@vee-stack/delta-cli 2.0.9 → 2.0.11

package/dist/auth/device-auth.js

@@ -1,261 +0,0 @@
-/**
- * Device Authorization Flow for CLI Authentication
- * Implements OAuth 2.0 Device Authorization Grant (RFC 8628)
- */
-import * as https from 'https';
-import * as http from 'http';
-import { spawn } from 'child_process';
-import * as os from 'os';
-import { printSuccess, printError, printInfo, printSection, startSpinner, stopSpinner, printKeyValue, printCommandHint, printHeader, } from '../ui.js';
-import { SecureTokenStore } from '../auth/secure-auth.js';
-export class DeviceAuthorizationFlow {
-    apiUrl;
-    clientId;
-    constructor(apiUrl, clientId = 'delta-cli') {
-        this.apiUrl = apiUrl;
-        this.clientId = clientId;
-    }
-    async startDeviceFlow() {
-        printHeader('Device Authorization');
-        printInfo('Starting device authorization flow...');
-        console.log();
-        try {
-            // Step 1: Request device code
-            startSpinner('Requesting device code...');
-            const deviceCodeResponse = await this.requestDeviceCode();
-            stopSpinner(true, 'Device code received');
-            // Step 2: Show instructions to user
-            this.displayAuthorizationInstructions(deviceCodeResponse);
-            // Step 3: Open browser automatically
-            await this.openBrowser(deviceCodeResponse.verification_uri_complete);
-            // Step 4: Poll for token
-            printSection('Waiting for Authorization');
-            printInfo('Waiting for you to complete the authorization in your browser...');
-            console.log();
-            const tokenResponse = await this.pollForToken(deviceCodeResponse);
-            // Step 5: Save tokens and show success
-            await this.saveTokens(tokenResponse);
-            this.showSuccess();
-            return true;
-        }
-        catch (error) {
-            this.handleError(error);
-            return false;
-        }
-    }
-    async requestDeviceCode() {
-        const response = await this.makeRequest('/api/auth/device/code', {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-            },
-            body: JSON.stringify({
-                client_id: this.clientId,
-                scope: 'read write analyze',
-            }),
-        });
-        const data = (await response.json());
-        if (!response.ok) {
-            throw new Error(`Failed to request device code: ${data.error || 'Unknown error'}`);
-        }
-        return data;
-    }
-    displayAuthorizationInstructions(response) {
-        console.log();
-        printSection('Authorization Required');
-        printInfo('Please complete the authorization using one of these methods:');
-        console.log();
-        // Method 1: Auto-opened browser
-        printKeyValue('🌐 Browser', 'A browser window should have opened automatically');
-        // Method 2: Manual URL
-        console.log();
-        printKeyValue('📋 Manual URL', response.verification_uri);
-        printKeyValue('🔢 Code', response.user_code);
-        console.log();
-        // Method 3: Complete URL
-        printInfo('Or use this direct link:');
-        console.log(`  ${response.verification_uri_complete}`);
-        console.log();
-        printInfo('⏱️  This code will expire in ' + Math.floor(response.expires_in / 60) + ' minutes');
-        console.log();
-    }
-    async openBrowser(url) {
-        const platform = os.platform();
-        let command;
-        switch (platform) {
-            case 'darwin':
-                command = `open "${url}"`;
-                break;
-            case 'win32':
-                command = `start "" "${url}"`;
-                break;
-            default: // linux
-                command = `xdg-open "${url}"`;
-                break;
-        }
-        try {
-            await this.executeCommand(command);
-            printInfo('✓ Browser opened successfully');
-        }
-        catch (error) {
-            printInfo('⚠️  Could not open browser automatically');
-            printInfo('Please manually open the URL above');
-        }
-    }
-    executeCommand(command) {
-        return new Promise((resolve, reject) => {
-            const child = spawn(command, [], { shell: true, stdio: 'ignore' });
-            child.on('close', code => {
-                if (code === 0) {
-                    resolve();
-                }
-                else {
