@oml/cli 0.14.2 → 0.14.4

package/src/auth/auth.ts

@@ -10,6 +10,7 @@ import {
     DEFAULT_SUPABASE_ANON_KEY,
     DEFAULT_SUPABASE_URL
 } from './constants.js';
+
 const GITHUB_DEVICE_CODE_URL = 'https://github.com/login/device/code';
 const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
 const GITHUB_USER_URL = 'https://api.github.com/user';
@@ -17,20 +18,40 @@ const DEFAULT_GITHUB_CLIENT_ID = 'Ov23liQkHYczdOAvHp5P';
 const API_BASE_URL_ENV = 'OML_PLATFORM_API_URL';
 const SUPABASE_URL_ENV = 'OML_SUPABASE_URL';
 const SUPABASE_ANON_KEY_ENV = 'OML_SUPABASE_ANON_KEY';
+const API_KEY_ENV = 'OML_PLATFORM_API_KEY';
+const KEYCHAIN_SERVICE = 'oml-code';
+const ACCESS_TOKEN_KEY = 'oml.cli.access_token';
+const REFRESH_TOKEN_KEY = 'oml.cli.refresh_token';
+const EXPIRES_AT_KEY = 'oml.cli.expires_at';
+const PROFILE_PATH = path.join(os.homedir(), '.oml', 'cli-profile.json');
+const LOCK_PATH = path.join(os.homedir(), '.oml', 'credentials.lock');
+const SESSION_EXPIRATION_LEEWAY_MS = 20_000;
+const LOCK_TIMEOUT_MS = 5_000;
+const LOCK_POLL_INTERVAL_MS = 200;
+
+type KeytarModule = {
+    getPassword(service: string, account: string): Promise<string | null>;
+    setPassword(service: string, account: string, password: string): Promise<void>;
+    deletePassword(service: string, account: string): Promise<boolean>;
+};
+
+let keytarModulePromise: Promise<KeytarModule> | undefined;
 
 type Provider = 'github';
 
-type StoredSession = {
+type StoredProfile = {
     provider: Provider;
     userId: string;
     userLabel?: string;
     email: string | null;
     tier?: string;
+    signedInAt: string;
+};
+
+type StoredCredential = {
     accessToken: string;
     refreshToken: string;
-    tokenType: string;
-    expiresIn: number;
-    signedInAt: string;
+    expiresAtMs: number;
 };
 
 type LoginOptions = {
@@ -43,134 +64,222 @@ export type OmlCliServerAuthSnapshot = {
 };
 
 export class OmlCliAuthService {
+    async login(_options: LoginOptions): Promise<void> {
+        const apiKey = process.env[API_KEY_ENV]?.trim();
+        if (apiKey) {
+            console.error(chalk.yellow(
+                'OML_PLATFORM_API_KEY is set and will take precedence over stored OAuth credentials. ' +
+                'Unset it to use interactive CLI login.'
+            ));
+            console.error('Run `oml whoami` to inspect the currently effective authentication mode.');
+            return;
+        }
 
-    async login(options: LoginOptions): Promise<void> {
-        const session = await this.authenticate();
-        await writeSession(session, true);
+        const existing = await this.tryGetValidSnapshot();
+        if (existing) {
+            const profile = await readProfile();
+            console.error(chalk.green(
+                `Already signed in as ${profile?.userLabel ?? profile?.email ?? profile?.userId ?? 'current user'}.`
+            ));
+            return;
+        }
+
+        const session = await authenticateWithGitHub();
+        await writeCredential({
+            accessToken: session.accessToken,
+            refreshToken: session.refreshToken,
+            expiresAtMs: session.expiresAtMs,
+        });
+        await writeProfile({
+            provider: session.provider,
+            userId: session.userId,
+            userLabel: session.userLabel,
+            email: session.email,
+            tier: session.tier,
+            signedInAt: new Date().toISOString(),
+        });
         const summary = session.userLabel ?? session.email ?? 'signed-in user';
         console.error(chalk.green(`Signed in as ${summary} via ${session.provider}.`));
     }
 
