@unifiedmemory/cli 1.0.0

package/commands/login.js

@@ -0,0 +1,390 @@
+import http from 'http';
+import { URL } from 'url';
+import open from 'open';
+import chalk from 'chalk';
+import crypto from 'crypto';
+import inquirer from 'inquirer';
+import { config, validateConfig } from '../lib/config.js';
+import { saveToken, updateSelectedOrg } from '../lib/token-storage.js';
+import { getUserOrganizations, getOrganizationsFromToken, formatOrganization, getOrgScopedToken } from '../lib/clerk-api.js';
+
+function generateRandomState() {
+  return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
+}
+
+function base64URLEncode(buffer) {
+  return buffer.toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+}
+
+function sha256(buffer) {
+  return crypto.createHash('sha256').update(buffer).digest();
+}
+
+function generatePKCE() {
+  const verifier = base64URLEncode(crypto.randomBytes(32));
+  const challenge = base64URLEncode(sha256(verifier));
+  return { verifier, challenge };
+}
+
+function parseJWT(token) {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+      return null;
+    }
+    const payload = Buffer.from(parts[1], 'base64').toString('utf8');
+    return JSON.parse(payload);
+  } catch (error) {
+    return null;
+  }
+}
+
+/**
+ * Prompt user to select an organization context
+ * @param {Array} memberships - Array of organization memberships
+ * @returns {Promise<Object|null>} Selected organization data or null for personal context
+ */
+async function selectOrganization(memberships) {
+  console.log(chalk.blue('\n🔍 Checking for organizations...'));
+
+  if (memberships.length === 0) {
+    console.log(chalk.gray('No organizations found. Using personal account context.'));
+    return null;
+  }
+
+  console.log(chalk.green(`\nFound ${memberships.length} organization(s)!`));
+
+  // Debug: Log raw memberships
+  console.log(chalk.gray('\nRaw memberships data:'));
+  console.log(JSON.stringify(memberships, null, 2));
+
+  // Format organizations for display
+  const formattedOrgs = memberships.map(formatOrganization);
+
+  // Print numbered list
+  console.log(chalk.cyan('\n📋 Available contexts:\n'));
+
+  formattedOrgs.forEach((org, index) => {
+    console.log(chalk.green(`  ${index + 1}. ${org.name}`) + chalk.gray(` (${org.slug})`) + chalk.yellow(` [${org.role}]`));
+  });
+
+  console.log(chalk.cyan(`  ${formattedOrgs.length + 1}. Personal Account`) + chalk.gray(' (no organization)'));
+
+  // Simple input prompt
+  const answer = await inquirer.prompt([
+    {
+      type: 'input',
+      name: 'selection',
+      message: `Choose context (1-${formattedOrgs.length + 1}):`,
+      default: '1',
+      validate: (input) => {
+        const num = parseInt(input, 10);
+        if (isNaN(num) || num < 1 || num > formattedOrgs.length + 1) {
+          return `Please enter a number between 1 and ${formattedOrgs.length + 1}`;
+        }
+        return true;
+      },
+    },
+  ]);
+
+  const selectedIndex = parseInt(answer.selection, 10) - 1;
+
+  // If they selected beyond orgs list, that's personal account (null)
+  if (selectedIndex >= formattedOrgs.length) {
+    return null;
+  }
+
+  return formattedOrgs[selectedIndex];
+}
+
+export async function login() {
+  validateConfig();
+
+  const state = generateRandomState();
+  const pkce = generatePKCE();
+
+  // Build OAuth2 authorization URL with PKCE
+  const authUrl = new URL(`https://${config.clerkDomain}/oauth/authorize`);
+  authUrl.searchParams.append('client_id', config.clerkClientId);
+  authUrl.searchParams.append('redirect_uri', config.redirectUri);
+  authUrl.searchParams.append('response_type', 'code');
+  authUrl.searchParams.append('scope', 'openid profile email');
+  authUrl.searchParams.append('state', state);
+  authUrl.searchParams.append('code_challenge', pkce.challenge);
+  authUrl.searchParams.append('code_challenge_method', 'S256');
+
+  console.log(chalk.blue('🔐 Starting OAuth2 authentication flow...'));
+  console.log(chalk.gray(`Opening browser to: ${authUrl.toString()}`));
+
+  return new Promise((resolve, reject) => {
+    const server = http.createServer(async (req, res) => {
+      const url = new URL(req.url, `http://localhost:${config.port}`);
+
+      if (url.pathname === '/callback') {
+        const code = url.searchParams.get('code');
+        const returnedState = url.searchParams.get('state');
+        const error = url.searchParams.get('error');
+
+        if (error) {
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end(`
+            <html>
