npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.546 → 0.1.0-alpha.548 - Mend

@ouro.bot/cli 0.1.0-alpha.546 → 0.1.0-alpha.548

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/changelog.json +13 -0
package/dist/heart/auth/auth-flow.js +62 -10
package/dist/heart/daemon/cli-defaults.js +9 -1
package/dist/heart/provider-credentials.js +1 -1
package/package.json +1 -1

package/changelog.json CHANGED Viewed

@@ -1,6 +1,19 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.548",
+      "changes": [
+        "OpenAI Codex auth now reuses an existing fresh local Codex login before starting browser login, letting `ouro auth --provider openai-codex` repair stale vault copies without a human OAuth round-trip when the local Codex CLI is already logged in.",
+        "Codex provider credentials now retain refresh metadata (`refreshToken` and `expiresAt`) alongside the access token, setting up proactive non-browser refresh handling for future hardening."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.547",
+      "changes": [
+        "Version-managed macOS daemon LaunchAgents now point at the stable `~/.ouro-cli/CurrentVersion` entry path instead of a concrete installed version directory, so future runtime updates do not leave launchd holding stale daemon argv."
+      ]
+    },
     {
       "version": "0.1.0-alpha.546",
       "changes": [

package/dist/heart/auth/auth-flow.js CHANGED Viewed

@@ -52,6 +52,7 @@ const provider_credentials_1 = require("../provider-credentials");
 const vault_unlock_1 = require("../../repertoire/vault-unlock");
 const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
 const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
+const CODEX_LOCAL_TOKEN_REFRESH_MARGIN_MS = 5 * 60 * 1000;
 function assertPersistentProviderCredentialsAllowed(agentName) {
     if (agentName === "SerpentGuide") {
         throw new Error("SerpentGuide uses provider credentials in memory during hatch bootstrap; persistent SerpentGuide auth is not supported.");
@@ -171,18 +172,64 @@ function writeAgentModel(agentName, facing, modelName, deps = {}) {
     });
     return { configPath, provider, previousModel };
 }
-function readCodexAccessToken(homeDir) {
+function decodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length < 2 || !parts[1])
+        return null;
+    try {
+        const base64 = parts[1]
+            .replace(/-/g, "+")
+            .replace(/_/g, "/")
+            .padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
+        const parsed = JSON.parse(Buffer.from(base64, "base64").toString("utf8"));
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function readJwtExpiresAt(token) {
+    const payload = decodeJwtPayload(token);
+    const exp = payload?.exp;
+    if (typeof exp !== "number" || !Number.isFinite(exp) || exp <= 0)
+        return undefined;
+    return Math.floor(exp * 1000);
+}
+function isFreshCodexToken(credentials, now) {
+    if (!credentials.oauthAccessToken)
+        return false;
+    if (typeof credentials.expiresAt !== "number")
+        return false;
+    return credentials.expiresAt > now.getTime() + CODEX_LOCAL_TOKEN_REFRESH_MARGIN_MS;
+}
+function readCodexLocalAuthCredentials(homeDir) {
     const authPath = path.join(homeDir, ".codex", "auth.json");
     try {
         const raw = fs.readFileSync(authPath, "utf8");
         const parsed = JSON.parse(raw);
-        const token = parsed?.tokens?.access_token;
-        return typeof token === "string" ? token.trim() : /* v8 ignore next -- defensive: codex login always writes a string token @preserve */ "";
+        const accessToken = typeof parsed.tokens?.access_token === "string" ? parsed.tokens.access_token.trim() : "";
+        if (!accessToken)
+            return {};
+        const refreshToken = typeof parsed.tokens?.refresh_token === "string" ? parsed.tokens.refresh_token.trim() : "";
+        const expiresAt = readJwtExpiresAt(accessToken);
+        return {
+            oauthAccessToken: accessToken,
+            ...(refreshToken ? { refreshToken } : {}),
+            ...(expiresAt ? { expiresAt } : {}),
+        };
     }
     catch {
-        return "";
+        return {};
     }
 }
+function isCodexLoginStatusReady(result) {
+    if (result.error || result.status !== 0)
+        return false;
+    const output = `${typeof result.stdout === "string" ? result.stdout : ""}\n${typeof result.stderr === "string" ? result.stderr : ""}`;
+    return output.toLowerCase().includes("logged in");
+}
 function ensurePromptInput(promptInput, provider) {
     if (promptInput)
         return promptInput;
@@ -224,6 +271,7 @@ function validateAnthropicToken(token) {
 async function collectRuntimeAuthCredentials(input, deps) {
     const spawnSync = deps.spawnSync ?? child_process_1.spawnSync;
     const homeDir = deps.homeDir ?? os.homedir();
+    const now = deps.now ?? (() => new Date());
     if (input.provider === "github-copilot") {
         let token = process.env.GH_TOKEN?.trim() || process.env.GITHUB_TOKEN?.trim() || "";
         if (!token) {
@@ -267,9 +315,13 @@ async function collectRuntimeAuthCredentials(input, deps) {
         return { githubToken: token, baseUrl };
     }
     if (input.provider === "openai-codex") {
-        // Always run codex login when auth is explicitly requested — stale tokens
-        // are indistinguishable from valid ones without an API call, and the user
-        // is asking to re-authenticate.
+        writeAuthProgress(input, "checking local Codex login...");
+        const localStatus = spawnSync("codex", ["login", "status"], { encoding: "utf8" });
+        const localCredentials = readCodexLocalAuthCredentials(homeDir);
+        if (isCodexLoginStatusReady(localStatus) && isFreshCodexToken(localCredentials, now())) {
+            writeAuthProgress(input, "using existing openai-codex local login...");
+            return localCredentials;
+        }
         (0, runtime_1.emitNervesEvent)({
             component: "daemon",
             event: "daemon.auth_codex_login_start",
@@ -285,11 +337,11 @@ async function collectRuntimeAuthCredentials(input, deps) {
             throw new Error(`'codex login' exited with status ${result.status}.`);
         }
         writeAuthProgress(input, "openai-codex login complete; reading local Codex token...");
-        const token = readCodexAccessToken(homeDir);
-        if (!token) {
+        const credentials = readCodexLocalAuthCredentials(homeDir);
+        if (!credentials.oauthAccessToken) {
             throw new Error("Codex login completed but no token was found in ~/.codex/auth.json. Re-run `codex login` and try again.");
         }
-        return { oauthAccessToken: token };
+        return credentials;
     }
     if (input.provider === "anthropic") {
         (0, runtime_1.emitNervesEvent)({

