@positronic/cli 0.0.55 → 0.0.57

package/dist/src/hooks/useApi.js

@@ -246,9 +246,9 @@ export function useApiGet(endpoint, options) {
                         case 0:
                             _state.trys.push([
                                 0,
-                                6,
                                 7,
-                                8
+                                8,
+                                9
                             ]);
                             setLoading(true);
                             setError(null);
@@ -273,27 +273,41 @@ export function useApiGet(endpoint, options) {
                             setData(result);
                             return [
                                 3,
-                                5
+                                6
                             ];
                         case 3:
+                            if (!(response.status === 401)) return [
+                                3,
+                                4
+                            ];
+                            setError({
+                                title: 'Authentication Required',
+                                message: 'Your request could not be authenticated.',
+                                details: "Run 'px auth login' to configure your SSH key, or check that your key is registered on the server."
+                            });
+                            return [
+                                3,
+                                6
+                            ];
+                        case 4:
                             return [
                                 4,
                                 response.text()
                             ];
-                        case 4:
+                        case 5:
                             errorText = _state.sent();
                             setError({
                                 title: 'Server Error',
                                 message: "Error fetching ".concat(endpoint, ": ").concat(response.status, " ").concat(response.statusText),
                                 details: "Server response: ".concat(errorText)
                             });
-                            _state.label = 5;
-                        case 5:
+                            _state.label = 6;
+                        case 6:
                             return [
                                 3,
-                                8
+                                9
                             ];
-                        case 6:
+                        case 7:
                             err = _state.sent();
                             baseError = getConnectionErrorMessage();
                             errorDetails = err.message;
@@ -305,14 +319,14 @@ export function useApiGet(endpoint, options) {
                             }));
                             return [
                                 3,
-                                8
+                                9
                             ];
-                        case 7:
+                        case 8:
                             setLoading(false);
                             return [
                                 7
                             ];
-                        case 8:
+                        case 9:
                             return [
                                 2
                             ];
@@ -336,15 +350,15 @@ export function useApiPost(endpoint, defaultOptions) {
     var _useState2 = _sliced_to_array(useState(null), 2), error = _useState2[0], setError = _useState2[1];
     var execute = useCallback(function(body, options) {
         return _async_to_generator(function() {
-            var response, result, errorText, errorObj, err, baseError, errorDetails, errorObj1;
+            var response, result, errorObj, errorText, errorObj1, err, baseError, errorDetails, errorObj2;
             return _ts_generator(this, function(_state) {
                 switch(_state.label){
                     case 0:
                         _state.trys.push([
                             0,
-                            6,
                             7,
-                            8
+                            8,
+                            9
                         ]);
                         setLoading(true);
                         setError(null);
@@ -358,7 +372,7 @@ export function useApiPost(endpoint, defaultOptions) {
                         ];
                     case 1:
                         response = _state.sent();
-                        if (!(response.status === 200 || response.status === 201)) return [
+                        if (!(response.status === 200 || response.status === 201 || response.status === 202)) return [
                             3,
                             3
                         ];
@@ -374,25 +388,37 @@ export function useApiPost(endpoint, defaultOptions) {
                             result
                         ];
                     case 3:
+                        if (!(response.status === 401)) return [
+                            3,
+                            4
+                        ];
+                        errorObj = {
+                            title: 'Authentication Required',
+                            message: 'Your request could not be authenticated.',
+                            details: "Run 'px auth login' to configure your SSH key, or check that your key is registered on the server."
