@oml/cli 0.14.17 → 0.16.0

package/src/auth/auth.ts

@@ -1,7 +1,9 @@
 // Copyright (c) 2026 Modelware. All rights reserved.
 
-import { exchangeGitHubToken, refreshSupabaseAccessToken } from '@oml/platform';
+import { exchangeGitHubToken, refreshSupabaseAccessToken, verifyEntitlementsToken } from '@oml/platform';
 import chalk from 'chalk';
+import * as crypto from 'node:crypto';
+import type { JsonWebKey } from 'node:crypto';
 import * as fs from 'node:fs/promises';
 import * as os from 'node:os';
 import * as path from 'node:path';
@@ -23,7 +25,10 @@ const KEYCHAIN_SERVICE = 'oml-code';
 const ACCESS_TOKEN_KEY = 'oml.cli.access_token';
 const REFRESH_TOKEN_KEY = 'oml.cli.refresh_token';
 const EXPIRES_AT_KEY = 'oml.cli.expires_at';
-const PROFILE_PATH = path.join(os.homedir(), '.oml', 'cli-profile.json');
+const ENTITLEMENT_EXPIRY_KEY = 'oml.cli.entitlement_expiry';
+const ENTITLEMENT_FEATURES_KEY = 'oml.cli.entitlement_features';
+const ENTITLEMENT_TOKEN_KEY = 'oml.cli.entitlement_token';
+const ENTITLEMENT_PUBKEY_KEY = 'oml.cli.entitlement_pubkey';
 const LOCK_PATH = path.join(os.homedir(), '.oml', 'credentials.lock');
 const SESSION_EXPIRATION_LEEWAY_MS = 20_000;
 const LOCK_TIMEOUT_MS = 5_000;
@@ -37,17 +42,6 @@ type KeytarModule = {
 
 let keytarModulePromise: Promise<KeytarModule> | undefined;
 
-type Provider = 'github';
-
-type StoredProfile = {
-    provider: Provider;
-    userId: string;
-    userLabel?: string;
-    email: string | null;
-    tier?: string;
-    signedInAt: string;
-};
-
 type StoredCredential = {
     accessToken: string;
     refreshToken: string;
@@ -77,10 +71,9 @@ export class OmlCliAuthService {
 
         const existing = await this.tryGetValidSnapshot();
         if (existing) {
-            const profile = await readProfile();
-            console.error(chalk.green(
-                `Already signed in as ${profile?.userLabel ?? profile?.email ?? profile?.userId ?? 'current user'}.`
-            ));
+            const claims = decodeJwtClaims(existing.accessToken);
+            const label = claims.userLabel ?? claims.email ?? 'current user';
+            console.error(chalk.green(`Already signed in as ${label}.`));
             return;
         }
 
@@ -90,33 +83,14 @@ export class OmlCliAuthService {
             refreshToken: session.refreshToken,
             expiresAtMs: session.expiresAtMs,
         });
-        await writeProfile({
-            provider: session.provider,
-            userId: session.userId,
-            userLabel: session.userLabel,
-            email: session.email,
-            tier: session.tier,
-            signedInAt: new Date().toISOString(),
-        });
+        void fetchAndSaveEntitlementsPubkey(resolveApiBaseUrl(), this).catch(() => undefined);
         const summary = session.userLabel ?? session.email ?? 'signed-in user';
-        console.error(chalk.green(`Signed in as ${summary} via ${session.provider}.`));
+        console.error(chalk.green(`Signed in as ${summary} via GitHub.`));
     }
 
