@vkenliu/adit-cloud 0.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vkenliu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/auth/credentials.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Cloud credential storage.
+ *
+ * Persists JWT tokens and server-assigned client ID to
+ * ~/.adit/cloud-credentials.json with restricted file permissions.
+ */
+export interface CloudCredentials {
+    /** Authentication type: "device" (default) or "token" (static JWT) */
+    authType?: "device" | "token";
+    /** JWT access token (1-hour expiry for device, static for token) */
+    accessToken: string;
+    /** Opaque refresh token (90-day expiry); empty string for token auth */
+    refreshToken: string;
+    /** Server-assigned client UUID */
+    clientId: string;
+    /** Access token expiration (ISO 8601); empty string for token auth (never expires) */
+    expiresAt: string;
+    /** Server URL these credentials belong to */
+    serverUrl: string;
+    /** Consecutive sync error count (circuit breaker) */
+    syncErrorCount?: number;
+    /** True when circuit breaker has tripped (sync disabled) */
+    syncDisabled?: boolean;
+    /** ISO 8601 timestamp of the first error in the current failure window */
+    firstSyncErrorAt?: string;
+}
+/** Load stored credentials, or null if not logged in */
+export declare function loadCredentials(): CloudCredentials | null;
+/** Save credentials to disk with restricted permissions (0600) */
+export declare function saveCredentials(creds: CloudCredentials): void;
+/** Remove stored credentials (logout) */
+export declare function clearCredentials(): void;
+/** Check if the access token has expired (with 60s safety margin) */
+export declare function isTokenExpired(creds: CloudCredentials): boolean;
+/**
+ * Create in-memory credentials from the ADIT_AUTH_TOKEN env var.
+ * Returns null if the env var is not set.
+ */
+export declare function credentialsFromEnvToken(serverUrl: string, clientId: string): CloudCredentials | null;
+/**
+ * Increment the sync error counter in stored credentials.
+ *
+ * The circuit breaker uses a time-windowed approach: errors are only
+ * counted within a rolling window (default 1 hour). If the first error
+ * in the current window is older than the window, the counter resets
+ * before incrementing. This ensures that transient outages don't
+ * permanently disable auto-sync.
+ *
+ * Returns true if sync is now disabled (threshold reached within window).
+ */
+export declare function incrementSyncErrors(threshold?: number): boolean;
+/** Reset sync error counter and re-enable sync. */
+export declare function clearSyncErrors(): void;
+/**
+ * Check if sync has been disabled by the circuit breaker.
+ *
+ * If the breaker is tripped but the error window has expired (>1 hour
+ * since the first error), automatically resets the breaker and returns
+ * false — giving auto-sync another chance.
+ */
+export declare function isSyncDisabled(): boolean;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/auth/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/auth/credentials.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC;IAC9B,oEAAoE;IACpE,WAAW,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,sFAAsF;IACtF,SAAS,EAAE,MAAM,CAAC;IAClB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,qDAAqD;IACrD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,4DAA4D;IAC5D,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAQD,wDAAwD;AACxD,wBAAgB,eAAe,IAAI,gBAAgB,GAAG,IAAI,CAgBzD;AAED,kEAAkE;AAClE,wBAAgB,eAAe,CAAC,KAAK,EAAE,gBAAgB,GAAG,IAAI,CAS7D;AAED,yCAAyC;AACzC,wBAAgB,gBAAgB,IAAI,IAAI,CAKvC;AAED,qEAAqE;AACrE,wBAAgB,cAAc,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAM/D;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,GACf,gBAAgB,GAAG,IAAI,CAWzB;AAKD;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,SAAI,GAAG,OAAO,CAyB1D;AAED,mDAAmD;AACnD,wBAAgB,eAAe,IAAI,IAAI,CAUtC;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,IAAI,OAAO,CAexC"}

package/dist/auth/credentials.js

@@ -0,0 +1,151 @@
+/**
+ * Cloud credential storage.
+ *
+ * Persists JWT tokens and server-assigned client ID to
+ * ~/.adit/cloud-credentials.json with restricted file permissions.