-                    reject(new Error(`Command failed with code ${code}`));
-                }
-            });
-            child.on('error', reject);
-        });
-    }
-    async pollForToken(deviceCode) {
-        const startTime = Date.now();
-        const endTime = startTime + deviceCode.expires_in * 1000;
-        const interval = deviceCode.interval * 1000;
-        const spinner = startSpinner('Checking authorization status...');
-        void spinner; // Spinner is managed internally by the UI system
-        while (Date.now() < endTime) {
-            try {
-                const response = await this.makeRequest('/api/auth/device/token', {
-                    method: 'POST',
-                    headers: {
-                        'Content-Type': 'application/json',
-                    },
-                    body: JSON.stringify({
-                        device_code: deviceCode.device_code,
-                        grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
-                    }),
-                });
-                const data = (await response.json());
-                if ('error' in data) {
-                    if (data.error === 'authorization_pending') {
-                        // Still waiting, continue polling
-                        await this.sleep(interval);
-                        continue;
-                    }
-                    else if (data.error === 'slow_down') {
-                        // Server asks to slow down
-                        await this.sleep(interval * 2);
-                        continue;
-                    }
-                    else {
-                        // Error occurred
-                        stopSpinner(false);
-                        throw new Error(`Authorization failed: ${data.error_description || data.error}`);
-                    }
-                }
-                else {
-                    // Success!
-                    stopSpinner(true, 'Authorization complete');
-                    return data;
-                }
-            }
-            catch (error) {
-                stopSpinner(false);
-                throw error;
-            }
-        }
-        stopSpinner(false);
-        throw new Error('Authorization timed out. Please try again.');
-    }
-    async saveTokens(tokenResponse) {
-        // Save access token securely
-        await SecureTokenStore.saveAccessToken(tokenResponse.access_token);
-        // Save refresh token securely
-        await SecureTokenStore.saveRefreshToken(tokenResponse.refresh_token);
-        // Save session info for future reference
-        await SecureTokenStore.saveSessionInfo({
-            session_id: tokenResponse.session_id,
-            expires_at: new Date(Date.now() + tokenResponse.expires_in * 1000).toISOString(),
-        });
-    }
-    showSuccess() {
-        console.log();
-        printSuccess('🎉 Device authorization successful!');
-        console.log();
-        printSection('Next Steps');
-        printCommandHint('delta whoami', 'to verify your account');
-        printCommandHint('delta analyze', 'to start analyzing code');
-        console.log();
-    }
-    handleError(error) {
-        console.log();
-        printError('Device authorization failed');
-        console.log();
-        if (error instanceof Error) {
-            if (error.message.includes('ENOTFOUND') || error.message.includes('ECONNREFUSED')) {
-                printError('Connection Error', 'Cannot connect to the Delta platform');
-                printInfo('Please check:');
-                printKeyValue('• Server', 'Is the web platform running?');
-                printKeyValue('• Network', 'Check your internet connection');
-                printKeyValue('• URL', `Is ${this.apiUrl} correct?`);
-            }
-            else if (error.message.includes('authorization_pending')) {
-                printError('Timeout', 'Authorization was not completed in time');
-                printInfo('Please try again');
-            }
-            else if (error.message.includes('access_denied')) {
-                printError('Access Denied', 'You denied the authorization request');
-                printInfo('If this was a mistake, please try again');
-            }
-            else {
-                printError('Error', error.message);
-            }
-        }
-        else {
-            printError('Unknown Error', String(error));
-        }
