@vibetasks/core 0.5.0 → 0.5.1

package/dist/index.d.ts

@@ -46,20 +46,33 @@ declare class ConfigManager {
 
 /**
  * Manages authentication tokens with secure storage
- * Uses system keychain (keytar) when available, falls back to config file
+ *
+ * Priority order for token retrieval:
+ * 1. VIBETASKS_TOKEN or VIBETASKS_ACCESS_TOKEN environment variable
+ * 2. System keychain (macOS/Windows)
+ * 3. Config file (~/.config/taskflow/config.json)
+ *
+ * Automatically refreshes expired tokens when using stored tokens.
  */
 declare class AuthManager {
     private configManager;
     private keytar;
     private useKeytar;
+    private isRefreshing;
     constructor();
+    /**
+     * Check for token in environment variables (highest priority)
+     * Used by AI agents and CI/CD pipelines
+     */
+    private getEnvToken;
     /**
      * Initialize keytar (system keychain) if available
      */
     private initKeytar;
     /**
-     * Get the access token
-     */
+       * Get the access token
+       * Priority: ENV var > Keychain > Config file
+       */
     getAccessToken(): Promise<string | null>;
     /**
      * Set the access token
@@ -86,13 +99,34 @@ declare class AuthManager {
      */
     setConfig(key: string, value: any): Promise<void>;
     /**
-     * Check if user is authenticated (has access token)
-     */
+       * Check if user is authenticated (has access token)
+       */
     isAuthenticated(): Promise<boolean>;
     /**
      * Get storage method being used
      */
     getStorageMethod(): 'keychain' | 'config-file';
+    /**
+     * Check if token is expired (with 5 min buffer)
+     */
+    private isTokenExpired;
+    /**
+     * Refresh the access token using the refresh token
+     */
+    refreshAccessToken(): Promise<string | null>;
+    /**
+     * Get a valid access token, refreshing if necessary
+     * Environment tokens are always considered valid (no refresh)
+     */
+    getValidAccessToken(): Promise<string | null>;
+    /**
+     * Check if using environment token (for AI agents/CI)
+     */
+    isUsingEnvToken(): boolean;
+    /**
+     * Get auth source for debugging
+     */
+    getAuthSource(): 'env' | 'keychain' | 'config' | 'none';
 }
 
 interface SupabaseConfig {
@@ -187,8 +221,9 @@ declare class TaskOperations {
     private supabase;
     constructor(supabase: SupabaseClient);
     /**
-     * Create TaskOperations from AuthManager
-     */
+       * Create TaskOperations from AuthManager
+       * Automatically refreshes expired tokens
+       */
     static fromAuthManager(authManager: AuthManager): Promise<TaskOperations>;
     getTasks(filter?: TaskFilter, includeArchived?: boolean): Promise<Task[]>;
     getTask(taskId: string): Promise<Task>;

package/dist/index.js

@@ -87,18 +87,68 @@ var ConfigManager = class {
   }
 };
 
