npm - @promptcellar/pc - Versions diffs - 0.3.3 → 0.4.1 - Mend

@promptcellar/pc 0.3.3 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/README.md +3 -3
package/bin/pc.js +3 -1
package/docs/plans/2026-01-30-wa-auth-integration-design.md +118 -0
package/docs/plans/2026-01-30-wa-auth-integration-plan.md +776 -0
package/hooks/codex-capture.js +16 -3
package/hooks/gemini-capture.js +37 -24
package/hooks/prompt-capture.js +67 -23
package/package.json +4 -4
package/src/commands/login.js +125 -41
package/src/commands/logout.js +6 -0
package/src/commands/push.js +1 -29
package/src/commands/save.js +21 -2
package/src/commands/setup.js +44 -44
package/src/commands/status.js +11 -0
package/src/lib/api.js +0 -1
package/src/lib/config.js +28 -1
package/src/lib/crypto.js +39 -0
package/src/lib/device-transfer.js +43 -0
package/src/lib/keychain.js +80 -0
package/src/lib/websocket.js +2 -6
package/tests/device-login.test.js +121 -0
package/tests/device-transfer.test.js +69 -0
package/tests/keychain.test.js +40 -0

package/README.md CHANGED Viewed

@@ -11,7 +11,7 @@ npm install -g @promptcellar/pc
 ## Quick Start
 ```bash
-# Login with your API key
+# Login via browser authorization
 pc login
 # Set up auto-capture for your AI CLI tools
@@ -26,7 +26,7 @@ pc status
 ### Authentication
 ```bash
-pc login     # Login with your API key
+pc login     # Login via browser authorization
 pc logout    # Remove stored credentials
 pc status    # Show current status and connection info
 ```
@@ -41,7 +41,7 @@ pc unsetup   # Remove auto-capture hooks
 Supported tools (auto-detected during setup):
 - **Claude Code** - via Stop hooks
 - **Codex CLI** - via notify hook
-- **Gemini CLI** - via AfterAgent hook
+- **Gemini CLI** - via BeforeAgent hook
 Coming soon:
 - Cursor

package/bin/pc.js CHANGED Viewed

@@ -13,12 +13,14 @@ import { update } from '../src/commands/update.js';
 program
   .name('pc')
   .description('PromptCellar CLI - sync prompts between your terminal and the cloud')
-  .version('0.3.1');
+  .version('0.4.0');
 program
   .command('login')
   .description('Authenticate with PromptCellar via browser')
   .option('-u, --url <url>', 'API URL (for self-hosted instances)')
+  .option('-a, --account-url <url>', 'Account URL (for self-hosted instances)')
+  .option('-c, --client-id <id>', 'OIDC client ID (default: prompts-prod)')
   .action(login);
 program

package/docs/plans/2026-01-30-wa-auth-integration-design.md ADDED Viewed

@@ -0,0 +1,118 @@
+# wa-auth Integration Design
+## Overview
+Migrate pc-cli authentication from prompt-registry's removed device auth endpoints to wa-auth, and add client-side encryption so captured prompts match prompt-registry's zero-knowledge architecture.
+## Login Flow
+Four stages:
+1. **Device code request** -- CLI calls `POST /device/code` on wa-auth with `{ client_id: "prompts-prod" }`. Gets back `device_code`, `user_code`, and `verification_url`.
+2. **User approval** -- User opens the verification URL in browser, authenticates with their passkey, approves the device. CLI polls `POST /device/poll` with `{ device_code }`.
+3. **JWT received** -- On approval, wa-auth returns `{ status: "approved", access_token: "<JWT>", user_id: "..." }`. The JWT has `aud: "prompts-prod"`, `sub: "<user_id>"`, standard exp/iss claims.
+4. **API key exchange** -- CLI calls `POST /api/v1/auth/device-token` on prompt-registry with `Authorization: Bearer <JWT>` and `{ device_name: "Linux - myhostname" }`. Prompt-registry validates the JWT, auto-revokes any previous key with the same device name, creates a new `pk_*` API key, and returns:
+```json
+{
+  "api_key": "pk_...",
+  "email": "user@example.com",
+  "vault": {
+    "available": true,
+    "encrypted_key": "base64url(...)"