     async logout(): Promise<void> {
-        const activeServers = await listActiveServers();
         await deleteCredential();
-        await deleteProfile();
-        if (activeServers.length > 0) {
-            console.error(chalk.yellow('Stored OAuth credentials were cleared. Running servers were not stopped:'));
-            for (const server of activeServers) {
-                console.error(`- ${server.workspaceRoot ?? '(unknown workspace)'} on port ${server.port} (pid ${server.pid})`);
-            }
-            if (process.env[API_KEY_ENV]?.trim()) {
-                console.error(chalk.yellow('OML_PLATFORM_API_KEY is still set, so future starts may use API-key auth.'));
-            }
-            return;
-        }
-        console.error(chalk.green('Stored OAuth credentials were cleared.'));
+        console.error(chalk.green('Signed out.'));
         if (process.env[API_KEY_ENV]?.trim()) {
             console.error(chalk.yellow('OML_PLATFORM_API_KEY is still set, so future starts may use API-key auth.'));
         }
@@ -127,27 +101,85 @@ export class OmlCliAuthService {
         if (apiKey) {
             console.error('Auth mode: api_key');
             console.error('Account: resolved by OML Platform from OML_PLATFORM_API_KEY');
-            const profile = await readProfile();
-            if (profile) {
-                console.error(`Stored OAuth user: ${profile.userLabel ?? profile.email ?? profile.userId}`);
-            }
             return;
         }
 
         const credential = await readCredential();
-        const profile = await readProfile();
-        if (!credential || !profile) {
+        if (!credential) {
             console.error(chalk.yellow('Not signed in.'));
             return;
         }
+        const claims = decodeJwtClaims(credential.accessToken);
         console.error('Auth mode: oauth');
-        console.error(`Provider: ${profile.provider}`);
-        console.error(`User ID: ${profile.userId}`);
-        console.error(`User label: ${profile.userLabel ?? '(not set)'}`);
-        console.error(`Email: ${profile.email ?? '(not set)'}`);
-        console.error(`Tier: ${profile.tier ?? '(not set)'}`);
-        console.error(`Signed in at: ${profile.signedInAt}`);
-        console.error(`Access token expires at: ${new Date(credential.expiresAtMs).toISOString()}`);
+        console.error(`User ID:    ${claims.userId ?? '(unknown)'}`);
+        console.error(`User label: ${claims.userLabel ?? '(not set)'}`);
+        console.error(`Email:      ${claims.email ?? '(not set)'}`);
+        console.error(`Tier:       ${claims.tier ?? '(not set)'}`);
+        console.error(`Token expires at: ${new Date(credential.expiresAtMs).toISOString()}`);
+    }
+
+    async getDeviceId(): Promise<string> {
+        return getOrCreateDeviceId();
+    }
+
+    async getEntitlementCache(): Promise<{ expiry: number; featureIds: string[]; token?: string } | null> {
+        try {
+            const keytar = await getKeytarModule();
+            const [expiryRaw, featuresRaw, tokenRaw, pubkeyRaw] = await Promise.all([
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY),
+                keytar.getPassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY),
+            ]);
+            const expiry = Number(expiryRaw ?? NaN);
+            if (!Number.isFinite(expiry) || expiry <= Date.now() || !featuresRaw) {
+                return null;
+            }
+            const featureIds = JSON.parse(featuresRaw) as unknown;
+            if (!Array.isArray(featureIds) || !featureIds.every((x) => typeof x === 'string')) {
+                return null;
+            }
+            let token: string | undefined;
+            if (tokenRaw && pubkeyRaw) {
+                try {
+                    const deviceId = await getOrCreateDeviceId();
+                    const valid = await verifyEntitlementsToken(tokenRaw, deviceId, JSON.parse(pubkeyRaw) as JsonWebKey);
+                    if (valid) {
+                        token = tokenRaw;
+                    }
+                } catch {
+                    // Verification failed — proceed without token; gate will re-fetch.
+                }
+            }
+            return { expiry, featureIds: featureIds as string[], token };
+        } catch {
+            return null;
+        }
+    }
+
+    async saveEntitlementCache(expiry: number, featureIds: string[], token?: string): Promise<void> {
+        try {
+            const keytar = await getKeytarModule();
+            const writes: Promise<void>[] = [
+                keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY, String(expiry)),
+                keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY, JSON.stringify(featureIds)),
+            ];
+            if (token) {
+                writes.push(keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY, token));
+            }
+            await Promise.all(writes);
+        } catch {
+            // Credential store unavailable — skip silently.
+        }
+    }
+
+    async saveEntitlementsPubkey(pubkeyJwk: JsonWebKey): Promise<void> {
+        try {
+            const keytar = await getKeytarModule();
+            await keytar.setPassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY, JSON.stringify(pubkeyJwk));
+        } catch {
+            // Credential store unavailable — skip silently.
+        }
     }
 
