@ouro.bot/cli 0.1.0-alpha.56 → 0.1.0-alpha.561

package/dist/heart/auth/auth-flow.js

@@ -0,0 +1,479 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readAgentConfigForAgent = readAgentConfigForAgent;
+exports.writeAgentProviderSelection = writeAgentProviderSelection;
+exports.storeProviderCredentials = storeProviderCredentials;
+exports.writeAgentModel = writeAgentModel;
+exports.collectRuntimeAuthCredentials = collectRuntimeAuthCredentials;
+exports.resolveHatchCredentials = resolveHatchCredentials;
+exports.runRuntimeAuthFlow = runRuntimeAuthFlow;
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
+const migrate_config_1 = require("../migrate-config");
+const provider_models_1 = require("../provider-models");
+const provider_credentials_1 = require("../provider-credentials");
+const vault_unlock_1 = require("../../repertoire/vault-unlock");
+const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
+const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
+const CODEX_LOCAL_TOKEN_REFRESH_MARGIN_MS = 5 * 60 * 1000;
+function assertPersistentProviderCredentialsAllowed(agentName) {
+    if (agentName === "SerpentGuide") {
+        throw new Error("SerpentGuide uses provider credentials in memory during hatch bootstrap; persistent SerpentGuide auth is not supported.");
+    }
+}
+function readJsonRecord(filePath, label) {
+    try {
+        const raw = fs.readFileSync(filePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            throw new Error("expected object");
+        }
+        return parsed;
+    }
+    catch (error) {
+        throw new Error(`Failed to read ${label} at ${filePath}: ${String(error)}`);
+    }
+}
+function readAgentConfigForAgent(agentName, bundlesRoot = (0, identity_1.getAgentBundlesRoot)()) {
+    const agentRoot = path.join(bundlesRoot, `${agentName}.ouro`);
+    const configPath = path.join(agentRoot, "agent.json");
+    let parsed = readJsonRecord(configPath, "agent config");
+    // Inline migration: v1 -> v2
+    const version = typeof parsed.version === "number" ? parsed.version : 1;
+    if (version < 2) {
+        (0, migrate_config_1.migrateAgentConfigV1ToV2)(agentRoot);
+        parsed = readJsonRecord(configPath, "agent config");
+    }
+    // Validate v2 required facing fields
+    const humanFacing = parsed.humanFacing;
+    const agentFacing = parsed.agentFacing;
+    if (!humanFacing || typeof humanFacing !== "object") {
+        throw new Error(`agent.json at ${configPath} has unsupported provider '${String(parsed.provider)}'`);
+    }
+    const provider = humanFacing.provider;
+    if (provider !== "azure" &&
+        provider !== "anthropic" &&
+        provider !== "minimax" &&
+        provider !== "openai-codex" &&
+        provider !== "github-copilot") {
+        throw new Error(`agent.json at ${configPath} has unsupported provider '${String(provider)}'`);
+    }
+    if (!agentFacing || typeof agentFacing !== "object") {
+        throw new Error(`agent.json at ${configPath} has unsupported provider '${String(parsed.provider)}'`);
+    }
+    // Spread-with-validation: same pattern as loadAgentConfig to eliminate
+    // the unvalidated-pass-through bug class. The spread carries through
+    // every field present in parsed; senses goes through the same
+    // normalization as loadAgentConfig so the two entry points return
+    // equivalent configs for the same file.