+  }
+}
+```
+If `vault.available` is false, the CLI warns that capture requires vault setup at the web UI.
+## Changes to wa-auth
+Two modifications to the device auth flow:
+1. **`POST /device/code` accepts `client_id`** -- Validates that `client_id` exists in `OIDC_CLIENTS`. Stores `client_id` on the `DeviceAuthRequest` record (new column). Rejects unknown client IDs.
+2. **`POST /device/poll` returns a JWT on approval** -- When status is `approved`, generates a JWT with `sub: user_id`, `aud: client_id` (from the stored device request), `iss: account.weldedanvil.com`, and standard `iat`/`exp`. Returns it as `access_token` alongside `status` and `user_id`.
+The `DeviceAuthRequest` model gets one new field:
+```
+client_id: String(64) -- stored from the initial code request
+```
+No other wa-auth changes needed.
+## Changes to prompt-registry
+One new endpoint:
+**`POST /api/v1/auth/device-token`** -- Exchanges a wa-auth JWT for a `pk_*` API key.
+- Reads JWT from `Authorization: Bearer <jwt>` header
+- Validates with `verify_account_token()` (existing function)
+- Calls `create_or_get_user(sub, email)` to resolve the user
+- Reads `device_name` from the request body
+- Deletes any existing `UserApiKey` with the same `user_id` and `name` (auto-revoke)
+- Creates a new `UserApiKey` with `generate_api_key()`, stores the hash
+- Returns the plaintext key, user email, and vault status
+Vault status is determined by checking if a vault record exists for the user. If it does, returns `encrypted_metadata`. If not, `vault.available` is false.
+No changes to existing endpoints or middleware.
+## Changes to pc-cli
+### `src/commands/login.js` -- Rewritten login flow
+- Calls wa-auth `POST /device/code` with `client_id`
+- Polls wa-auth `POST /device/poll`
+- On approval, exchanges JWT at prompt-registry `POST /api/v1/auth/device-token` with device name
+- Stores API key, vault key, and account URL in config
+- Warns if vault not available
+### `src/lib/config.js` -- New config fields
+- `accountUrl` -- wa-auth base URL (default `https://account.weldedanvil.com`)
+- `vaultKey` -- encrypted vault metadata from login (empty string default)
+- `vaultAvailable` -- boolean, whether capture is enabled
+### `src/lib/crypto.js` -- New file
+- Derives AES-256-GCM key from vault metadata
+- `encryptPrompt(plaintext, key)` returns `{ encrypted_content, content_iv }`
+- Uses Node.js built-in `crypto` module (no new dependencies)
+### Hook scripts -- Updated capture payload
+`hooks/prompt-capture.js`, `codex-capture.js`, `gemini-capture.js`:
+- Check `vaultAvailable` before attempting capture
+- Encrypt prompt content before sending
+- Send `{ encrypted_content, content_iv, context_hash }` instead of plaintext
+### `src/lib/api.js` -- No changes
+Already sends `Authorization: Bearer <key>` which works with `pk_*` keys.
+## Error Handling
+| Scenario | Behavior |
+|----------|----------|
+| Expired JWT during key exchange | 401 from prompt-registry, CLI says re-run `pc login` |
+| Vault not set up | Login succeeds with warning. Hooks silently skip capture. `pc save` shows actionable error. |
+| Vault set up after login | Re-run `pc login` to pick up vault key |
+| API key revoked from web UI | 401 on API calls, existing "Not logged in" error |
+| wa-auth down during login | Connection error, no partial state saved |
+| prompt-registry down during exchange | JWT expires, re-run `pc login` |
+## Out of Scope
+- Search index encryption from CLI (web UI concern)
+- `pc push` decryption (separate effort)
+- Vault creation from CLI (stays in web UI)
+- Token refresh (API keys don't expire)
+- Migration of existing plaintext captures
+- Changes to `pc setup` (hook registration unchanged)