@plosson/agentio 0.8.1 → 0.8.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@plosson/agentio",
-  "version": "0.8.1",
+  "version": "0.8.3",
   "description": "CLI for LLM agents to interact with communication and tracking services",
   "type": "module",
   "license": "MIT",

package/src/server/oauth.test.ts

@@ -809,6 +809,29 @@ describe('handleAuthorizePost — happy path', () => {
     expect(url.searchParams.get('state')).toBe('STATE_XYZ');
   });
 
+  test('api_key with trailing whitespace still authorizes (trim)', async () => {
+    // Regression: operators often paste the key with a trailing newline
+    // from terminals. Byte-for-byte compare would silently reject.
+    const ctx = makeCtx();
+    const clientId = await registerTestClient(ctx);
+    for (const suffix of [' ', '\n', '\r\n', '  \t']) {
+      const res = await handleAuthorizePost(
+        authorizePost({
+          client_id: clientId,
+          redirect_uri: 'http://localhost:53682/callback',
+          response_type: 'code',
+          code_challenge: 'CHAL',
+          code_challenge_method: 'S256',
+          state: '',
+          scope: 'gchat:default',
+          api_key: TEST_API_KEY + suffix,
+        }),
+        ctx
+      );
+      expect(res.status).toBe(302);
+    }
+  });
+
   test('issued code is consumable from the store', async () => {
     const ctx = makeCtx();
     const clientId = await registerTestClient(ctx);

package/src/server/oauth.ts

@@ -539,7 +539,10 @@ export async function handleAuthorizePost(
 
   const params = result.params;
   const client = ctx.oauthStore.findClient(params.clientId);
-  const apiKey = form.get('api_key') ?? '';
+  // Trim pasted whitespace — same UX issue as setup-page.ts: a stray
+  // newline or trailing space from copy-paste would otherwise fail the
+  // byte-for-byte compare with a confusing error.
+  const apiKey = (form.get('api_key') ?? '').trim();
 
   if (!apiKey || !constantTimeEquals(apiKey, ctx.apiKey)) {
     // Re-render the form with an error. We deliberately do NOT redirect

package/src/server/setup-page.test.ts

@@ -32,10 +32,14 @@ interface FakeProfile {
 // Mutable container the mock consults on each call.
 let currentProfiles: FakeProfile[] = [];
 
-function setProfiles(fixture: Record<string, string[]>): void {
-  currentProfiles = Object.entries(fixture).map(([service, names]) => ({
+type ProfileFixture = string | { name: string; readOnly?: boolean };
+
+function setProfiles(fixture: Record<string, ProfileFixture[]>): void {
+  currentProfiles = Object.entries(fixture).map(([service, entries]) => ({
     service,
-    profiles: names.map((n) => ({ name: n })),
+    profiles: entries.map((e) =>
+      typeof e === 'string' ? { name: e } : { name: e.name, readOnly: e.readOnly }
+    ),
   }));
 }
 
@@ -160,6 +164,23 @@ describe('POST / — login', () => {
     expect(res.headers.get('set-cookie')).toBeNull();
   });
 
+  test('correct api_key with trailing whitespace (newline/space) → 302', async () => {
+    // Regression: operators routinely paste the key with a trailing
+    // newline from terminals. Byte-for-byte compare would silently
+    // reject an otherwise-valid key; trim makes it forgiving.
+    for (const suffix of [' ', '\n', '\r\n', '  \t']) {
+      const res = await handleRequest(
+        req('POST', '/', {
+          contentType: FORM,
+          body: formBody({ api_key: API_KEY + suffix }),
+        }),
+        ctx
+      );
+      expect(res.status).toBe(302);
+      expect(res.headers.get('set-cookie')).toContain(expectedCookieValue(API_KEY));
+    }
+  });
+
   test('correct api_key → 302 to /, sets cookie with expected attributes', async () => {
     const res = await handleRequest(
       req('POST', '/', {
@@ -246,6 +267,33 @@ describe('GET / — authenticated (valid cookie)', () => {
     expect(html).not.toContain('<h2>jira</h2>');
   });
 