+    const config = {
+        ...parsed,
+        senses: (0, identity_1.normalizeSenses)(parsed.senses, configPath),
+    };
+    return {
+        configPath,
+        config,
+    };
+}
+function writeAgentProviderSelection(agentName, facing, provider, bundlesRoot = (0, identity_1.getAgentBundlesRoot)()) {
+    const { configPath, config } = readAgentConfigForAgent(agentName, bundlesRoot);
+    const facingKey = facing === "human" ? "humanFacing" : "agentFacing";
+    const previousFacing = config[facingKey];
+    const resolved = (0, provider_models_1.resolveModelForProviderSelection)(provider, previousFacing.model);
+    const nextConfig = {
+        ...config,
+        [facingKey]: { ...previousFacing, provider, model: resolved.model },
+    };
+    fs.writeFileSync(configPath, `${JSON.stringify(nextConfig, null, 2)}\n`, "utf8");
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_provider_selected",
+        message: "updated agent provider selection after auth flow",
+        meta: {
+            agentName,
+            facing,
+            provider,
+            previousProvider: previousFacing.provider,
+            previousModel: previousFacing.model,
+            model: resolved.model,
+            preservedModel: resolved.preserved,
+            configPath,
+        },
+    });
+    return configPath;
+}
+async function storeProviderCredentials(agentName, provider, credentials, deps = {}) {
+    assertPersistentProviderCredentialsAllowed(agentName);
+    const split = (0, provider_credentials_1.splitProviderCredentialFields)(provider, credentials);
+    await (0, provider_credentials_1.upsertProviderCredential)({
+        agentName,
+        provider,
+        credentials: split.credentials,
+        config: split.config,
+        provenance: { source: "auth-flow" },
+        now: deps.now,
+        onProgress: deps.onProgress,
+    });
+    return { credentialPath: (0, provider_credentials_1.providerCredentialItemName)(provider) };
+}
+function writeAgentModel(agentName, facing, modelName, deps = {}) {
+    const { configPath, config } = readAgentConfigForAgent(agentName, deps.bundlesRoot);
+    const facingKey = facing === "human" ? "humanFacing" : "agentFacing";
+    const facingBlock = config[facingKey];
+    const previousModel = facingBlock.model;
+    const provider = facingBlock.provider;
+    const nextConfig = {
+        ...config,
+        [facingKey]: { ...facingBlock, model: modelName },
+    };
+    fs.writeFileSync(configPath, `${JSON.stringify(nextConfig, null, 2)}\n`, "utf8");
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.config_model_updated",
+        message: "updated agent model in agent.json",
+        meta: { agentName, facing, provider, modelName, previousModel, configPath },
+    });
+    return { configPath, provider, previousModel };
+}
+function decodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length < 2 || !parts[1])
+        return null;
+    try {
+        const base64 = parts[1]
+            .replace(/-/g, "+")
+            .replace(/_/g, "/")
+            .padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
+        const parsed = JSON.parse(Buffer.from(base64, "base64").toString("utf8"));
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function readJwtExpiresAt(token) {
+    const payload = decodeJwtPayload(token);
+    const exp = payload?.exp;
+    if (typeof exp !== "number" || !Number.isFinite(exp) || exp <= 0)
+        return undefined;
+    return Math.floor(exp * 1000);
+}
+function isFreshCodexToken(credentials, now) {
+    if (!credentials.oauthAccessToken)
+        return false;
+    if (typeof credentials.expiresAt !== "number")
+        return false;
+    return credentials.expiresAt > now.getTime() + CODEX_LOCAL_TOKEN_REFRESH_MARGIN_MS;
+}
+function readCodexLocalAuthCredentials(homeDir) {
+    const authPath = path.join(homeDir, ".codex", "auth.json");
+    try {
+        const raw = fs.readFileSync(authPath, "utf8");
+        const parsed = JSON.parse(raw);
+        const accessToken = typeof parsed.tokens?.access_token === "string" ? parsed.tokens.access_token.trim() : "";
+        if (!accessToken)