+              <body style="font-family: system-ui; padding: 2rem; text-align: center;">
+                <h1>❌ Authentication Failed</h1>
+                <p>Error: ${error}</p>
+                <p>You can close this window.</p>
+              </body>
+            </html>
+          `);
+          server.close();
+          reject(new Error(`Authentication error: ${error}`));
+          return;
+        }
+
+        if (returnedState !== state) {
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end(`
+            <html>
+              <body style="font-family: system-ui; padding: 2rem; text-align: center;">
+                <h1>❌ Invalid State</h1>
+                <p>Security validation failed. Please try again.</p>
+                <p>You can close this window.</p>
+              </body>
+            </html>
+          `);
+          server.close();
+          reject(new Error('State mismatch - possible CSRF attack'));
+          return;
+        }
+
+        if (!code) {
+          res.writeHead(400, { 'Content-Type': 'text/html' });
+          res.end(`
+            <html>
+              <body style="font-family: system-ui; padding: 2rem; text-align: center;">
+                <h1>❌ No Authorization Code</h1>
+                <p>No authorization code received.</p>
+                <p>You can close this window.</p>
+              </body>
+            </html>
+          `);
+          server.close();
+          reject(new Error('No authorization code received'));
+          return;
+        }
+
+        try {
+          // Exchange code for token
+          console.log(chalk.yellow('🔄 Exchanging authorization code for token...'));
+
+          const tokenParams = {
+            client_id: config.clerkClientId,
+            code: code,
+            redirect_uri: config.redirectUri,
+            grant_type: 'authorization_code',
+            code_verifier: pkce.verifier,
+          };
+
+          // Add client secret if provided (Clerk requires it even with PKCE)
+          if (config.clerkClientSecret) {
+            tokenParams.client_secret = config.clerkClientSecret;
+          }
+
+          const tokenResponse = await fetch(`https://${config.clerkDomain}/oauth/token`, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: new URLSearchParams(tokenParams),
+          });
+
+          if (!tokenResponse.ok) {
+            const errorText = await tokenResponse.text();
+            throw new Error(`Token exchange failed: ${tokenResponse.status} - ${errorText}`);
+          }
+
+          const tokenData = await tokenResponse.json();
+
+          // Debug: Log the token response structure
+          console.log(chalk.gray('\nToken response keys:'), Object.keys(tokenData));
+
+          // Send success response to browser first
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(`
+            <html>
+              <body style="font-family: system-ui; padding: 2rem; text-align: center;">
+                <h1 style="color: #10B981;">✅ Authentication Successful!</h1>
+                <p>You have successfully authenticated with Clerk.</p>
+                <p>You can close this window and return to the CLI.</p>
+                <script>setTimeout(() => window.close(), 3000);</script>
+              </body>
+            </html>
+          `);
+
+          // Parse JWT to show user info - try both access_token and id_token
+          const tokenToParse = tokenData.id_token || tokenData.access_token;
+          console.log(chalk.gray('Parsing token type:'), tokenData.id_token ? 'id_token' : 'access_token');
+
+          const decoded = parseJWT(tokenToParse);
+
+          if (!decoded) {
+            console.log(chalk.yellow('⚠️  Could not parse JWT token'));
+            console.log(chalk.gray('Token preview:'), tokenToParse ? tokenToParse.substring(0, 50) + '...' : 'null');
+          } else {
+            // Debug: Show JWT claims to see what's available
+            console.log(chalk.gray('\nJWT Claims:'));
+            console.log(chalk.gray(JSON.stringify(decoded, null, 2)));
+          }
+
+          // Debug: Show token previews to understand format
+          console.log(chalk.gray('\nToken previews:'));
+          if (tokenData.access_token) {
+            console.log(chalk.gray('  Access token:'), tokenData.access_token.substring(0, 50) + '...');
+          }
+          if (tokenData.id_token) {
+            console.log(chalk.gray('  ID token:'), tokenData.id_token.substring(0, 50) + '...');
+          }
+
+          // Save token (save both access_token and id_token if available)
