@plosson/agentio 0.2.0 → 0.2.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@plosson/agentio",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "CLI for LLM agents to interact with communication and tracking services",
   "type": "module",
   "license": "MIT",
@@ -48,6 +48,7 @@
   "dependencies": {
     "commander": "^14.0.2",
     "googleapis": "^169.0.0",
+    "libsodium-wrappers": "^0.8.1",
     "rss-parser": "^3.13.0"
   }
 }

package/src/auth/github-oauth.ts

@@ -0,0 +1,141 @@
+import { createServer, type Server } from 'http';
+import { URL } from 'url';
+import { GITHUB_OAUTH_CONFIG } from '../config/credentials';
+
+const GITHUB_SCOPES = ['repo'];
+
+const PORT_RANGE_START = 3000;
+const PORT_RANGE_END = 3010;
+
+async function findAvailablePort(): Promise<number> {
+  for (let port = PORT_RANGE_START; port <= PORT_RANGE_END; port++) {
+    try {
+      await new Promise<void>((resolve, reject) => {
+        const server = createServer();
+        server.listen(port, () => {
+          server.close(() => resolve());
+        });
+        server.on('error', reject);
+      });
+      return port;
+    } catch {
+      continue;
+    }
+  }
+  throw new Error(`No available port found in range ${PORT_RANGE_START}-${PORT_RANGE_END}`);
+}
+
+export interface GitHubOAuthResult {
+  accessToken: string;
+}
+
+export async function performGitHubOAuthFlow(): Promise<GitHubOAuthResult> {
+  const port = await findAvailablePort();
+  const redirectUri = `http://localhost:${port}/callback`;
+
+  const authUrl = new URL('https://github.com/login/oauth/authorize');
+  authUrl.searchParams.set('client_id', GITHUB_OAUTH_CONFIG.clientId);
+  authUrl.searchParams.set('redirect_uri', redirectUri);
+  authUrl.searchParams.set('scope', GITHUB_SCOPES.join(' '));
+  authUrl.searchParams.set('state', Math.random().toString(36).substring(7));
+
+  return new Promise((resolve, reject) => {
+    let server: Server;
+
+    const timeout = setTimeout(() => {
+      server?.close();
+      reject(new Error('OAuth flow timed out after 5 minutes'));
+    }, 5 * 60 * 1000);
+
+    server = createServer(async (req, res) => {
+      const url = new URL(req.url || '', `http://localhost:${port}`);
+
+      if (url.pathname !== '/callback') {
+        res.writeHead(404);
+        res.end('Not found');
+        return;
+      }
+
+      const code = url.searchParams.get('code');
+      const error = url.searchParams.get('error');
+      const errorDescription = url.searchParams.get('error_description');
+
+      if (error) {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end('<html><body><h1>Authorization Failed</h1><p>You can close this window.</p></body></html>');
+        clearTimeout(timeout);
+        server.close();
+        reject(new Error(`GitHub OAuth error: ${error} - ${errorDescription || 'Unknown error'}`));
+        return;
+      }
+
+      if (!code) {
+        res.writeHead(400, { 'Content-Type': 'text/html' });
+        res.end('<html><body><h1>Missing Authorization Code</h1><p>You can close this window.</p></body></html>');
+        clearTimeout(timeout);
+        server.close();
+        reject(new Error('Missing authorization code in OAuth callback'));
+        return;
+      }
+
+      try {
+        // Exchange code for access token
+        const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
+          method: 'POST',
+          headers: {
+            Accept: 'application/json',
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({
+            client_id: GITHUB_OAUTH_CONFIG.clientId,
+            client_secret: GITHUB_OAUTH_CONFIG.clientSecret,
+            code,
+            redirect_uri: redirectUri,
+          }),
+        });
+
+        const tokenData = await tokenResponse.json() as {
+          access_token?: string;
+          error?: string;
+          error_description?: string;
+        };
+
+        if (tokenData.error || !tokenData.access_token) {
+          throw new Error(tokenData.error_description || tokenData.error || 'Failed to get access token');
+        }
+
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end('<html><body><h1>Authorization Successful!</h1><p>You can close this window and return to the terminal.</p></body></html>');
+
+        clearTimeout(timeout);
+        server.close();
+
+        resolve({
+          accessToken: tokenData.access_token,
+        });
+      } catch (err) {
+        res.writeHead(500);
+        res.end('Failed to exchange authorization code');
+        clearTimeout(timeout);
+        server.close();
+        reject(err);
+      }
+    });
+
+    server.listen(port, () => {
+      console.error(`\nOpening browser for GitHub authorization...`);
+      console.error(`If browser doesn't open, visit:\n${authUrl.toString()}\n`);
+
+      // Open browser
+      const open = process.platform === 'darwin' ? 'open' :
+                   process.platform === 'win32' ? 'start' : 'xdg-open';
+      Bun.spawn([open, authUrl.toString()], { stdout: 'ignore', stderr: 'ignore' });
+    });
+
+    server.on('error', (err) => {
+      clearTimeout(timeout);
+      server?.close();
+      reject(err);
+    });
+  });
+}