+ */
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync, chmodSync, } from "node:fs";
+const CREDENTIALS_FILE = "cloud-credentials.json";
+function credentialsPath() {
+    return join(homedir(), ".adit", CREDENTIALS_FILE);
+}
+/** Load stored credentials, or null if not logged in */
+export function loadCredentials() {
+    const path = credentialsPath();
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (!parsed.accessToken)
+            return null;
+        // Token auth only requires accessToken; device auth requires all fields
+        if (parsed.authType !== "token" && (!parsed.refreshToken || !parsed.clientId)) {
+            return null;
+        }
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/** Save credentials to disk with restricted permissions (0600) */
+export function saveCredentials(creds) {
+    const path = credentialsPath();
+    mkdirSync(join(homedir(), ".adit"), { recursive: true });
+    writeFileSync(path, JSON.stringify(creds, null, 2), "utf-8");
+    try {
+        chmodSync(path, 0o600);
+    }
+    catch {
+        // chmod may fail on some platforms (Windows) — not critical
+    }
+}
+/** Remove stored credentials (logout) */
+export function clearCredentials() {
+    const path = credentialsPath();
+    if (existsSync(path)) {
+        unlinkSync(path);
+    }
+}
+/** Check if the access token has expired (with 60s safety margin) */
+export function isTokenExpired(creds) {
+    // Static tokens never expire
+    if (creds.authType === "token")
+        return false;
+    const expiresAt = new Date(creds.expiresAt).getTime();
+    const safetyMarginMs = 60_000; // Refresh 60s before actual expiry
+    return Date.now() >= expiresAt - safetyMarginMs;
+}
+/**
+ * Create in-memory credentials from the ADIT_AUTH_TOKEN env var.
+ * Returns null if the env var is not set.
+ */
+export function credentialsFromEnvToken(serverUrl, clientId) {
+    const token = process.env.ADIT_AUTH_TOKEN;
+    if (!token)
+        return null;
+    return {
+        authType: "token",
+        accessToken: token,
+        refreshToken: "",
+        clientId,
+        expiresAt: "",
+        serverUrl,
+    };
+}
+/** Default circuit breaker window in milliseconds (1 hour) */
+const CIRCUIT_BREAKER_WINDOW_MS = 60 * 60 * 1000;
+/**
+ * Increment the sync error counter in stored credentials.
+ *
+ * The circuit breaker uses a time-windowed approach: errors are only
+ * counted within a rolling window (default 1 hour). If the first error
+ * in the current window is older than the window, the counter resets
+ * before incrementing. This ensures that transient outages don't
+ * permanently disable auto-sync.
+ *
+ * Returns true if sync is now disabled (threshold reached within window).
+ */
+export function incrementSyncErrors(threshold = 5) {
+    const creds = loadCredentials();
+    if (!creds)
+        return false;
+    const now = new Date().toISOString();
+    let count = creds.syncErrorCount ?? 0;
+    let firstErrorAt = creds.firstSyncErrorAt ?? now;
+    // If the first error is outside the window, reset the counter
+    const elapsed = Date.now() - new Date(firstErrorAt).getTime();
+    if (elapsed > CIRCUIT_BREAKER_WINDOW_MS) {
+        count = 0;
+        firstErrorAt = now;
+    }
+    count += 1;
+    const disabled = count >= threshold;
+    saveCredentials({
+        ...creds,
+        syncErrorCount: count,
+        syncDisabled: disabled,
+        firstSyncErrorAt: firstErrorAt,
+    });
+    return disabled;
+}
+/** Reset sync error counter and re-enable sync. */
+export function clearSyncErrors() {
+    const creds = loadCredentials();
+    if (!creds)
+        return;
+    if (!creds.syncErrorCount && !creds.syncDisabled)
+        return;
+    saveCredentials({
+        ...creds,
+        syncErrorCount: 0,
+        syncDisabled: false,
+        firstSyncErrorAt: undefined,
+    });
+}
+/**
+ * Check if sync has been disabled by the circuit breaker.
+ *
+ * If the breaker is tripped but the error window has expired (>1 hour
+ * since the first error), automatically resets the breaker and returns
+ * false — giving auto-sync another chance.
