@westbayberry/dg 1.3.3 → 2.0.0

package/dist/auth/device-login.js

@@ -0,0 +1,271 @@
+import { spawn } from "node:child_process";
+import { closeSync, openSync, readSync } from "node:fs";
+import { displayTier, writeAuthState } from "./store.js";
+import { loadUserConfig } from "../config/settings.js";
+import { createTheme } from "../presentation/theme.js";
+import { resolvePresentation } from "../presentation/mode.js";
+const DEFAULT_WEB_BASE = "https://westbayberry.com";
+export const POLL_INTERVAL_MS = 2000;
+export const POLL_TIMEOUT_MS = 5 * 60_000;
+export function resolveWebBase(env) {
+    const override = env.DG_AUTH_BASE;
+    if (override) {
+        try {
+            const url = new URL(override);
+            if (url.protocol === "https:" || url.hostname === "localhost" || url.hostname === "127.0.0.1") {
+                return override.replace(/\/$/, "");
+            }
+        }
+        catch {
+            // fall through to derived/default base
+        }
+    }
+    try {
+        const url = new URL(loadUserConfig(env).api.baseUrl);
+        if (url.hostname.startsWith("api.")) {
+            return `${url.protocol}//${url.hostname.slice(4)}`;
+        }
+    }
+    catch {
+        // fall through to default base
+    }
+    return DEFAULT_WEB_BASE;
+}
+function isSameOrSubdomain(host, base) {
+    return host === base || host.endsWith(`.${base}`);
+}
+export function assertTrustedVerifyUrl(verifyUrl, webBase) {
+    let verify;
+    try {
+        verify = new URL(verifyUrl);
+    }
+    catch {
+        throw new Error("login server returned an invalid verify URL");
+    }
+    if (verify.protocol !== "https:" && verify.protocol !== "http:") {
+        throw new Error("login server returned an unsupported verify URL");
+    }
+    const baseHost = new URL(webBase).hostname;
+    if (!isSameOrSubdomain(verify.hostname, baseHost)) {
+        throw new Error(`refusing to open verify URL on untrusted host '${verify.hostname}'`);
+    }
+    return verifyUrl;
+}
+export async function createAuthSession(webBase, fetchImpl) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10_000);
+    try {
+        const response = await fetchImpl(`${webBase}/cli/auth/sessions`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            signal: controller.signal
+        });
+        if (!response.ok) {
+            throw new Error(`could not start login (HTTP ${response.status})`);
+        }
+        const json = (await response.json());
+        const verifyUrl = assertTrustedVerifyUrl(json.verify_url, webBase);
+        return { sessionId: json.session_id, verifyUrl, expiresIn: json.expires_in };
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+export async function pollAuthSession(webBase, sessionId, fetchImpl) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 8_000);
+    try {
+        const response = await fetchImpl(`${webBase}/cli/auth/sessions/${sessionId}/token`, { signal: controller.signal });
+        if (response.status >= 500) {
+            return { status: "pending" };
+        }
+        if (response.status === 404 || !response.ok) {
+            return { status: "expired" };
+        }
+        const json = (await response.json());
+        return { status: json.status, apiKey: json.api_key, email: json.email };
+    }
+    catch (error) {
+        if (error instanceof Error && error.name === "AbortError") {
+            return { status: "pending" };
+        }
+        return { status: "expired" };
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+export function openBrowser(url) {
+    try {
+        const parsed = new URL(url);
+        if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+            return;
+        }
+    }
+    catch {
+        return;
+    }
+    let command;
+    let args;
+    switch (process.platform) {
+        case "darwin":
+            command = "open";
+            args = [url];
+            break;
+        case "linux":
+            command = "xdg-open";
+            args = [url];
+            break;
+        case "win32":
+            command = "cmd.exe";
+            args = ["/c", "start", "", url];
+            break;
+        default:
+            return;
+    }
+    try {
+        const child = spawn(command, args, { stdio: "ignore", detached: true });
+        child.on("error", () => { });
+        child.unref();
+    }
+    catch {
+        // a failed browser open is non-fatal; the verify URL is printed too
+    }
+}
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function waitForEnter() {
+    let tty;
+    try {
+        tty = openSync("/dev/tty", "rs");
+    }
+    catch {
+        return;
+    }
+    try {
+        const byte = Buffer.alloc(1);
+        for (;;) {