package/src/commands/config.ts

@@ -10,7 +10,6 @@ import type { Config } from '../types/config';
 import type { StoredCredentials } from '../types/tokens';
 
 const ALGORITHM = 'aes-256-gcm';
-const DEFAULT_EXPORT_FILE = 'agentio.config';
 
 interface ExportedData {
   version: number;
@@ -59,6 +58,31 @@ function decrypt(data: string, key: Buffer): string {
   return decrypted.toString('utf-8');
 }
 
+/**
+ * Generate encrypted config data for CI/CD environments.
+ * Returns the key and encrypted config that can be used as environment variables.
+ */
+export async function generateExportData(): Promise<{ key: string; config: string }> {
+  const encryptionKey = generateKey();
+
+  const configData = await loadConfig();
+  const credentials = await getAllCredentials();
+
+  const exportData: ExportedData = {
+    version: 1,
+    config: configData,
+    credentials,
+  };
+
+  const key = deriveKeyFromPassword(encryptionKey);
+  const encrypted = encrypt(JSON.stringify(exportData), key);
+
+  return {
+    key: encryptionKey,
+    config: encrypted,
+  };
+}
+
 export function registerConfigCommands(program: Command): void {
   const config = program
     .command('config')
@@ -66,10 +90,9 @@ export function registerConfigCommands(program: Command): void {
 
   config
     .command('export')
-    .description('Export configuration and credentials to an encrypted file')
+    .description('Export configuration and credentials (as environment variables by default, or to a file)')
     .option('--key <key>', 'Encryption key (64 hex characters). If not provided, a random key will be generated')
-    .option('--output <file>', 'Output file path', DEFAULT_EXPORT_FILE)
-    .option('--env', 'Output as environment variables instead of writing to file')
+    .option('--file <path>', 'Write encrypted config to file instead of outputting AGENTIO_CONFIG')
     .action(async (options) => {
       try {
         // Validate key if provided
@@ -101,19 +124,15 @@ export function registerConfigCommands(program: Command): void {
         const key = deriveKeyFromPassword(encryptionKey);
         const encrypted = encrypt(JSON.stringify(exportData), key);
 
-        if (options.env) {
+        if (options.file) {
+          // Write to file, output just the key
+          const filePath = options.file.startsWith('/') ? options.file : join(process.cwd(), options.file);
+          await writeFile(filePath, encrypted, { mode: 0o600 });
+          console.log(`AGENTIO_KEY=${encryptionKey}`);
+        } else {
           // Output as environment variables
           console.log(`AGENTIO_KEY=${encryptionKey}`);
           console.log(`AGENTIO_CONFIG=${encrypted}`);
-        } else {
-          // Write to file
-          const outputPath = join(process.cwd(), options.output);
-          await writeFile(outputPath, encrypted, { mode: 0o600 });
-
-          console.log(`Configuration exported to: ${outputPath}`);
-          console.log(`Encryption key: ${encryptionKey}`);
-          console.log('');
-          console.log('Keep this key safe! You will need it to import the configuration.');
         }
       } catch (error) {
         handleError(error);