+ */
+export function isSyncDisabled() {
+    const creds = loadCredentials();
+    if (creds?.syncDisabled !== true)
+        return false;
+    // Auto-reset if the error window has expired
+    const firstErrorAt = creds.firstSyncErrorAt;
+    if (firstErrorAt) {
+        const elapsed = Date.now() - new Date(firstErrorAt).getTime();
+        if (elapsed > CIRCUIT_BREAKER_WINDOW_MS) {
+            clearSyncErrors();
+            return false;
+        }
+    }
+    return true;
+}
+//# sourceMappingURL=credentials.js.map

package/dist/auth/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/auth/credentials.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EACL,UAAU,EACV,YAAY,EACZ,aAAa,EACb,SAAS,EACT,UAAU,EACV,SAAS,GACV,MAAM,SAAS,CAAC;AAuBjB,MAAM,gBAAgB,GAAG,wBAAwB,CAAC;AAElD,SAAS,eAAe;IACtB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;AACpD,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,eAAe;IAC7B,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAC/B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QACnD,IAAI,CAAC,MAAM,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QACrC,wEAAwE;QACxE,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,CAAC,MAAM,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9E,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,eAAe,CAAC,KAAuB;IACrD,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAC/B,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAC7D,IAAI,CAAC;QACH,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,4DAA4D;IAC9D,CAAC;AACH,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,gBAAgB;IAC9B,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAC/B,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,UAAU,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,cAAc,CAAC,KAAuB;IACpD,6BAA6B;IAC7B,IAAI,KAAK,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAC7C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;IACtD,MAAM,cAAc,GAAG,MAAM,CAAC,CAAC,mCAAmC;IAClE,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,SAAS,GAAG,cAAc,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,SAAiB,EACjB,QAAgB;IAEhB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,KAAK;QAClB,YAAY,EAAE,EAAE;QAChB,QAAQ;QACR,SAAS,EAAE,EAAE;QACb,SAAS;KACV,CAAC;AACJ,CAAC;AAED,8DAA8D;AAC9D,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEjD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAS,GAAG,CAAC;IAC/C,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAEzB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,KAAK,GAAG,KAAK,CAAC,cAAc,IAAI,CAAC,CAAC;IACtC,IAAI,YAAY,GAAG,KAAK,CAAC,gBAAgB,IAAI,GAAG,CAAC;IAEjD,8DAA8D;IAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC;IAC9D,IAAI,OAAO,GAAG,yBAAyB,EAAE,CAAC;QACxC,KAAK,GAAG,CAAC,CAAC;QACV,YAAY,GAAG,GAAG,CAAC;IACrB,CAAC;IAED,KAAK,IAAI,CAAC,CAAC;IACX,MAAM,QAAQ,GAAG,KAAK,IAAI,SAAS,CAAC;IAEpC,eAAe,CAAC;QACd,GAAG,KAAK;QACR,cAAc,EAAE,KAAK;QACrB,YAAY,EAAE,QAAQ;QACtB,gBAAgB,EAAE,YAAY;KAC/B,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,eAAe;IAC7B,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO;IACnB,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,CAAC,KAAK,CAAC,YAAY;QAAE,OAAO;IACzD,eAAe,CAAC;QACd,GAAG,KAAK;QACR,cAAc,EAAE,CAAC;QACjB,YAAY,EAAE,KAAK;QACnB,gBAAgB,EAAE,SAAS;KAC5B,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK,EAAE,YAAY,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAE/C,6CAA6C;IAC7C,MAAM,YAAY,GAAG,KAAK,CAAC,gBAAgB,CAAC;IAC5C,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC;QAC9D,IAAI,OAAO,GAAG,yBAAyB,EAAE,CAAC;YACxC,eAAe,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/auth/device-auth.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Device authorization flow.
+ *
+ * Implements the device code flow (similar to GitHub CLI / VS Code):
+ * 1. Client requests a device code + user code
+ * 2. User opens a browser, enters the user code, and approves
+ * 3. Client polls until approved, then receives tokens
+ */
+export interface DeviceCodeResponse {
+    deviceCode: string;
+    userCode: string;
+    verificationUrl: string;
+    expiresAt: string;
+}
+export interface TokenResponse {
+    accessToken: string;
+    refreshToken: string;
+    clientId: string;
+    expiresAt: string;
+}
+export interface DeviceAuthOptions {
+    /** Machine identifier (hardware fingerprint) */
+    machineId: string;
+    /** Platform (e.g., "darwin-arm64") */
+    platform: string;
+    /** ADIT version */
+    aditVersion: string;
+    /** Display name for the device (e.g., "MacBook Pro Work") */
+    displayName?: string;
+}
+/** Step 1: Request a device code from the server */
+export declare function requestDeviceCode(serverUrl: string, options: DeviceAuthOptions): Promise<DeviceCodeResponse>;
+/**
+ * Step 2: Poll for token approval.