+// src/supabase-client.ts
+import { createClient } from "@supabase/supabase-js";
+function createSupabaseClient(config) {
+  const { supabaseUrl, supabaseKey, accessToken } = config;
+  if (!supabaseUrl || !supabaseKey) {
+    throw new Error("Supabase URL and key are required");
+  }
+  const client = createClient(supabaseUrl, supabaseKey, {
+    auth: {
+      persistSession: false,
+      // CLI/MCP don't need session persistence
+      autoRefreshToken: false
+      // We'll handle refresh manually if needed
+    },
+    global: accessToken ? {
+      headers: {
+        Authorization: `Bearer ${accessToken}`
+      }
+    } : void 0
+  });
+  return client;
+}
+function createSupabaseClientFromEnv() {
+  const supabaseUrl = process.env.TASKFLOW_SUPABASE_URL || process.env.SUPABASE_URL;
+  const supabaseKey = process.env.TASKFLOW_SUPABASE_KEY || process.env.SUPABASE_KEY || process.env.SUPABASE_ANON_KEY;
+  const accessToken = process.env.TASKFLOW_ACCESS_TOKEN;
+  if (!supabaseUrl || !supabaseKey) {
+    throw new Error(
+      "Supabase configuration not found in environment variables. Set TASKFLOW_SUPABASE_URL and TASKFLOW_SUPABASE_KEY, or run: taskflow login"
+    );
+  }
+  return createSupabaseClient({
+    supabaseUrl,
+    supabaseKey,
+    accessToken
+  });
+}
+
 // src/auth-manager.ts
 var SERVICE_NAME = "taskflow-cli";
 var ACCESS_TOKEN_ACCOUNT = "access-token";
 var REFRESH_TOKEN_ACCOUNT = "refresh-token";
+var DEFAULT_SUPABASE_URL = "https://cbkkztbcoitrfcleghfd.supabase.co";
+var DEFAULT_SUPABASE_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImNia2t6dGJjb2l0cmZjbGVnaGZkIiwicm9sZSI6ImFub24iLCJpYXQiOjE3Njc3NTc0MjgsImV4cCI6MjA4MzMzMzQyOH0.G7ILx-nntP0NbxO1gKt5yASb7nt7OmpJ8qtykeGYbQA";
+var ENV_TOKEN = "VIBETASKS_TOKEN";
+var ENV_ACCESS_TOKEN = "VIBETASKS_ACCESS_TOKEN";
 var AuthManager = class {
   configManager;
   keytar = null;
   useKeytar = false;
+  isRefreshing = false;
   constructor() {
     this.configManager = new ConfigManager();
     this.initKeytar();
   }
+  /**
+   * Check for token in environment variables (highest priority)
+   * Used by AI agents and CI/CD pipelines
+   */
+  getEnvToken() {
+    return process.env[ENV_TOKEN] || process.env[ENV_ACCESS_TOKEN] || null;
+  }
   /**
    * Initialize keytar (system keychain) if available
    */
@@ -111,9 +161,14 @@ var AuthManager = class {
     }
   }
   /**
-   * Get the access token
-   */
+     * Get the access token
+     * Priority: ENV var > Keychain > Config file
+     */
   async getAccessToken() {
+    const envToken = this.getEnvToken();
+    if (envToken) {
+      return envToken;
+    }
     if (this.keytar === null && process.platform !== "linux") {
       await this.initKeytar();
     }
@@ -204,8 +259,8 @@ var AuthManager = class {
     await this.configManager.setConfig(key, value);
   }
   /**
-   * Check if user is authenticated (has access token)
-   */
+     * Check if user is authenticated (has access token)
+     */
   async isAuthenticated() {
     const token = await this.getAccessToken();
     return token !== null && token !== void 0 && token.length > 0;
@@ -216,45 +271,102 @@ var AuthManager = class {
   getStorageMethod() {
     return this.useKeytar ? "keychain" : "config-file";
   }
-};
-
-// src/supabase-client.ts
-import { createClient } from "@supabase/supabase-js";
-function createSupabaseClient(config) {
-  const { supabaseUrl, supabaseKey, accessToken } = config;
-  if (!supabaseUrl || !supabaseKey) {
-    throw new Error("Supabase URL and key are required");
+  /**
+   * Check if token is expired (with 5 min buffer)
+   */
+  isTokenExpired(token) {
+    try {
+      const payload = JSON.parse(Buffer.from(token.split(".")[1], "base64").toString());
+      const expiresAt = payload.exp * 1e3;
+      const bufferMs = 5 * 60 * 1e3;
+      return Date.now() > expiresAt - bufferMs;
+    } catch {
+      return true;
+    }
   }
-  const client = createClient(supabaseUrl, supabaseKey, {
-    auth: {
-      persistSession: false,
-      // CLI/MCP don't need session persistence
-      autoRefreshToken: false
-      // We'll handle refresh manually if needed
-    },
-    global: accessToken ? {
-      headers: {
-        Authorization: `Bearer ${accessToken}`
+  /**
+   * Refresh the access token using the refresh token
+   */
+  async refreshAccessToken() {
+    if (this.isRefreshing) {
+      await new Promise((resolve) => setTimeout(resolve, 1e3));
+      return await this.getAccessToken();
+    }
+    this.isRefreshing = true;
+    try {
+      const refreshToken = await this.getRefreshToken();
+      if (!refreshToken) {
+        throw new Error("No refresh token available");
       }
-    } : void 0
-  });
-  return client;
-}
-function createSupabaseClientFromEnv() {
-  const supabaseUrl = process.env.TASKFLOW_SUPABASE_URL || process.env.SUPABASE_URL;
-  const supabaseKey = process.env.TASKFLOW_SUPABASE_KEY || process.env.SUPABASE_KEY || process.env.SUPABASE_ANON_KEY;
-  const accessToken = process.env.TASKFLOW_ACCESS_TOKEN;
-  if (!supabaseUrl || !supabaseKey) {
-    throw new Error(
-      "Supabase configuration not found in environment variables. Set TASKFLOW_SUPABASE_URL and TASKFLOW_SUPABASE_KEY, or run: taskflow login"
-    );
+      const supabaseUrl = await this.getConfig("supabase_url") || DEFAULT_SUPABASE_URL;
+      const supabaseKey = await this.getConfig("supabase_key") || DEFAULT_SUPABASE_KEY;
+      const supabase = createSupabaseClient({ supabaseUrl, supabaseKey });
+      const { data, error } = await supabase.auth.refreshSession({
+        refresh_token: refreshToken
+      });
+      if (error) {
+        throw error;
+      }
+      if (!data.session) {
+        throw new Error("No session returned from refresh");
+      }
+      await this.setAccessToken(data.session.access_token);
+      await this.setRefreshToken(data.session.refresh_token);
+      return data.session.access_token;
+    } catch (error) {
+      const isRefreshTokenUsed = error.message?.includes("Already Used") || error.code === "refresh_token_already_used";
+      if (isRefreshTokenUsed) {
+        await this.clearTokens();
+      }
+      if (process.stderr.isTTY) {
+        if (isRefreshTokenUsed) {
+          console.error("Session expired. Please run: vibetasks login");
+        } else {
+          console.error("Token refresh failed:", error.message);
+        }
+      }
+      return null;
+    } finally {
+      this.isRefreshing = false;
+    }
   }
-  return createSupabaseClient({
-    supabaseUrl,
-    supabaseKey,
-    accessToken
-  });
-}
+  /**
+   * Get a valid access token, refreshing if necessary
+   * Environment tokens are always considered valid (no refresh)
+   */
+  async getValidAccessToken() {
+    const envToken = this.getEnvToken();
+    if (envToken) {
+      return envToken;
+    }
+    const token = await this.getAccessToken();
+    if (!token) {
+      return null;
+    }
+    if (this.isTokenExpired(token)) {
+      const newToken = await this.refreshAccessToken();
+      if (newToken) {
+        return newToken;
+      }
+      return null;
+    }
+    return token;
+  }
+  /**
+   * Check if using environment token (for AI agents/CI)
+   */
+  isUsingEnvToken() {
+    return this.getEnvToken() !== null;
+  }
+  /**
+   * Get auth source for debugging
+   */
+  getAuthSource() {
+    if (this.getEnvToken()) return "env";
+    if (this.useKeytar) return "keychain";
+    return "config";
+  }
+};
 
