@positronic/cli 0.0.56 → 0.0.58

package/dist/src/hooks/useApi.js

@@ -218,6 +218,16 @@ function _ts_generator(thisArg, body) {
 }
 import { useState, useEffect, useCallback } from 'react';
 import { apiClient, isApiLocalDevMode } from '../commands/helpers.js';
+var ROOT_KEY_NOT_CONFIGURED_ERROR = {
+    title: 'Root Key Not Configured',
+    message: 'The server does not have a root authentication key configured.',
+    details: "Run 'px auth format-jwk-key' to generate the key, then add ROOT_PUBLIC_KEY as a secret in your server configuration."
+};
+var AUTH_REQUIRED_ERROR = {
+    title: 'Authentication Required',
+    message: 'Your request could not be authenticated.',
+    details: "Run 'px auth login' to configure your SSH key, or check that your key is registered on the server."
+};
 function getConnectionErrorMessage() {
     if (isApiLocalDevMode()) {
         return {
@@ -233,6 +243,125 @@ function getConnectionErrorMessage() {
         };
     }
 }
+/**
+ * Fetch auth setup instructions from the server
+ */ function fetchAuthSetupInstructions() {
+    return _async_to_generator(function() {
+        var response;
+        return _ts_generator(this, function(_state) {
+            switch(_state.label){
+                case 0:
+                    return [
+                        4,
+                        apiClient.fetchUnauthenticated('/auth/setup')
+                    ];
+                case 1:
+                    response = _state.sent();
+                    if (!response.ok) return [
+                        3,
+                        3
+                    ];
+                    return [
+                        4,
+                        response.json()
+                    ];
+                case 2:
+                    return [
+                        2,
+                        _state.sent()
+                    ];
+                case 3:
+                    return [
+                        2,
+                        null
+                    ];
+            }
+        });
+    })();
+}
+/**
+ * Check if the error response indicates ROOT_KEY_NOT_CONFIGURED
+ */ function isRootKeyNotConfiguredError(response) {
+    return _async_to_generator(function() {
+        var clonedResponse, data, e;
+        return _ts_generator(this, function(_state) {
+            switch(_state.label){
+                case 0:
+                    _state.trys.push([
+                        0,
+                        2,
+                        ,
+                        3
+                    ]);
+                    clonedResponse = response.clone();
+                    return [
+                        4,
+                        clonedResponse.json()
+                    ];
+                case 1:
+                    data = _state.sent();
+                    return [
+                        2,
+                        data.error === 'ROOT_KEY_NOT_CONFIGURED'
+                    ];
+                case 2:
+                    e = _state.sent();
+                    return [
+                        2,
+                        false
+                    ];
+                case 3:
+                    return [
+                        2
+                    ];
+            }
+        });
+    })();
+}
+/**
+ * Build the appropriate auth error based on the response
+ */ function buildAuthError(response) {
+    return _async_to_generator(function() {
+        var setupInfo;
+        return _ts_generator(this, function(_state) {
+            switch(_state.label){
+                case 0:
+                    return [
+                        4,
+                        isRootKeyNotConfiguredError(response)
+                    ];
+                case 1:
+                    if (!_state.sent()) return [
+                        3,
+                        3
+                    ];
+                    return [
+                        4,
+                        fetchAuthSetupInstructions()
+                    ];
+                case 2:
+                    setupInfo = _state.sent();
+                    if (setupInfo) {
+                        return [
+                            2,
+                            _object_spread_props(_object_spread({}, ROOT_KEY_NOT_CONFIGURED_ERROR), {
+                                details: setupInfo.instructions
+                            })
+                        ];
+                    }
+                    return [
+                        2,
+                        ROOT_KEY_NOT_CONFIGURED_ERROR
+                    ];
+                case 3:
+                    return [
+                        2,
+                        AUTH_REQUIRED_ERROR
+                    ];
+            }
+        });
+    })();
+}
 export function useApiGet(endpoint, options) {
     var _useState = _sliced_to_array(useState(null), 2), data = _useState[0], setData = _useState[1];
     var _useState1 = _sliced_to_array(useState(true), 2), loading = _useState1[0], setLoading = _useState1[1];
@@ -246,9 +375,9 @@ export function useApiGet(endpoint, options) {
                         case 0:
                             _state.trys.push([
                                 0,
-                                6,
-                                7,
-                                8
+                                8,
+                                9,
+                                10
                             ]);
                             setLoading(true);
                             setError(null);
@@ -273,27 +402,44 @@ export function useApiGet(endpoint, options) {
                             setData(result);
                             return [
                                 3,
-                                5
+                                7
                             ];
                         case 3:
+                            if (!(response.status === 401)) return [
+                                3,
+                                5
+                            ];
                             return [
                                 4,
-                                response.text()
+                                buildAuthError(response)
                             ];
                         case 4:
+                            setError.apply(void 0, [
+                                _state.sent()