+            let read = 0;
+            try {
+                read = readSync(tty, byte, 0, 1, null);
+            }
+            catch (error) {
+                if (error.code === "EAGAIN") {
+                    continue;
+                }
+                break;
+            }
+            if (read === 0) {
+                break;
+            }
+            const char = byte.toString("utf8");
+            if (char === "\n" || char === "\r") {
+                break;
+            }
+        }
+    }
+    finally {
+        closeSync(tty);
+    }
+}
+export async function fetchAccountTier(token, env, fetchImpl) {
+    let apiBase;
+    try {
+        apiBase = loadUserConfig(env).api.baseUrl.replace(/\/$/, "");
+    }
+    catch {
+        return null;
+    }
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), 5_000);
+    try {
+        const response = await fetchImpl(`${apiBase}/v1/auth/status`, {
+            headers: { Authorization: `Bearer ${token}` },
+            signal: controller.signal
+        });
+        if (!response.ok) {
+            return null;
+        }
+        const body = (await response.json());
+        if (typeof body.tier !== "string" || body.tier.length === 0) {
+            return null;
+        }
+        return body.tier.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+export async function runDeviceLogin(io = {}) {
+    const env = io.env ?? process.env;
+    const fetchImpl = io.fetchImpl ?? fetch;
+    const stderr = io.stderr ?? process.stderr;
+    const open = io.open ?? openBrowser;
+    const confirm = io.confirm ?? waitForEnter;
+    const now = io.now ?? Date.now;
+    const sleep = io.sleep ?? delay;
+    const webBase = resolveWebBase(env);
+    const theme = createTheme(resolvePresentation().color);
+    const accent = (text) => theme.paint("accent", text);
+    const muted = (text) => theme.paint("muted", text);
+    let session;
+    try {
+        session = await createAuthSession(webBase, fetchImpl);
+    }
+    catch (error) {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: `dg login: ${error instanceof Error ? error.message : "could not start login"}.\n`
+        };
+    }
+    stderr.write(`\n  Sign in at:\n  ${accent(session.verifyUrl)}\n\n  ${muted("Press Enter to open it in your browser…")}`);
+    confirm();
+    open(session.verifyUrl);
+    stderr.write(`\n  ${muted("Waiting for you to approve in the browser…")}\n\n`);
+    const deadline = now() + POLL_TIMEOUT_MS;
+    for (;;) {
+        const result = await pollAuthSession(webBase, session.sessionId, fetchImpl);
+        if (result.status === "complete" && result.apiKey) {
+            const tier = await fetchAccountTier(result.apiKey, env, fetchImpl);
+            writeAuthState({ token: result.apiKey, email: result.email, tier: tier ?? undefined });
+            const who = result.email ? ` as ${result.email}` : "";
+            return {
+                exitCode: 0,
+                stdout: `✓ Logged in${who}${tier ? ` ${muted(`(${displayTier(tier)} plan)`)}` : ""}.\n`,
+                stderr: ""
+            };
+        }
+        if (result.status === "expired") {
+            return { exitCode: 1, stdout: "", stderr: "dg login: that login link expired. Run 'dg login' again.\n" };
+        }
+        if (now() >= deadline) {
+            return { exitCode: 1, stdout: "", stderr: "dg login: timed out waiting for browser approval. Run 'dg login' again.\n" };
+        }
+        await sleep(POLL_INTERVAL_MS);
+    }
+}
+export async function maybeDeviceLogin(args) {
+    const noop = { exitCode: 0, stdout: "", stderr: "" };
+    if (args[0] !== "login") {
+        return { handled: false, result: noop };
+    }
+    const rest = args.slice(1);
+    if (rest.some((arg) => arg === "--token" || arg.startsWith("--token=") || arg === "--help" || arg === "-h")) {
+        return { handled: false, result: noop };
+    }
+    if (!process.stdin.isTTY || !process.stderr.isTTY) {
+        return { handled: false, result: noop };
+    }
+    const { resolvePresentation } = await import("../presentation/mode.js");
+    if (resolvePresentation().mode === "rich") {
+        const { runDeviceLoginTui } = await import("./login-app.js");
+        const exitCode = await runDeviceLoginTui();
+        return { handled: true, result: { exitCode, stdout: "", stderr: "" } };
+    }
+    return { handled: true, result: await runDeviceLogin() };
+}

package/dist/auth/env-token.js

@@ -0,0 +1,6 @@
+// DG_API_KEY is the documented public name for the CI auth token (every docs page,
+// the settings UI, and the CLI reference use it); DG_API_TOKEN is the historical
+// alias kept for back-compat. Accept either so CI that follows the docs works.