     async ensureAuthenticated(operationName: string): Promise<void> {
@@ -198,6 +230,10 @@ export class OmlCliAuthService {
         }
     }
 
+    async hasStoredCredential(): Promise<boolean> {
+        return (await readCredential()) !== undefined;
+    }
+
     private async refreshCredential(): Promise<StoredCredential> {
         const session = await readCredential();
         if (!session?.refreshToken) {
@@ -222,18 +258,10 @@ export class OmlCliAuthService {
                 expiresAtMs: Date.now() + (refreshed.expires_in * 1000),
             };
             await writeCredential(updatedSession);
-            const profile = await readProfile();
-            if (profile) {
-                await writeProfile({
-                    ...profile,
-                    email: refreshed.email ?? profile.email,
-                });
-            }
             return updatedSession;
         } catch (error) {
             if (isUnauthorizedError(error)) {
                 await deleteCredential();
-                await deleteProfile();
                 throw new Error('Authentication refresh failed because the stored credential was revoked. Run \'oml login\' again.');
             }
             throw new Error('Authentication refresh failed. Check your network connection or sign in again with \'oml login\'.');
@@ -272,77 +300,46 @@ async function deleteCredential(): Promise<void> {
         keytar.deletePassword(KEYCHAIN_SERVICE, ACCESS_TOKEN_KEY),
         keytar.deletePassword(KEYCHAIN_SERVICE, REFRESH_TOKEN_KEY),
         keytar.deletePassword(KEYCHAIN_SERVICE, EXPIRES_AT_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_EXPIRY_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_FEATURES_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_TOKEN_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, ENTITLEMENT_PUBKEY_KEY),
     ]);
 }
 
-async function readProfile(): Promise<StoredProfile | undefined> {
+async function getOrCreateDeviceId(): Promise<string> {
     try {
-        const content = await fs.readFile(PROFILE_PATH, 'utf-8');
-        const data = JSON.parse(content) as Partial<StoredProfile>;
-        if (!data.provider || !data.userId || !data.signedInAt) {
-            return undefined;
-        }
-        return {
-            provider: data.provider,
-            userId: data.userId,
-            userLabel: data.userLabel,
-            email: data.email ?? null,
-            tier: data.tier,
-            signedInAt: data.signedInAt,
-        };
+        return (await fs.readFile('/etc/machine-id', 'utf-8')).trim();
     } catch {
-        return undefined;
+        try {
+            return (await fs.readFile(LOCAL_MACHINE_ID_PATH, 'utf-8')).trim();
+        } catch {
+            const id = crypto.randomUUID();
+            await fs.mkdir(path.dirname(LOCAL_MACHINE_ID_PATH), { recursive: true });
+            await fs.writeFile(LOCAL_MACHINE_ID_PATH, id, { encoding: 'utf-8', mode: 0o600 });
+            return id;
+        }
     }
 }
 
