@rigkit/provider-freestyle 0.2.3 → 0.2.4

package/README.md

@@ -4,8 +4,14 @@ Freestyle provider integration for `rig`.
 
 This package supplies:
 
-- `freestyle.provider(...)` for Freestyle VM/snapshot workflow tasks
+- `freestyle.provider(...)` for host Freestyle authentication
 - `freestyle.terminal()` for provider-owned browser terminal sessions targeting Freestyle VMs
+- `providers.freestyle.client` for direct access to the authenticated Freestyle SDK client
+- `providers.freestyle.createSSHOptions(...)` for VM SSH connection options with provider-owned auth handled internally
 - `providers.freestyle.cmux.createSshOptions(...)` and `providers.freestyle.vscode.createUrl(...)` adapter helpers
-- `createFreestyleProvider(...)` for low-level Freestyle VM operations
-- Freestyle-specific JSON state helpers backed by the Rigkit-owned provider storage table
+- Freestyle SDK exports like `VmSpec` and `VmBaseImage`, so configs use one SDK instance for specs and clients
+- Freestyle-specific JSON state helpers backed by Rigkit provider storage
+
+Pass Rigkit's `step.log` to Freestyle SDK calls that accept `logger` to stream SDK progress into the CLI.
+
+By default the provider authenticates through a browser login and stores Freestyle credentials in Rigkit's provider host storage, outside project `.rigkit/state.sqlite`. Pass `auth: { apiKey }` to use API-key auth instead.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigkit/provider-freestyle",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "type": "module",
   "repository": {
     "type": "git",
@@ -16,14 +16,17 @@
     "README.md"
   ],
   "dependencies": {
-    "freestyle": "latest",
     "zod": "^4",
-    "@rigkit/sdk": "0.2.3",
-    "@rigkit/provider-cmux": "0.2.3",
-    "@rigkit/engine": "0.2.3"
+    "@rigkit/sdk": "0.2.4",
+    "@rigkit/engine": "0.2.4",
+    "@rigkit/provider-cmux": "0.2.4"
+  },
+  "peerDependencies": {
+    "freestyle": "^0.1.51"
   },
   "devDependencies": {
     "@types/bun": "latest",
+    "freestyle": "^0.1.51",
     "typescript": "latest"
   },
   "publishConfig": {