+                        };
+                        setError(errorObj);
+                        throw errorObj;
+                    case 4:
                         return [
                             4,
                             response.text()
                         ];
-                    case 4:
+                    case 5:
                         errorText = _state.sent();
-                        errorObj = {
+                        errorObj1 = {
                             title: 'Server Error',
                             message: "Error posting to ".concat(endpoint, ": ").concat(response.status, " ").concat(response.statusText),
                             details: "Server response: ".concat(errorText)
                         };
-                        setError(errorObj);
-                        throw errorObj;
-                    case 5:
+                        setError(errorObj1);
+                        throw errorObj1;
+                    case 6:
                         return [
                             3,
-                            8
+                            9
                         ];
-                    case 6:
+                    case 7:
                         err = _state.sent();
                         // If it's already our error object, don't wrap it again
                         if (err.title && err.message) {
@@ -404,17 +430,17 @@ export function useApiPost(endpoint, defaultOptions) {
                         if (err.code === 'ECONNREFUSED') {
                             errorDetails = 'Connection refused. The server might not be running or is listening on a different port.';
                         }
-                        errorObj1 = _object_spread_props(_object_spread({}, baseError), {
+                        errorObj2 = _object_spread_props(_object_spread({}, baseError), {
                             details: "".concat(baseError.details, " ").concat(errorDetails)
                         });
-                        setError(errorObj1);
-                        throw errorObj1;
-                    case 7:
+                        setError(errorObj2);
+                        throw errorObj2;
+                    case 8:
                         setLoading(false);
                         return [
                             7
                         ];
-                    case 8:
+                    case 9:
                         return [
                             2
                         ];
@@ -437,15 +463,15 @@ export function useApiDelete(resourceType) {
     var _useState1 = _sliced_to_array(useState(null), 2), error = _useState1[0], setError = _useState1[1];
     var execute = useCallback(function(endpoint, options) {
         return _async_to_generator(function() {
-            var response, errorText, errorObj, err, baseError, errorDetails, errorObj1;
+            var response, errorObj, errorText, errorObj1, err, baseError, errorDetails, errorObj2;
             return _ts_generator(this, function(_state) {
                 switch(_state.label){
                     case 0:
                         _state.trys.push([
                             0,
-                            5,
                             6,
-                            7
+                            7,
+                            8
                         ]);
                         setLoading(true);
                         setError(null);
@@ -466,25 +492,37 @@ export function useApiDelete(resourceType) {
                             true
                         ];
                     case 2:
+                        if (!(response.status === 401)) return [
+                            3,
+                            3
+                        ];
+                        errorObj = {
+                            title: 'Authentication Required',
+                            message: 'Your request could not be authenticated.',
+                            details: "Run 'px auth login' to configure your SSH key, or check that your key is registered on the server."
+                        };
+                        setError(errorObj);
+                        throw errorObj;
+                    case 3:
                         return [
                             4,
                             response.text()
                         ];
-                    case 3:
+                    case 4:
                         errorText = _state.sent();
-                        errorObj = {
+                        errorObj1 = {
                             title: 'Server Error',