     async logout(): Promise<void> {
-        await deleteSession();
-        console.error(chalk.green('Signed out.'));
+        const activeServers = await listActiveServers();
+        await deleteCredential();
+        await deleteProfile();
+        if (activeServers.length > 0) {
+            console.error(chalk.yellow('Stored OAuth credentials were cleared. Running servers were not stopped:'));
+            for (const server of activeServers) {
+                console.error(`- ${server.workspaceRoot ?? '(unknown workspace)'} on port ${server.port} (pid ${server.pid})`);
+            }
+            if (process.env[API_KEY_ENV]?.trim()) {
+                console.error(chalk.yellow('OML_PLATFORM_API_KEY is still set, so future starts may use API-key auth.'));
+            }
+            return;
+        }
+        console.error(chalk.green('Stored OAuth credentials were cleared.'));
+        if (process.env[API_KEY_ENV]?.trim()) {
+            console.error(chalk.yellow('OML_PLATFORM_API_KEY is still set, so future starts may use API-key auth.'));
+        }
     }
 
     async whoami(): Promise<void> {
-        const session = await readSession();
-        if (!session) {
+        const apiKey = process.env[API_KEY_ENV]?.trim();
+        if (apiKey) {
+            console.error('Auth mode: api_key');
+            console.error('Account: resolved by OML Platform from OML_PLATFORM_API_KEY');
+            const profile = await readProfile();
+            if (profile) {
+                console.error(`Stored OAuth user: ${profile.userLabel ?? profile.email ?? profile.userId}`);
+            }
+            return;
+        }
+
+        const credential = await readCredential();
+        const profile = await readProfile();
+        if (!credential || !profile) {
             console.error(chalk.yellow('Not signed in.'));
             return;
         }
-        console.error(`Provider: ${session.provider}`);
-        console.error(`User ID: ${session.userId}`);
-        console.error(`User label: ${session.userLabel ?? '(not set)'}`);
-        console.error(`Email: ${session.email ?? '(not set)'}`);
-        console.error(`Tier: ${session.tier ?? '(not set)'}`);
-        console.error(`Signed in at: ${session.signedInAt}`);
+        console.error('Auth mode: oauth');
+        console.error(`Provider: ${profile.provider}`);
+        console.error(`User ID: ${profile.userId}`);
+        console.error(`User label: ${profile.userLabel ?? '(not set)'}`);
+        console.error(`Email: ${profile.email ?? '(not set)'}`);
+        console.error(`Tier: ${profile.tier ?? '(not set)'}`);
+        console.error(`Signed in at: ${profile.signedInAt}`);
+        console.error(`Access token expires at: ${new Date(credential.expiresAtMs).toISOString()}`);
     }
 
     async ensureAuthenticated(operationName: string): Promise<void> {
-        const session = await readSession();
+        if (process.env[API_KEY_ENV]?.trim()) {
+            return;
+        }
+        const session = await readCredential();
         if (!session) {
             throw new Error(`${operationName} requires authentication. Run 'oml login' first.`);
         }
     }
 
     async getAccessToken(): Promise<string> {
-        const session = await readSession();
-        if (!session?.accessToken) {
-            throw new Error('OML CLI authentication is required. Run \'oml login\' first.');
-        }
+        const session = await this.getServerAuthSnapshot();
         return session.accessToken;
     }
 
     async refreshAccessToken(): Promise<string> {
-        const session = await readSession();
-        if (!session?.refreshToken) {
-            throw new Error('OML CLI authentication is required. Run \'oml login\' first.');
-        }
-
-        let refreshed;
-        try {
-            refreshed = await refreshSupabaseAccessToken(
-                resolveSupabaseUrl(),
-                resolveSupabaseAnonKey(),
-                session.refreshToken
-            );
-        } catch {
-            throw new Error('Authentication refresh failed. Check your network connection or sign in again with \'oml login\'.');
-        }
-
-        const updatedSession: StoredSession = {
-            ...session,
-            accessToken: refreshed.access_token,
-            refreshToken: refreshed.refresh_token,
-            tokenType: refreshed.token_type,
-            expiresIn: refreshed.expires_in,
-            email: refreshed.email ?? session.email,
-            signedInAt: new Date().toISOString(),
-        };
-
-        await writeSession(updatedSession);
-        return updatedSession.accessToken;
+        const refreshed = await this.refreshCredential();
+        return refreshed.accessToken;
     }
 