package/src/host-auth.test.ts

@@ -0,0 +1,375 @@
+import { afterEach, describe, expect, test } from "bun:test";
+import type {
+  JsonValue,
+  ProviderRuntimeContext,
+  ProviderStorage,
+  ProviderStorageRecord,
+  WorkflowProviderController,
+  WorkflowEvent,
+} from "@rigkit/engine";
+import { FREESTYLE_PROVIDER_ID, freestyleProviderPlugin } from "./index.ts";
+import { createFreestyleProxyFetch } from "./host-auth.ts";
+import type { FreestyleRuntime } from "./provider.ts";
+
+const originalFreestyleApiKey = process.env.FREESTYLE_API_KEY;
+const originalFreestyleTeamId = process.env.FREESTYLE_TEAM_ID;
+
+afterEach(() => {
+  setEnv("FREESTYLE_API_KEY", originalFreestyleApiKey);
+  setEnv("FREESTYLE_TEAM_ID", originalFreestyleTeamId);
+});
+
+describe("Freestyle provider host auth", () => {
+  test("uses explicit API-key auth and stores identity tokens in host storage", async () => {
+    process.env.FREESTYLE_API_KEY = "ignored-env-api-key";
+    delete process.env.FREESTYLE_TEAM_ID;
+
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const requests: Array<{ url: string; method: string; authorization: string | null }> = [];
+    const previousFetch = globalThis.fetch;
+    globalThis.fetch = testFetch((resource, init) => {
+      const url = resourceUrl(resource);
+      const method = init?.method ?? "GET";
+      const authorization = new Headers(init?.headers).get("authorization");
+      requests.push({ url: url.href, method, authorization });
+      if (url.pathname === "/identity/v1/identities" && method === "POST") {
+        return Response.json({ id: "identity-api-key" });
+      }
+      if (url.pathname === "/identity/v1/identities/identity-api-key/tokens" && method === "POST") {
+        return Response.json({ id: "token-id-api-key", token: "ssh-token-api-key" });
+      }
+      return Response.json({ error: "unexpected request" }, { status: 500 });
+    });
+
+    try {
+      const controller = await freestyleProviderPlugin.createProvider({
+        provider: {
+          providerId: FREESTYLE_PROVIDER_ID,
+          config: {
+            auth: { apiKey: "object-api-key" },
+          },
+        },
+        storage: projectStorage,
+        hostStorage,
+        local: { open: async () => {} },
+      });
+
+      expect(projectStorage.entries()).toEqual([]);
+      expect(hostStorage.entries("identity:")).toHaveLength(1);
+      expect(requests).toHaveLength(2);
+
+      const runtime = await (controller as WorkflowProviderController<FreestyleRuntime>).runtime(providerContext([]));
+
+      expect(runtime.client).toBeDefined();
+      expect(hostStorage.entries("identity:")[0]?.value).toMatchObject({
+        identityId: "identity-api-key",
+        tokenId: "token-id-api-key",
+        token: "ssh-token-api-key",
+      });
+      expect(requests).toEqual([
+        {
+          url: "https://api.freestyle.sh/identity/v1/identities",
+          method: "POST",
+          authorization: "Bearer object-api-key",
+        },
+        {
+          url: "https://api.freestyle.sh/identity/v1/identities/identity-api-key/tokens",
+          method: "POST",
+          authorization: "Bearer object-api-key",
+        },
+      ]);
+    } finally {
+      globalThis.fetch = previousFetch;
+    }
+  });
+
+  test("runs browser auth through provider host storage and proxies SDK requests by team", async () => {
+    delete process.env.FREESTYLE_API_KEY;
+    delete process.env.FREESTYLE_TEAM_ID;
+
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const opened: string[] = [];
+    const proxyRequests: unknown[] = [];
+    const previousFetch = globalThis.fetch;
+    globalThis.fetch = testFetch(async (resource, init) => {
+      const url = resourceUrl(resource);
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli") {
+        return Response.json({ polling_code: "poll-code", login_code: "login-code" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli/poll") {
+        return Response.json({ status: "completed", refresh_token: "refresh-token" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/sessions/current/refresh") {
+        return Response.json({ access_token: "stack-access-token", refresh_token: "refresh-token-rotated" });
+      }
+      if (url.href === "https://dash.freestyle.sh/api/proxy/request") {
+        const body = JSON.parse(String(init?.body));
+        proxyRequests.push(body);
+        if (body.data.path === "identity/v1/identities") {
+          return Response.json({ id: "identity-browser" });
+        }
+        if (body.data.path === "identity/v1/identities/identity-browser/tokens") {
+          return Response.json({ id: "token-id-browser", token: "ssh-token-browser" });
+        }
+      }
+      return Response.json({ error: "unexpected request", url: url.href }, { status: 500 });
+    });
+
+    try {
+      const controller = await freestyleProviderPlugin.createProvider({
+        provider: {
+          providerId: FREESTYLE_PROVIDER_ID,
+          config: {
+            auth: {
+              teamId: "team_123",
+            },
+          },
+        },
+        storage: projectStorage,
+        hostStorage,
+        local: {
+          open: async (target) => {
+            opened.push(target);
+          },
+        },
+      });
+
+      expect(opened).toEqual([
+        "https://dash.freestyle.sh/handler/cli-auth-confirm?login_code=login-code",
+      ]);
+      expect(projectStorage.entries()).toEqual([]);
+      expect(hostStorage.entries("stack-auth:")[0]?.value).toMatchObject({
+        refreshToken: "refresh-token-rotated",
+        accessToken: "stack-access-token",
+        defaultTeamId: "team_123",
+      });
+
+      await controller.runtime(providerContext([]));
+
+      expect(hostStorage.entries("identity:")[0]?.value).toMatchObject({
+        identityId: "identity-browser",
+        tokenId: "token-id-browser",
+        token: "ssh-token-browser",
+      });
+      expect(proxyRequests).toEqual([
+        {
+          data: {
+            accessToken: "stack-access-token",
+            teamId: "team_123",
+            path: "identity/v1/identities",
+            method: "POST",
+            headers: expect.any(Object),
+          },
+        },
+        {
+          data: {
+            accessToken: "stack-access-token",
+            teamId: "team_123",
+            path: "identity/v1/identities/identity-browser/tokens",
+            method: "POST",
+            headers: expect.any(Object),
+          },
+        },
+      ]);
+    } finally {
+      globalThis.fetch = previousFetch;
+    }
+  });