-async function writeProfile(profile: StoredProfile): Promise<void> {
-    await fs.mkdir(path.dirname(PROFILE_PATH), { recursive: true });
-    await fs.writeFile(PROFILE_PATH, `${JSON.stringify(profile, null, 2)}\n`, 'utf-8');
-}
-
-async function deleteProfile(): Promise<void> {
-    try {
-        await fs.unlink(PROFILE_PATH);
-    } catch (error) {
-        if ((error as NodeJS.ErrnoException).code !== 'ENOENT') {
-            throw error;
-        }
+async function fetchAndSaveEntitlementsPubkey(apiBaseUrl: string, authService: OmlCliAuthService): Promise<void> {
+    const response = await fetch(`${apiBaseUrl}/entitlements/pubkey`);
+    if (!response.ok) {
+        return;
     }
+    const jwk = await response.json() as JsonWebKey;
+    await authService.saveEntitlementsPubkey(jwk);
 }
 
 async function authenticateWithGitHub(): Promise<{
-    provider: Provider;
-    userId: string;
     userLabel?: string;
     email: string | null;
-    tier?: string;
     accessToken: string;
     refreshToken: string;
     expiresAtMs: number;
 }> {
     const clientId = resolveClientId();
-    const params = new URLSearchParams({
-        client_id: clientId,
-        scope: 'read:user user:email'
-    });
-    const response = await fetch(GITHUB_DEVICE_CODE_URL, {
-        method: 'POST',
-        headers: {
-            accept: 'application/json',
-            'content-type': 'application/x-www-form-urlencoded'
-        },
-        body: params
-    });
-    if (!response.ok) {
-        throw new Error(`GitHub device authorization failed: HTTP ${response.status} ${response.statusText}`);
-    }
-    const device = await response.json() as GitHubDeviceCodeResponse;
-    if (!device.device_code || !device.user_code || !device.verification_uri) {
-        throw new Error('GitHub device authorization response was incomplete.');
-    }
-
-    printDeviceFlowInstructions('GitHub', device.verification_uri, device.user_code);
-    const token = await pollForGitHubAccessToken(clientId, device);
+    const token = await authenticateWithGitHubDevice(clientId);
     const userResponse = await fetch(GITHUB_USER_URL, {
         headers: {
             accept: 'application/vnd.github+json',
@@ -360,17 +357,39 @@ async function authenticateWithGitHub(): Promise<{
     const platformSession = await exchangeGitHubToken(resolveApiBaseUrl(), token);
 
     return {
-        provider: 'github',
-        userId: platformSession.user_id,
         userLabel: user.login,
         email: platformSession.email,
-        tier: platformSession.tier,
         accessToken: platformSession.access_token,
         refreshToken: platformSession.refresh_token,
         expiresAtMs: Date.now() + platformSession.expires_in * 1000,
     };
 }
 
+async function authenticateWithGitHubDevice(clientId: string): Promise<string> {
+    const params = new URLSearchParams({
+        client_id: clientId,
+        scope: 'read:user user:email'
+    });
+    const response = await fetch(GITHUB_DEVICE_CODE_URL, {
+        method: 'POST',
+        headers: {
+            accept: 'application/json',
+            'content-type': 'application/x-www-form-urlencoded'
+        },
+        body: params
+    });
+    if (!response.ok) {
+        throw new Error(`GitHub device authorization failed: HTTP ${response.status} ${response.statusText}`);
+    }
+    const device = await response.json() as GitHubDeviceCodeResponse;
+    if (!device.device_code || !device.user_code || !device.verification_uri) {
+        throw new Error('GitHub device authorization response was incomplete.');
+    }
+
+    printDeviceFlowInstructions('GitHub', device.verification_uri, device.user_code);
+    return await pollForGitHubAccessToken(clientId, device);
+}
+
 function printDeviceFlowInstructions(providerName: string, verificationUri: string, userCode: string): void {
     console.error(chalk.cyan(`${providerName} sign-in required.`));
     console.error(`Open: ${verificationUri}`);
@@ -444,37 +463,6 @@ async function acquireCredentialLock(): Promise<{ release: () => Promise<void> }
     throw new Error('Timed out waiting for the CLI credential lock.');
 }
 