                             message: "Error deleting ".concat(resourceType, ": ").concat(response.status, " ").concat(response.statusText),
                             details: "Server response: ".concat(errorText)
                         };
-                        setError(errorObj);
-                        throw errorObj;
-                    case 4:
+                        setError(errorObj1);
+                        throw errorObj1;
+                    case 5:
                         return [
                             3,
-                            7
+                            8
                         ];
-                    case 5:
+                    case 6:
                         err = _state.sent();
                         // If it's already our error object, don't wrap it again
                         if (err.title && err.message) {
@@ -496,17 +534,17 @@ export function useApiDelete(resourceType) {
                         if (err.code === 'ECONNREFUSED') {
                             errorDetails = 'Connection refused. The server might not be running or is listening on a different port.';
                         }
-                        errorObj1 = _object_spread_props(_object_spread({}, baseError), {
+                        errorObj2 = _object_spread_props(_object_spread({}, baseError), {
                             details: "".concat(baseError.details, " ").concat(errorDetails)
                         });
-                        setError(errorObj1);
-                        throw errorObj1;
-                    case 6:
+                        setError(errorObj2);
+                        throw errorObj2;
+                    case 7:
                         setLoading(false);
                         return [
                             7
                         ];
-                    case 7:
+                    case 8:
                         return [
                             2
                         ];

package/dist/src/lib/request-signer.js

@@ -0,0 +1,208 @@
+function _class_call_check(instance, Constructor) {
+    if (!(instance instanceof Constructor)) {
+        throw new TypeError("Cannot call a class as a function");
+    }
+}
+function _defineProperties(target, props) {
+    for(var i = 0; i < props.length; i++){
+        var descriptor = props[i];
+        descriptor.enumerable = descriptor.enumerable || false;
+        descriptor.configurable = true;
+        if ("value" in descriptor) descriptor.writable = true;
+        Object.defineProperty(target, descriptor.key, descriptor);
+    }
+}
+function _create_class(Constructor, protoProps, staticProps) {
+    if (protoProps) _defineProperties(Constructor.prototype, protoProps);
+    if (staticProps) _defineProperties(Constructor, staticProps);
+    return Constructor;
+}
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _instanceof(left, right) {
+    if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
+        return !!right[Symbol.hasInstance](left);
+    } else {
+        return left instanceof right;
+    }
+}
+import { loadPrivateKey, getPrivateKeyFingerprint, signWithPrivateKey, resolvePrivateKeyPath } from './ssh-key-utils.js';
+import { existsSync } from 'fs';
+import { ProjectConfigManager } from '../commands/project-config-manager.js';
+/**
+ * Request signer for RFC 9421 HTTP Message Signatures
+ */ export var RequestSigner = /*#__PURE__*/ function() {
+    "use strict";
+    function RequestSigner() {
+        _class_call_check(this, RequestSigner);
+        _define_property(this, "privateKey", null);
+        _define_property(this, "fingerprint", null);
+        _define_property(this, "initialized", false);
+        _define_property(this, "initError", null);
+        this.initialize();
+    }
+    _create_class(RequestSigner, [
+        {
+            key: "initialize",
+            value: function initialize() {
+                try {
+                    // Get configured path from project config manager
+                    var configManager = new ProjectConfigManager();
+                    var configuredPath = configManager.getPrivateKeyPath();
+                    var keyPath = resolvePrivateKeyPath(configuredPath);
+                    if (!existsSync(keyPath)) {
+                        this.initError = new Error("Private key not found at ".concat(keyPath, ". Run 'px auth login' to configure your SSH key, or set POSITRONIC_PRIVATE_KEY environment variable."));
+                        return;
+                    }
+                    this.privateKey = loadPrivateKey(keyPath);
+                    this.fingerprint = getPrivateKeyFingerprint(this.privateKey);
+                    this.initialized = true;
