@rigkit/provider-freestyle 0.0.0-canary-20260518T014918-c5bc0c2

package/README.md

@@ -0,0 +1,17 @@
+# @rigkit/provider-freestyle
+
+Freestyle provider integration for `rig`.
+
+This package supplies:
+
+- `freestyle.provider(...)` for host Freestyle authentication
+- `freestyle.terminal()` for provider-owned browser terminal sessions targeting Freestyle VMs
+- `providers.freestyle.client` for direct access to the authenticated Freestyle SDK client
+- `providers.freestyle.createSSHOptions(...)` for VM SSH connection options with provider-owned auth handled internally
+- `providers.freestyle.cmux.createSshOptions(...)` and `providers.freestyle.vscode.createUrl(...)` adapter helpers
+- Freestyle SDK exports like `VmSpec` and `VmBaseImage`, so configs use one SDK instance for specs and clients
+- Freestyle-specific JSON state helpers backed by Rigkit provider storage
+
+Pass `console.log` to Freestyle SDK calls that accept `logger` to stream SDK progress into the CLI. Console output inside a task handler is intercepted by the Rigkit runtime and emitted as leveled `log.output` events.
+
+By default the provider authenticates through a browser login and stores Freestyle credentials in Rigkit's provider host storage, outside project `.rigkit/state.sqlite`. Pass `freestyle.provider({ apiKey })` or `freestyle.provider(apiKey)` to use API-key auth instead.

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@rigkit/provider-freestyle",
+  "version": "0.0.0-canary-20260518T014918-c5bc0c2",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/freestyle-sh/rigkit.git",
+    "directory": "packages/provider-freestyle"
+  },
+  "exports": {
+    ".": "./src/index.ts",
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "src",
+    "README.md"
+  ],
+  "dependencies": {
+    "zod": "^4",
+    "@rigkit/sdk": "0.0.0-canary-20260518T014918-c5bc0c2",
+    "@rigkit/engine": "0.0.0-canary-20260518T014918-c5bc0c2",
+    "@rigkit/provider-cmux": "0.0.0-canary-20260518T014918-c5bc0c2"
+  },
+  "peerDependencies": {
+    "freestyle": "^0.1.51"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "freestyle": "^0.1.51",
+    "typescript": "latest"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc --noEmit",
+    "typecheck": "tsc --noEmit",
+    "test": "bun test"
+  }
+}

package/src/auth.ts

@@ -0,0 +1,24 @@
+declare const freestyleIdentityIdBrand: unique symbol;
+declare const freestyleTokenIdBrand: unique symbol;
+declare const freestyleTokenBrand: unique symbol;
+
+export type FreestyleIdentityId = string & { readonly [freestyleIdentityIdBrand]: true };
+export type FreestyleTokenId = string & { readonly [freestyleTokenIdBrand]: true };
+export type FreestyleToken = string & { readonly [freestyleTokenBrand]: true };
+
+export function freestyleIdentityId(value: string): FreestyleIdentityId {
+  return nonEmpty(value, "Freestyle identity id") as FreestyleIdentityId;
+}
+
+export function freestyleTokenId(value: string): FreestyleTokenId {
+  return nonEmpty(value, "Freestyle token id") as FreestyleTokenId;
+}
+
+export function freestyleToken(value: string): FreestyleToken {
+  return nonEmpty(value, "Freestyle token") as FreestyleToken;
+}
+
+function nonEmpty(value: string, label: string): string {
+  if (!value) throw new Error(`${label} must be a non-empty string`);
+  return value;
+}

package/src/host-auth.test.ts

@@ -0,0 +1,484 @@
+import { afterEach, describe, expect, test } from "bun:test";
+import type {
+  JsonValue,
+  ProviderRuntimeContext,
+  ProviderStorage,
+  ProviderStorageRecord,
+  WorkflowProviderController,
+  WorkflowEvent,
+} from "@rigkit/engine";
+import { FREESTYLE_PROVIDER_ID, freestyle, freestyleProviderPlugin } from "./index.ts";
+import { createFreestyleProxyFetch } from "./host-auth.ts";
+import type { FreestyleRuntime } from "./provider.ts";
+import { RIGKIT_PROVIDER_FREESTYLE_VERSION } from "./version.ts";
+
+const originalFreestyleApiKey = process.env.FREESTYLE_API_KEY;
+const originalFreestyleTeamId = process.env.FREESTYLE_TEAM_ID;