+                            ]);
+                            return [
+                                3,
+                                7
+                            ];
+                        case 5:
+                            return [
+                                4,
+                                response.text()
+                            ];
+                        case 6:
                             errorText = _state.sent();
                             setError({
                                 title: 'Server Error',
                                 message: "Error fetching ".concat(endpoint, ": ").concat(response.status, " ").concat(response.statusText),
                                 details: "Server response: ".concat(errorText)
                             });
-                            _state.label = 5;
-                        case 5:
+                            _state.label = 7;
+                        case 7:
                             return [
                                 3,
-                                8
+                                10
                             ];
-                        case 6:
+                        case 8:
                             err = _state.sent();
                             baseError = getConnectionErrorMessage();
                             errorDetails = err.message;
@@ -305,14 +451,14 @@ export function useApiGet(endpoint, options) {
                             }));
                             return [
                                 3,
-                                8
+                                10
                             ];
-                        case 7:
+                        case 9:
                             setLoading(false);
                             return [
                                 7
                             ];
-                        case 8:
+                        case 10:
                             return [
                                 2
                             ];
@@ -336,15 +482,15 @@ export function useApiPost(endpoint, defaultOptions) {
     var _useState2 = _sliced_to_array(useState(null), 2), error = _useState2[0], setError = _useState2[1];
     var execute = useCallback(function(body, options) {
         return _async_to_generator(function() {
-            var response, result, errorText, errorObj, err, baseError, errorDetails, errorObj1;
+            var response, result, errorObj, errorText, errorObj1, err, baseError, errorDetails, errorObj2;
             return _ts_generator(this, function(_state) {
                 switch(_state.label){
                     case 0:
                         _state.trys.push([
                             0,
-                            6,
-                            7,
-                            8
+                            8,
+                            9,
+                            10
                         ]);
                         setLoading(true);
                         setError(null);
@@ -358,7 +504,7 @@ export function useApiPost(endpoint, defaultOptions) {
                         ];
                     case 1:
                         response = _state.sent();
-                        if (!(response.status === 200 || response.status === 201)) return [
+                        if (!(response.status === 200 || response.status === 201 || response.status === 202)) return [
                             3,
                             3
                         ];
@@ -374,25 +520,38 @@ export function useApiPost(endpoint, defaultOptions) {
                             result
                         ];
                     case 3:
+                        if (!(response.status === 401)) return [
+                            3,
+                            5
+                        ];
                         return [
                             4,
-                            response.text()
+                            buildAuthError(response)
                         ];
                     case 4:
+                        errorObj = _state.sent();
+                        setError(errorObj);
+                        throw errorObj;
+                    case 5:
+                        return [
+                            4,
+                            response.text()
+                        ];
+                    case 6:
                         errorText = _state.sent();
-                        errorObj = {
+                        errorObj1 = {
                             title: 'Server Error',
                             message: "Error posting to ".concat(endpoint, ": ").concat(response.status, " ").concat(response.statusText),
                             details: "Server response: ".concat(errorText)
                         };
-                        setError(errorObj);
-                        throw errorObj;
-                    case 5:
+                        setError(errorObj1);
+                        throw errorObj1;
+                    case 7:
                         return [
                             3,
-                            8
+                            10
                         ];
-                    case 6:
+                    case 8:
                         err = _state.sent();
                         // If it's already our error object, don't wrap it again
                         if (err.title && err.message) {
@@ -404,17 +563,17 @@ export function useApiPost(endpoint, defaultOptions) {
                         if (err.code === 'ECONNREFUSED') {
                             errorDetails = 'Connection refused. The server might not be running or is listening on a different port.';
                         }
-                        errorObj1 = _object_spread_props(_object_spread({}, baseError), {
+                        errorObj2 = _object_spread_props(_object_spread({}, baseError), {
                             details: "".concat(baseError.details, " ").concat(errorDetails)
                         });
-                        setError(errorObj1);
-                        throw errorObj1;
-                    case 7:
+                        setError(errorObj2);
+                        throw errorObj2;
+                    case 9:
                         setLoading(false);