package/src/commands/github.ts

@@ -0,0 +1,169 @@
+import { Command } from 'commander';
+import { setCredentials, getCredentials } from '../auth/token-store';
+import { setProfile, getProfile } from '../config/config-manager';
+import { createProfileCommands } from '../utils/profile-commands';
+import { GitHubClient } from '../services/github/client';
+import { performGitHubOAuthFlow } from '../auth/github-oauth';
+import { generateExportData } from './config';
+import { CliError, handleError } from '../utils/errors';
+import { resolveProfileName } from '../utils/stdin';
+import type { GitHubCredentials } from '../types/github';
+
+async function getGitHubClient(profileName?: string): Promise<{ client: GitHubClient; profile: string }> {
+  const profile = await getProfile('github', profileName);
+
+  if (!profile) {
+    throw new CliError(
+      'PROFILE_NOT_FOUND',
+      profileName
+        ? `Profile "${profileName}" not found for github`
+        : 'No default profile configured for github',
+      'Run: agentio github profile add'
+    );
+  }
+
+  const credentials = await getCredentials<GitHubCredentials>('github', profile);
+
+  if (!credentials) {
+    throw new CliError(
+      'AUTH_FAILED',
+      `No credentials found for github profile "${profile}"`,
+      `Run: agentio github profile add --profile ${profile}`
+    );
+  }
+
+  return {
+    client: new GitHubClient(credentials),
+    profile,
+  };
+}
+
+function parseRepo(repo: string): { owner: string; name: string } {
+  const parts = repo.split('/');
+  if (parts.length !== 2 || !parts[0] || !parts[1]) {
+    throw new CliError(
+      'INVALID_PARAMS',
+      `Invalid repository format: "${repo}"`,
+      'Use the format: owner/repo (e.g., octocat/hello-world)'
+    );
+  }
+  return { owner: parts[0], name: parts[1] };
+}
+
+export function registerGitHubCommands(program: Command): void {
+  const github = program
+    .command('github')
+    .description('GitHub operations');
+
+  github
+    .command('install')
+    .description('Install AGENTIO_KEY and AGENTIO_CONFIG as GitHub Actions secrets')
+    .argument('<repo>', 'Repository in owner/repo format')
+    .option('--profile <name>', 'Profile name')
+    .action(async (repo: string, options) => {
+      try {
+        // Validate repo format
+        parseRepo(repo);
+
+        const { client, profile } = await getGitHubClient(options.profile);
+
+        console.error(`Using GitHub profile: ${profile}`);
+        console.error(`Installing secrets to: ${repo}`);
+
+        // Generate the export data
+        const exportData = await generateExportData();
+
+        // Set secrets on the repo
+        console.error('\nSetting AGENTIO_KEY...');
+        await client.setRepoSecret(repo, 'AGENTIO_KEY', exportData.key);
+
+        console.error('Setting AGENTIO_CONFIG...');
+        await client.setRepoSecret(repo, 'AGENTIO_CONFIG', exportData.config);
+
+        console.log(`\nInstalled AGENTIO_KEY and AGENTIO_CONFIG to ${repo}`);
+        console.log('\nIn your GitHub Actions workflow, use:');