+
+afterEach(() => {
+  setEnv("FREESTYLE_API_KEY", originalFreestyleApiKey);
+  setEnv("FREESTYLE_TEAM_ID", originalFreestyleTeamId);
+});
+
+describe("Freestyle provider host auth", () => {
+  test("accepts an API key as the provider shorthand", () => {
+    expect(freestyle.provider("shorthand-api-key").config).toEqual({
+      apiKey: "shorthand-api-key",
+    });
+  });
+
+  test("rejects the old nested auth config shape", async () => {
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+
+    await expect(freestyleProviderPlugin.createProvider({
+      provider: {
+        providerId: FREESTYLE_PROVIDER_ID,
+        config: {
+          auth: { apiKey: "nested-api-key" },
+        },
+      },
+      storage: projectStorage,
+      hostStorage,
+      local: { open: async () => {} },
+    })).rejects.toThrow("Invalid Freestyle provider config");
+  });
+
+  test("uses explicit API-key auth and stores identity tokens in host storage", async () => {
+    process.env.FREESTYLE_API_KEY = "ignored-env-api-key";
+    delete process.env.FREESTYLE_TEAM_ID;
+
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const requests: Array<{
+      url: string;
+      method: string;
+      authorization: string | null;
+      rigkit: string | null;
+      rigkitVersion: string | null;
+    }> = [];
+    const previousFetch = globalThis.fetch;
+    globalThis.fetch = testFetch((resource, init) => {
+      const url = resourceUrl(resource);
+      const method = init?.method ?? "GET";
+      const headers = new Headers(init?.headers);
+      requests.push({
+        url: url.href,
+        method,
+        authorization: headers.get("authorization"),
+        rigkit: headers.get("x-rigkit"),
+        rigkitVersion: headers.get("x-rigkit-version"),
+      });
+      if (url.pathname === "/identity/v1/identities" && method === "POST") {
+        return Response.json({ id: "identity-api-key" });
+      }
+      if (url.pathname === "/identity/v1/identities/identity-api-key/tokens" && method === "POST") {
+        return Response.json({ id: "token-id-api-key", token: "ssh-token-api-key" });
+      }
+      return Response.json({ error: "unexpected request" }, { status: 500 });
+    });
+
+    try {
+      const controller = await freestyleProviderPlugin.createProvider({
+        provider: {
+          providerId: FREESTYLE_PROVIDER_ID,
+          config: {
+            apiKey: "object-api-key",
+          },
+        },
+        storage: projectStorage,
+        hostStorage,
+        local: { open: async () => {} },
+      });
+
+      expect(projectStorage.entries()).toEqual([]);
+      expect(hostStorage.entries("identity:")).toHaveLength(1);
+      expect(requests).toHaveLength(2);
+
+      const runtime = await (controller as WorkflowProviderController<FreestyleRuntime>).runtime(providerContext([]));
+
+      expect(runtime.client).toBeDefined();
+      expect(hostStorage.entries("identity:")[0]?.value).toMatchObject({
+        identityId: "identity-api-key",
+        tokenId: "token-id-api-key",
+        token: "ssh-token-api-key",
+      });
+      expect(requests).toEqual([
+        {
+          url: "https://api.freestyle.sh/identity/v1/identities",
+          method: "POST",
+          authorization: "Bearer object-api-key",
+          rigkit: "true",
+          rigkitVersion: RIGKIT_PROVIDER_FREESTYLE_VERSION,
+        },
+        {
+          url: "https://api.freestyle.sh/identity/v1/identities/identity-api-key/tokens",
+          method: "POST",
+          authorization: "Bearer object-api-key",
+          rigkit: "true",
+          rigkitVersion: RIGKIT_PROVIDER_FREESTYLE_VERSION,
+        },
+      ]);
+    } finally {
+      globalThis.fetch = previousFetch;
+    }
+  });
+
+  test("runs browser auth through provider host storage and proxies SDK requests by team", async () => {
+    delete process.env.FREESTYLE_API_KEY;
+    delete process.env.FREESTYLE_TEAM_ID;
+
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const opened: string[] = [];