+            return {};
+        const refreshToken = typeof parsed.tokens?.refresh_token === "string" ? parsed.tokens.refresh_token.trim() : "";
+        const expiresAt = readJwtExpiresAt(accessToken);
+        return {
+            oauthAccessToken: accessToken,
+            ...(refreshToken ? { refreshToken } : {}),
+            ...(expiresAt ? { expiresAt } : {}),
+        };
+    }
+    catch {
+        return {};
+    }
+}
+function isCodexLoginStatusReady(result) {
+    if (result.error || result.status !== 0)
+        return false;
+    const output = `${typeof result.stdout === "string" ? result.stdout : ""}\n${typeof result.stderr === "string" ? result.stderr : ""}`;
+    return output.toLowerCase().includes("logged in");
+}
+function ensurePromptInput(promptInput, provider) {
+    if (promptInput)
+        return promptInput;
+    throw new Error(`No prompt input is available for ${provider} authentication.`);
+}
+function writeAuthProgress(input, message) {
+    input.onProgress?.(message);
+}
+function isVaultStoreUnlockError(message) {
+    return (message.includes("bw CLI could not use the local Bitwarden session because it is locked, missing, or expired") ||
+        message.includes("bw CLI rejected the saved vault unlock secret for this machine"));
+}
+function formatVaultStoreError(agentName, provider, error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.startsWith("credential stored in vault, but the in-memory provider credential pool could not be refreshed:")) {
+        return new Error(`provider authentication succeeded and ${provider} credentials were stored in ${agentName}'s vault, ` +
+            `but the in-memory provider credential pool refresh failed: ${message.replace("credential stored in vault, but the in-memory provider credential pool could not be refreshed: ", "")}`);
+    }
+    const retry = `Then retry 'ouro auth --agent ${agentName} --provider ${provider}'.`;
+    if (isVaultStoreUnlockError(message)) {
+        return new Error(`provider authentication succeeded, but storing ${provider} credentials in ${agentName}'s vault failed: ${message}\n` +
+            (0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(agentName, retry));
+    }
+    return new Error(`provider authentication succeeded, but storing ${provider} credentials in ${agentName}'s vault failed: ${message}\n${retry}`);
+}
+function validateAnthropicToken(token) {
+    const trimmed = token.trim();
+    if (!trimmed) {
+        throw new Error("No Anthropic setup token was provided.");
+    }
+    if (!trimmed.startsWith(ANTHROPIC_SETUP_TOKEN_PREFIX)) {
+        throw new Error(`Invalid Anthropic setup token format. Expected prefix ${ANTHROPIC_SETUP_TOKEN_PREFIX}.`);
+    }
+    if (trimmed.length < ANTHROPIC_SETUP_TOKEN_MIN_LENGTH) {
+        throw new Error("Anthropic setup token looks too short.");
+    }
+    return trimmed;
+}
+async function collectRuntimeAuthCredentials(input, deps) {
+    const spawnSync = deps.spawnSync ?? child_process_1.spawnSync;
+    const homeDir = deps.homeDir ?? os.homedir();
+    const now = deps.now ?? (() => new Date());
+    if (input.provider === "github-copilot") {
+        let token = process.env.GH_TOKEN?.trim() || process.env.GITHUB_TOKEN?.trim() || "";
+        if (!token) {
+            writeAuthProgress(input, "checking GitHub CLI credentials...");
+            const result = spawnSync("gh", ["auth", "token"], { encoding: "utf8" });
+            token = (result.status === 0 && result.stdout ? result.stdout.trim() : "");
+        }
+        if (!token) {
+            writeAuthProgress(input, "starting GitHub login...");
+            (0, runtime_1.emitNervesEvent)({
+                component: "daemon",
+                event: "daemon.auth_gh_login_start",
+                message: "starting gh auth login for runtime auth",
+                meta: { agentName: input.agentName },
+            });
+            const loginResult = spawnSync("gh", ["auth", "login"], { stdio: "inherit" });
+            if (loginResult.status !== 0) {
+                throw new Error("'gh auth login' failed. Install the GitHub CLI (gh) and try again.");
