@oml/cli 0.7.0

package/src/auth.ts

@@ -0,0 +1,315 @@
+// Copyright (c) 2026 Modelware. All rights reserved.
+
+import chalk from 'chalk';
+import * as fs from 'node:fs/promises';
+import * as os from 'node:os';
+import * as path from 'node:path';
+
+const DEFAULT_WHITELIST_URL = 'https://www.modelware.io/oml-code/auth/permissions.json';
+const CACHE_DURATION_MS = 5 * 60 * 1000;
+const GITHUB_DEVICE_CODE_URL = 'https://github.com/login/device/code';
+const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
+const GITHUB_USER_URL = 'https://api.github.com/user';
+const DEFAULT_GITHUB_CLIENT_ID = 'Ov23liQkHYczdOAvHp5P';
+
+type Provider = 'github';
+
+type StoredSession = {
+    provider: Provider;
+    userId: string;
+    userLabel?: string;
+    signedInAt: string;
+};
+
+type LoginOptions = {
+};
+
+type AuthStatus = {
+    session: StoredSession;
+    authorized: boolean;
+};
+
+export class OmlCliAuthService {
+    private whitelistCache: Set<string> | null = null;
+    private whitelistCacheTime = 0;
+
+    async login(options: LoginOptions): Promise<void> {
+        const session = await this.authenticate();
+
+        const authorized = await this.isAuthorized(session);
+        if (!authorized) {
+            throw new Error('Sign in succeeded, but this account is not authorized.');
+        }
+
+        await writeSession(session);
+        const summary = session.userLabel ? `${session.userLabel} (${session.userId})` : session.userId;
+        console.error(chalk.green(`Signed in as ${summary} via ${session.provider}.`));
+    }
+
+    async logout(): Promise<void> {
+        await deleteSession();
+        this.clearWhitelistCache();
+        console.error(chalk.green('Signed out.'));
+    }
+
+    async whoami(): Promise<void> {
+        const session = await readSession();
+        if (!session) {
+            console.error(chalk.yellow('Not signed in.'));
+            return;
+        }
+        const authorized = await this.isAuthorized(session);
+        console.error(`Provider: ${session.provider}`);
+        console.error(`User ID: ${session.userId}`);
+        console.error(`User label: ${session.userLabel ?? '(not set)'}`);
+        console.error(`Signed in at: ${session.signedInAt}`);
+        console.error(`Authorized: ${authorized ? 'yes' : 'no'}`);
+    }
+
+    async ensureAuthenticated(operationName: string): Promise<AuthStatus> {
+        const session = await readSession();
+        if (!session) {
+            throw new Error(`${operationName} requires authentication. Run 'oml login' first.`);
+        }
+
+        const authorized = await this.isAuthorized(session);
+        if (!authorized) {
+            throw new Error(`${operationName} requires authorization. Your account is not authorized.`);
+        }
+
+        return { session, authorized };
+    }
+
+    private async isAuthorized(session: StoredSession): Promise<boolean> {
+        const whitelist = await this.fetchWhitelist();
+        if (!whitelist) {
+            return true;
+        }
+        const userId = session.userId.toLowerCase();
+        return whitelist.has(userId);
+    }
+
+    private async fetchWhitelist(): Promise<Set<string> | null> {
+        const whitelistUrl = process.env.OML_AUTH_WHITELIST_URL ?? DEFAULT_WHITELIST_URL;
+        if (!whitelistUrl) {
+            return null;
+        }
+
+        const now = Date.now();
+        if (this.whitelistCache && (now - this.whitelistCacheTime) < CACHE_DURATION_MS) {
+            return this.whitelistCache;
+        }
+
+        try {
+            const response = await fetch(whitelistUrl);
+            if (!response.ok) {
+                throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+            }
+            const data = await response.json();
+            const userList = extractWhitelistEntries(data);
+            this.whitelistCache = new Set(userList.map((id) => String(id).toLowerCase()));
+            this.whitelistCacheTime = now;
+            return this.whitelistCache;
+        } catch (error) {
+            console.error(chalk.yellow(
+                `OML: Could not verify authorization. ${error instanceof Error ? error.message : String(error)}`
+            ));
+            return null;
+        }
+    }
+
+    private clearWhitelistCache(): void {
+        this.whitelistCache = null;
+        this.whitelistCacheTime = 0;
+    }
+
+    private async authenticate(): Promise<StoredSession> {
+        return authenticateWithGitHub();
+    }
+}
+
+function extractWhitelistEntries(data: unknown): string[] {
+    if (Array.isArray(data)) {
+        return data.map((value) => String(value));
+    }
+    if (typeof data === 'object' && data !== null) {
+        const record = data as { allowedUsers?: unknown; users?: unknown };
+        if (Array.isArray(record.allowedUsers)) {
+            return record.allowedUsers.map((value) => String(value));
+        }
+        if (Array.isArray(record.users)) {
+            return record.users.map((value) => String(value));
+        }
+    }
+    throw new Error('Invalid whitelist format. Expected array or object with "allowedUsers" or "users" property.');
+}
+
+async function readSession(): Promise<StoredSession | undefined> {
+    try {
+        const content = await fs.readFile(getSessionPath(), 'utf-8');
+        const data = JSON.parse(content) as Partial<StoredSession>;
+        if (!data.userId || !data.provider || !data.signedInAt) {
+            return undefined;
