                scopes: ["compute"],
+                expiresInDays: 90,
+            }),
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`Failed to create API key: ${response.status} ${text}`);
+        }
+        return (await response.json());
+    }
+    /**
+     * Verify an existing API key is still valid.
+     */
+    async verifyApiKey(apiKey) {
+        try {
+            const response = await fetch(`${this.cloudApiUrl}/api/auth/api-keys/verify`, {
+                method: "GET",
+                headers: {
+                    Authorization: `Bearer ${apiKey}`,
+                },
+                signal: AbortSignal.timeout(5_000),
+            });
+            if (!response.ok)
+                return false;
+            const result = (await response.json());
+            return result.valid === true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+// ── Utilities ────────────────────────────────────────────────────────────
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/dist/src/local/local-data-layer.d.ts

@@ -18,3 +18,5 @@ export { scrubPII, validateNoPII } from "./pii-scrubber.js";
 export type { ScrubResult } from "./pii-scrubber.js";
 export { CloudComputeClient } from "./cloud-compute-client.js";
 export type { CloudComputeResult } from "./cloud-compute-client.js";
+export { DeviceAuthClient } from "./device-auth.js";
+export type { DeviceCodeResponse, DeviceTokenResponse, ApiKeyCreatedResponse, } from "./device-auth.js";

package/dist/src/local/local-data-layer.js

@@ -13,3 +13,4 @@ export { createKeychainProvider, FileKeychain, } from "./keychain.js";
 export { LocalPlanStore } from "./local-plan-store.js";
 export { scrubPII, validateNoPII } from "./pii-scrubber.js";
 export { CloudComputeClient } from "./cloud-compute-client.js";
+export { DeviceAuthClient } from "./device-auth.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nestpilot/mcp-app",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "type": "module",
   "description": "NestPilot MCP App — Retirement planning tools and interactive views",
   "bin": {