-        console.log();
-        printInfo('Alternative: Use a Personal Access Token');
-        printCommandHint('delta login --token delta_pat_xxxxx', '');
-    }
-    async makeRequest(endpoint, options) {
-        const url = `${this.apiUrl}${endpoint}`;
-        // Use Node.js built-in fetch if available, otherwise fallback to http/https modules
-        if (typeof fetch !== 'undefined') {
-            return fetch(url, options);
-        }
-        // Fallback for older Node.js versions
-        return new Promise((resolve, reject) => {
-            const urlObj = new URL(url);
-            const module = urlObj.protocol === 'https:' ? https : http;
-            const requestOptions = {
-                method: options.method || 'GET',
-                headers: options.headers || {},
-            };
-            const req = module.request(url, requestOptions, res => {
-                let data = '';
-                res.on('data', chunk => (data += chunk));
-                res.on('end', () => {
-                    resolve(new Response(data, {
-                        status: res.statusCode,
-                        statusText: res.statusMessage,
-                        headers: res.headers,
-                    }));
-                });
-            });
-            req.on('error', reject);
-            if (options.body) {
-                req.write(options.body);
-            }
-            req.end();
-        });
-    }
-    sleep(ms) {
-        return new Promise(resolve => setTimeout(resolve, ms));
-    }
-}
-// Export for use in auth commands
-export async function startDeviceFlow(apiUrl) {
-    const flow = new DeviceAuthorizationFlow(apiUrl);
-    return flow.startDeviceFlow();
-}
-//# sourceMappingURL=device-auth.js.map

package/dist/auth/secure-auth.js

@@ -1,401 +0,0 @@
-/**
- * Secure Authentication System with OAuth2 + Keychain Integration
- * Features:
- * - OAuth2 PKCE flow
- * - Secure token storage in OS keychain
- * - Automatic token refresh
- * - Session management
- * - PAT (Personal Access Token) support for CI/CD
- */
-import * as fs from 'fs/promises';
-import * as path from 'path';
-import * as os from 'os';
-import fetch from 'node-fetch';
-import open from 'open';
-import { createServer } from 'http';
-import { URL } from 'url';
-import crypto from 'crypto';
-import chalk from 'chalk';
-import { printSuccess, printError, printInfo, printWarning, startSpinner, stopSpinner, } from '../ui.js';
-const CONFIG_DIR = path.join(os.homedir(), '.delta');
-const TOKEN_FILE = path.join(CONFIG_DIR, 'tokens.enc');
-const KEY_FILE = path.join(CONFIG_DIR, '.key');
-// Derive encryption key from machine-specific data
-async function getEncryptionKey() {
-    try {
-        const keyData = await fs.readFile(KEY_FILE, 'utf-8').catch(() => null);
-        if (keyData) {
-            return Buffer.from(keyData, 'hex');
-        }
-    }
-    catch {
-        // File doesn't exist, generate new key
-    }
-    const machineId = `${os.userInfo().username}@${os.hostname()}`;
-    const salt = 'delta-cli-v2-fixed-salt';
-    const key = crypto.pbkdf2Sync(machineId, salt, 100000, 32, 'sha256');
-    await fs.mkdir(CONFIG_DIR, { recursive: true });
-    await fs.writeFile(KEY_FILE, key.toString('hex'), { mode: 0o600 });
-    return key;
-}
-// Encrypt data
-async function encrypt(data) {
-    const key = await getEncryptionKey();
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
-    let encrypted = cipher.update(data, 'utf-8', 'hex');
-    encrypted += cipher.final('hex');
-    const authTag = cipher.getAuthTag();
-    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
-}
-// Decrypt data
-async function decrypt(encryptedData) {
-    try {
-        const key = await getEncryptionKey();
-        const parts = encryptedData.split(':');
-        if (parts.length !== 3)
-            return null;
-        const iv = Buffer.from(parts[0], 'hex');
-        const authTag = Buffer.from(parts[1], 'hex');
-        const encrypted = parts[2];
-        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
-        decipher.setAuthTag(authTag);
-        let decrypted = decipher.update(encrypted, 'hex', 'utf-8');
-        decrypted += decipher.final('utf-8');
-        return decrypted;
-    }
-    catch {
-        return null;
-    }
-}
-// PKCE Code Generator
-function generatePKCE() {
-    const verifier = crypto.randomBytes(32).toString('base64url');