     async getServerAuthSnapshot(): Promise<OmlCliServerAuthSnapshot> {
-        const session = await readSession();
+        const session = await readCredential();
         if (!session?.accessToken) {
             throw new Error('OML CLI authentication is required. Run \'oml login\' first.');
         }
-        const signedInAtMs = Date.parse(session.signedInAt);
-        const expiresAtMs = Number.isFinite(signedInAtMs)
-            ? signedInAtMs + (session.expiresIn * 1000)
-            : undefined;
-        if (expiresAtMs !== undefined && Date.now() + 20_000 >= expiresAtMs) {
-            await this.refreshAccessToken();
-            return await this.getServerAuthSnapshot();
+        if (Date.now() + SESSION_EXPIRATION_LEEWAY_MS >= session.expiresAtMs) {
+            const refreshed = await this.refreshCredential();
+            return {
+                accessToken: refreshed.accessToken,
+                refreshToken: refreshed.refreshToken,
+                expiresAtMs: refreshed.expiresAtMs,
+            };
         }
         return {
             accessToken: session.accessToken,
             refreshToken: session.refreshToken,
-            expiresAtMs,
+            expiresAtMs: session.expiresAtMs,
         };
     }
 
-    async storeRefreshedTokens(accessToken: string, refreshToken: string, expiresAtMs: number): Promise<void> {
-        const session = await readSession();
-        if (!session) {
-            return;
+    private async tryGetValidSnapshot(): Promise<OmlCliServerAuthSnapshot | null> {
+        try {
+            return await this.getServerAuthSnapshot();
+        } catch {
+            return null;
         }
-        const expiresIn = Math.max(0, Math.round((expiresAtMs - Date.now()) / 1000));
-        const updatedSession: StoredSession = {
-            ...session,
-            accessToken,
-            refreshToken,
-            expiresIn,
-            signedInAt: new Date().toISOString(),
-        };
-        await writeSession(updatedSession);
     }
 
-    private async authenticate(): Promise<StoredSession> {
-        return authenticateWithGitHub();
+    private async refreshCredential(): Promise<StoredCredential> {
+        const session = await readCredential();
+        if (!session?.refreshToken) {
+            throw new Error('OML CLI authentication is required. Run \'oml login\' first.');
+        }
+
+        const lock = await acquireCredentialLock();
+        try {
+            const latest = await readCredential();
+            if (latest && Date.now() + SESSION_EXPIRATION_LEEWAY_MS < latest.expiresAtMs) {
+                return latest;
+            }
+            const source = latest ?? session;
+            const refreshed = await refreshSupabaseAccessToken(
+                resolveSupabaseUrl(),
+                resolveSupabaseAnonKey(),
+                source.refreshToken
+            );
+            const updatedSession: StoredCredential = {
+                accessToken: refreshed.access_token,
+                refreshToken: refreshed.refresh_token,
+                expiresAtMs: Date.now() + (refreshed.expires_in * 1000),
+            };
+            await writeCredential(updatedSession);
+            const profile = await readProfile();
+            if (profile) {
+                await writeProfile({
+                    ...profile,
+                    email: refreshed.email ?? profile.email,
+                });
+            }
+            return updatedSession;
+        } catch (error) {
+            if (isUnauthorizedError(error)) {
+                await deleteCredential();
+                await deleteProfile();
+                throw new Error('Authentication refresh failed because the stored credential was revoked. Run \'oml login\' again.');
+            }
+            throw new Error('Authentication refresh failed. Check your network connection or sign in again with \'oml login\'.');
+        } finally {
+            await lock.release();
+        }
+    }
+}
+
+async function readCredential(): Promise<StoredCredential | undefined> {
+    const keytar = await getKeytarModule();
+    const [accessToken, refreshToken, expiresAtRaw] = await Promise.all([
+        keytar.getPassword(KEYCHAIN_SERVICE, ACCESS_TOKEN_KEY),
+        keytar.getPassword(KEYCHAIN_SERVICE, REFRESH_TOKEN_KEY),
+        keytar.getPassword(KEYCHAIN_SERVICE, EXPIRES_AT_KEY),
+    ]);
+    const expiresAtMs = Number(expiresAtRaw ?? NaN);
+    if (!accessToken || !refreshToken || !Number.isFinite(expiresAtMs)) {
+        return undefined;
     }
+    return { accessToken, refreshToken, expiresAtMs };
 }
 