+export function envAuthToken(env) {
+    return env.DG_API_KEY || env.DG_API_TOKEN || undefined;
+}

package/dist/auth/login-app.js

@@ -0,0 +1,156 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useEffect, useRef, useState } from "react";
+import { Box, Text, useApp, useInput } from "ink";
+import { Spinner } from "../scan-ui/components/Spinner.js";
+import { displayTier, writeAuthState } from "./store.js";
+import { POLL_INTERVAL_MS, POLL_TIMEOUT_MS, createAuthSession, fetchAccountTier, openBrowser, pollAuthSession, resolveWebBase } from "./device-login.js";
+const SUCCESS_MIN_MS = 600;
+const SUCCESS_MAX_MS = 2500;
+function useLogin(webBase, env) {
+    const [state, setState] = useState({ phase: "creating", verifyUrl: "", email: "", plan: "", message: "" });
+    const sessionId = useRef("");
+    const started = useRef(false);
+    const cancelled = useRef(false);
+    const tierSettled = useRef(false);
+    const pollTimer = useRef(undefined);
+    useEffect(() => {
+        let sessionCancelled = false;
+        createAuthSession(webBase, fetch)
+            .then((session) => {
+            if (sessionCancelled)
+                return;
+            sessionId.current = session.sessionId;
+            setState((prev) => ({ ...prev, phase: "ready", verifyUrl: session.verifyUrl }));
+        })
+            .catch((error) => {
+            if (sessionCancelled)
+                return;
+            const message = error instanceof Error ? error.message : "could not start login";
+            setState((prev) => ({ ...prev, phase: "error", message }));
+        });
+        return () => {
+            sessionCancelled = true;
+        };
+    }, [webBase]);
+    useEffect(() => {
+        return () => {
+            cancelled.current = true;
+            if (pollTimer.current) {
+                clearTimeout(pollTimer.current);
+                pollTimer.current = undefined;
+            }
+        };
+    }, []);
+    const openAndPoll = () => {
+        if (started.current)
+            return;
+        started.current = true;
+        openBrowser(state.verifyUrl);
+        setState((prev) => ({ ...prev, phase: "waiting" }));
+        void (async () => {
+            const deadline = Date.now() + POLL_TIMEOUT_MS;
+            while (!cancelled.current) {
+                const result = await pollAuthSession(webBase, sessionId.current, fetch);
+                if (cancelled.current)
+                    return;
+                if (result.status === "complete" && result.apiKey) {
+                    const apiKey = result.apiKey;
+                    const email = result.email ?? "";
+                    writeAuthState({ token: apiKey, email: result.email });
+                    setState((prev) => ({ ...prev, phase: "success", email }));
+                    void fetchAccountTier(apiKey, env, fetch)
+                        .then((tier) => {
+                        if (tier) {
+                            writeAuthState({ token: apiKey, email: result.email, tier });
+                            if (!cancelled.current) {
+                                setState((prev) => ({ ...prev, plan: tier }));
+                            }
+                        }
+                    })
+                        .finally(() => {
+                        tierSettled.current = true;
+                    });
+                    return;
+                }
+                if (result.status === "expired") {
+                    setState((prev) => ({ ...prev, phase: "expired" }));
+                    return;
+                }
+                if (Date.now() >= deadline) {
+                    setState((prev) => ({ ...prev, phase: "error", message: "timed out waiting for browser approval" }));
+                    return;
+                }
+                await new Promise((resolve) => {