+    const proxyRequests: unknown[] = [];
+    const previousFetch = globalThis.fetch;
+    globalThis.fetch = testFetch(async (resource, init) => {
+      const url = resourceUrl(resource);
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli") {
+        return Response.json({ polling_code: "poll-code", login_code: "login-code" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli/poll") {
+        return Response.json({ status: "completed", refresh_token: "refresh-token" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/sessions/current/refresh") {
+        return Response.json({ access_token: "stack-access-token", refresh_token: "refresh-token-rotated" });
+      }
+      if (url.href === "https://dash.freestyle.sh/api/proxy/request") {
+        const body = JSON.parse(String(init?.body));
+        proxyRequests.push(body);
+        if (body.data.path === "identity/v1/identities") {
+          return Response.json({ id: "identity-browser" });
+        }
+        if (body.data.path === "identity/v1/identities/identity-browser/tokens") {
+          return Response.json({ id: "token-id-browser", token: "ssh-token-browser" });
+        }
+      }
+      return Response.json({ error: "unexpected request", url: url.href }, { status: 500 });
+    });
+
+    try {
+      const controller = await freestyleProviderPlugin.createProvider({
+        provider: {
+          providerId: FREESTYLE_PROVIDER_ID,
+          config: {
+            teamId: "team_123",
+          },
+        },
+        storage: projectStorage,
+        hostStorage,
+        local: {
+          open: async (target) => {
+            opened.push(target);
+          },
+        },
+      });
+
+      expect(opened).toEqual([
+        "https://dash.freestyle.sh/handler/cli-auth-confirm?login_code=login-code",
+      ]);
+      expect(projectStorage.entries()).toEqual([]);
+      expect(hostStorage.entries("stack-auth:")[0]?.value).toMatchObject({
+        refreshToken: "refresh-token-rotated",
+        accessToken: "stack-access-token",
+        defaultTeamId: "team_123",
+      });
+
+      await controller.runtime(providerContext([]));
+
+      expect(hostStorage.entries("identity:")[0]?.value).toMatchObject({
+        identityId: "identity-browser",
+        tokenId: "token-id-browser",
+        token: "ssh-token-browser",
+      });
+      expect(proxyRequests).toEqual([
+        {
+          data: {
+            accessToken: "stack-access-token",
+            teamId: "team_123",
+            path: "identity/v1/identities",
+            method: "POST",
+            headers: expect.objectContaining({
+              "x-rigkit": "true",
+              "x-rigkit-version": RIGKIT_PROVIDER_FREESTYLE_VERSION,
+            }),
+          },
+        },
+        {
+          data: {
+            accessToken: "stack-access-token",
+            teamId: "team_123",
+            path: "identity/v1/identities/identity-browser/tokens",
+            method: "POST",
+            headers: expect.objectContaining({
+              "x-rigkit": "true",
+              "x-rigkit-version": RIGKIT_PROVIDER_FREESTYLE_VERSION,
+            }),
+          },
+        },
+      ]);
+    } finally {
+      globalThis.fetch = previousFetch;
+    }
+  });
+
+  test("ignores ambient FREESTYLE_API_KEY unless API-key auth is configured", async () => {
+    process.env.FREESTYLE_API_KEY = "stale-api-key";
+    delete process.env.FREESTYLE_TEAM_ID;
+
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const opened: string[] = [];
+    const requests: Array<{ url: string; authorization: string | null }> = [];
+    const previousFetch = globalThis.fetch;
+    globalThis.fetch = testFetch(async (resource, init) => {
+      const url = resourceUrl(resource);
+      requests.push({
+        url: url.href,
+        authorization: new Headers(init?.headers).get("authorization"),
+      });
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli") {