+                } catch (error) {
+                    this.initError = _instanceof(error, Error) ? error : new Error('Failed to initialize request signer');
+                }
+            }
+        },
+        {
+            /**
+   * Check if the signer is ready to sign requests
+   */ key: "isReady",
+            value: function isReady() {
+                return this.initialized && this.privateKey !== null;
+            }
+        },
+        {
+            /**
+   * Get the error that occurred during initialization, if any
+   */ key: "getError",
+            value: function getError() {
+                return this.initError;
+            }
+        },
+        {
+            /**
+   * Get the fingerprint of the loaded private key
+   */ key: "getFingerprint",
+            value: function getFingerprint() {
+                return this.fingerprint;
+            }
+        },
+        {
+            /**
+   * Sign an HTTP request and return the signature headers
+   */ key: "signRequest",
+            value: function signRequest(method, url) {
+                var headers = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
+                if (!this.privateKey || !this.fingerprint) {
+                    throw new Error('Request signer not initialized');
+                }
+                var parsedUrl = new URL(url);
+                var created = Math.floor(Date.now() / 1000);
+                // Build the signature base
+                var coveredComponents = [
+                    '"@method"',
+                    '"@path"',
+                    '"@authority"'
+                ];
+                // Add content-type if present
+                if (headers['Content-Type'] || headers['content-type']) {
+                    coveredComponents.push('"content-type"');
+                }
+                // Create the signature base string
+                var signatureBaseLines = [];
+                var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
+                try {
+                    for(var _iterator = coveredComponents[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
+                        var component = _step.value;
+                        var componentName = component.replace(/"/g, '');
+                        if (componentName === '@method') {
+                            signatureBaseLines.push('"@method": '.concat(method.toUpperCase()));
+                        } else if (componentName === '@path') {
+                            signatureBaseLines.push('"@path": '.concat(parsedUrl.pathname));
+                        } else if (componentName === '@authority') {
+                            signatureBaseLines.push('"@authority": '.concat(parsedUrl.host));
+                        } else {
+                            // Regular header
+                            var headerValue = headers[componentName] || headers[componentName.toLowerCase()] || headers[componentName.charAt(0).toUpperCase() + componentName.slice(1)];
+                            if (headerValue) {
+                                signatureBaseLines.push('"'.concat(componentName.toLowerCase(), '": ').concat(headerValue));
+                            }
+                        }
+                    }
+                } catch (err) {
+                    _didIteratorError = true;
+                    _iteratorError = err;
+                } finally{
+                    try {
+                        if (!_iteratorNormalCompletion && _iterator.return != null) {
+                            _iterator.return();
+                        }
+                    } finally{
+                        if (_didIteratorError) {
+                            throw _iteratorError;
+                        }
+                    }
+                }
+                // Create the signature-params line
+                var signatureParams = "(".concat(coveredComponents.join(' '), ");created=").concat(created, ';keyid="').concat(this.fingerprint, '"');
+                signatureBaseLines.push('"@signature-params": '.concat(signatureParams));
+                var signatureBase = signatureBaseLines.join('\n');
+                // Sign the base
+                var signatureBytes = signWithPrivateKey(this.privateKey, signatureBase);
+                var signatureValue = signatureBytes.toString('base64');
+                return {
+                    Signature: "sig1=:".concat(signatureValue, ":"),
+                    'Signature-Input': "sig1=".concat(signatureParams)
+                };
+            }
+        }
+    ]);
+    return RequestSigner;
+}();
+// Singleton instance
+var signerInstance = null;
