@vee-stack/delta-cli 2.0.3 → 2.0.5

package/dist/apps/cli/src/auth/secure-auth.js

@@ -0,0 +1,312 @@
+/**
+ * Secure Authentication System with OAuth2 + Keychain Integration
+ * Features:
+ * - OAuth2 PKCE flow
+ * - Secure token storage in OS keychain
+ * - Automatic token refresh
+ * - Session management
+ * - PAT (Personal Access Token) support for CI/CD
+ */
+import keytar from 'keytar';
+import fetch from 'node-fetch';
+import open from 'open';
+import { createServer } from 'http';
+import { URL } from 'url';
+import crypto from 'crypto';
+import chalk from 'chalk';
+import { printSuccess, printError, printInfo, startSpinner, stopSpinner } from '../ui.js';
+const SERVICE_NAME = 'delta-cli';
+const ACCOUNT_NAME = 'user-token';
+const REFRESH_ACCOUNT = 'refresh-token';
+// PKCE Code Generator
+function generatePKCE() {
+    const verifier = crypto.randomBytes(32).toString('base64url');
+    const challenge = crypto
+        .createHash('sha256')
+        .update(verifier)
+        .digest('base64url');
+    return { verifier, challenge };
+}
+// Secure Token Storage
+export class SecureTokenStore {
+    static async saveAccessToken(token) {
+        await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, token);
+    }
+    static async getAccessToken() {
+        return await keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+    }
+    static async saveRefreshToken(token) {
+        await keytar.setPassword(SERVICE_NAME, REFRESH_ACCOUNT, token);
+    }
+    static async getRefreshToken() {
+        return await keytar.getPassword(SERVICE_NAME, REFRESH_ACCOUNT);
+    }
+    static async clearTokens() {
+        await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+        await keytar.deletePassword(SERVICE_NAME, REFRESH_ACCOUNT);
+    }
+    static async hasTokens() {
+        const token = await this.getAccessToken();
+        return !!token;
+    }
+}
+// OAuth2 Flow Handler
+export async function startOAuthFlow(method = 'oauth') {
+    startSpinner('Starting OAuth2 authentication flow...');
+    try {
+        const { verifier, challenge } = generatePKCE();
+        const redirectUri = 'http://localhost:3456/callback';
+        const state = crypto.randomBytes(16).toString('hex');
+        // Build OAuth URL
+        const oauthUrl = new URL('https://api.delta.dev/auth/authorize');
+        oauthUrl.searchParams.set('response_type', 'code');
+        oauthUrl.searchParams.set('client_id', 'delta-cli');
+        oauthUrl.searchParams.set('redirect_uri', redirectUri);
+        oauthUrl.searchParams.set('code_challenge', challenge);
+        oauthUrl.searchParams.set('code_challenge_method', 'S256');
+        oauthUrl.searchParams.set('state', state);
+        oauthUrl.searchParams.set('scope', 'read write analyze');
+        if (method === 'github') {
+            oauthUrl.searchParams.set('provider', 'github');
+        }
+        else if (method === 'google') {
+            oauthUrl.searchParams.set('provider', 'google');
+        }
+        stopSpinner(true, 'OAuth server ready');
+        // Open browser
+        printInfo('Opening browser for authentication...');
+        await open(oauthUrl.toString());
+        // Start local server to capture callback
+        const authCode = await new Promise((resolve, reject) => {
+            const server = createServer(async (req, res) => {
+                const url = new URL(req.url || '/', `http://localhost:3456`);
+                if (url.pathname === '/callback') {
+                    const code = url.searchParams.get('code');
+                    const returnedState = url.searchParams.get('state');
+                    const error = url.searchParams.get('error');
+                    if (error) {
+                        res.writeHead(400, { 'Content-Type': 'text/html' });
+                        res.end(`
+              <html>
+                <body style="font-family: system-ui; text-align: center; padding: 50px;">
+                  <h1 style="color: #e74c3c;">❌ Authentication Failed</h1>
+                  <p>${error}</p>
+                  <p>You can close this window.</p>
+                </body>
+              </html>
+            `);
+                        reject(new Error(error));
+                        server.close();
+                        return;
+                    }
+                    if (!code || returnedState !== state) {
+                        res.writeHead(400, { 'Content-Type': 'text/html' });
+                        res.end(`
+              <html>
+                <body style="font-family: system-ui; text-align: center; padding: 50px;">
+                  <h1 style="color: #e74c3c;">❌ Invalid Response</h1>
+                  <p>You can close this window.</p>
+                </body>
+              </html>
+            `);
+                        reject(new Error('Invalid OAuth response'));
+                        server.close();
+                        return;
+                    }