package/dist/heart/daemon/cli-defaults.js CHANGED Viewed

@@ -97,6 +97,14 @@ function defaultWriteRaw(text) {
     process.stdout.write(text);
 }
 /* v8 ignore stop */
+function resolveDaemonBootEntryPath(homeDir) {
+    const repoRoot = (0, identity_1.getRepoRoot)();
+    const versionManagerRootMarker = `${path.sep}.ouro-cli${path.sep}versions${path.sep}`;
+    if ((0, runtime_mode_1.detectRuntimeMode)(repoRoot) === "production" && repoRoot.includes(versionManagerRootMarker)) {
+        return path.join((0, ouro_version_manager_1.getOuroCliHome)(homeDir), "CurrentVersion", "node_modules", "@ouro.bot", "cli", "dist", "heart", "daemon", "daemon-entry.js");
+    }
+    return path.join(repoRoot, "dist", "heart", "daemon", "daemon-entry.js");
+}
 /**
  * Read the runtimeVersion from the first .ouro bundle's bundle-meta.json.
  * Returns undefined if none found or unreadable.
@@ -218,7 +226,7 @@ function defaultEnsureDaemonBootPersistence(socketPath) {
         mkdirp: (dir) => fs.mkdirSync(dir, { recursive: true }),
         homeDir,
     };
-    const entryPath = path.join((0, identity_1.getRepoRoot)(), "dist", "heart", "daemon", "daemon-entry.js");
+    const entryPath = resolveDaemonBootEntryPath(homeDir);
     /* v8 ignore next -- covered via mock in daemon-cli-defaults.test.ts; v8 on CI attributes the real fs.existsSync branch to the non-mock load @preserve */
     if (!fs.existsSync(entryPath)) {
         (0, runtime_1.emitNervesEvent)({

package/dist/heart/provider-credentials.js CHANGED Viewed

@@ -63,7 +63,7 @@ const PROVIDER_FIELD_SPLITS = {
         config: [],
     },
     "openai-codex": {
-        credentials: ["oauthAccessToken"],
+        credentials: ["oauthAccessToken", "refreshToken", "expiresAt"],
         config: [],
     },
     azure: {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.546",
+  "version": "0.1.0-alpha.548",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",