+        console.log('  env:');
+        console.log('    AGENTIO_KEY: ${{ secrets.AGENTIO_KEY }}');
+        console.log('    AGENTIO_CONFIG: ${{ secrets.AGENTIO_CONFIG }}');
+      } catch (error) {
+        handleError(error);
+      }
+    });
+
+  github
+    .command('uninstall')
+    .description('Remove AGENTIO_KEY and AGENTIO_CONFIG secrets from a repository')
+    .argument('<repo>', 'Repository in owner/repo format')
+    .option('--profile <name>', 'Profile name')
+    .action(async (repo: string, options) => {
+      try {
+        // Validate repo format
+        parseRepo(repo);
+
+        const { client, profile } = await getGitHubClient(options.profile);
+
+        console.error(`Using GitHub profile: ${profile}`);
+        console.error(`Removing secrets from: ${repo}`);
+
+        // Delete secrets from the repo
+        console.error('\nDeleting AGENTIO_KEY...');
+        await client.deleteRepoSecret(repo, 'AGENTIO_KEY');
+
+        console.error('Deleting AGENTIO_CONFIG...');
+        await client.deleteRepoSecret(repo, 'AGENTIO_CONFIG');
+
+        console.log(`\nRemoved AGENTIO_KEY and AGENTIO_CONFIG from ${repo}`);
+      } catch (error) {
+        handleError(error);
+      }
+    });
+
+  // Profile management
+  const profile = createProfileCommands<GitHubCredentials>(github, {
+    service: 'github',
+    displayName: 'GitHub',
+    getExtraInfo: (credentials) => credentials?.username ? ` (${credentials.username})` : '',
+  });
+
+  profile
+    .command('add')
+    .description('Add a new GitHub profile')
+    .option('--profile <name>', 'Profile name', 'default')
+    .action(async (options) => {
+      try {
+        const profileName = await resolveProfileName('github', options.profile);
+
+        console.error('\nGitHub Setup\n');
+        console.error('This will open your browser to authorize agentio with GitHub.');
+        console.error('You will need to grant access to repositories where you want to set secrets.\n');
+
+        // Perform OAuth flow
+        const oauthResult = await performGitHubOAuthFlow();
+
+        // Create client to fetch user info
+        const credentials: GitHubCredentials = {
+          accessToken: oauthResult.accessToken,
+          username: '',
+          email: null,
+        };
+
+        const client = new GitHubClient(credentials);
+        const user = await client.getUser();
+
+        // Update credentials with user info
+        credentials.username = user.login;
+        credentials.email = user.email;
+
+        console.error(`\nAuthenticated as: ${user.login}${user.email ? ` (${user.email})` : ''}`);
+
+        // Save credentials
+        await setProfile('github', profileName);
+        await setCredentials('github', profileName, credentials);
+
+        console.log(`\nProfile "${profileName}" configured!`);
+        console.log(`  Install secrets: agentio github install owner/repo --profile ${profileName}`);
+      } catch (error) {
+        handleError(error);
+      }
+    });
+}