 // src/task-operations.ts
 var TaskOperations = class _TaskOperations {
@@ -263,19 +375,15 @@ var TaskOperations = class _TaskOperations {
     this.supabase = supabase;
   }
   /**
-   * Create TaskOperations from AuthManager
-   */
+     * Create TaskOperations from AuthManager
+     * Automatically refreshes expired tokens
+     */
   static async fromAuthManager(authManager) {
-    const supabaseUrl = await authManager.getConfig("supabase_url");
-    const supabaseKey = await authManager.getConfig("supabase_key");
-    const accessToken = await authManager.getAccessToken();
-    if (!supabaseUrl || !supabaseKey) {
-      throw new Error(
-        "Supabase configuration not found. Run: taskflow login"
-      );
-    }
+    const supabaseUrl = await authManager.getConfig("supabase_url") || "https://cbkkztbcoitrfcleghfd.supabase.co";
+    const supabaseKey = await authManager.getConfig("supabase_key") || "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImNia2t6dGJjb2l0cmZjbGVnaGZkIiwicm9sZSI6ImFub24iLCJpYXQiOjE3Njc3NTc0MjgsImV4cCI6MjA4MzMzMzQyOH0.G7ILx-nntP0NbxO1gKt5yASb7nt7OmpJ8qtykeGYbQA";
+    const accessToken = await authManager.getValidAccessToken();
     if (!accessToken) {
-      throw new Error("Not authenticated. Run: taskflow login");
+      throw new Error("Not authenticated or session expired. Run: vibetasks login --browser");
     }
     const supabase = createSupabaseClient({
       supabaseUrl,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibetasks/core",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Shared core logic for VibeTasks MCP server and CLI - authentication, task operations, and config management",
   "author": "Vyas",
   "license": "MIT",