+        return Response.json({ polling_code: "poll-code", login_code: "login-code" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli/poll") {
+        return Response.json({ status: "completed", refresh_token: "refresh-token" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/sessions/current/refresh") {
+        return Response.json({ access_token: "stack-access-token", refresh_token: "refresh-token" });
+      }
+      if (url.href === "https://dash.freestyle.sh/api/proxy/request") {
+        const body = JSON.parse(String(init?.body));
+        if (body.data.path === "api/cli/teams") {
+          return Response.json([{ id: "team_123", displayName: "Team" }]);
+        }
+        if (body.data.path === "identity/v1/identities") {
+          return Response.json({ id: "identity-browser" });
+        }
+        if (body.data.path === "identity/v1/identities/identity-browser/tokens") {
+          return Response.json({ id: "token-id-browser", token: "ssh-token-browser" });
+        }
+      }
+      if (url.href === "https://dash.freestyle.sh/api/cli/teams") {
+        return Response.json([{ id: "team_123", displayName: "Team" }]);
+      }
+      return Response.json({ error: "unexpected request", url: url.href }, { status: 500 });
+    });
+
+    try {
+      await freestyleProviderPlugin.createProvider({
+        provider: {
+          providerId: FREESTYLE_PROVIDER_ID,
+          config: {},
+        },
+        storage: projectStorage,
+        hostStorage,
+        local: {
+          open: async (target) => {
+            opened.push(target);
+          },
+        },
+      });
+
+      expect(opened).toEqual([
+        "https://dash.freestyle.sh/handler/cli-auth-confirm?login_code=login-code",
+      ]);
+      expect(requests.some((request) => request.authorization === "Bearer stale-api-key")).toBe(false);
+      expect(hostStorage.entries("identity:")[0]?.value).toMatchObject({
+        identityId: "identity-browser",
+      });
+    } finally {
+      globalThis.fetch = previousFetch;
+    }
+  });
+});
+
+describe("Freestyle provider proxy fetch", () => {
+  test("preserves Freestyle background request semantics through the browser-auth proxy", async () => {
+    const proxyFetch = createFreestyleProxyFetch({
+      dashboardUrl: "https://dash.freestyle.sh",
+      accessToken: "stack-access-token",
+      teamId: "team_123",
+      fetch: testFetch(async (resource, init) => {
+        const url = resourceUrl(resource);
+        expect(url.href).toBe("https://dash.freestyle.sh/api/proxy/request");
+        expect(init?.method).toBe("POST");
+        expect(new Headers(init?.headers).get("x-rigkit")).toBe("true");
+        expect(new Headers(init?.headers).get("x-rigkit-version")).toBe(RIGKIT_PROVIDER_FREESTYLE_VERSION);
+
+        const body = JSON.parse(String(init?.body));
+        expect(body).toMatchObject({
+          data: {
+            accessToken: "stack-access-token",
+            teamId: "team_123",
+            path: "v1/vms",
+            method: "POST",
+            headers: {
+              "x-rigkit": "true",
+              "x-rigkit-version": RIGKIT_PROVIDER_FREESTYLE_VERSION,
+            },
+          },
+        });
+
+        return Response.json({
+          requestId: "ri_test_123",
+          status: "pending",
+          resultUrl: "/auth/v1/background-requests/ri_test_123",
+          logsUrl: "/observability/v1/logs?requestId=ri_test_123",
+        });
+      }),
+    });
+
+    const response = await proxyFetch("https://api.freestyle.sh/v1/vms", {
+      method: "POST",
+      body: "{}",
+    });
+
+    expect(response.status).toBe(202);
+    expect(response.headers.get("x-freestyle-background-request-id")).toBe("ri_test_123");
+    await expect(response.json()).resolves.toMatchObject({
+      requestId: "ri_test_123",
+      status: "pending",
+    });
+  });
+
+  test("preserves proxy error details for run logs", async () => {
+    const proxyFetch = createFreestyleProxyFetch({
+      dashboardUrl: "https://dash.freestyle.sh",