+          saveToken({
+            accessToken: tokenData.access_token,
+            idToken: tokenData.id_token,
+            refresh_token: tokenData.refresh_token,
+            tokenType: tokenData.token_type || 'Bearer',
+            expiresIn: tokenData.expires_in,
+            receivedAt: Date.now(),
+            decoded: decoded
+          });
+
+          console.log(chalk.green('\n✅ Authentication successful!'));
+          if (decoded) {
+            console.log(chalk.gray('\nToken information:'));
+            console.log(chalk.gray(`  User ID: ${decoded.sub || 'N/A'}`));
+            console.log(chalk.gray(`  Email: ${decoded.email || 'N/A'}`));
+            console.log(chalk.gray(`  Issued at: ${decoded.iat ? new Date(decoded.iat * 1000).toLocaleString() : 'N/A'}`));
+            console.log(chalk.gray(`  Expires at: ${decoded.exp ? new Date(decoded.exp * 1000).toLocaleString() : 'N/A'}`));
+
+            if (decoded.scope) {
+              console.log(chalk.gray(`  Scopes: ${decoded.scope}`));
+            }
+          }
+
+          // Close server first
+          server.close(async () => {
+            console.log(chalk.gray('✓ Callback server closed'));
+
+            // Prompt for organization selection
+            try {
+              const userId = decoded?.sub;
+              if (userId) {
+                // First try to get organizations from JWT token
+                let memberships = getOrganizationsFromToken(decoded);
+
+                // If not in JWT, fetch from Clerk Frontend API
+                if (memberships.length === 0) {
+                  const sessionToken = tokenData.id_token || tokenData.access_token;
+                  memberships = await getUserOrganizations(userId, sessionToken);
+                }
+
+                const selectedOrg = await selectOrganization(memberships);
+
+                if (selectedOrg) {
+                  // Get org-scoped JWT from Clerk
+                  try {
+                    console.log(chalk.cyan('\n🔄 Getting organization-scoped token...'));
+
+                    const sessionId = decoded.sid;
+                    if (!sessionId) {
+                      throw new Error('No session ID found in token');
+                    }
+
+                    const orgToken = await getOrgScopedToken(
+                      sessionId,
+                      selectedOrg.id,
+                      tokenData.id_token
+                    );
+
+                    // Update saved token with org-scoped version
+                    saveToken({
+                      accessToken: tokenData.access_token,
+                      idToken: orgToken.jwt,
+                      refresh_token: tokenData.refresh_token,
+                      tokenType: 'Bearer',
+                      expiresIn: tokenData.expires_in,
+                      receivedAt: Date.now(),
+                      decoded: parseJWT(orgToken.jwt),
+                      selectedOrg: selectedOrg
+                    });
+
+                    console.log(chalk.green(`\n✅ Using organization context: ${chalk.bold(selectedOrg.name)}`));
+                    console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
+                    console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
+                    console.log(chalk.gray('   ✓ Token updated with organization context'));
+                  } catch (error) {
+                    console.error(chalk.yellow('\n⚠️  Failed to get org-scoped token:'), error.message);
+                    console.log(chalk.gray('   Continuing with original token (may have limited org access)'));
+
+                    // Fall back to updating selected org without new token
+                    updateSelectedOrg(selectedOrg);
+
+                    console.log(chalk.green(`\n✅ Using organization context: ${chalk.bold(selectedOrg.name)}`));
+                    console.log(chalk.gray(`   Organization ID: ${selectedOrg.id}`));
+                    console.log(chalk.gray(`   Your role: ${selectedOrg.role}`));
+                  }
+                } else {
+                  console.log(chalk.green('\n✅ Using personal account context'));
+                }
+
+                console.log(chalk.gray('\nYou can switch organizations anytime with: um org switch'));
+              }
+            } catch (error) {
+              console.log(chalk.yellow('\n⚠️  Could not fetch organizations. Continuing with personal account context.'));
+              console.log(chalk.gray(`Error: ${error.message}`));