                         return [
                             7
                         ];
-                    case 8:
+                    case 10:
                         return [
                             2
                         ];
@@ -437,15 +596,15 @@ export function useApiDelete(resourceType) {
     var _useState1 = _sliced_to_array(useState(null), 2), error = _useState1[0], setError = _useState1[1];
     var execute = useCallback(function(endpoint, options) {
         return _async_to_generator(function() {
-            var response, errorText, errorObj, err, baseError, errorDetails, errorObj1;
+            var response, errorObj, errorText, errorObj1, err, baseError, errorDetails, errorObj2;
             return _ts_generator(this, function(_state) {
                 switch(_state.label){
                     case 0:
                         _state.trys.push([
                             0,
-                            5,
-                            6,
-                            7
+                            7,
+                            8,
+                            9
                         ]);
                         setLoading(true);
                         setError(null);
@@ -466,25 +625,38 @@ export function useApiDelete(resourceType) {
                             true
                         ];
                     case 2:
+                        if (!(response.status === 401)) return [
+                            3,
+                            4
+                        ];
                         return [
                             4,
-                            response.text()
+                            buildAuthError(response)
                         ];
                     case 3:
+                        errorObj = _state.sent();
+                        setError(errorObj);
+                        throw errorObj;
+                    case 4:
+                        return [
+                            4,
+                            response.text()
+                        ];
+                    case 5:
                         errorText = _state.sent();
-                        errorObj = {
+                        errorObj1 = {
                             title: 'Server Error',
                             message: "Error deleting ".concat(resourceType, ": ").concat(response.status, " ").concat(response.statusText),
                             details: "Server response: ".concat(errorText)
                         };
-                        setError(errorObj);
-                        throw errorObj;
-                    case 4:
+                        setError(errorObj1);
+                        throw errorObj1;
+                    case 6:
                         return [
                             3,
-                            7
+                            9
                         ];
-                    case 5:
+                    case 7:
                         err = _state.sent();
                         // If it's already our error object, don't wrap it again
                         if (err.title && err.message) {
@@ -496,17 +668,17 @@ export function useApiDelete(resourceType) {
                         if (err.code === 'ECONNREFUSED') {
                             errorDetails = 'Connection refused. The server might not be running or is listening on a different port.';
                         }
-                        errorObj1 = _object_spread_props(_object_spread({}, baseError), {
+                        errorObj2 = _object_spread_props(_object_spread({}, baseError), {
                             details: "".concat(baseError.details, " ").concat(errorDetails)
                         });
-                        setError(errorObj1);
-                        throw errorObj1;
-                    case 6:
+                        setError(errorObj2);
+                        throw errorObj2;
+                    case 8:
                         setLoading(false);
                         return [
                             7
                         ];
-                    case 7:
+                    case 9:
                         return [
                             2
                         ];

package/dist/src/lib/request-signer.js

@@ -0,0 +1,208 @@
+function _class_call_check(instance, Constructor) {
+    if (!(instance instanceof Constructor)) {
+        throw new TypeError("Cannot call a class as a function");
+    }
+}
+function _defineProperties(target, props) {
+    for(var i = 0; i < props.length; i++){
+        var descriptor = props[i];
+        descriptor.enumerable = descriptor.enumerable || false;
+        descriptor.configurable = true;
+        if ("value" in descriptor) descriptor.writable = true;
+        Object.defineProperty(target, descriptor.key, descriptor);
+    }
+}
+function _create_class(Constructor, protoProps, staticProps) {
+    if (protoProps) _defineProperties(Constructor.prototype, protoProps);
+    if (staticProps) _defineProperties(Constructor, staticProps);
+    return Constructor;
+}
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _instanceof(left, right) {
+    if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
+        return !!right[Symbol.hasInstance](left);
+    } else {
+        return left instanceof right;
+    }
+}
+import { loadPrivateKey, getPrivateKeyFingerprint, signWithPrivateKey, resolvePrivateKeyPath } from './ssh-key-utils.js';
+import { existsSync } from 'fs';
+import { ProjectConfigManager } from '../commands/project-config-manager.js';
+/**
+ * Request signer for RFC 9421 HTTP Message Signatures
+ */ export var RequestSigner = /*#__PURE__*/ function() {
+    "use strict";
+    function RequestSigner() {
+        _class_call_check(this, RequestSigner);
+        _define_property(this, "privateKey", null);
+        _define_property(this, "fingerprint", null);
+        _define_property(this, "initialized", false);
+        _define_property(this, "initError", null);
+        this.initialize();
+    }
+    _create_class(RequestSigner, [
+        {
+            key: "initialize",
+            value: function initialize() {
+                try {
+                    // Get configured path from project config manager
+                    var configManager = new ProjectConfigManager();