-async function listActiveServers(): Promise<Array<{ pid: number; port: number; workspaceRoot?: string }>> {
-    const baseDir = path.join(os.homedir(), '.oml', 'workspaces');
-    try {
-        const workspaceDirs = await fs.readdir(baseDir);
-        const active: Array<{ pid: number; port: number; workspaceRoot?: string }> = [];
-        for (const workspaceDir of workspaceDirs) {
-            const lockFile = path.join(baseDir, workspaceDir, 'server.lock');
-            try {
-                const raw = await fs.readFile(lockFile, 'utf-8');
-                const parsed = JSON.parse(raw) as { pid?: unknown; port?: unknown; workspaceRoot?: unknown };
-                const pid = Number(parsed.pid);
-                const port = Number(parsed.port);
-                if (!Number.isFinite(pid) || !Number.isFinite(port)) {
-                    continue;
-                }
-                process.kill(Math.trunc(pid), 0);
-                active.push({
-                    pid: Math.trunc(pid),
-                    port: Math.trunc(port),
-                    workspaceRoot: typeof parsed.workspaceRoot === 'string' ? parsed.workspaceRoot : undefined,
-                });
-            } catch {
-                // ignore malformed or stale lock entries
-            }
-        }
-        return active;
-    } catch {
-        return [];
-    }
-}
-
 function resolveClientId(): string {
     const configured = process.env.OML_AUTH_GITHUB_CLIENT_ID?.trim() || DEFAULT_GITHUB_CLIENT_ID;
     if (configured) {
@@ -506,25 +494,149 @@ function isUnauthorizedError(error: unknown): boolean {
     return /\b401\b/.test(message);
 }
 
+const CREDENTIALS_FILE_PATH = path.join(os.homedir(), '.oml', 'credentials.json');
+const LOCAL_MACHINE_ID_PATH = path.join(os.homedir(), '.oml', 'machine-id');
+
+// Derive a 256-bit encryption key bound to this machine and user.
+// Uses /etc/machine-id (Linux) or a locally generated UUID as the key material,
+// combined with the user's home directory so the key is user-specific too.
+async function deriveMachineKey(): Promise<Buffer> {
+    const machineId = await getOrCreateDeviceId();
+    const ikm = Buffer.from(`${machineId}:${os.homedir()}`, 'utf-8');
+    return new Promise<Buffer>((resolve, reject) => {
+        crypto.hkdf('sha256', ikm, Buffer.alloc(0), 'oml-cli-credentials-v1', 32, (err, key) => {
+            if (err) { reject(err); } else { resolve(Buffer.from(key)); }
+        });
+    });
+}
+
+function encryptValue(value: string, key: Buffer): string {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([cipher.update(value, 'utf-8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return JSON.stringify({
+        v: 1,
+        iv: iv.toString('base64'),
+        tag: tag.toString('base64'),
+        data: encrypted.toString('base64'),
+    });
+}
+
+function decryptValue(stored: string, key: Buffer): string {
+    const parsed = JSON.parse(stored) as { v?: number; iv: string; tag: string; data: string };
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(parsed.iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(parsed.tag, 'base64'));
+    return decipher.update(Buffer.from(parsed.data, 'base64'), undefined, 'utf-8') + decipher.final('utf-8');
+}
+
+class FileKeytar implements KeytarModule {
+    private keyPromise: Promise<Buffer> | undefined;
+
+    private getKey(): Promise<Buffer> {
+        if (!this.keyPromise) {
+            this.keyPromise = deriveMachineKey();
+        }
+        return this.keyPromise;
+    }
+
+    private async read(): Promise<Record<string, string>> {
+        try {
+            const content = await fs.readFile(CREDENTIALS_FILE_PATH, 'utf-8');
+            return JSON.parse(content) as Record<string, string>;
+        } catch {
+            return {};
+        }
+    }
+
+    private async write(store: Record<string, string>): Promise<void> {
+        await fs.mkdir(path.dirname(CREDENTIALS_FILE_PATH), { recursive: true });
+        await fs.writeFile(CREDENTIALS_FILE_PATH, `${JSON.stringify(store, null, 2)}\n`, { encoding: 'utf-8', mode: 0o600 });
+    }
+
+    private storeKey(service: string, account: string): string {
+        return `${service}:${account}`;
+    }
+
+    async getPassword(service: string, account: string): Promise<string | null> {
+        const store = await this.read();
+        const raw = store[this.storeKey(service, account)];
+        if (raw === undefined || raw === null) {
+            return null;
+        }
+        try {
+            const key = await this.getKey();
+            return decryptValue(raw, key);
+        } catch {
+            // Unreadable entry (wrong machine, corrupt, or legacy plaintext) — treat as missing.
+            return null;
+        }
+    }
+
+    async setPassword(service: string, account: string, password: string): Promise<void> {
+        const [store, key] = await Promise.all([this.read(), this.getKey()]);
+        store[this.storeKey(service, account)] = encryptValue(password, key);
+        await this.write(store);
+    }
+
+    async deletePassword(service: string, account: string): Promise<boolean> {
+        const store = await this.read();
+        const k = this.storeKey(service, account);
+        if (!(k in store)) {
+            return false;
+        }
+        delete store[k];
+        await this.write(store);
+        return true;
+    }
+}
+
 async function getKeytarModule(): Promise<KeytarModule> {
     if (!keytarModulePromise) {
         keytarModulePromise = import('keytar')
             .then((loaded) => loaded.default as KeytarModule)
             .catch((error: unknown) => {
+                const message = error instanceof Error ? error.message : String(error);
+                if (/libsecret|dlopen|ERR_DLOPEN_FAILED/i.test(message)) {
+                    console.error(chalk.yellow(
+                        'System keychain unavailable; credentials will be stored encrypted at ' +
+                        CREDENTIALS_FILE_PATH + ' using a machine-bound key. ' +
+                        'Set OML_PLATFORM_API_KEY for non-interactive environments.'
+                    ));
+                    return new FileKeytar();
+                }
                 keytarModulePromise = undefined;
-                throw new Error(formatKeytarLoadError(error));
+                throw new Error(`Secure credential storage is unavailable: ${message}`);
             });
     }
     return keytarModulePromise;
 }
 