+            }
+
+            resolve(tokenData);
+          });
+        } catch (error) {
+          console.error(chalk.red('Token exchange error:'), error.message);
+
+          res.writeHead(500, { 'Content-Type': 'text/html' });
+          res.end(`
+            <html>
+              <body style="font-family: system-ui; padding: 2rem; text-align: center;">
+                <h1>❌ Token Exchange Failed</h1>
+                <p>${error.message}</p>
+                <p>You can close this window.</p>
+              </body>
+            </html>
+          `);
+
+          server.close();
+          reject(error);
+        }
+      } else {
+        res.writeHead(404, { 'Content-Type': 'text/plain' });
+        res.end('Not Found');
+      }
+    });
+
+    server.listen(config.port, () => {
+      console.log(chalk.gray(`✓ Local callback server running on port ${config.port}`));
+      console.log(chalk.yellow('\n👉 Please complete the authentication in your browser...'));
+
+      // Open browser
+      open(authUrl.toString()).catch(err => {
+        console.log(chalk.yellow('\nCouldn\'t open browser automatically. Please open this URL manually:'));
+        console.log(chalk.cyan(authUrl.toString()));
+      });
+    });
+
+    // Timeout after 5 minutes
+    setTimeout(() => {
+      server.close();
+      reject(new Error('Authentication timeout - please try again'));
+    }, 5 * 60 * 1000);
+  });
+}

package/commands/org.js

@@ -0,0 +1,111 @@
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import { updateSelectedOrg, getSelectedOrg } from '../lib/token-storage.js';
+import { loadAndRefreshToken } from '../lib/token-validation.js';
+import { getUserOrganizations, getOrganizationsFromToken, formatOrganization } from '../lib/clerk-api.js';
+
+/**
+ * Switch organization context
+ */
+export async function switchOrg() {
+  // Load token and refresh if expired
+  const tokenData = await loadAndRefreshToken();
+
+  const userId = tokenData.decoded?.sub;
+  const accessToken = tokenData.idToken || tokenData.accessToken;
+
+  if (!userId || !accessToken) {
+    console.error(chalk.red('❌ Invalid session'));
+    console.log(chalk.gray('Run `um login` to re-authenticate'));
+    process.exit(1);
+  }
+
+  console.log(chalk.blue('\n🔍 Fetching organizations...'));
+
+  // First try to get organizations from JWT token
+  let memberships = tokenData.decoded
+    ? getOrganizationsFromToken(tokenData.decoded)
+    : [];
+
+  // If not in JWT, fetch from Clerk Frontend API
+  if (memberships.length === 0) {
+    const sessionToken = accessToken;
+    memberships = await getUserOrganizations(userId, sessionToken);
+  }
+
+  if (memberships.length === 0) {
+    console.log(chalk.yellow('\n⚠️  No organizations found'));
+    console.log(chalk.gray('You are using a personal account context.'));
+    console.log(chalk.gray('Create an organization at https://unifiedmemory.ai to collaborate with your team.'));
+    process.exit(0);
+  }
+
+  console.log(chalk.green(`\nFound ${memberships.length} organization(s)!`));
+
+  // Format organizations for display
+  const formattedOrgs = memberships.map(formatOrganization);
+
+  // Get current selection
+  const currentOrg = getSelectedOrg();
+  const currentOrgId = currentOrg?.id;
+
+  // Build choices for inquirer
+  const choices = [
+    {
+      name: chalk.cyan('Personal Account') + chalk.gray(' (no organization)') + (currentOrgId ? '' : chalk.green(' ← current')),
+      value: null,
+      short: 'Personal Account',
+    },
+    new inquirer.Separator(chalk.gray('--- Organizations ---')),
+    ...formattedOrgs.map(org => ({
+      name: `${chalk.green(org.name)} ${chalk.gray(`(${org.slug})`)} ${chalk.yellow(`[${org.role}]`)}${org.id === currentOrgId ? chalk.green(' ← current') : ''}`,
+      value: org,
+      short: org.name,
+    })),
+  ];
+
+  // Prompt user to select
+  const answer = await inquirer.prompt([
+    {
+      type: 'list',
+      name: 'organization',
+      message: 'Select account context:',
+      choices: choices,
+      pageSize: 15,
+      default: currentOrgId ? formattedOrgs.findIndex(org => org.id === currentOrgId) + 2 : 0, // +2 for personal + separator
+    },
+  ]);
+
+  // Update selected organization
+  updateSelectedOrg(answer.organization);
+
+  if (answer.organization) {
+    console.log(chalk.green(`\n✅ Switched to organization: ${chalk.bold(answer.organization.name)}`));
+    console.log(chalk.gray(`   Organization ID: ${answer.organization.id}`));
+    console.log(chalk.gray(`   Your role: ${answer.organization.role}`));