+                    var configuredPath = configManager.getPrivateKeyPath();
+                    var keyPath = resolvePrivateKeyPath(configuredPath);
+                    if (!existsSync(keyPath)) {
+                        this.initError = new Error("Private key not found at ".concat(keyPath, ". Run 'px auth login' to configure your SSH key, or set POSITRONIC_PRIVATE_KEY environment variable."));
+                        return;
+                    }
+                    this.privateKey = loadPrivateKey(keyPath);
+                    this.fingerprint = getPrivateKeyFingerprint(this.privateKey);
+                    this.initialized = true;
+                } catch (error) {
+                    this.initError = _instanceof(error, Error) ? error : new Error('Failed to initialize request signer');
+                }
+            }
+        },
+        {
+            /**
+   * Check if the signer is ready to sign requests
+   */ key: "isReady",
+            value: function isReady() {
+                return this.initialized && this.privateKey !== null;
+            }
+        },
+        {
+            /**
+   * Get the error that occurred during initialization, if any
+   */ key: "getError",
+            value: function getError() {
+                return this.initError;
+            }
+        },
+        {
+            /**
+   * Get the fingerprint of the loaded private key
+   */ key: "getFingerprint",
+            value: function getFingerprint() {
+                return this.fingerprint;
+            }
+        },
+        {
+            /**
+   * Sign an HTTP request and return the signature headers
+   */ key: "signRequest",
+            value: function signRequest(method, url) {
+                var headers = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
+                if (!this.privateKey || !this.fingerprint) {
+                    throw new Error('Request signer not initialized');
+                }
+                var parsedUrl = new URL(url);
+                var created = Math.floor(Date.now() / 1000);
+                // Build the signature base
+                var coveredComponents = [
+                    '"@method"',
+                    '"@path"',
+                    '"@authority"'
+                ];
+                // Add content-type if present
+                if (headers['Content-Type'] || headers['content-type']) {
+                    coveredComponents.push('"content-type"');
+                }
+                // Create the signature base string
+                var signatureBaseLines = [];
+                var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
+                try {
+                    for(var _iterator = coveredComponents[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
+                        var component = _step.value;
+                        var componentName = component.replace(/"/g, '');
+                        if (componentName === '@method') {
+                            signatureBaseLines.push('"@method": '.concat(method.toUpperCase()));
+                        } else if (componentName === '@path') {
+                            signatureBaseLines.push('"@path": '.concat(parsedUrl.pathname));
+                        } else if (componentName === '@authority') {
+                            signatureBaseLines.push('"@authority": '.concat(parsedUrl.host));
+                        } else {
+                            // Regular header
+                            var headerValue = headers[componentName] || headers[componentName.toLowerCase()] || headers[componentName.charAt(0).toUpperCase() + componentName.slice(1)];
+                            if (headerValue) {
+                                signatureBaseLines.push('"'.concat(componentName.toLowerCase(), '": ').concat(headerValue));
+                            }
+                        }
+                    }
+                } catch (err) {
+                    _didIteratorError = true;
+                    _iteratorError = err;
+                } finally{
+                    try {
+                        if (!_iteratorNormalCompletion && _iterator.return != null) {
+                            _iterator.return();
+                        }
+                    } finally{
+                        if (_didIteratorError) {
+                            throw _iteratorError;
+                        }
+                    }
+                }
+                // Create the signature-params line
+                var signatureParams = "(".concat(coveredComponents.join(' '), ");created=").concat(created, ';keyid="').concat(this.fingerprint, '"');
+                signatureBaseLines.push('"@signature-params": '.concat(signatureParams));
+                var signatureBase = signatureBaseLines.join('\n');
+                // Sign the base
+                var signatureBytes = signWithPrivateKey(this.privateKey, signatureBase);
+                var signatureValue = signatureBytes.toString('base64');
+                return {
+                    Signature: "sig1=:".concat(signatureValue, ":"),
+                    'Signature-Input': "sig1=".concat(signatureParams)
+                };
+            }
+        }
+    ]);
+    return RequestSigner;
+}();
+// Singleton instance
+var signerInstance = null;
+/**
+ * Get the singleton request signer instance
+ */ export function getRequestSigner() {
+    if (!signerInstance) {
+        signerInstance = new RequestSigner();
+    }
+    return signerInstance;
+}
+/**
+ * Reset the request signer singleton
+ * Call this after auth config changes to force reinitialization with new key
+ */ export function resetRequestSigner() {
+    signerInstance = null;
+}
+/**
+ * Check if request signing is available
+ */ export function isSigningAvailable() {
+    return getRequestSigner().isReady();
+}
+/**
+ * Sign an HTTP request if signing is available
+ * Returns the additional headers to add, or empty object if signing is not available
+ */ export function maybeSignRequest(method, url) {
+    var headers = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
+    var signer = getRequestSigner();
+    if (!signer.isReady()) {
+        return {};
+    }
+    try {
+        return signer.signRequest(method, url, headers);
+    } catch (error) {
+        console.error('Warning: Failed to sign request:', error);
+        return {};
+    }
+}