+        }
+        if (data.provider !== 'github' && data.provider !== 'microsoft') {
+            return undefined;
+        }
+        return {
+            provider: data.provider,
+            userId: data.userId,
+            userLabel: data.userLabel,
+            signedInAt: data.signedInAt
+        };
+    } catch {
+        return undefined;
+    }
+}
+
+async function writeSession(session: StoredSession): Promise<void> {
+    const sessionPath = getSessionPath();
+    await fs.mkdir(path.dirname(sessionPath), { recursive: true });
+    await fs.writeFile(sessionPath, `${JSON.stringify(session, null, 2)}\n`, 'utf-8');
+}
+
+async function deleteSession(): Promise<void> {
+    try {
+        await fs.unlink(getSessionPath());
+    } catch (error) {
+        if ((error as NodeJS.ErrnoException).code !== 'ENOENT') {
+            throw error;
+        }
+    }
+}
+
+function getSessionPath(): string {
+    return path.join(os.homedir(), '.oml', 'auth.json');
+}
+
+async function authenticateWithGitHub(): Promise<StoredSession> {
+    const clientId = resolveClientId();
+    const params = new URLSearchParams({
+        client_id: clientId,
+        scope: 'read:user'
+    });
+    const response = await fetch(GITHUB_DEVICE_CODE_URL, {
+        method: 'POST',
+        headers: {
+            accept: 'application/json',
+            'content-type': 'application/x-www-form-urlencoded'
+        },
+        body: params
+    });
+    if (!response.ok) {
+        throw new Error(`GitHub device authorization failed: HTTP ${response.status} ${response.statusText}`);
+    }
+    const device = await response.json() as GitHubDeviceCodeResponse;
+    if (!device.device_code || !device.user_code || !device.verification_uri) {
+        throw new Error('GitHub device authorization response was incomplete.');
+    }
+
+    printDeviceFlowInstructions('GitHub', device.verification_uri, device.user_code);
+    const token = await pollForGitHubAccessToken(clientId, device);
+    const userResponse = await fetch(GITHUB_USER_URL, {
+        headers: {
+            accept: 'application/vnd.github+json',
+            authorization: `Bearer ${token}`
+        }
+    });
+    if (!userResponse.ok) {
+        throw new Error(`GitHub user lookup failed: HTTP ${userResponse.status} ${userResponse.statusText}`);
+    }
+    const user = await userResponse.json() as GitHubUserResponse;
+    if (!user.login) {
+        throw new Error('GitHub user lookup did not return a login name.');
+    }
+
+    return {
+        provider: 'github',
+        userId: user.login,
+        userLabel: user.login,
+        signedInAt: new Date().toISOString()
+    };
+}
+
+function printDeviceFlowInstructions(providerName: string, verificationUri: string, userCode: string): void {
+    console.error(chalk.cyan(`${providerName} sign-in required.`));
+    console.error(`Open: ${verificationUri}`);
+    console.error(`Code: ${userCode}`);
+}
+
+async function pollForGitHubAccessToken(clientId: string, device: GitHubDeviceCodeResponse): Promise<string> {
+    const deviceCode = device.device_code;
+    if (!deviceCode) {
+        throw new Error('GitHub device authorization response was incomplete.');
+    }
+    let intervalSeconds = Math.max(1, device.interval ?? 5);
+    while (true) {
+        await delay(intervalSeconds * 1_000);
+        const params = new URLSearchParams({
+            client_id: clientId,
+            device_code: deviceCode,
+            grant_type: 'urn:ietf:params:oauth:grant-type:device_code'
+        });
+        const response = await fetch(GITHUB_TOKEN_URL, {
+            method: 'POST',
+            headers: {
+                accept: 'application/json',
+                'content-type': 'application/x-www-form-urlencoded'
+            },
+            body: params
+        });
+        if (!response.ok) {
+            throw new Error(`GitHub token exchange failed: HTTP ${response.status} ${response.statusText}`);
+        }
+        const token = await response.json() as GitHubTokenResponse;
+        if (token.access_token) {
+            return token.access_token;
+        }
+        if (token.error === 'authorization_pending') {
+            continue;
+        }
+        if (token.error === 'slow_down') {
+            intervalSeconds += 5;
+            continue;
+        }
+        if (token.error === 'expired_token') {
+            throw new Error('GitHub device code expired before authorization completed.');
+        }
+        if (token.error === 'access_denied') {
+            throw new Error('GitHub sign-in was denied.');
+        }
+        throw new Error(token.error_description ?? token.error ?? 'GitHub sign-in failed.');
+    }
+}
+
+function resolveClientId(): string {
+    const configured = process.env.OML_AUTH_GITHUB_CLIENT_ID?.trim() || DEFAULT_GITHUB_CLIENT_ID;
+    if (configured) {
+        return configured;
+    }
+    throw new Error(
+        'GitHub login is not configured. Set OML_AUTH_GITHUB_CLIENT_ID or embed DEFAULT_GITHUB_CLIENT_ID in packages/cli/src/auth.ts.'
+    );
+}
+
+function delay(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+type GitHubDeviceCodeResponse = {
+    device_code?: string;
+    user_code?: string;
+    verification_uri?: string;
+    interval?: number;
+};
+
+type GitHubTokenResponse = {
+    access_token?: string;
+    error?: string;
+    error_description?: string;
+};
+
+type GitHubUserResponse = {
+    id?: number;
+    login?: string;
+};