+
+  test("ignores ambient FREESTYLE_API_KEY unless API-key auth is configured", async () => {
+    process.env.FREESTYLE_API_KEY = "stale-api-key";
+    delete process.env.FREESTYLE_TEAM_ID;
+
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const opened: string[] = [];
+    const requests: Array<{ url: string; authorization: string | null }> = [];
+    const previousFetch = globalThis.fetch;
+    globalThis.fetch = testFetch(async (resource, init) => {
+      const url = resourceUrl(resource);
+      requests.push({
+        url: url.href,
+        authorization: new Headers(init?.headers).get("authorization"),
+      });
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli") {
+        return Response.json({ polling_code: "poll-code", login_code: "login-code" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli/poll") {
+        return Response.json({ status: "completed", refresh_token: "refresh-token" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/sessions/current/refresh") {
+        return Response.json({ access_token: "stack-access-token", refresh_token: "refresh-token" });
+      }
+      if (url.href === "https://dash.freestyle.sh/api/proxy/request") {
+        const body = JSON.parse(String(init?.body));
+        if (body.data.path === "api/cli/teams") {
+          return Response.json([{ id: "team_123", displayName: "Team" }]);
+        }
+        if (body.data.path === "identity/v1/identities") {
+          return Response.json({ id: "identity-browser" });
+        }
+        if (body.data.path === "identity/v1/identities/identity-browser/tokens") {
+          return Response.json({ id: "token-id-browser", token: "ssh-token-browser" });
+        }
+      }
+      if (url.href === "https://dash.freestyle.sh/api/cli/teams") {
+        return Response.json([{ id: "team_123", displayName: "Team" }]);
+      }
+      return Response.json({ error: "unexpected request", url: url.href }, { status: 500 });
+    });
+
+    try {
+      await freestyleProviderPlugin.createProvider({
+        provider: {
+          providerId: FREESTYLE_PROVIDER_ID,
+          config: {},
+        },
+        storage: projectStorage,
+        hostStorage,
+        local: {
+          open: async (target) => {
+            opened.push(target);
+          },
+        },
+      });
+
+      expect(opened).toEqual([
+        "https://dash.freestyle.sh/handler/cli-auth-confirm?login_code=login-code",
+      ]);
+      expect(requests.some((request) => request.authorization === "Bearer stale-api-key")).toBe(false);
+      expect(hostStorage.entries("identity:")[0]?.value).toMatchObject({
+        identityId: "identity-browser",
+      });
+    } finally {
+      globalThis.fetch = previousFetch;
+    }
+  });
+});
+
+describe("Freestyle provider proxy fetch", () => {
+  test("preserves Freestyle background request semantics through the browser-auth proxy", async () => {
+    const proxyFetch = createFreestyleProxyFetch({
+      dashboardUrl: "https://dash.freestyle.sh",
+      accessToken: "stack-access-token",
+      teamId: "team_123",
+      fetch: testFetch(async (resource, init) => {
+        const url = resourceUrl(resource);
+        expect(url.href).toBe("https://dash.freestyle.sh/api/proxy/request");
+        expect(init?.method).toBe("POST");
+
+        const body = JSON.parse(String(init?.body));
+        expect(body).toMatchObject({
+          data: {
+            accessToken: "stack-access-token",
+            teamId: "team_123",
+            path: "v1/vms",
+            method: "POST",
+          },
+        });
+
+        return Response.json({
+          requestId: "ri_test_123",
+          status: "pending",
+          resultUrl: "/auth/v1/background-requests/ri_test_123",
+          logsUrl: "/observability/v1/logs?requestId=ri_test_123",
+        });
+      }),
+    });
+
+    const response = await proxyFetch("https://api.freestyle.sh/v1/vms", {
+      method: "POST",
+      body: "{}",
+    });
+
+    expect(response.status).toBe(202);
+    expect(response.headers.get("x-freestyle-background-request-id")).toBe("ri_test_123");
+    await expect(response.json()).resolves.toMatchObject({
+      requestId: "ri_test_123",
+      status: "pending",
+    });
+  });
+});
+
+class MemoryProviderStorage implements ProviderStorage {
+  private readonly records = new Map<string, ProviderStorageRecord>();
+
+  constructor(private readonly providerId: string) {}
+
+  get<Value extends JsonValue = JsonValue>(key: string): ProviderStorageRecord<Value> | undefined {
+    return this.records.get(key) as ProviderStorageRecord<Value> | undefined;
+  }
+
+  set<Value extends JsonValue = JsonValue>(key: string, value: Value): ProviderStorageRecord<Value> {
+    const now = new Date().toISOString();
+    const existing = this.records.get(key);
+    const record: ProviderStorageRecord<Value> = {
+      providerId: this.providerId,
+      key,
+      value,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now,
+    };
+    this.records.set(key, record as ProviderStorageRecord);
+    return record;
+  }
+
+  delete(key: string): void {
+    this.records.delete(key);
+  }
+
+  entries(prefix = ""): ProviderStorageRecord[] {
+    return [...this.records.values()]
+      .filter((record) => record.key.startsWith(prefix))
+      .sort((a, b) => a.key.localeCompare(b.key));
+  }
+}
+
+function providerContext(
+  events: WorkflowEvent[],
+  local: Partial<ProviderRuntimeContext["local"]> = {},
+): ProviderRuntimeContext {
+  return {
+    workflow: "workflow",
+    nodePath: "workflow.step",
+    emit: (event) => {
+      events.push(event);
+    },
+    interaction: {
+      present: async () => {
+        throw new Error("unexpected interaction");
+      },
+    },
+    local: {
+      open: async () => {},
+      ...local,
+    },
+    metadata: () => {},
+  };
+}
+
+function testFetch(
+  handler: (
+    resource: Parameters<typeof fetch>[0],
+    init: Parameters<typeof fetch>[1],
+  ) => Response | Promise<Response>,
+): typeof fetch {
+  const fetchFn = (async (resource, init) => await handler(resource, init)) as typeof fetch;
+  fetchFn.preconnect = () => {};
+  return fetchFn;
+}
+
+function resourceUrl(resource: Parameters<typeof fetch>[0]): URL {
+  if (typeof resource === "string") return new URL(resource);
+  if (resource instanceof URL) return resource;
+  return new URL(resource.url);
+}
+
+function setEnv(name: string, value: string | undefined): void {
+  if (value === undefined) {
+    delete process.env[name];
+  } else {
+    process.env[name] = value;
+  }
+}