-async function readSession(): Promise<StoredSession | undefined> {
+async function writeCredential(credential: StoredCredential): Promise<void> {
+    const keytar = await getKeytarModule();
+    await Promise.all([
+        keytar.setPassword(KEYCHAIN_SERVICE, ACCESS_TOKEN_KEY, credential.accessToken),
+        keytar.setPassword(KEYCHAIN_SERVICE, REFRESH_TOKEN_KEY, credential.refreshToken),
+        keytar.setPassword(KEYCHAIN_SERVICE, EXPIRES_AT_KEY, String(credential.expiresAtMs)),
+    ]);
+}
+
+async function deleteCredential(): Promise<void> {
+    const keytar = await getKeytarModule();
+    await Promise.all([
+        keytar.deletePassword(KEYCHAIN_SERVICE, ACCESS_TOKEN_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, REFRESH_TOKEN_KEY),
+        keytar.deletePassword(KEYCHAIN_SERVICE, EXPIRES_AT_KEY),
+    ]);
+}
+
+async function readProfile(): Promise<StoredProfile | undefined> {
     try {
-        const content = await fs.readFile(getSessionPath(), 'utf-8');
-        const data = JSON.parse(content) as Partial<StoredSession>;
-        if (!data.userId || !data.provider || !data.signedInAt) {
-            return undefined;
-        }
-        if (!data.accessToken) {
-            return undefined;
-        }
-        if (!data.refreshToken || !data.tokenType || typeof data.expiresIn !== 'number') {
-            return undefined;
-        }
-        if (data.provider !== 'github') {
+        const content = await fs.readFile(PROFILE_PATH, 'utf-8');
+        const data = JSON.parse(content) as Partial<StoredProfile>;
+        if (!data.provider || !data.userId || !data.signedInAt) {
             return undefined;
         }
         return {
@@ -179,34 +288,21 @@ async function readSession(): Promise<StoredSession | undefined> {
             userLabel: data.userLabel,
             email: data.email ?? null,
             tier: data.tier,
-            accessToken: data.accessToken,
-            refreshToken: data.refreshToken,
-            tokenType: data.tokenType,
-            expiresIn: data.expiresIn,
-            signedInAt: data.signedInAt
+            signedInAt: data.signedInAt,
         };
     } catch {
         return undefined;
     }
 }
 
-async function writeSession(session: StoredSession, warnAboutPlaintext = false): Promise<void> {
-    const sessionPath = getSessionPath();
-    await fs.mkdir(path.dirname(sessionPath), { recursive: true });
-    await fs.writeFile(sessionPath, `${JSON.stringify(session, null, 2)}\n`, 'utf-8');
-    if (warnAboutPlaintext) {
-        process.stderr.write(
-            chalk.yellow(
-                `[oml] Warning: credentials stored in plaintext at ${sessionPath}. ` +
-                `A system keychain is not available in this environment.\n`
-            )
-        );
-    }
+async function writeProfile(profile: StoredProfile): Promise<void> {
+    await fs.mkdir(path.dirname(PROFILE_PATH), { recursive: true });
+    await fs.writeFile(PROFILE_PATH, `${JSON.stringify(profile, null, 2)}\n`, 'utf-8');
 }
 
-async function deleteSession(): Promise<void> {
+async function deleteProfile(): Promise<void> {
     try {
-        await fs.unlink(getSessionPath());
+        await fs.unlink(PROFILE_PATH);
     } catch (error) {
         if ((error as NodeJS.ErrnoException).code !== 'ENOENT') {
             throw error;
@@ -214,11 +310,16 @@ async function deleteSession(): Promise<void> {
     }
 }
 