package/src/backend/backend-types.ts

@@ -0,0 +1,25 @@
+// Copyright (c) 2026 Modelware. All rights reserved.
+
+import type { MdExecuteBlocksParams, MdExecuteBlocksResult } from '@oml/markdown';
+
+export interface ValidateSummary {
+    filesChecked: number;
+    warnings: number;
+}
+
+export interface MarkdownRenderResult {
+    renderedHtml: string;
+    contextUri?: string;
+}
+
+export interface CliBackendOptions {
+    owlOutputRoot?: string;
+    rdfFormat?: string;
+}
+
+export interface CliBackend {
+    validate(fileName: string | undefined, workspaceRoot: string): Promise<ValidateSummary>;
+    renderMarkdown(markdown: string): Promise<MarkdownRenderResult>;
+    executeMarkdownBlocks(params: MdExecuteBlocksParams, workspaceRoot: string): Promise<MdExecuteBlocksResult>;
+    dispose(): Promise<void>;
+}

package/src/backend/create-backend.ts

@@ -0,0 +1,8 @@
+// Copyright (c) 2026 Modelware. All rights reserved.
+
+import { DirectBackend } from './direct-backend.js';
+import type { CliBackend, CliBackendOptions } from './backend-types.js';
+
+export function createBackend(options: CliBackendOptions = {}): CliBackend {
+    return new DirectBackend(options);
+}