-    const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
-    return { verifier, challenge };
-}
-// Secure Token Storage using encrypted file
-export class SecureTokenStore {
-    static async saveTokens(tokens) {
-        await fs.mkdir(CONFIG_DIR, { recursive: true });
-        const data = JSON.stringify({
-            access: tokens.access || null,
-            refresh: tokens.refresh || null,
-            updatedAt: new Date().toISOString(),
-        });
-        const encrypted = await encrypt(data);
-        await fs.writeFile(TOKEN_FILE, encrypted, { mode: 0o600 });
-    }
-    static async loadTokens() {
-        try {
-            const encrypted = await fs.readFile(TOKEN_FILE, 'utf-8');
-            const decrypted = await decrypt(encrypted);
-            if (!decrypted)
-                return { access: null, refresh: null };
-            const data = JSON.parse(decrypted);
-            return {
-                access: data.access || null,
-                refresh: data.refresh || null,
-            };
-        }
-        catch {
-            return { access: null, refresh: null };
-        }
-    }
-    static async saveAccessToken(token) {
-        const tokens = await this.loadTokens();
-        await this.saveTokens({ access: token, refresh: tokens.refresh ?? undefined });
-    }
-    static async getAccessToken() {
-        const tokens = await this.loadTokens();
-        return tokens.access;
-    }
-    static async saveRefreshToken(token) {
-        // Encrypt token (side effect - encryption happens before storage)
-        const encrypted = await encrypt(token);
-        void encrypted; // Mark as intentionally used for encryption side effect
-        const tokens = await this.loadTokens();
-        await this.saveTokens({
-            access: tokens.access || undefined,
-            refresh: token,
-        });
-    }
-    static async saveSessionInfo(sessionInfo) {
-        // For now, store session info in a separate file
-        // In production, this should be encrypted and stored securely
-        const sessionFile = path.join(CONFIG_DIR, 'session.json');
-        await fs.mkdir(CONFIG_DIR, { recursive: true });
-        await fs.writeFile(sessionFile, JSON.stringify(sessionInfo, null, 2));
-    }
-    static async getRefreshToken() {
-        const tokens = await this.loadTokens();
-        return tokens.refresh;
-    }
-    static async clearTokens() {
-        try {
-            // Check if file exists first
-            try {
-                await fs.access(TOKEN_FILE);
-            }
-            catch {
-                // File doesn't exist, nothing to clear
-                return;
-            }
-            await fs.unlink(TOKEN_FILE);
-            // Also clear session file if exists
-            const sessionFile = path.join(CONFIG_DIR, 'session.json');
-            try {
-                await fs.access(sessionFile);
-                await fs.unlink(sessionFile);
-            }
-            catch {
-                // Session file may not exist
-            }
-            console.log('   Tokens cleared from:', TOKEN_FILE);
-        }
-        catch (error) {
-            console.error('   Warning: Could not clear tokens:', error.message);
-            throw error;
-        }
-    }
-    static async hasTokens() {
-        const token = await this.getAccessToken();
-        return !!token;
-    }
-}
-// OAuth2 Flow Handler - Uses configurable API URL for local development
-export async function startOAuthFlow(method = 'oauth') {
-    startSpinner('Starting OAuth2 authentication flow...');
-    try {
-        // Get API URL from environment or use default
-        const apiUrl = process.env.DELTA_API_URL || 'http://localhost:3000';
-        const { verifier, challenge } = generatePKCE();
-        const state = crypto.randomBytes(16).toString('hex');
-        // Start local server FIRST to capture callback and get actual port
-        const { authCode, redirectUri } = await new Promise((resolve, reject) => {
-            const server = createServer(async (req, res) => {
-                const url = new URL(req.url || '/', `http://localhost:${redirectPort}`);
-                if (url.pathname === '/callback') {
-                    const code = url.searchParams.get('code');
-                    const returnedState = url.searchParams.get('state');
-                    const error = url.searchParams.get('error');
-                    if (error) {