+                    pollTimer.current = setTimeout(resolve, POLL_INTERVAL_MS);
+                });
+            }
+        })();
+    };
+    return { state, tierSettled, openAndPoll };
+}
+const LoginApp = ({ webBase, env }) => {
+    const { state, tierSettled, openAndPoll } = useLogin(webBase, env);
+    const { exit } = useApp();
+    useEffect(() => {
+        if (state.phase === "expired" || state.phase === "error") {
+            process.exitCode = 1;
+            const timer = setTimeout(() => exit(), 0);
+            return () => clearTimeout(timer);
+        }
+        if (state.phase === "success") {
+            process.exitCode = 0;
+            const start = Date.now();
+            let poll;
+            let cap;
+            const tick = () => {
+                if (tierSettled.current && Date.now() - start >= SUCCESS_MIN_MS) {
+                    exit();
+                    return;
+                }
+                poll = setTimeout(tick, 50);
+            };
+            poll = setTimeout(tick, SUCCESS_MIN_MS);
+            cap = setTimeout(() => exit(), SUCCESS_MAX_MS);
+            return () => {
+                if (poll)
+                    clearTimeout(poll);
+                if (cap)
+                    clearTimeout(cap);
+            };
+        }
+        return undefined;
+    }, [state.phase, exit, tierSettled]);
+    useInput((_input, key) => {
+        if (state.phase === "ready" && key.return) {
+            openAndPoll();
+        }
+        else if (state.phase === "success") {
+            exit();
+        }
+    });
+    switch (state.phase) {
+        case "creating":
+            return (_jsx(Box, { paddingLeft: 1, paddingTop: 1, children: _jsx(Spinner, { label: "Creating login session\u2026" }) }));
+        case "ready":
+            return (_jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingTop: 1, children: [_jsx(Text, { children: "Sign in at:" }), _jsx(Text, { color: "cyan", children: state.verifyUrl }), _jsx(Text, { children: " " }), _jsx(Text, { dimColor: true, children: "Press Enter to open it in your browser\u2026" })] }));
+        case "waiting":
+            return (_jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingTop: 1, children: [_jsx(Text, { children: "Sign in at:" }), _jsx(Text, { color: "cyan", children: state.verifyUrl }), _jsx(Text, { children: " " }), _jsx(Spinner, { label: "Waiting for you to approve in the browser\u2026" })] }));
+        case "success":
+            return (_jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingTop: 1, children: [_jsxs(Text, { color: "green", bold: true, children: ["\u2713 Logged in", state.email ? ` as ${state.email}` : "", state.plan ? ` (${displayTier(state.plan)} plan)` : ""] }), _jsx(Text, { children: " " }), _jsx(Text, { dimColor: true, children: "Run `dg scan` to check your dependencies." })] }));
+        case "expired":
+            return (_jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingTop: 1, children: [_jsx(Text, { color: "yellow", children: "That login link expired." }), _jsx(Text, { dimColor: true, children: "Run `dg login` to try again." })] }));
+        case "error":
+            return (_jsx(Box, { flexDirection: "column", paddingLeft: 1, paddingTop: 1, children: _jsxs(Text, { color: "red", children: ["dg login: ", state.message, "."] }) }));
+    }
+};
+export async function runDeviceLoginTui(env = process.env) {
+    const ci = process.env.CI;
+    if (ci === "" || ci === "0" || ci === "false") {
+        delete process.env.CI;
+    }
+    const { render } = await import("ink");
+    const webBase = resolveWebBase(env);
+    const instance = render(_jsx(LoginApp, { webBase: webBase, env: env }), { exitOnCtrlC: true });
+    await instance.waitUntilExit();
+    return Number(process.exitCode ?? 0);
+}

package/dist/auth/store.js

@@ -0,0 +1,147 @@