+/**
+ * Get the singleton request signer instance
+ */ export function getRequestSigner() {
+    if (!signerInstance) {
+        signerInstance = new RequestSigner();
+    }
+    return signerInstance;
+}
+/**
+ * Reset the request signer singleton
+ * Call this after auth config changes to force reinitialization with new key
+ */ export function resetRequestSigner() {
+    signerInstance = null;
+}
+/**
+ * Check if request signing is available
+ */ export function isSigningAvailable() {
+    return getRequestSigner().isReady();
+}
+/**
+ * Sign an HTTP request if signing is available
+ * Returns the additional headers to add, or empty object if signing is not available
+ */ export function maybeSignRequest(method, url) {
+    var headers = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
+    var signer = getRequestSigner();
+    if (!signer.isReady()) {
+        return {};
+    }
+    try {
+        return signer.signRequest(method, url, headers);
+    } catch (error) {
+        console.error('Warning: Failed to sign request:', error);
+        return {};
+    }
+}

package/dist/src/lib/ssh-key-utils.js

@@ -0,0 +1,212 @@
+import sshpk from 'sshpk';
+import { readFileSync, readdirSync, existsSync } from 'fs';
+import { homedir } from 'os';
+import { join } from 'path';
+import { createPublicKey } from 'crypto';
+/**
+ * Discover available SSH keys in the ~/.ssh directory
+ * Scans for common key files and returns metadata about each key
+ */ export function discoverSSHKeys() {
+    var sshDir = join(homedir(), '.ssh');
+    if (!existsSync(sshDir)) {
+        return [];
+    }
+    var discoveredKeys = [];
+    var processedPaths = new Set();
+    // Common private key filenames to look for
+    var commonKeyNames = [
+        'id_rsa',
+        'id_ed25519',
+        'id_ecdsa',
+        'id_dsa'
+    ];
+    var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
+    try {
+        // First, check common key names
+        for(var _iterator = commonKeyNames[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
+            var keyName = _step.value;
+            var privateKeyPath = join(sshDir, keyName);
+            var publicKeyPath = join(sshDir, "".concat(keyName, ".pub"));
+            if (existsSync(privateKeyPath) && !processedPaths.has(privateKeyPath)) {
+                var keyInfo = tryLoadKeyInfo(privateKeyPath, publicKeyPath);
+                if (keyInfo) {
+                    discoveredKeys.push(keyInfo);
+                    processedPaths.add(privateKeyPath);
+                }
+            }
+        }
+    } catch (err) {
+        _didIteratorError = true;
+        _iteratorError = err;
+    } finally{
+        try {
+            if (!_iteratorNormalCompletion && _iterator.return != null) {
+                _iterator.return();
+            }
+        } finally{
+            if (_didIteratorError) {
+                throw _iteratorError;
+            }
+        }
+    }
+    // Also scan for any .pub files and infer private key path
+    try {
+        var files = readdirSync(sshDir);
+        var _iteratorNormalCompletion1 = true, _didIteratorError1 = false, _iteratorError1 = undefined;
+        try {
+            for(var _iterator1 = files[Symbol.iterator](), _step1; !(_iteratorNormalCompletion1 = (_step1 = _iterator1.next()).done); _iteratorNormalCompletion1 = true){
+                var file = _step1.value;
+                if (file.endsWith('.pub')) {
+                    var privateKeyName = file.slice(0, -4); // Remove .pub
+                    var privateKeyPath1 = join(sshDir, privateKeyName);
+                    var publicKeyPath1 = join(sshDir, file);
+                    if (existsSync(privateKeyPath1) && !processedPaths.has(privateKeyPath1)) {
+                        var keyInfo1 = tryLoadKeyInfo(privateKeyPath1, publicKeyPath1);
+                        if (keyInfo1) {
+                            discoveredKeys.push(keyInfo1);
+                            processedPaths.add(privateKeyPath1);
+                        }
+                    }
+                }
+            }
+        } catch (err) {
+            _didIteratorError1 = true;
+            _iteratorError1 = err;
+        } finally{
+            try {
+                if (!_iteratorNormalCompletion1 && _iterator1.return != null) {
+                    _iterator1.return();
+                }
+            } finally{
+                if (_didIteratorError1) {
+                    throw _iteratorError1;
+                }
+            }
+        }
+    } catch (e) {
+    // If we can't read the directory, just return what we have
+    }
+    return discoveredKeys;
+}
+/**