-                        res.writeHead(400, { 'Content-Type': 'text/html' });
-                        res.end(`<html><body><h1>❌ Authentication Failed</h1><p>${error}</p></body></html>`);
-                        reject(new Error(error));
-                        server.close();
-                        return;
-                    }
-                    if (!code || returnedState !== state) {
-                        res.writeHead(400, { 'Content-Type': 'text/html' });
-                        res.end(`<html><body><h1>❌ Invalid Response</h1></body></html>`);
-                        reject(new Error('Invalid OAuth response'));
-                        server.close();
-                        return;
-                    }
-                    res.writeHead(200, { 'Content-Type': 'text/html' });
-                    res.end(`<html><body style="text-align:center;padding:50px;"><h1>✓ Successfully Signed In!</h1><p>You can close this window.</p></body></html>`);
-                    const address = server.address();
-                    const actualPort = typeof address === 'object' && address ? address.port : 3456;
-                    resolve({ authCode: code, redirectUri: `http://localhost:${actualPort}/callback` });
-                    server.close();
-                }
-            });
-            let redirectPort = 3456;
-            // Try to listen on port 3456
-            server.listen(3456, '127.0.0.1', () => {
-                console.log(chalk.dim(`  Waiting for authentication on port ${redirectPort}...`));
-            });
-            // Handle port in use error by trying random port
-            server.on('error', (err) => {
-                if (err.code === 'EADDRINUSE') {
-                    printWarning('Port 3456 is busy, trying alternative port...');
-                    redirectPort = 0; // Let OS assign
-                    server.listen(0, '127.0.0.1', () => {
-                        const address = server.address();
-                        const actualPort = typeof address === 'object' && address ? address.port : 3456;
-                        redirectPort = actualPort;
-                        console.log(chalk.dim(`  Waiting for authentication on port ${actualPort}...`));
-                    });
-                }
-                else {
-                    reject(err);
-                }
-            });
-            // Timeout after 5 minutes
-            setTimeout(() => {
-                server.close();
-                reject(new Error('Authentication timeout'));
-            }, 5 * 60 * 1000);
-        });
-        // NOW build OAuth URL with correct redirect_uri
-        const oauthUrl = new URL(`${apiUrl}/api/auth/authorize`);
-        oauthUrl.searchParams.set('response_type', 'code');
-        oauthUrl.searchParams.set('client_id', 'delta-cli');
-        oauthUrl.searchParams.set('redirect_uri', redirectUri);
-        oauthUrl.searchParams.set('code_challenge', challenge);
-        oauthUrl.searchParams.set('code_challenge_method', 'S256');
-        oauthUrl.searchParams.set('state', state);
-        oauthUrl.searchParams.set('scope', 'read write analyze');
-        if (method === 'github') {
-            oauthUrl.searchParams.set('provider', 'github');
-        }
-        else if (method === 'google') {
-            oauthUrl.searchParams.set('provider', 'google');
-        }
-        stopSpinner(true, 'OAuth server ready');
-        // Open browser with correct URL
-        printInfo(`Opening browser for authentication...`);
-        printInfo(`Full URL: ${oauthUrl.toString()}`);
-        await open(oauthUrl.toString());
-        // Wait for authCode (already resolved above)
-        // Exchange code for tokens
-        startSpinner('Exchanging authorization code...');
-        const tokenResponse = await fetch(`${apiUrl}/api/auth/token`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                grant_type: 'authorization_code',
-                code: authCode,
-                redirect_uri: redirectUri,
-                client_id: 'delta-cli',
-                code_verifier: verifier,
-            }),
-        });
-        if (!tokenResponse.ok) {
-            throw new Error('Failed to exchange authorization code');
-        }
-        const tokens = (await tokenResponse.json());
-        // Store tokens securely
-        await SecureTokenStore.saveAccessToken(tokens.access_token);
-        await SecureTokenStore.saveRefreshToken(tokens.refresh_token);