+            }
+            const retryResult = spawnSync("gh", ["auth", "token"], { encoding: "utf8" });
+            /* v8 ignore next -- branch: retry after login always succeeds in tests @preserve */
+            token = (retryResult.status === 0 && retryResult.stdout ? retryResult.stdout.trim() : "");
+            /* v8 ignore next -- defensive: gh auth login succeeded but token still missing @preserve */
+            if (!token) {
+                throw new Error("gh auth login completed but no token was found. Run `gh auth login` and try again.");
+            }
+        }
+        writeAuthProgress(input, "checking GitHub Copilot access...");
+        const response = await fetch("https://api.github.com/copilot_internal/user", {
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        if (!response.ok) {
+            throw new Error(`GitHub Copilot endpoint discovery failed (HTTP ${response.status}). Ensure your GitHub account has Copilot access.`);
+        }
+        const body = await response.json();
+        const baseUrl = body?.endpoints?.api;
+        /* v8 ignore next -- defensive: valid response but missing endpoints field @preserve */
+        if (!baseUrl) {
+            throw new Error("GitHub Copilot endpoint discovery returned no endpoints.api. Ensure your GitHub account has Copilot access.");
+        }
+        return { githubToken: token, baseUrl };
+    }
+    if (input.provider === "openai-codex") {
+        writeAuthProgress(input, "checking local Codex login...");
+        const localStatus = spawnSync("codex", ["login", "status"], { encoding: "utf8" });
+        const localCredentials = readCodexLocalAuthCredentials(homeDir);
+        if (isCodexLoginStatusReady(localStatus) && isFreshCodexToken(localCredentials, now())) {
+            writeAuthProgress(input, "using existing openai-codex local login...");
+            return localCredentials;
+        }
+        (0, runtime_1.emitNervesEvent)({
+            component: "daemon",
+            event: "daemon.auth_codex_login_start",
+            message: "starting codex login for runtime auth",
+            meta: { agentName: input.agentName },
+        });
+        writeAuthProgress(input, "starting openai-codex browser login...");
+        const result = spawnSync("codex", ["login"], { stdio: "inherit" });
+        if (result.error) {
+            throw new Error(`Failed to run 'codex login': ${result.error.message}`);
+        }
+        if (result.status !== 0) {
+            throw new Error(`'codex login' exited with status ${result.status}.`);
+        }
+        writeAuthProgress(input, "openai-codex login complete; reading local Codex token...");
+        const credentials = readCodexLocalAuthCredentials(homeDir);
+        if (!credentials.oauthAccessToken) {
+            throw new Error("Codex login completed but no token was found in ~/.codex/auth.json. Re-run `codex login` and try again.");
+        }
+        return credentials;
+    }
+    if (input.provider === "anthropic") {
+        (0, runtime_1.emitNervesEvent)({
+            component: "daemon",
+            event: "daemon.auth_claude_setup_start",
+            message: "starting claude setup-token for runtime auth",
+            meta: { agentName: input.agentName },
+        });
+        writeAuthProgress(input, "starting anthropic setup-token flow...");
+        const result = spawnSync("claude", ["setup-token"], { stdio: "inherit" });
+        if (result.error) {
+            throw new Error(`Failed to run 'claude setup-token': ${result.error.message}`);
+        }
+        if (result.status !== 0) {
+            throw new Error(`'claude setup-token' exited with status ${result.status}.`);
+        }
+        const prompt = ensurePromptInput(input.promptInput, input.provider);
+        const setupToken = validateAnthropicToken(await prompt("Paste the setup token from `claude setup-token`: "));
+        // Exchange the setup token for an access+refresh token pair so auto-refresh works.
+        // The setup token IS the initial access token — we use it as a refresh token to
+        // get back a proper token pair from the OAuth endpoint.