+  } else {
+    console.log(chalk.green('\n✅ Switched to personal account context'));
+  }
+
+  console.log(chalk.gray('\nRun `um status` to verify your current context'));
+}
+
+/**
+ * Show current organization
+ */
+export async function showOrg() {
+  const selectedOrg = getSelectedOrg();
+
+  console.log(chalk.blue('\n📋 Current Organization Context\n'));
+
+  if (selectedOrg) {
+    console.log(chalk.green(`  ${selectedOrg.name} (${selectedOrg.slug})`));
+    console.log(chalk.gray(`  ID: ${selectedOrg.id}`));
+    console.log(chalk.gray(`  Role: ${selectedOrg.role}`));
+  } else {
+    console.log(chalk.cyan('  Personal Account'));
+    console.log(chalk.gray('  (no organization selected)'));
+  }
+
+  console.log(chalk.gray('\nRun `um org switch` to change organization\n'));
+}

package/commands/record.js

@@ -0,0 +1,114 @@
+import chalk from 'chalk';
+import fs from 'fs';
+import path from 'path';
+import { loadAndRefreshToken } from '../lib/token-validation.js';
+import { callRemoteMCPTool } from '../lib/mcp-proxy.js';
+
+/**
+ * Record a note to the vault
+ * @param {string} summary - Note summary text
+ * @param {Object} options - Command options
+ */
+export async function record(summary, options = {}) {
+  try {
+    // 1. Validate authentication and refresh if expired
+    const tokenData = await loadAndRefreshToken();
+
+    // 2. Load project context
+    const configPath = path.join(process.cwd(), '.um', 'config.json');
+    if (!fs.existsSync(configPath)) {
+      throw new Error(
+        'No project configuration found in current directory.\n' +
+        'Run "um init" to configure a project.'
+      );
+    }
+
+    const projectContext = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+    if (!projectContext.project_id) {
+      throw new Error('Invalid project configuration: missing project_id');
+    }
+
+    // 3. Build auth headers
+    const authHeaders = {
+      'Authorization': `Bearer ${tokenData.idToken || tokenData.accessToken}`,
+    };
+
+    // Add org context
+    if (tokenData.selectedOrg?.id) {
+      authHeaders['X-Org-Id'] = tokenData.selectedOrg.id;
+    } else if (tokenData.decoded?.sub) {
+      authHeaders['X-Org-Id'] = tokenData.decoded.sub;
+    }
+
+    // Add user ID
+    if (tokenData.decoded?.sub) {
+      authHeaders['X-User-Id'] = tokenData.decoded.sub;
+    }
+
+    // 4. Build auth context for parameter injection
+    const authContext = {
+      decoded: tokenData.decoded,
+      selectedOrg: tokenData.selectedOrg
+    };
+
+    // 5. Prepare tool arguments
+    const toolArgs = {
+      body: {
+        summary_text: summary,
+        topic: options.topic || 'general',
+        source: options.source || 'um-cli',
+        confidence: options.confidence ? parseFloat(options.confidence) : 0.7,
+        tags: options.tags ? options.tags.split(',') : []
+      },
+      headers: {
+        'X-Org-Id': tokenData.selectedOrg?.id || tokenData.decoded?.sub,
+        'X-User-Id': tokenData.decoded?.sub
+      }
+    };
+
+    // Add optional metadata
+    if (options.metadata) {
+      try {
+        toolArgs.body.metadata = JSON.parse(options.metadata);
+      } catch (e) {
+        console.error(chalk.yellow('Warning: Invalid metadata JSON, ignoring'));
+      }
+    }
+
+    // 6. Call vault tool
+    console.error(chalk.blue('→ Creating note in vault...'));
+    console.error(chalk.gray(`  Project: ${projectContext.project_name}`));
+    console.error(chalk.gray(`  Topic: ${toolArgs.body.topic}`));
+    console.error(chalk.gray(`  Source: ${toolArgs.body.source}`));
+
+    const result = await callRemoteMCPTool(
+      'create_note',
+      toolArgs,
+      authHeaders,
+      authContext,
+      projectContext
+    );
+
+    // 7. Handle response
+    if (result.content && Array.isArray(result.content)) {
+      const textContent = result.content.find(c => c.type === 'text');
+      if (textContent) {
+        const response = JSON.parse(textContent.text);
+        console.log(chalk.green('✓ Note created successfully'));
+        console.log(chalk.gray(`  Note ID: ${response.note_id || 'N/A'}`));
+        if (response.confidence) {
+          console.log(chalk.gray(`  Confidence: ${response.confidence}`));
+        }
+        return response;
+      }
+    }
+
+    console.log(chalk.green('✓ Note created'));
+    return result;
+
+  } catch (error) {
+    console.error(chalk.red('✗ Failed to create note:'));
+    console.error(chalk.red(`  ${error.message}`));
+    throw error;
+  }
+}