package/src/backend/direct-backend.ts

@@ -0,0 +1,114 @@
+// Copyright (c) 2026 Modelware. All rights reserved.
+
+import { createOwlServices } from '@oml/owl';
+import { MarkdownHandlerRegistry, MarkdownPreviewRuntime } from '@oml/markdown';
+import { MarkdownExecutor, type MdExecuteBlocksParams, type MdExecuteBlocksResult } from '@oml/markdown';
+import { NodeFileSystem } from 'langium/node';
+import { URI } from 'langium';
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import { extractDocument } from '../util.js';
+import type { CliBackend, CliBackendOptions, MarkdownRenderResult, ValidateSummary } from './backend-types.js';
+import { loadPreparedDatasetFromOutput, normalizeFormatExtension } from './reasoned-output.js';
+
+export class DirectBackend implements CliBackend {
+    private readonly markdownRuntime = new MarkdownPreviewRuntime(new MarkdownHandlerRegistry());
+    private readonly owlOutputRoot?: string;
+    private readonly rdfFormat: string;
+    private servicesBundle?: ReturnType<typeof createOwlServices>;
+    private initializedWorkspaceRoot?: string;
+    private loadedDatasetKey?: string;
+
+    constructor(options: CliBackendOptions = {}) {
+        this.owlOutputRoot = options.owlOutputRoot ? path.resolve(options.owlOutputRoot) : undefined;
+        this.rdfFormat = normalizeFormatExtension(options.rdfFormat);
+    }
+
+    async validate(fileName: string | undefined, workspaceRoot: string): Promise<ValidateSummary> {
+        const services = await this.ensureServices(workspaceRoot);
+
+        if (fileName) {
+            const document = await extractDocument(fileName, services, undefined);
+            const warnings = (document.diagnostics ?? []).filter((d) => d.severity === 2).length;
+            return { filesChecked: 1, warnings };
+        }
+
+        const files = await findOmlFiles(workspaceRoot);
+        let warningCount = 0;
+        for (const file of files) {
+            const document = await extractDocument(file, services, undefined);
+            warningCount += (document.diagnostics ?? []).filter((d) => d.severity === 2).length;
+        }
+        return { filesChecked: files.length, warnings: warningCount };
+    }
+
+    async renderMarkdown(markdown: string): Promise<MarkdownRenderResult> {
+        const rendered = this.markdownRuntime.prepare(markdown);
+        return {
+            renderedHtml: rendered.renderedHtml,
+            contextUri: rendered.contextUri
+        };
+    }
+
+    async executeMarkdownBlocks(params: MdExecuteBlocksParams, workspaceRoot: string): Promise<MdExecuteBlocksResult> {
+        const services = await this.ensureServices(workspaceRoot);
+        await this.ensurePreparedDataset(workspaceRoot, services);
+        const reasoningService = services.reasoning.ReasoningService as any;
+        const executor = new MarkdownExecutor({
+            ensureContext: (modelUri) => reasoningService.ensureQueryContext(modelUri),
+            resolveContextIri: (modelUri) => reasoningService.getContextIri(modelUri),
+            query: (modelUri, sparql) => reasoningService.getSparqlService().query(modelUri, sparql),
+            construct: (modelUri, sparql) => reasoningService.getSparqlService().construct(modelUri, sparql),
+        });
+        return executor.executeBlocks(params);
+    }
+
+    async dispose(): Promise<void> {
+        this.servicesBundle = undefined;
+        this.initializedWorkspaceRoot = undefined;
+        this.loadedDatasetKey = undefined;
+    }
+
+    private async ensureServices(workspaceRoot: string): Promise<ReturnType<typeof createOwlServices>['Oml']> {
+        const resolvedRoot = path.resolve(workspaceRoot);
+        if (!this.servicesBundle || this.initializedWorkspaceRoot !== resolvedRoot) {
+            this.servicesBundle = createOwlServices(NodeFileSystem);
+            this.initializedWorkspaceRoot = resolvedRoot;
+            await this.servicesBundle.Oml.shared.workspace.WorkspaceManager.initializeWorkspace([
+                { uri: URI.file(resolvedRoot).toString(), name: path.basename(resolvedRoot) }
+            ]);
+        }
+        return this.servicesBundle.Oml;
+    }
+
+    private async ensurePreparedDataset(workspaceRoot: string, services: ReturnType<typeof createOwlServices>['Oml']): Promise<void> {
+        if (!this.owlOutputRoot) {
+            throw new Error('CLI markdown execution requires a prepared RDF output folder.');
+        }
+        const datasetKey = `${this.initializedWorkspaceRoot ?? ''}|${this.owlOutputRoot}|${this.rdfFormat}`;
+        if (this.loadedDatasetKey === datasetKey) {
+            return;
+        }
+        const prepared = await loadPreparedDatasetFromOutput(path.resolve(workspaceRoot), this.owlOutputRoot, this.rdfFormat);
+        services.reasoning.ReasoningService.loadPreparedDataset(prepared);
+        this.loadedDatasetKey = datasetKey;
+    }
+}
+
+async function findOmlFiles(root: string): Promise<string[]> {
+    const entries = await fs.readdir(root, { withFileTypes: true });
+    const results: string[] = [];
+
+    for (const entry of entries) {
+        const fullPath = path.join(root, entry.name);
+        if (entry.isDirectory()) {
+            if (entry.name === 'node_modules' || entry.name.startsWith('.')) {
+                continue;
+            }
+            results.push(...await findOmlFiles(fullPath));
+        } else if (entry.isFile() && path.extname(entry.name) === '.oml') {
+            results.push(fullPath);
+        }
+    }
+    return results;
+}