+ * Try to load key info from a private/public key pair
+ */ function tryLoadKeyInfo(privateKeyPath, publicKeyPath) {
+    try {
+        // Try to read the public key to get fingerprint and algorithm
+        if (existsSync(publicKeyPath)) {
+            var pubContent = readFileSync(publicKeyPath, 'utf-8').trim();
+            var sshKey = sshpk.parseKey(pubContent, 'auto');
+            var fingerprint = sshKey.fingerprint('sha256').toString();
+            // Extract comment from public key (usually the third part after algorithm and key data)
+            var parts = pubContent.split(' ');
+            var comment = parts.length > 2 ? parts.slice(2).join(' ') : undefined;
+            return {
+                path: privateKeyPath,
+                fingerprint: fingerprint,
+                algorithm: sshKey.type.toUpperCase(),
+                comment: comment
+            };
+        }
+        // If no public key, try to derive info from private key
+        var privateContent = readFileSync(privateKeyPath, 'utf-8');
+        var privateKey = sshpk.parsePrivateKey(privateContent, 'auto');
+        var publicKey = privateKey.toPublic();
+        var fingerprint1 = publicKey.fingerprint('sha256').toString();
+        return {
+            path: privateKeyPath,
+            fingerprint: fingerprint1,
+            algorithm: privateKey.type.toUpperCase()
+        };
+    } catch (e) {
+        // Key couldn't be parsed, skip it
+        return null;
+    }
+}
+/**
+ * Convert an SSH public key file to JWK format
+ * Uses sshpk for SSH parsing and Node.js crypto for PEM → JWK conversion
+ */ export function convertSSHPubKeyToJWK(pubKeyPath) {
+    var content = readFileSync(pubKeyPath, 'utf-8').trim();
+    var sshKey = sshpk.parseKey(content, 'auto');
+    // Get the fingerprint using SHA256 (sshpk's job)
+    var fingerprint = sshKey.fingerprint('sha256').toString();
+    // Convert SSH → PEM → JWK using Node.js crypto (battle-tested)
+    var pem = sshKey.toString('pem');
+    var keyObject = createPublicKey(pem);
+    var jwk = keyObject.export({
+        format: 'jwk'
+    });
+    return {
+        jwk: jwk,
+        fingerprint: fingerprint,
+        algorithm: sshKey.type
+    };
+}
+/**
+ * Load an SSH private key from a file path or environment variable
+ */ export function loadPrivateKey(pathOrEnv) {
+    var keyPath;
+    if (pathOrEnv) {
+        // If it starts with ~ or /, treat as a path
+        if (pathOrEnv.startsWith('~') || pathOrEnv.startsWith('/')) {
+            keyPath = pathOrEnv.startsWith('~') ? join(homedir(), pathOrEnv.slice(1)) : pathOrEnv;
+        } else {
+            // Otherwise, check if it's an env var or direct path
+            keyPath = pathOrEnv;
+        }
+    } else {
+        // Default to ~/.ssh/id_rsa
+        keyPath = join(homedir(), '.ssh', 'id_rsa');
+    }
+    // Expand ~ if present
+    if (keyPath.startsWith('~')) {
+        keyPath = join(homedir(), keyPath.slice(1));
+    }
+    var content = readFileSync(keyPath, 'utf-8');
+    return sshpk.parsePrivateKey(content, 'auto');
+}
+/**
+ * Get the fingerprint of a private key (from its public component)
+ */ export function getPrivateKeyFingerprint(privateKey) {
+    var publicKey = privateKey.toPublic();
+    return publicKey.fingerprint('sha256').toString();
+}
+/**
+ * Sign data with an SSH private key
+ */ export function signWithPrivateKey(privateKey, data) {
+    var dataBuffer = typeof data === 'string' ? Buffer.from(data) : data;
+    var signer = privateKey.createSign('sha256');
+    signer.update(dataBuffer);
+    var signature = signer.sign();
+    return signature.toBuffer('raw');
+}
+/**
+ * Resolve the private key path from environment, config, or default
+ * @param configuredPath - Optional configured path from ProjectConfigManager
+ */ export function resolvePrivateKeyPath(configuredPath) {
+    // Priority 1: Environment variable (highest)
+    var envPath = process.env.POSITRONIC_PRIVATE_KEY;
+    if (envPath) {
+        if (envPath.startsWith('~')) {
+            return join(homedir(), envPath.slice(1));
+        }
+        return envPath;
+    }
+    // Priority 2: Configured path from config manager
+    if (configuredPath) {
+        if (configuredPath.startsWith('~')) {
+            return join(homedir(), configuredPath.slice(1));
+        }
+        return configuredPath;
+    }
+    // Priority 3: Default fallback
+    return join(homedir(), '.ssh', 'id_rsa');
+}
+/**
+ * Expand a path that may contain ~ to the full path
+ */ export function expandPath(keyPath) {
+    if (keyPath.startsWith('~')) {
+        return join(homedir(), keyPath.slice(1));
+    }
+    return keyPath;
+}