+import { existsSync, mkdirSync, readFileSync, renameSync, rmSync, unlinkSync, writeFileSync } from "node:fs";
+import { randomUUID } from "node:crypto";
+import { dirname, join } from "node:path";
+import { loadUserConfig, saveUserConfig } from "../config/settings.js";
+import { resolveDgPaths } from "../state/index.js";
+import { envAuthToken } from "./env-token.js";
+export class AuthError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "AuthError";
+    }
+}
+export function authPath(paths) {
+    return join(paths.configDir, "auth.json");
+}
+export function readAuthState(env = process.env) {
+    const paths = resolveDgPaths(env);
+    const path = authPath(paths);
+    if (!existsSync(path)) {
+        return undefined;
+    }
+    try {
+        const parsed = JSON.parse(readFileSync(path, "utf8"));
+        if (parsed.version !== 1 || !parsed.token || !parsed.apiBaseUrl || parsed.loggedInAt === undefined) {
+            throw new AuthError("unsupported auth state");
+        }
+        const email = typeof parsed.email === "string" && parsed.email.length > 0 ? parsed.email : undefined;
+        const tier = typeof parsed.tier === "string" && parsed.tier.length > 0 ? parsed.tier : undefined;
+        return {
+            version: 1,
+            token: parsed.token,
+            tokenPreview: parsed.tokenPreview ?? redactToken(parsed.token),
+            apiBaseUrl: parsed.apiBaseUrl,
+            orgId: parsed.orgId ?? "",
+            loggedInAt: parsed.loggedInAt,
+            ...(email ? { email } : {}),
+            ...(tier ? { tier } : {})
+        };
+    }
+    catch (error) {
+        throw new AuthError(`Malformed dg auth state at ${path}: ${error instanceof Error ? error.message : "unknown error"}`);
+    }
+}
+export function writeAuthState(options, env = process.env) {
+    const token = options.token.trim();
+    if (token.length < 8) {
+        throw new AuthError("token must be at least 8 characters");
+    }
+    const config = loadUserConfig(env);
+    const apiBaseUrl = options.apiBaseUrl ?? config.api.baseUrl;
+    const orgId = options.orgId ?? config.org.id;
+    const email = typeof options.email === "string" && options.email.length > 0 ? options.email : undefined;
+    const tier = typeof options.tier === "string" && options.tier.length > 0 ? options.tier : undefined;
+    const state = {
+        version: 1,
+        token,
+        tokenPreview: redactToken(token),
+        apiBaseUrl,
+        orgId,
+        loggedInAt: (options.now ?? new Date()).toISOString(),
+        ...(email ? { email } : {}),
+        ...(tier ? { tier } : {})
+    };
+    const paths = resolveDgPaths(env);
+    writeJsonAtomic(authPath(paths), state);
+    saveUserConfig({
+        ...config,
+        api: {
+            baseUrl: apiBaseUrl
+        },
+        org: {
+            id: orgId
+        }
+    }, env);
+    return state;
+}
+export function clearAuthState(env = process.env) {
+    const path = authPath(resolveDgPaths(env));
+    if (!existsSync(path)) {
+        return false;
+    }
+    unlinkSync(path);
+    return true;
+}
+export function authStatus(env = process.env) {
+    const config = loadUserConfig(env);
+    const envToken = envAuthToken(env);
+    if (envToken) {
+        return {
+            authenticated: true,
+            source: "env",
+            tokenPreview: redactToken(envToken),
+            apiBaseUrl: config.api.baseUrl,
+            orgId: config.org.id
+        };
+    }
+    const state = readAuthState(env);
+    if (state) {
+        return {
+            authenticated: true,
+            source: "file",
+            tokenPreview: state.tokenPreview,
+            apiBaseUrl: state.apiBaseUrl,
+            orgId: state.orgId,
+            ...(state.email ? { email: state.email } : {}),
+            ...(state.tier ? { tier: state.tier } : {})