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end(`
+            <html>
+              <head>
+                <style>
+                  body { 
+                    font-family: system-ui, -apple-system, sans-serif; 
+                    text-align: center; 
+                    padding: 50px;
+                    background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+                    color: white;
+                    min-height: 100vh;
+                    display: flex;
+                    align-items: center;
+                    justify-content: center;
+                  }
+                  .container {
+                    background: rgba(255,255,255,0.1);
+                    backdrop-filter: blur(10px);
+                    padding: 40px;
+                    border-radius: 20px;
+                    box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+                  }
+                  h1 { margin: 0 0 20px; font-size: 48px; }
+                  .check { font-size: 64px; margin-bottom: 20px; }
+                  p { font-size: 18px; opacity: 0.9; }
+                </style>
+              </head>
+              <body>
+                <div class="container">
+                  <div class="check">✓</div>
+                  <h1>Successfully Signed In!</h1>
+                  <p>You can close this window and return to the terminal.</p>
+                </div>
+              </body>
+            </html>
+          `);
+                    resolve(code);
+                    server.close();
+                }
+            });
+            server.listen(3456, () => {
+                console.log(chalk.dim('  Waiting for authentication...'));
+            });
+            // Timeout after 5 minutes
+            setTimeout(() => {
+                server.close();
+                reject(new Error('Authentication timeout'));
+            }, 5 * 60 * 1000);
+        });
+        // Exchange code for tokens
+        startSpinner('Exchanging authorization code...');
+        const tokenResponse = await fetch('https://api.delta.dev/auth/token', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                grant_type: 'authorization_code',
+                code: authCode,
+                redirect_uri: redirectUri,
+                client_id: 'delta-cli',
+                code_verifier: verifier,
+            }),
+        });
+        if (!tokenResponse.ok) {
+            throw new Error('Failed to exchange authorization code');
+        }
+        const tokens = await tokenResponse.json();
+        // Store tokens securely
+        await SecureTokenStore.saveAccessToken(tokens.access_token);
+        await SecureTokenStore.saveRefreshToken(tokens.refresh_token);
+        stopSpinner(true, 'Authentication successful!');
+        printSuccess('Successfully authenticated with Delta Cloud');
+        printInfo(`Token expires in ${tokens.expires_in} seconds`);
+        return true;
+    }
+    catch (error) {
+        stopSpinner(false, 'Authentication failed');
+        printError('OAuth2 authentication failed', error.message);
+        return false;
+    }
+}
+// PAT Authentication for CI/CD
+export async function authenticateWithPAT(token) {
+    startSpinner('Validating Personal Access Token...');
+    try {
+        // Validate token
+        const response = await fetch('https://api.delta.dev/auth/verify', {
+            headers: {
+                'Authorization': `Bearer ${token}`,
+            },
+        });
+        if (!response.ok) {
+            throw new Error('Invalid token');
+        }
+        const data = await response.json();
+        // Store token
+        await SecureTokenStore.saveAccessToken(token);
+        stopSpinner(true, 'Token validated');
+        printSuccess(`Authenticated as ${data.user.email}`);
+        return true;
+    }
+    catch (error) {
+        stopSpinner(false, 'Token validation failed');
+        printError('PAT authentication failed', error.message);
+        return false;
+    }
+}
+// Token Refresh
+export async function refreshAccessToken() {
+    const refreshToken = await SecureTokenStore.getRefreshToken();
+    if (!refreshToken) {
+        printError('No refresh token available');
+        return false;
+    }
+    try {
+        const response = await fetch('https://api.delta.dev/auth/refresh', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                client_id: 'delta-cli',
+            }),
+        });
+        if (!response.ok) {
+            throw new Error('Token refresh failed');
+        }
+        const tokens = await response.json();
+        await SecureTokenStore.saveAccessToken(tokens.access_token);
+        if (tokens.refresh_token) {
+            await SecureTokenStore.saveRefreshToken(tokens.refresh_token);
+        }
+        return true;
+    }
+    catch (error) {
+        printError('Failed to refresh token', error.message);
+        return false;
+    }
+}
+// Logout
+export async function logout() {