package/src/commands/status.ts

@@ -5,6 +5,7 @@ import { createGoogleAuth } from '../auth/token-manager';
 import { refreshJiraToken } from '../auth/jira-oauth';
 import { TelegramClient } from '../services/telegram/client';
 import { GmailClient } from '../services/gmail/client';
+import { GitHubClient } from '../services/github/client';
 import { JiraClient } from '../services/jira/client';
 import { GChatClient } from '../services/gchat/client';
 import { SlackClient } from '../services/slack/client';
@@ -14,6 +15,7 @@ import type { ServiceClient, ValidationResult } from '../types/service';
 import type { ServiceName } from '../types/config';
 import type { OAuthTokens } from '../types/tokens';
 import type { TelegramCredentials } from '../types/telegram';
+import type { GitHubCredentials } from '../types/github';
 import type { JiraCredentials } from '../types/jira';
 import type { GChatCredentials } from '../types/gchat';
 import type { SlackCredentials } from '../types/slack';
@@ -49,22 +51,36 @@ async function createServiceClient(
       return new TelegramClient(creds.bot_token, creds.channel_id);
     }
 
+    case 'github': {
+      const creds = credentials as GitHubCredentials;
+      return new GitHubClient(creds);
+    }
+
     case 'jira': {
       let creds = credentials as JiraCredentials;
-      // Refresh token if expired or about to expire
-      const bufferTime = 5 * 60 * 1000;
-      if (creds.expiryDate && Date.now() + bufferTime >= creds.expiryDate) {
+
+      // Helper to refresh token
+      const tryRefresh = async (): Promise<JiraCredentials | null> => {
         try {
           const refreshed = await refreshJiraToken(creds.refreshToken);
-          creds = {
+          const newCreds = {
             ...creds,
             accessToken: refreshed.accessToken,
             refreshToken: refreshed.refreshToken,
             expiryDate: Date.now() + refreshed.expiresIn * 1000,
           };
-          await setCredentials('jira', profileName, creds);
+          await setCredentials('jira', profileName, newCreds);
+          return newCreds;
         } catch {
-          // Return a mock client that reports refresh failure
+          return null;
+        }
+      };
+
+      // Refresh token if expired or about to expire
+      const bufferTime = 5 * 60 * 1000;
+      if (creds.expiryDate && Date.now() + bufferTime >= creds.expiryDate) {
+        const refreshedCreds = await tryRefresh();
+        if (!refreshedCreds) {
           return {
             validate: async () => ({
               valid: false,
@@ -72,8 +88,32 @@ async function createServiceClient(
             }),
           };
         }
+        creds = refreshedCreds;
       }
-      return new JiraClient(creds);
+
+      // Create client and return a wrapper that attempts refresh on validation failure
+      const client = new JiraClient(creds);
+      return {
+        validate: async () => {
+          const result = await client.validate();
+          if (result.valid) {
+            return result;
+          }
+
+          // Validation failed - try to refresh token and retry
+          const refreshedCreds = await tryRefresh();
+          if (!refreshedCreds) {
+            return {
+              valid: false,
+              error: 'refresh token expired, re-authenticate',
+            };
+          }
+
+          // Retry validation with refreshed credentials
+          const refreshedClient = new JiraClient(refreshedCreds);
+          return refreshedClient.validate();
+        },
+      };
     }
 
     case 'gchat': {

package/src/config/credentials.ts

@@ -20,3 +20,12 @@ export const JIRA_OAUTH_CONFIG = {
   clientId: JIRA_CLIENT_ID,
   clientSecret: reveal(JIRA_CLIENT_SECRET_ENC),
 };
+
+// GitHub OAuth credentials
+const GITHUB_CLIENT_ID = 'Ov23liR1X63IRAf6eONJ';
+const GITHUB_CLIENT_SECRET_ENC = 'Sztvs0AEbI5enapA40GFdqQc4RMgf8tmrMGXZ7RQIxYnuKmllPl8bZluGh5e15QfTjRe7HwZ5Bc';
+
+export const GITHUB_OAUTH_CONFIG = {
+  clientId: GITHUB_CLIENT_ID,
+  clientSecret: reveal(GITHUB_CLIENT_SECRET_ENC),
+};

package/src/index.ts

@@ -3,6 +3,7 @@ import { Command } from 'commander';
 import { registerGmailCommands } from './commands/gmail';
 import { registerTelegramCommands } from './commands/telegram';
 import { registerGChatCommands } from './commands/gchat';
+import { registerGitHubCommands } from './commands/github';
 import { registerJiraCommands } from './commands/jira';
 import { registerSlackCommands } from './commands/slack';
 import { registerRssCommands } from './commands/rss';
@@ -33,6 +34,7 @@ program
 registerGmailCommands(program);
 registerTelegramCommands(program);
 registerGChatCommands(program);
+registerGitHubCommands(program);
 registerJiraCommands(program);
 registerSlackCommands(program);
 registerRssCommands(program);