+ *
+ * Polls the server every `intervalMs` until the user approves
+ * the device or the request expires/times out.
+ */
+export declare function pollForToken(serverUrl: string, deviceCode: string, intervalMs?: number, timeoutMs?: number): Promise<TokenResponse>;
+//# sourceMappingURL=device-auth.d.ts.map

package/dist/auth/device-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-auth.d.ts","sourceRoot":"","sources":["../../src/auth/device-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,oDAAoD;AACpD,wBAAsB,iBAAiB,CACrC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,kBAAkB,CAAC,CAgC7B;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,UAAU,SAAO,EACjB,SAAS,SAAU,GAClB,OAAO,CAAC,aAAa,CAAC,CAwDxB"}

package/dist/auth/device-auth.js

@@ -0,0 +1,84 @@
+/**
+ * Device authorization flow.
+ *
+ * Implements the device code flow (similar to GitHub CLI / VS Code):
+ * 1. Client requests a device code + user code
+ * 2. User opens a browser, enters the user code, and approves
+ * 3. Client polls until approved, then receives tokens
+ */
+import { CloudApiError, CloudNetworkError } from "../http/errors.js";
+/** Step 1: Request a device code from the server */
+export async function requestDeviceCode(serverUrl, options) {
+    const url = `${serverUrl.replace(/\/$/, "")}/api/auth/device`;
+    try {
+        const response = await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                machineId: options.machineId,
+                platform: options.platform,
+                aditVersion: options.aditVersion,
+                displayName: options.displayName,
+            }),
+        });
+        if (!response.ok) {
+            const body = await response.text();
+            throw new CloudApiError(`Failed to request device code: ${response.status}`, response.status, body);
+        }
+        return (await response.json());
+    }
+    catch (error) {
+        if (error instanceof CloudApiError)
+            throw error;
+        throw new CloudNetworkError(`Failed to connect to ${serverUrl}: ${error instanceof Error ? error.message : String(error)}`, error instanceof Error ? error : undefined);
+    }
+}
+/**
+ * Step 2: Poll for token approval.
+ *
+ * Polls the server every `intervalMs` until the user approves
+ * the device or the request expires/times out.
+ */
+export async function pollForToken(serverUrl, deviceCode, intervalMs = 5000, timeoutMs = 300_000) {
+    const url = `${serverUrl.replace(/\/$/, "")}/api/auth/device/token`;
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        try {
+            const response = await fetch(url, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ deviceCode }),
+            });
+            if (response.ok) {
+                return (await response.json());
+            }
+            // 428 = authorization_pending (standard device flow response)
+            if (response.status === 428) {
+                await sleep(intervalMs);
+                continue;
+            }
+            // 410 = expired
+            if (response.status === 410) {
+                throw new CloudApiError("Device authorization request expired. Please try again.", 410);
+            }
+            // 409 = denied
+            if (response.status === 409) {
+                throw new CloudApiError("Device authorization was denied by the user.", 409);
+            }
+            // Other errors
+            const body = await response.text();
+            throw new CloudApiError(`Unexpected response during device polling: ${response.status}`, response.status, body);
+        }
+        catch (error) {
+            if (error instanceof CloudApiError)
+                throw error;
+            // Network errors during polling — wait and retry
+            await sleep(intervalMs);
+        }
+    }
+    throw new CloudApiError("Device authorization timed out. Please try again.", 408);
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=device-auth.js.map