+    startSpinner('Clearing credentials...');
+    try {
+        await SecureTokenStore.clearTokens();
+        stopSpinner(true, 'Logged out');
+        printSuccess('Successfully logged out');
+    }
+    catch (error) {
+        stopSpinner(false, 'Logout failed');
+        printError('Failed to clear credentials', error.message);
+    }
+}
+// Auth Status
+export async function getAuthStatus() {
+    const token = await SecureTokenStore.getAccessToken();
+    if (!token) {
+        return { authenticated: false };
+    }
+    try {
+        const response = await fetch('https://api.delta.dev/auth/me', {
+            headers: {
+                'Authorization': `Bearer ${token}`,
+            },
+        });
+        if (!response.ok) {
+            // Try to refresh token
+            const refreshed = await refreshAccessToken();
+            if (!refreshed) {
+                return { authenticated: false };
+            }
+            // Retry with new token
+            const newToken = await SecureTokenStore.getAccessToken();
+            const retryResponse = await fetch('https://api.delta.dev/auth/me', {
+                headers: {
+                    'Authorization': `Bearer ${newToken}`,
+                },
+            });
+            if (!retryResponse.ok) {
+                return { authenticated: false };
+            }
+            const userData = await retryResponse.json();
+            return {
+                authenticated: true,
+                user: userData,
+            };
+        }
+        const userData = await response.json();
+        return {
+            authenticated: true,
+            user: userData,
+        };
+    }
+    catch {
+        return { authenticated: false };
+    }
+}
+//# sourceMappingURL=secure-auth.js.map

package/dist/apps/cli/src/commands/analyze.js

@@ -0,0 +1,286 @@
+/**
+ * Analyze Command - Run local analysis with optional upload to cloud
+ */
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as crypto from 'crypto';
+import { loadConfig } from './auth.js';
+export async function analyzeCommand(projectPath, options) {
+    const targetPath = path.resolve(projectPath);
+    console.log('🔍 Running analysis...');
+    console.log(`   Path: ${targetPath}`);
+    // Simple file discovery
+    const files = await discoverFiles(targetPath, {
+        include: options.include ? [options.include] : ['**/*.{ts,tsx,js,jsx}'],
+        exclude: options.exclude ? [options.exclude].concat(['node_modules', 'dist', '.git']) : ['node_modules', 'dist', '.git'],
+        maxSize: parseInt(options.maxSize, 10),
+    });
+    console.log(`   Found ${files.length} files to analyze`);
+    // Run analysis
+    const startTime = Date.now();
+    const summary = {
+        totalFiles: files.length,
+        successfulParses: files.length,
+        failedParses: 0,
+        totalLines: 0,
+        totalFunctions: 0,
+        totalClasses: 0,
+        totalDuration: 0,
+        errors: [],
+    };
+    const findings = [];
+    for (const file of files) {
+        try {
+            const content = await fs.readFile(file, 'utf-8');
+            const lines = content.split('\n');
+            summary.totalLines += lines.length;
+            // Simple heuristics for demo
+            if (content.includes('function '))
+                summary.totalFunctions++;
+            if (content.includes('class '))
+                summary.totalClasses++;
+            // Find potential issues
+            if (content.includes('eval(')) {
+                findings.push({
+                    file: path.relative(targetPath, file),
+                    type: 'security',
+                    severity: 'high',
+                    message: 'Use of eval() detected',
+                });
+            }
+            if (content.includes('console.log')) {
+                findings.push({
+                    file: path.relative(targetPath, file),
+                    type: 'maintainability',
+                    severity: 'low',
+                    message: 'Console.log statement found',
+                });
+            }
+        }
+        catch (error) {
+            summary.failedParses++;
+            summary.successfulParses--;
+            summary.errors.push({
+                file: path.relative(targetPath, file),
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    summary.totalDuration = Date.now() - startTime;
+    // Build report
+    const report = {
+        schema_version: '1.0',
+        engine_version: '0.5.0',
+        created_at: new Date().toISOString(),
+        project: {
+            name: options.projectName || path.basename(targetPath),
+            root_fingerprint: '',
+            path: targetPath,
+        },
+        tools_used: [
+            { id: 'delta-core', version: '0.5.0', adapter_version: '0.5.0' },
+        ],
+        summary: {
+            total: findings.length,
+            high: findings.filter(f => f.severity === 'high').length,