-        stopSpinner(true, 'Authentication successful!');
-        printSuccess('Successfully authenticated with Delta Cloud');
-        printInfo(`Token expires in ${tokens.expires_in} seconds`);
-        return true;
-    }
-    catch (error) {
-        stopSpinner(false, 'Authentication failed');
-        printError('OAuth2 authentication failed', error.message);
-        return false;
-    }
-}
-// PAT Authentication for CI/CD - Uses configurable API URL
-export async function authenticateWithPAT(token) {
-    startSpinner('Validating Personal Access Token...');
-    try {
-        const apiUrl = process.env.DELTA_API_URL || 'http://localhost:3000';
-        // Validate token
-        const response = await fetch(`${apiUrl}/api/auth/verify`, {
-            headers: {
-                Authorization: `Bearer ${token}`,
-            },
-        });
-        if (!response.ok) {
-            throw new Error('Invalid token');
-        }
-        const data = (await response.json());
-        // Store token
-        await SecureTokenStore.saveAccessToken(token);
-        stopSpinner(true, 'Token validated');
-        printSuccess(`Authenticated as ${data.user.email}`);
-        return true;
-    }
-    catch (error) {
-        stopSpinner(false, 'Token validation failed');
-        printError('PAT authentication failed', error.message);
-        return false;
-    }
-}
-// Token Refresh - Uses configurable API URL
-export async function refreshAccessToken() {
-    const refreshToken = await SecureTokenStore.getRefreshToken();
-    if (!refreshToken) {
-        printError('No refresh token available');
-        return false;
-    }
-    try {
-        const apiUrl = process.env.DELTA_API_URL || 'http://localhost:3000';
-        const response = await fetch(`${apiUrl}/api/auth/refresh`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                grant_type: 'refresh_token',
-                refresh_token: refreshToken,
-                client_id: 'delta-cli',
-            }),
-        });
-        if (!response.ok) {
-            throw new Error('Token refresh failed');
-        }
-        const tokens = (await response.json());
-        await SecureTokenStore.saveAccessToken(tokens.access_token);
-        if (tokens.refresh_token) {
-            await SecureTokenStore.saveRefreshToken(tokens.refresh_token);
-        }
-        return true;
-    }
-    catch (error) {
-        printError('Failed to refresh token', error.message);
-        return false;
-    }
-}
-// Logout
-export async function logout() {
-    startSpinner('Clearing credentials...');
-    try {
-        await SecureTokenStore.clearTokens();
-        stopSpinner(true, 'Logged out');
-        printSuccess('Successfully logged out');
-    }
-    catch (error) {
-        stopSpinner(false, 'Logout failed');
-        printError('Failed to clear credentials', error.message);
-    }
-}
-// Auth Status - Uses configurable API URL
-export async function getAuthStatus() {
-    const token = await SecureTokenStore.getAccessToken();
-    if (!token) {
-        return { authenticated: false };
-    }
-    try {
-        const apiUrl = process.env.DELTA_API_URL || 'http://localhost:3000';
-        const response = await fetch(`${apiUrl}/api/auth/me`, {
-            headers: {
-                Authorization: `Bearer ${token}`,
-            },
-        });
-        if (!response.ok) {
-            // Try to refresh token
-            const refreshed = await refreshAccessToken();
-            if (!refreshed) {
-                return { authenticated: false };
-            }
-            // Retry with new token
-            const newToken = await SecureTokenStore.getAccessToken();
-            const retryResponse = await fetch(`${apiUrl}/api/auth/me`, {
-                headers: {
-                    Authorization: `Bearer ${newToken}`,
-                },
-            });
-            if (!retryResponse.ok) {
-                return { authenticated: false };
-            }
-            const userData = (await retryResponse.json());
-            return {
-                authenticated: true,
-                user: userData,
-            };
-        }
-        const userData = (await response.json());
-        return {
-            authenticated: true,
-            user: userData,
-        };
-    }
-    catch {
-        return { authenticated: false };
-    }
-}
-//# sourceMappingURL=secure-auth.js.map