package/dist/auth/device-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-auth.js","sourceRoot":"","sources":["../../src/auth/device-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AA2BrE,oDAAoD;AACpD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAiB,EACjB,OAA0B;IAE1B,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC;IAE9D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,IAAI,aAAa,CACrB,kCAAkC,QAAQ,CAAC,MAAM,EAAE,EACnD,QAAQ,CAAC,MAAM,EACf,IAAI,CACL,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAuB,CAAC;IACvD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,aAAa;YAAE,MAAM,KAAK,CAAC;QAChD,MAAM,IAAI,iBAAiB,CACzB,wBAAwB,SAAS,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EAC9F,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC3C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,UAAkB,EAClB,UAAU,GAAG,IAAI,EACjB,SAAS,GAAG,OAAO;IAEnB,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,wBAAwB,CAAC;IACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAExC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,CAAC;aACrC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;YAClD,CAAC;YAED,8DAA8D;YAC9D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;gBACxB,SAAS;YACX,CAAC;YAED,gBAAgB;YAChB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,aAAa,CACrB,yDAAyD,EACzD,GAAG,CACJ,CAAC;YACJ,CAAC;YAED,eAAe;YACf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,aAAa,CACrB,8CAA8C,EAC9C,GAAG,CACJ,CAAC;YACJ,CAAC;YAED,eAAe;YACf,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,IAAI,aAAa,CACrB,8CAA8C,QAAQ,CAAC,MAAM,EAAE,EAC/D,QAAQ,CAAC,MAAM,EACf,IAAI,CACL,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,aAAa;gBAAE,MAAM,KAAK,CAAC;YAChD,iDAAiD;YACjD,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,MAAM,IAAI,aAAa,CACrB,mDAAmD,EACnD,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Cloud sync configuration.
+ *
+ * Loaded from environment variables with sensible defaults.
+ * Cloud sync is entirely optional — when serverUrl is null,
+ * all cloud features are disabled.
+ */
+export interface CloudConfig {
+    /** Cloud server URL (e.g., "https://adit-cloud.varve.ai") */
+    serverUrl: string | null;
+    /** Whether cloud sync is enabled */
+    enabled: boolean;
+    /** Auto-sync after hook events (fire-and-forget) */
+    autoSync: boolean;
+    /** Max records per sync batch (server limit: 500) */
+    batchSize: number;
+    /** Minimum unsynced events before auto-sync triggers (default: 20) */
+    syncThreshold: number;
+    /** Hours since last successful sync before auto-sync triggers regardless of count (default: 2) */
+    syncTimeoutHours: number;
+    /** Transcript upload configuration */
+    transcriptUpload: TranscriptUploadConfig;
+    /** Project-link auto-sync configuration */
+    projectLink: ProjectLinkConfig;
+}
+export interface ProjectLinkConfig {
+    /** Whether project-link auto-sync is enabled on session-start (default: true) */
+    autoSync: boolean;
+    /** Hours before cached project-link data is considered stale (default: 2) */
+    staleHours: number;
+}
+export interface TranscriptUploadConfig {
+    /** Whether transcript upload is enabled (default: true) */
+    enabled: boolean;
+    /** Interval in seconds between upload checks (default: 30) */
+    pollIntervalSec: number;
+    /** Max concurrent uploads (default: 2) */
+    maxConcurrent: number;
+    /** Max consecutive failures per file before giving up (default: 3) */
+    maxRetries: number;
+    /** Minimum bytes of new data before uploading an increment (default: 1024) */
+    minIncrementBytes: number;
+}
+/** Default cloud server URL */
+export declare const DEFAULT_SERVER_URL = "https://adit-cloud.varve.ai";
+/** Load cloud configuration from environment variables */
+export declare function loadCloudConfig(): CloudConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,WAAW;IAC1B,6DAA6D;IAC7D,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,sEAAsE;IACtE,aAAa,EAAE,MAAM,CAAC;IACtB,kGAAkG;IAClG,gBAAgB,EAAE,MAAM,CAAC;IACzB,sCAAsC;IACtC,gBAAgB,EAAE,sBAAsB,CAAC;IACzC,2CAA2C;IAC3C,WAAW,EAAE,iBAAiB,CAAC;CAChC;AAED,MAAM,WAAW,iBAAiB;IAChC,iFAAiF;IACjF,QAAQ,EAAE,OAAO,CAAC;IAClB,6EAA6E;IAC7E,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,2DAA2D;IAC3D,OAAO,EAAE,OAAO,CAAC;IACjB,8DAA8D;IAC9D,eAAe,EAAE,MAAM,CAAC;IACxB,0CAA0C;IAC1C,aAAa,EAAE,MAAM,CAAC;IACtB,sEAAsE;IACtE,UAAU,EAAE,MAAM,CAAC;IACnB,8EAA8E;IAC9E,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,+BAA+B;AAC/B,eAAO,MAAM,kBAAkB,gCAAgC,CAAC;AAEhE,0DAA0D;AAC1D,wBAAgB,eAAe,IAAI,WAAW,CA6B7C"}

package/dist/config.js

@@ -0,0 +1,80 @@
+/**
+ * Cloud sync configuration.