+      accessToken: "stack-access-token",
+      teamId: "team_123",
+      fetch: testFetch(async () =>
+        Response.json({
+          error: "VM setup failed",
+          requestId: "req_123",
+          logs: ["failed to boot base image"],
+          accessToken: "secret-token",
+        }, { status: 500 })
+      ),
+    });
+
+    const response = await proxyFetch("https://api.freestyle.sh/v1/vms", {
+      method: "POST",
+      body: "{}",
+    });
+
+    expect(response.status).toBe(500);
+    await expect(response.json()).resolves.toEqual({
+      code: "INTERNAL_ERROR",
+      message: "VM setup failed",
+      details: {
+        error: "VM setup failed",
+        requestId: "req_123",
+        logs: ["failed to boot base image"],
+        accessToken: "[redacted]",
+      },
+    });
+  });
+
+  test("redacts sensitive fields on coded proxy errors", async () => {
+    const proxyFetch = createFreestyleProxyFetch({
+      dashboardUrl: "https://dash.freestyle.sh",
+      accessToken: "stack-access-token",
+      teamId: "team_123",
+      fetch: testFetch(async () =>
+        Response.json({
+          code: "INTERNAL_ERROR",
+          message: "Internal server error",
+          requestId: "req_123",
+          accessToken: "secret-token",
+        }, { status: 500 })
+      ),
+    });
+
+    const response = await proxyFetch("https://api.freestyle.sh/v1/vms");
+
+    expect(response.status).toBe(500);
+    await expect(response.json()).resolves.toEqual({
+      code: "INTERNAL_ERROR",
+      message: "Internal server error",
+      requestId: "req_123",
+      accessToken: "[redacted]",
+    });
+  });
+});
+
+class MemoryProviderStorage implements ProviderStorage {
+  private readonly records = new Map<string, ProviderStorageRecord>();
+
+  constructor(private readonly providerId: string) {}
+
+  get<Value extends JsonValue = JsonValue>(key: string): ProviderStorageRecord<Value> | undefined {
+    return this.records.get(key) as ProviderStorageRecord<Value> | undefined;
+  }
+
+  set<Value extends JsonValue = JsonValue>(key: string, value: Value): ProviderStorageRecord<Value> {
+    const now = new Date().toISOString();
+    const existing = this.records.get(key);
+    const record: ProviderStorageRecord<Value> = {
+      providerId: this.providerId,
+      key,
+      value,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now,
+    };
+    this.records.set(key, record as ProviderStorageRecord);
+    return record;
+  }
+
+  delete(key: string): void {
+    this.records.delete(key);
+  }
+
+  entries(prefix = ""): ProviderStorageRecord[] {
+    return [...this.records.values()]
+      .filter((record) => record.key.startsWith(prefix))
+      .sort((a, b) => a.key.localeCompare(b.key));
+  }
+}
+
+function providerContext(
+  events: WorkflowEvent[],
+  local: Partial<ProviderRuntimeContext["local"]> = {},
+): ProviderRuntimeContext {
+  return {
+    workflow: "workflow",
+    nodePath: "workflow.step",
+    emit: (event) => {
+      events.push(event);
+    },
+    interaction: {
+      present: async () => {
+        throw new Error("unexpected interaction");
+      },
+    },
+    local: {
+      open: async () => {},
+      ...local,
+    },
+    metadata: () => {},
+  };
+}
+
+function testFetch(
+  handler: (
+    resource: Parameters<typeof fetch>[0],
+    init: Parameters<typeof fetch>[1],
+  ) => Response | Promise<Response>,
+): typeof fetch {
+  const fetchFn = (async (resource, init) => await handler(resource, init)) as typeof fetch;
+  fetchFn.preconnect = () => {};
+  return fetchFn;
+}
+
+function resourceUrl(resource: Parameters<typeof fetch>[0]): URL {
+  if (typeof resource === "string") return new URL(resource);
+  if (resource instanceof URL) return resource;
+  return new URL(resource.url);
+}
+
+function setEnv(name: string, value: string | undefined): void {
+  if (value === undefined) {
+    delete process.env[name];
+  } else {
+    process.env[name] = value;
+  }
+}