-function getSessionPath(): string {
-    return path.join(os.homedir(), '.oml', 'auth.json');
-}
-
-async function authenticateWithGitHub(): Promise<StoredSession> {
+async function authenticateWithGitHub(): Promise<{
+    provider: Provider;
+    userId: string;
+    userLabel?: string;
+    email: string | null;
+    tier?: string;
+    accessToken: string;
+    refreshToken: string;
+    expiresAtMs: number;
+}> {
     const clientId = resolveClientId();
     const params = new URLSearchParams({
         client_id: clientId,
@@ -266,9 +367,7 @@ async function authenticateWithGitHub(): Promise<StoredSession> {
         tier: platformSession.tier,
         accessToken: platformSession.access_token,
         refreshToken: platformSession.refresh_token,
-        tokenType: platformSession.token_type,
-        expiresIn: platformSession.expires_in,
-        signedInAt: new Date().toISOString()
+        expiresAtMs: Date.now() + platformSession.expires_in * 1000,
     };
 }
 
@@ -323,6 +422,59 @@ async function pollForGitHubAccessToken(clientId: string, device: GitHubDeviceCo
     }
 }
 
+async function acquireCredentialLock(): Promise<{ release: () => Promise<void> }> {
+    await fs.mkdir(path.dirname(LOCK_PATH), { recursive: true });
+    const startedAt = Date.now();
+    while (Date.now() - startedAt < LOCK_TIMEOUT_MS) {
+        try {
+            const handle = await fs.open(LOCK_PATH, 'wx');
+            return {
+                release: async () => {
+                    await handle.close();
+                    await fs.rm(LOCK_PATH, { force: true });
+                },
+            };
+        } catch (error) {
+            if ((error as NodeJS.ErrnoException).code !== 'EEXIST') {
+                throw error;
+            }
+            await delay(LOCK_POLL_INTERVAL_MS);
+        }
+    }
+    throw new Error('Timed out waiting for the CLI credential lock.');
+}
+
+async function listActiveServers(): Promise<Array<{ pid: number; port: number; workspaceRoot?: string }>> {
+    const baseDir = path.join(os.homedir(), '.oml', 'workspaces');
+    try {
+        const workspaceDirs = await fs.readdir(baseDir);
+        const active: Array<{ pid: number; port: number; workspaceRoot?: string }> = [];
+        for (const workspaceDir of workspaceDirs) {
+            const lockFile = path.join(baseDir, workspaceDir, 'server.lock');
+            try {
+                const raw = await fs.readFile(lockFile, 'utf-8');
+                const parsed = JSON.parse(raw) as { pid?: unknown; port?: unknown; workspaceRoot?: unknown };
+                const pid = Number(parsed.pid);
+                const port = Number(parsed.port);
+                if (!Number.isFinite(pid) || !Number.isFinite(port)) {
+                    continue;
+                }
+                process.kill(Math.trunc(pid), 0);
+                active.push({
+                    pid: Math.trunc(pid),
+                    port: Math.trunc(port),
+                    workspaceRoot: typeof parsed.workspaceRoot === 'string' ? parsed.workspaceRoot : undefined,
+                });
+            } catch {
+                // ignore malformed or stale lock entries
+            }
+        }
+        return active;
+    } catch {
+        return [];
+    }
+}
+
 function resolveClientId(): string {
     const configured = process.env.OML_AUTH_GITHUB_CLIENT_ID?.trim() || DEFAULT_GITHUB_CLIENT_ID;
     if (configured) {
@@ -349,6 +501,32 @@ function delay(ms: number): Promise<void> {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
+function isUnauthorizedError(error: unknown): boolean {
+    const message = error instanceof Error ? error.message : String(error);
+    return /\b401\b/.test(message);
+}
+
+async function getKeytarModule(): Promise<KeytarModule> {
+    if (!keytarModulePromise) {
+        keytarModulePromise = import('keytar')
+            .then((loaded) => loaded.default as KeytarModule)
+            .catch((error: unknown) => {
+                keytarModulePromise = undefined;
+                throw new Error(formatKeytarLoadError(error));
+            });
+    }
+    return keytarModulePromise;
+}
+
+function formatKeytarLoadError(error: unknown): string {
+    const message = error instanceof Error ? error.message : String(error);
+    if (/libsecret|dlopen|ERR_DLOPEN_FAILED/i.test(message)) {
+        return 'Secure credential storage is unavailable (missing system keychain runtime, e.g. libsecret on Linux). ' +
+            'Install the OS keychain runtime or set OML_PLATFORM_API_KEY for non-interactive mode.';
+    }
+    return `Secure credential storage is unavailable: ${message}`;
+}
+
 type GitHubDeviceCodeResponse = {
     device_code?: string;
     user_code?: string;
@@ -363,6 +541,5 @@ type GitHubTokenResponse = {
 };
 