+  test('read-only profiles render an RO badge; writable profiles do not', async () => {
+    setProfiles({
+      gmail: [
+        'work', // writable
+        { name: 'archive', readOnly: true },
+      ],
+    });
+    const res = await handleRequest(
+      req('GET', '/', { cookie: validCookie() }),
+      ctx
+    );
+    const html = await res.text();
+
+    // Find the two profile rows and check each one independently.
+    const workRow = html.match(
+      /<label class="profile">[^<]*<input[^>]*value="gmail:work"[^>]*>[^<]*(?:<span[^<]*<\/span>)?[^<]*<\/label>/
+    );
+    const archiveRow = html.match(
+      /<label class="profile">[^<]*<input[^>]*value="gmail:archive"[^>]*>[^<]*(?:<span[^<]*<\/span>)?[^<]*<\/label>/
+    );
+    expect(workRow).not.toBeNull();
+    expect(archiveRow).not.toBeNull();
+    expect(workRow![0]).not.toContain('ro-badge');
+    expect(archiveRow![0]).toContain('ro-badge');
+    expect(archiveRow![0]).toContain('>RO<');
+  });
+
   test('no configured profiles → empty-state message, no checkboxes', async () => {
     setProfiles({});
     const res = await handleRequest(

package/src/server/setup-page.ts

@@ -147,6 +147,24 @@ label.profile {
   cursor: pointer;
 }
 label.profile input { margin-right: 0.5rem; }
+.ro-badge {
+  display: inline-block;
+  margin-left: 0.5rem;
+  padding: 0 0.4rem;
+  font-size: 0.7rem;
+  font-weight: 600;
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;
+  letter-spacing: 0.03em;
+  text-transform: uppercase;
+  color: #92400e;
+  background: #fef3c7;
+  border: 1px solid #fde68a;
+  border-radius: 4px;
+  vertical-align: 1px;
+}
+@media (prefers-color-scheme: dark) {
+  .ro-badge { color: #fde68a; background: #3f2e08; border-color: #5c4510; }
+}
 .output { display: flex; flex-direction: column; gap: 0.4rem; margin-top: 1.4rem; }
 .output label { font-weight: 600; font-size: 0.9rem; }
 .output .row { display: flex; gap: 0.5rem; }
@@ -186,9 +204,14 @@ ${errorBlock}
 </html>`;
 }
 
+interface ProfileView {
+  name: string;
+  readOnly: boolean;
+}
+
 interface ServiceProfileList {
   service: string;
-  profiles: string[];
+  profiles: ProfileView[];
 }
 
 function profilesPageHtml(origin: string, configured: ServiceProfileList[]): string {
@@ -198,10 +221,13 @@ function profilesPageHtml(origin: string, configured: ServiceProfileList[]): str
     .map((s) => {
       const items = s.profiles
         .map((p) => {
-          const value = `${s.service}:${p}`;
+          const value = `${s.service}:${p.name}`;
+          const badge = p.readOnly
+            ? ' <span class="ro-badge" title="read-only">RO</span>'
+            : '';
           return `    <label class="profile"><input type="checkbox" name="sp" value="${escapeHtml(
             value
-          )}"> ${escapeHtml(p)}</label>`;
+          )}"> ${escapeHtml(p.name)}${badge}</label>`;
         })
         .join('\n');
       return `  <section class="service">
@@ -314,7 +340,10 @@ async function handleSetupGet(
     .filter((s) => s.profiles.length > 0)
     .map((s) => ({
       service: s.service,
-      profiles: s.profiles.map((p) => p.name),
+      profiles: s.profiles.map((p) => ({
+        name: p.name,
+        readOnly: p.readOnly === true,
+      })),
     }));
 
   return new Response(profilesPageHtml(origin, configured), {
@@ -338,7 +367,11 @@ async function handleSetupPost(
     });
   }
 
-  const apiKey = form.get('api_key') ?? '';
+  // Trim: operators routinely paste the key with a trailing newline or
+  // space from terminals / password managers. constantTimeEquals is a
+  // byte-for-byte compare, so an extra whitespace character silently
+  // fails the login with a confusing "Invalid API key" error.
+  const apiKey = (form.get('api_key') ?? '').trim();
   if (!apiKey || !constantTimeEquals(apiKey, ctx.apiKey)) {
     return new Response(loginFormHtml('Invalid API key.'), {
       status: 401,