+        };
+    }
+    return {
+        authenticated: false,
+        source: "none",
+        tokenPreview: "",
+        apiBaseUrl: config.api.baseUrl,
+        orgId: config.org.id
+    };
+}
+export function displayTier(tier) {
+    return tier.charAt(0).toUpperCase() + tier.slice(1);
+}
+export function redactToken(token) {
+    const trimmed = token.trim();
+    if (trimmed.length <= 8) {
+        return "<redacted>";
+    }
+    return `${trimmed.slice(0, 4)}...${trimmed.slice(-4)}`;
+}
+function writeJsonAtomic(path, value) {
+    mkdirSync(dirname(path), {
+        recursive: true,
+        mode: 0o700
+    });
+    const tempPath = `${path}.${process.pid}.${randomUUID()}.tmp`;
+    try {
+        writeFileSync(tempPath, `${JSON.stringify(value, null, 2)}\n`, {
+            encoding: "utf8",
+            flag: "wx",
+            mode: 0o600
+        });
+        renameSync(tempPath, path);
+    }
+    catch (error) {
+        rmSync(tempPath, {
+            force: true
+        });
+        throw error;
+    }
+}

package/dist/bin/dg.js

@@ -0,0 +1,71 @@
+#!/usr/bin/env node
+import { assertCurrentNode } from "../runtime/node-version.js";
+assertCurrentNode();
+const EXIT_TOOL_ERROR = 70;
+function exitOnFatal(error) {
+    const message = error instanceof Error ? error.message : String(error);
+    try {
+        process.stderr.write(`dg: unexpected error — ${message}\nRun 'dg doctor' to check your installation; remove ~/.dg/config.json if it is corrupted.\n`);
+    }
+    catch {
+        // stderr is gone; nothing left to report to.
+    }
+    process.exit(EXIT_TOOL_ERROR);
+}
+process.on("uncaughtException", (error) => {
+    if (error.code === "EPIPE") {
+        process.exit(process.exitCode ?? 0);
+    }
+    exitOnFatal(error);
+});
+process.on("unhandledRejection", exitOnFatal);
+process.stdout.on("error", (error) => {
+    if (error.code === "EPIPE") {
+        process.exit(process.exitCode ?? 0);
+    }
+    exitOnFatal(error);
+});
+process.stderr.on("error", () => { });
+const { runCli, writeCliResult } = await import("../runtime/cli.js");
+const { maybeShowFirstRun } = await import("../runtime/first-run.js");
+const { maybePreflightInstallPrompt } = await import("../launcher/preflight-prompt.js");
+const args = process.argv.slice(2);
+maybeShowFirstRun(args);
+const { maybeDeviceLogin } = await import("../auth/device-login.js");
+const { maybeVerifyPackage } = await import("../verify/package-check.js");
+const { maybeAudit } = await import("../commands/audit.js");
+const notHandled = { handled: false };
+const deviceLogin = await maybeDeviceLogin(args);
+const verifyPackage = deviceLogin.handled ? notHandled : await maybeVerifyPackage(args);
+const audit = deviceLogin.handled || verifyPackage.handled ? notHandled : await maybeAudit(args);
+if (deviceLogin.handled) {
+    writeCliResult(deviceLogin.result);
+}
+else if (verifyPackage.handled) {
+    writeCliResult(verifyPackage.result);
+}
+else if (audit.handled) {
+    writeCliResult(audit.result);
+}
+else {
+    const preflight = await maybePreflightInstallPrompt(args);
+    if (preflight.handled) {
+        writeCliResult(preflight.result);
+    }
+    else {
+        const { maybeRunLiveInstall } = await import("../launcher/live-install.js");
+        const liveInstall = await maybeRunLiveInstall(args);
+        if (liveInstall.handled) {
+            writeCliResult(liveInstall.result);
+        }
+        else {
+            writeCliResult(await runCli(args));
+        }
+    }
+}
+// The auth flows (browser login, paid-verify gate, deep audit upload) already
+// tell the user exactly what to do; the throttled nudges would just be noise.
+if (!deviceLogin.handled && !verifyPackage.handled && !audit.handled) {
+    const { maybeShowNudges } = await import("../runtime/nudges.js");
+    maybeShowNudges(args);
+}