 type GitHubUserResponse = {
-    id?: number;
     login?: string;
 };

package/src/auth/platform.ts

@@ -8,7 +8,7 @@
  * commands to execute.
  */
 
-import { OmlClient, FileStorageAdapter, installNodeShutdownHandlers, exchangeApiToken } from '@oml/platform';
+import { OmlClient, FileStorageAdapter, installNodeShutdownHandlers } from '@oml/platform';
 import type { OmlClientConfig } from '@oml/platform';
 import type { NodeShutdownHandle } from '@oml/platform';
 import chalk from 'chalk';
@@ -16,7 +16,6 @@ import { DEFAULT_API_BASE_URL } from './constants.js';
 import { OmlCliAuthService } from './auth.js';
 const API_BASE_URL_ENV = 'OML_PLATFORM_API_URL';
 const API_KEY_ENV = 'OML_PLATFORM_API_KEY';
-const OIDC_TOKEN_ENV = 'OML_CI_TOKEN';
 
 let client: OmlClient | null = null;
 let shutdownHandle: NodeShutdownHandle | null = null;
@@ -37,24 +36,6 @@ export async function initializePlatform(
     const resolvedApiBaseUrl = process.env[API_BASE_URL_ENV]?.trim() || apiBaseUrl;
 
     const apiKey = process.env[API_KEY_ENV]?.trim();
-    let apiKeyAccessToken: string | undefined;
-    let apiKeyAccessTokenExpiresAtMs = 0;
-
-    const getApiKeyAccessToken = async (): Promise<string> => {
-        const refreshLeewayMs = 20_000;
-        if (apiKeyAccessToken && Date.now() + refreshLeewayMs < apiKeyAccessTokenExpiresAtMs) {
-            return apiKeyAccessToken;
-        }
-        if (!apiKey) {
-            throw new Error('OML API key is missing.');
-        }
-        const oidcToken = process.env[OIDC_TOKEN_ENV]?.trim() || undefined;
-        const exchanged = await exchangeApiToken(resolvedApiBaseUrl, apiKey, oidcToken);
-        apiKeyAccessToken = exchanged.accessToken;
-        apiKeyAccessTokenExpiresAtMs = Date.now() + (Math.max(1, exchanged.expiresIn) * 1000);
-        return apiKeyAccessToken;
-    };
-
     const config: OmlClientConfig = {
         apiBaseUrl: resolvedApiBaseUrl,
         tool: 'oml-cli',
@@ -62,21 +43,14 @@ export async function initializePlatform(
         auth: apiKey
             ? {
                 method: 'oauth',
-                getToken: () => getApiKeyAccessToken(),
-                refreshToken: () => getApiKeyAccessToken(),
+                getToken: async () => apiKey,
+                refreshToken: async () => apiKey,
             }
             : {
                 method: 'oauth',
                 getToken: () => authService.getAccessToken(),
                 refreshToken: () => authService.refreshAccessToken(),
             },
-        onConcurrencyLimit: (info) => {
-            console.error(chalk.yellow(
-                `OML Platform: concurrent session limit reached `
-                + `(${info.active_sessions}/${info.max_sessions}). `
-                + `Close another instance or upgrade your plan.`
-            ));
-        },
         onAuthError: (error) => {
             console.error(chalk.red(
                 `OML Platform: authentication error — ${toGenericPlatformErrorMessage(error)}`
@@ -97,7 +71,7 @@ export async function initializePlatform(
 
 /**
  * Dispose the platform client. Flushes any buffered telemetry
- * and ends the session. Call at the end of CLI execution.
+ * and flushes buffered telemetry. Call at the end of CLI execution.
  */
 export async function disposePlatform(): Promise<void> {
     if (shutdownHandle) {