+        /* v8 ignore start -- token exchange: requires live Anthropic OAuth endpoint @preserve */
+        try {
+            const { refreshAnthropicToken } = await Promise.resolve().then(() => __importStar(require("../providers/anthropic-token")));
+            writeAuthProgress(input, "exchanging anthropic setup token...");
+            const tokenState = await refreshAnthropicToken(setupToken);
+            if (tokenState) {
+                return {
+                    setupToken: tokenState.accessToken,
+                    refreshToken: tokenState.refreshToken,
+                    expiresAt: tokenState.expiresAt,
+                };
+            }
+        }
+        catch {
+            // Exchange failed — use the raw setup token as-is (it'll work until expiry)
+        }
+        /* v8 ignore stop */
+        return { setupToken };
+    }
+    // Generic prompt-for-fields fallback (minimax, azure, any future simple providers)
+    const prompt = ensurePromptInput(input.promptInput, input.provider);
+    const desc = identity_1.PROVIDER_CREDENTIALS[input.provider];
+    const creds = {};
+    for (const field of desc.required) {
+        /* v8 ignore next -- fallback: all current providers define promptLabels for required fields @preserve */
+        const label = desc.promptLabels[field] ?? field;
+        const value = (await prompt(`${label}: `)).trim();
+        if (!value)
+            throw new Error(`${label} is required.`);
+        creds[field] = value;
+    }
+    return creds;
+}
+async function resolveHatchCredentials(input) {
+    const credentials = { ...(input.credentials ?? {}) };
+    // If all required fields are already provided, return as-is
+    const cred = credentials;
+    const missing = identity_1.PROVIDER_CREDENTIALS[input.provider].required.some((key) => !cred[key]);
+    if (!missing)
+        return credentials;
+    // Try the full auth flow (wraps collectRuntimeAuthCredentials + writes secrets)
+    if (input.runAuthFlow) {
+        const result = await input.runAuthFlow({
+            agentName: input.agentName,
+            provider: input.provider,
+            promptInput: input.promptInput,
+            onProgress: input.onProgress,
+        });
+        Object.assign(credentials, result.credentials);
+        /* v8 ignore next 3 -- branch: auth flow always fills all required fields in production @preserve */
+        if (!identity_1.PROVIDER_CREDENTIALS[input.provider].required.some((key) => !credentials[key])) {
+            return credentials;
+        }
+    }
+    // Prompt for any still-missing required fields
+    /* v8 ignore next -- guard: no promptInput means we can't collect remaining fields @preserve */
+    if (input.promptInput) {
+        const desc = identity_1.PROVIDER_CREDENTIALS[input.provider];
+        for (const field of desc.required) {
+            if (!cred[field]) {
+                const label = desc.promptLabels[field] ?? field;
+                cred[field] = await input.promptInput(`${label}: `);
+            }
+        }
+    }
+    return credentials;
+}
+async function runRuntimeAuthFlow(input, deps = {}) {
+    assertPersistentProviderCredentialsAllowed(input.agentName);
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_flow_start",
+        message: "starting runtime auth flow",
+        meta: { agentName: input.agentName, provider: input.provider },
+    });
+    writeAuthProgress(input, `checking ${input.agentName}'s vault access...`);
+    const vault = await (0, provider_credentials_1.refreshProviderCredentialPool)(input.agentName, {
+        providers: [input.provider],
+        onProgress: (message) => writeAuthProgress(input, message),
+    });
+    if (!vault.ok && vault.reason === "unavailable") {
+        const fix = (0, vault_unlock_1.isCredentialVaultNotConfiguredError)(vault.error)
+            ? (0, vault_unlock_1.vaultCreateRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`)
+            : (0, vault_unlock_1.vaultUnlockReplaceRecoverFix)(input.agentName, `Then retry 'ouro auth --agent ${input.agentName} --provider ${input.provider}'.`);
+        throw new Error(`${vault.error}\n${fix}`);
+    }
+    const credentials = await collectRuntimeAuthCredentials(input, deps);
+    let credentialPath;
+    try {
+        ;
+        ({
+            credentialPath,
+        } = await storeProviderCredentials(input.agentName, input.provider, credentials, {
+            onProgress: (message) => writeAuthProgress(input, message),
+        }));
+    }
+    catch (error) {
+        throw formatVaultStoreError(input.agentName, input.provider, error);
+    }
+    writeAuthProgress(input, `credentials stored at ${credentialPath}; in-memory provider credential pool refreshed.`);
+    (0, runtime_1.emitNervesEvent)({
+        component: "daemon",
+        event: "daemon.auth_flow_end",
+        message: "completed runtime auth flow",
+        meta: { agentName: input.agentName, provider: input.provider, credentialPath },
+    });
+    return {
+        agentName: input.agentName,
+        provider: input.provider,
+        credentialPath,
+        message: `authenticated ${input.agentName} with ${input.provider}`,
+        credentials,
+    };
+}