-function formatKeytarLoadError(error: unknown): string {
-    const message = error instanceof Error ? error.message : String(error);
-    if (/libsecret|dlopen|ERR_DLOPEN_FAILED/i.test(message)) {
-        return 'Secure credential storage is unavailable (missing system keychain runtime, e.g. libsecret on Linux). ' +
-            'Install the OS keychain runtime or set OML_PLATFORM_API_KEY for non-interactive mode.';
+type JwtClaims = {
+    userId?: string;
+    userLabel?: string;
+    email?: string;
+    tier?: string;
+};
+
+function decodeJwtClaims(token: string): JwtClaims {
+    try {
+        const payload = token.split('.')[1];
+        if (!payload) { return {}; }
+        const json = JSON.parse(Buffer.from(payload.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf-8')) as Record<string, unknown>;
+        const userMeta = json['user_metadata'];
+        const appMeta = json['app_metadata'];
+        return {
+            userId: typeof json['sub'] === 'string' ? json['sub'] : undefined,
+            email: typeof json['email'] === 'string' ? json['email'] : undefined,
+            userLabel: userMeta && typeof (userMeta as Record<string, unknown>)['user_name'] === 'string'
+                ? (userMeta as Record<string, unknown>)['user_name'] as string : undefined,
+            tier: appMeta && typeof (appMeta as Record<string, unknown>)['tier'] === 'string'
+                ? (appMeta as Record<string, unknown>)['tier'] as string : undefined,
+        };
+    } catch {
+        return {};
     }
-    return `Secure credential storage is unavailable: ${message}`;
 }
 
 type GitHubDeviceCodeResponse = {