+            medium: findings.filter(f => f.severity === 'medium').length,
+            low: findings.filter(f => f.severity === 'low').length,
+        },
+        findings,
+        metadata: summary,
+    };
+    // Save report to file
+    const outputDir = path.resolve(options.output);
+    await fs.mkdir(outputDir, { recursive: true });
+    const reportFile = path.join(outputDir, `report-${Date.now()}.json`);
+    await fs.writeFile(reportFile, JSON.stringify(report, null, 2));
+    console.log('\n✅ Analysis complete');
+    console.log(`   Files analyzed: ${summary.totalFiles}`);
+    console.log(`   Total lines: ${summary.totalLines.toLocaleString()}`);
+    console.log(`   Functions: ${summary.totalFunctions}`);
+    console.log(`   Classes: ${summary.totalClasses}`);
+    console.log(`   Duration: ${(summary.totalDuration / 1000).toFixed(2)}s`);
+    console.log(`   Findings: ${findings.length} (${report.summary.high} high, ${report.summary.medium} medium, ${report.summary.low} low)`);
+    console.log(`   Report saved: ${reportFile}`);
+    // Upload to cloud if requested
+    if (options.upload) {
+        console.log('\n☁️  Uploading report to Delta cloud...');
+        await uploadReport(report);
+    }
+}
+async function uploadReport(report) {
+    const config = await loadConfig();
+    if (!config.pat) {
+        console.error('❌ Error: Not authenticated. Run: delta login --token <pat>');
+        process.exit(1);
+    }
+    const apiUrl = process.env.DELTA_API_URL || config.apiUrl || 'https://api.delta.dev';
+    const reportJson = JSON.stringify(report);
+    const reportHash = crypto.createHash('sha256').update(reportJson).digest('hex');
+    try {
+        // Step 1: Init upload session
+        const initResponse = await fetch(`${apiUrl}/api/upload/init`, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${config.pat}`,
+                'Content-Type': 'application/json',
+                'Idempotency-Key': crypto.randomUUID(),
+            },
+            body: JSON.stringify({
+                schemaVersion: '1.0',
+                engineVersion: '0.5.0',
+                reportHash: reportHash,
+                reportSizeBytes: Buffer.byteLength(reportJson),
+                toolsUsed: [{ id: 'delta-core', version: '0.5.0', adapterVersion: '0.5.0' }],
+            }),
+        });
+        if (!initResponse.ok) {
+            let payload = undefined;
+            try {
+                payload = await initResponse.json();
+            }
+            catch {
+                payload = await initResponse.text().catch(() => undefined);
+            }
+            const details = payload?.error?.details ? `\nDetails: ${JSON.stringify(payload.error.details)}` : '';
+            const message = payload?.error?.message || `Init failed: ${initResponse.status}`;
+            throw new Error(message + details);
+        }
+        const initData = await initResponse.json();
+        if (!initData.success) {
+            throw new Error(initData.error?.message || 'Upload init failed');
+        }
+        const uploadId = initData.data.uploadId;
+        const secret = initData.data.signing.secret;
+        console.log(`   Upload session: ${uploadId}`);
+        // Step 2: Sign and upload report
+        const signature = crypto.createHmac('sha256', secret).update(reportJson).digest('hex');
+        const uploadResponse = await fetch(`${apiUrl}/api/upload/${uploadId}`, {
+            method: 'PUT',
+            headers: {
+                'Authorization': `Bearer ${config.pat}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                report: Object.assign({}, report, {
+                    integrity: {
+                        report_hash: reportHash,
+                        signature: signature,
+                        algorithm: 'HMAC-SHA256',
+                    },
+                }),
+            }),
+        });
+        if (!uploadResponse.ok) {
+            let payload = undefined;
+            try {
+                payload = await uploadResponse.json();
+            }
+            catch {
+                payload = await uploadResponse.text().catch(() => undefined);
+            }
+            const details = payload?.error?.details ? `\nDetails: ${JSON.stringify(payload.error.details)}` : '';
+            const message = payload?.error?.message || `Upload failed: ${uploadResponse.status}`;
+            throw new Error(message + details);
+        }
+        console.log('   Report uploaded');
+        // Step 3: Finalize
+        const finalizeResponse = await fetch(`${apiUrl}/api/upload/${uploadId}/finalize`, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${config.pat}`,
+                'Content-Type': 'application/json',
+                'Idempotency-Key': crypto.randomUUID(),
+            },
+            body: '{}',
+        });
+        if (!finalizeResponse.ok) {
+            let payload = undefined;
+            try {