+ *
+ * Loaded from environment variables with sensible defaults.
+ * Cloud sync is entirely optional — when serverUrl is null,
+ * all cloud features are disabled.
+ */
+/** Default cloud server URL */
+export const DEFAULT_SERVER_URL = "https://adit-cloud.varve.ai";
+/** Load cloud configuration from environment variables */
+export function loadCloudConfig() {
+    const serverUrl = process.env.ADIT_CLOUD_URL ?? null;
+    // Cloud is enabled unless explicitly disabled via env var.
+    // When ADIT_CLOUD_ENABLED is not set, enabled is true — actual
+    // activation depends on credentials existing (checked by auto-sync).
+    const enabled = process.env.ADIT_CLOUD_ENABLED !== "false";
+    // Auto-sync is enabled by default when credentials exist.
+    // Only disabled when explicitly set to "false".
+    const autoSync = process.env.ADIT_CLOUD_AUTO_SYNC !== "false";
+    return {
+        serverUrl,
+        enabled,
+        autoSync,
+        batchSize: Math.min(parseInt(process.env.ADIT_CLOUD_BATCH_SIZE ?? "500", 10) || 500, 500),
+        syncThreshold: parseSyncThreshold(process.env.ADIT_CLOUD_SYNC_THRESHOLD),
+        syncTimeoutHours: parseSyncTimeoutHours(process.env.ADIT_CLOUD_SYNC_TIMEOUT_HOURS),
+        transcriptUpload: loadTranscriptUploadConfig(),
+        projectLink: loadProjectLinkConfig(),
+    };
+}
+function loadTranscriptUploadConfig() {
+    return {
+        enabled: process.env.ADIT_TRANSCRIPT_UPLOAD !== "false",
+        pollIntervalSec: parsePositiveInt(process.env.ADIT_TRANSCRIPT_POLL_INTERVAL, 30),
+        maxConcurrent: parsePositiveInt(process.env.ADIT_TRANSCRIPT_MAX_CONCURRENT, 2),
+        maxRetries: parsePositiveInt(process.env.ADIT_TRANSCRIPT_MAX_RETRIES, 3),
+        minIncrementBytes: parsePositiveInt(process.env.ADIT_TRANSCRIPT_MIN_INCREMENT, 1024),
+    };
+}
+function loadProjectLinkConfig() {
+    return {
+        autoSync: process.env.ADIT_PROJECT_LINK_AUTO_SYNC !== "false",
+        staleHours: parsePositiveFloat(process.env.ADIT_PROJECT_LINK_STALE_HOURS, 2),
+    };
+}
+function parsePositiveFloat(raw, defaultVal) {
+    if (raw === undefined)
+        return defaultVal;
+    const parsed = parseFloat(raw);
+    if (Number.isNaN(parsed) || parsed <= 0)
+        return defaultVal;
+    return parsed;
+}
+function parseSyncTimeoutHours(raw) {
+    const DEFAULT = 2;
+    if (raw === undefined)
+        return DEFAULT;
+    const parsed = parseFloat(raw);
+    if (Number.isNaN(parsed) || parsed <= 0)
+        return DEFAULT;
+    return parsed;
+}
+function parseSyncThreshold(raw) {
+    const DEFAULT = 20;
+    if (raw === undefined)
+        return DEFAULT;
+    const parsed = parseInt(raw, 10);
+    if (Number.isNaN(parsed))
+        return DEFAULT;
+    return Math.max(parsed, 1);
+}
+function parsePositiveInt(raw, defaultVal) {
+    if (raw === undefined)
+        return defaultVal;
+    const parsed = parseInt(raw, 10);
+    if (Number.isNaN(parsed) || parsed < 1)
+        return defaultVal;
+    return parsed;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAyCH,+BAA+B;AAC/B,MAAM,CAAC,MAAM,kBAAkB,GAAG,6BAA6B,CAAC;AAEhE,0DAA0D;AAC1D,MAAM,UAAU,eAAe;IAC7B,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC;IAErD,2DAA2D;IAC3D,+DAA+D;IAC/D,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,OAAO,CAAC;IAE3D,0DAA0D;IAC1D,gDAAgD;IAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,OAAO,CAAC;IAE9D,OAAO;QACL,SAAS;QACT,OAAO;QACP,QAAQ;QACR,SAAS,EAAE,IAAI,CAAC,GAAG,CACjB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,KAAK,EAAE,EAAE,CAAC,IAAI,GAAG,EAC/D,GAAG,CACJ;QACD,aAAa,EAAE,kBAAkB,CAC/B,OAAO,CAAC,GAAG,CAAC,yBAAyB,CACtC;QACD,gBAAgB,EAAE,qBAAqB,CACrC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAC1C;QACD,gBAAgB,EAAE,0BAA0B,EAAE;QAC9C,WAAW,EAAE,qBAAqB,EAAE;KACrC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B;IACjC,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,OAAO;QACvD,eAAe,EAAE,gBAAgB,CAC/B,OAAO,CAAC,GAAG,CAAC,6BAA6B,EACzC,EAAE,CACH;QACD,aAAa,EAAE,gBAAgB,CAC7B,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAC1C,CAAC,CACF;QACD,UAAU,EAAE,gBAAgB,CAC1B,OAAO,CAAC,GAAG,CAAC,2BAA2B,EACvC,CAAC,CACF;QACD,iBAAiB,EAAE,gBAAgB,CACjC,OAAO,CAAC,GAAG,CAAC,6BAA6B,EACzC,IAAI,CACL;KACF,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB;IAC5B,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,OAAO;QAC7D,UAAU,EAAE,kBAAkB,CAC5B,OAAO,CAAC,GAAG,CAAC,6BAA6B,EACzC,CAAC,CACF;KACF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAuB,EAAE,UAAkB;IACrE,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,UAAU,CAAC;IACzC,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,UAAU,CAAC;IAC3D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAuB;IACpD,MAAM,OAAO,GAAG,CAAC,CAAC;IAClB,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC;IACtC,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,OAAO,CAAC;IACxD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAuB;IACjD,MAAM,OAAO,GAAG,EAAE,CAAC;IACnB,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC;IACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjC,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;QAAE,OAAO,OAAO,CAAC;IACzC,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAuB,EAAE,UAAkB;IACnE,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,UAAU,CAAC;IACzC,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjC,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAC1D,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/http/client.d.ts

@@ -0,0 +1,28 @@
+/**
+ * HTTP client for adit-cloud API.
+ *
+ * Handles Bearer auth, automatic token refresh, and exponential
+ * backoff retry on network errors and 429 rate limits.
+ */
+import type { CloudCredentials } from "../auth/credentials.js";
+export declare class CloudClient {
+    private credentials;
+    private readonly serverUrl;
+    constructor(serverUrl: string, credentials: CloudCredentials);
+    /** GET request with auth */
+    get<T>(path: string): Promise<T>;
+    /** HEAD request with auth — returns headers only */
+    head(path: string): Promise<Record<string, string>>;
+    /** POST request with auth and JSON body */
+    post<T>(path: string, body: unknown): Promise<T>;
+    /** PATCH request with auth */
+    patch<T>(path: string, body: unknown): Promise<T>;
+    /** DELETE request with auth */
+    delete(path: string): Promise<void>;
+    /** Get the current credentials (may have been refreshed) */
+    getCredentials(): CloudCredentials;
+    private request;
+    /** Refresh the access token using the refresh token */
+    private refreshToken;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/http/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/http/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAQ/D,qBAAa,WAAW;IACtB,OAAO,CAAC,WAAW,CAAmB;IACtC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,gBAAgB;IAK5D,4BAA4B;IACtB,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAItC,oDAAoD;IAC9C,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAoDzD,2CAA2C;IACrC,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAItD,8BAA8B;IACxB,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIvD,+BAA+B;IACzB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzC,4DAA4D;IAC5D,cAAc,IAAI,gBAAgB;YAIpB,OAAO;IAoJrB,uDAAuD;YACzC,YAAY;CA8C3B"}