package/src/services/github/client.ts

@@ -0,0 +1,112 @@
+import sodium from 'libsodium-wrappers';
+import type { GitHubCredentials, GitHubUser, GitHubPublicKey } from '../../types/github';
+import type { ServiceClient, ValidationResult } from '../../types/service';
+import { CliError } from '../../utils/errors';
+
+const GITHUB_API_BASE = 'https://api.github.com';
+
+export class GitHubClient implements ServiceClient {
+  private accessToken: string;
+
+  constructor(credentials: GitHubCredentials) {
+    this.accessToken = credentials.accessToken;
+  }
+
+  async validate(): Promise<ValidationResult> {
+    try {
+      const user = await this.getUser();
+      return { valid: true, info: user.login };
+    } catch (error) {
+      return {
+        valid: false,
+        error: error instanceof Error ? error.message : 'Unknown error',
+      };
+    }
+  }
+
+  private async request<T>(
+    method: string,
+    path: string,
+    body?: Record<string, unknown>
+  ): Promise<T> {
+    const url = `${GITHUB_API_BASE}${path}`;
+
+    try {
+      const response = await fetch(url, {
+        method,
+        headers: {
+          Authorization: `Bearer ${this.accessToken}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+          ...(body ? { 'Content-Type': 'application/json' } : {}),
+        },
+        body: body ? JSON.stringify(body) : undefined,
+      });
+
+      // Handle no-content responses (204)
+      if (response.status === 204) {
+        return {} as T;
+      }
+
+      const data = await response.json();
+
+      if (!response.ok) {
+        const errorMessage = data.message || 'Unknown GitHub API error';
+
+        if (response.status === 401) {
+          throw new CliError('AUTH_FAILED', `GitHub authentication failed: ${errorMessage}`);
+        }
+        if (response.status === 403) {
+          throw new CliError('PERMISSION_DENIED', `Permission denied: ${errorMessage}`, 'You need admin access to set secrets on this repository');
+        }
+        if (response.status === 404) {
+          throw new CliError('NOT_FOUND', `Not found: ${errorMessage}`, 'Check that the repository exists and you have access to it');
+        }
+        if (response.status === 429) {
+          throw new CliError('RATE_LIMITED', `Rate limited: ${errorMessage}`);
+        }
+
+        throw new CliError('API_ERROR', `GitHub API error: ${errorMessage}`);
+      }
+
+      return data as T;
+    } catch (error) {
+      if (error instanceof CliError) throw error;
+
+      const message = error instanceof Error ? error.message : 'Unknown error';
+      throw new CliError('NETWORK_ERROR', `Failed to connect to GitHub: ${message}`);
+    }
+  }
+
+  async getUser(): Promise<GitHubUser> {
+    return this.request<GitHubUser>('GET', '/user');
+  }
+
+  async getRepoPublicKey(repo: string): Promise<GitHubPublicKey> {
+    return this.request<GitHubPublicKey>('GET', `/repos/${repo}/actions/secrets/public-key`);
+  }
+
+  async setRepoSecret(repo: string, secretName: string, secretValue: string): Promise<void> {
+    // Ensure libsodium is ready
+    await sodium.ready;
+
+    // Get the repo's public key
+    const publicKey = await this.getRepoPublicKey(repo);
+
+    // Encrypt the secret using libsodium sealed box
+    const keyBytes = sodium.from_base64(publicKey.key, sodium.base64_variants.ORIGINAL);
+    const messageBytes = sodium.from_string(secretValue);
+    const encryptedBytes = sodium.crypto_box_seal(messageBytes, keyBytes);
+    const encryptedValue = sodium.to_base64(encryptedBytes, sodium.base64_variants.ORIGINAL);
+
+    // Upload the encrypted secret
+    await this.request('PUT', `/repos/${repo}/actions/secrets/${secretName}`, {
+      encrypted_value: encryptedValue,
+      key_id: publicKey.key_id,
+    });
+  }
+
+  async deleteRepoSecret(repo: string, secretName: string): Promise<void> {
+    await this.request('DELETE', `/repos/${repo}/actions/secrets/${secretName}`);
+  }
+}

package/src/types/config.ts

@@ -2,6 +2,7 @@ export interface Config {
   profiles: {
     gmail?: string[];
     gchat?: string[];
+    github?: string[];
     jira?: string[];
     slack?: string[];
     telegram?: string[];
@@ -11,6 +12,7 @@ export interface Config {
   defaults: {
     gmail?: string;
     gchat?: string;
+    github?: string;
     jira?: string;
     slack?: string;
     telegram?: string;
@@ -20,4 +22,4 @@ export interface Config {
   env?: Record<string, string>;
 }
 
-export type ServiceName = 'gmail' | 'gchat' | 'jira' | 'slack' | 'telegram' | 'discourse' | 'sql';
+export type ServiceName = 'gmail' | 'gchat' | 'github' | 'jira' | 'slack' | 'telegram' | 'discourse' | 'sql';

package/src/types/github.ts

@@ -0,0 +1,16 @@
+export interface GitHubCredentials {
+  accessToken: string;
+  username: string;
+  email: string | null;
+}
+
+export interface GitHubUser {
+  login: string;
+  email: string | null;
+  name: string | null;
+}
+
+export interface GitHubPublicKey {
+  key_id: string;
+  key: string;
+}