+                payload = await finalizeResponse.json();
+            }
+            catch {
+                payload = await finalizeResponse.text().catch(() => undefined);
+            }
+            const details = payload?.error?.details ? `\nDetails: ${JSON.stringify(payload.error.details)}` : '';
+            const message = payload?.error?.message || `Finalize failed: ${finalizeResponse.status}`;
+            throw new Error(message + details);
+        }
+        const finalizeData = await finalizeResponse.json();
+        if (!finalizeData.success) {
+            throw new Error(finalizeData.error?.message || 'Upload finalize failed');
+        }
+        console.log(`✅ Report finalized: ${finalizeData.data.reportId}`);
+        console.log(`   Quota updated`);
+    }
+    catch (error) {
+        console.error('❌ Upload failed:', error instanceof Error ? error.message : String(error));
+        process.exit(1);
+    }
+}
+async function discoverFiles(rootPath, options) {
+    const files = [];
+    async function walk(dir) {
+        const entries = await fs.readdir(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            const fullPath = path.join(dir, entry.name);
+            if (entry.isDirectory()) {
+                // Skip excluded directories
+                if (options.exclude.some(e => entry.name.includes(e)))
+                    continue;
+                await walk(fullPath);
+            }
+            else if (entry.isFile()) {
+                // Check include patterns - support glob patterns like **/*.{ts,tsx}
+                const shouldInclude = options.include.some(pattern => {
+                    // Handle brace expansion: **/*.{ts,tsx} → match **/*.ts or **/*.tsx
+                    if (pattern.includes('{') && pattern.includes('}')) {
+                        const braceMatch = pattern.match(/\{([^}]+)\}/);
+                        if (braceMatch) {
+                            const extensions = braceMatch[1].split(',');
+                            const basePattern = pattern.replace(/\{[^}]+\}/, '');
+                            return extensions.some(ext => {
+                                const fullPattern = basePattern + ext;
+                                return matchGlob(fullPath, fullPattern);
+                            });
+                        }
+                    }
+                    return matchGlob(fullPath, pattern);
+                });
+                if (shouldInclude) {
+                    // Check file size
+                    try {
+                        const stats = await fs.stat(fullPath);
+                        if (stats.size <= options.maxSize) {
+                            files.push(fullPath);
+                        }
+                    }
+                    catch {
+                        // Skip files we can't stat
+                    }
+                }
+            }
+        }
+    }
+    await walk(rootPath);
+    return files;
+}
+function matchGlob(filePath, pattern) {
+    // Convert glob pattern to regex
+    // **/*.ts → matches any .ts file in any directory
+    // *.ts → matches .ts files in current directory
+    const fileName = filePath.split(/[/\\]/).pop() || '';
+    if (pattern.includes('**')) {
+        // Match any directory depth
+        const ext = pattern.replace('**/*', '');
+        return fileName.endsWith(ext);
+    }
+    else if (pattern.includes('*')) {
+        // Simple wildcard
+        const ext = pattern.replace('*', '');
+        return fileName.endsWith(ext);
+    }
+    // Exact match
+    return filePath.includes(pattern);
+}
+//# sourceMappingURL=analyze.js.map

package/dist/apps/cli/src/commands/auth-new.js

@@ -0,0 +1,37 @@
+import chalk from 'chalk';
+import { startOAuthFlow, authenticateWithPAT, SecureTokenStore } from '../auth/secure-auth.js';
+import { printSuccess, printInfo } from '../ui.js';
+import prompts from 'prompts';
+export async function loginCommand(options) {
+    // Check if already authenticated
+    if (await SecureTokenStore.hasTokens()) {
+        const overwrite = await prompts({
+            type: 'confirm',
+            name: 'value',
+            message: chalk.yellow('Already authenticated. Overwrite existing credentials?'),
+            initial: false,
+        });
+        if (!overwrite.value) {
+            printInfo('Login cancelled');
+            return;
+        }
+    }
+    if (options.token) {
+        // PAT authentication
+        await authenticateWithPAT(options.token);
+    }
+    else {
+        // OAuth2 flow
+        const method = options.method || 'oauth';
+        const success = await startOAuthFlow(method);
+        if (success) {
+            printSuccess('You are now logged in!');
+            printInfo('Run "delta whoami" to see your account info');
+        }
+    }
+}
+export async function logoutCommand() {
+    const { logout } = await import('../auth/secure-auth.js');
+    await logout();
+}
+//# sourceMappingURL=auth-new.js.map