agent-messenger 2.17.0 → 2.18.0

package/src/platforms/webex/commands/auth.test.ts

@@ -12,6 +12,8 @@ describe('auth commands', () => {
   let consoleErrorSpy: ReturnType<typeof spyOn>
   let execSpy: ReturnType<typeof spyOn>
   const protoSpies: ReturnType<typeof spyOn>[] = []
+  let originalStdinTTY: boolean | undefined
+  let originalStdoutTTY: boolean | undefined
   const mockPerson = {
     id: 'person-1',
     displayName: 'Test User',
@@ -27,10 +29,19 @@ describe('auth commands', () => {
     return s
   }
 
+  function setTTY(value: boolean | undefined): void {
+    Object.defineProperty(process.stdin, 'isTTY', { value, writable: true, configurable: true })
+    Object.defineProperty(process.stdout, 'isTTY', { value, writable: true, configurable: true })
+  }
+
   beforeEach(() => {
     consoleSpy = spyOn(console, 'log').mockImplementation(() => {})
     consoleErrorSpy = spyOn(console, 'error').mockImplementation(() => {})
     execSpy = spyOn(childProcess, 'exec').mockImplementation((() => {}) as any)
+    originalStdinTTY = process.stdin.isTTY
+    originalStdoutTTY = process.stdout.isTTY
+    // Default to interactive TTY for existing tests; non-interactive tests override.
+    setTTY(true)
   })
 
   afterEach(() => {
@@ -39,6 +50,12 @@ describe('auth commands', () => {
     execSpy.mockRestore()
     for (const s of protoSpies) s.mockRestore()
     protoSpies.length = 0
+    setTTY(originalStdinTTY)
+    Object.defineProperty(process.stdout, 'isTTY', {
+      value: originalStdoutTTY,
+      writable: true,
+      configurable: true,
+    })
   })
 
   describe('loginAction with --token', () => {
@@ -151,6 +168,143 @@ describe('auth commands', () => {
     })
   })
 
+  describe('loginAction non-interactive (no TTY)', () => {
+    const device = {
+      deviceCode: 'webex-device-code-abc123',
+      userCode: 'USER-CODE',
+      verificationUri: 'https://webex.com/verify',
+      verificationUriComplete: 'https://webex.com/verify?user_code=USER-CODE',
+      expiresIn: 300,
+      interval: 1,
+    }
+
+    it('first call (no --device-code): requests device code and returns it in JSON', async () => {
+      setTTY(false)
+      const requestSpy = protoSpy(WebexCredentialManager.prototype, 'requestDeviceCode').mockResolvedValue(device)
+      const exchangeSpy = protoSpy(WebexCredentialManager.prototype, 'exchangeDeviceCode')
+      const pollSpy = protoSpy(WebexCredentialManager.prototype, 'pollDeviceToken')
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await loginAction({ pretty: false })
+
+      expect(requestSpy).toHaveBeenCalled()
+      expect(exchangeSpy).not.toHaveBeenCalled()
+      expect(pollSpy).not.toHaveBeenCalled()
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.next_action).toBe('authorize_in_browser')
+      expect(output.verification_uri).toBe(device.verificationUri)
+      expect(output.verification_uri_complete).toBe(device.verificationUriComplete)
+      expect(output.user_code).toBe(device.userCode)
+      expect(output.device_code).toBe(device.deviceCode)
+      expect(output.message).toContain('--device-code')
+      expect(exitSpy).toHaveBeenCalledWith(0)
+    })
+
+    it('does not open a browser on the first non-interactive call', async () => {
+      setTTY(false)
+      protoSpy(WebexCredentialManager.prototype, 'requestDeviceCode').mockResolvedValue(device)
+      protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await loginAction({ pretty: false })
+
+      expect(execSpy).not.toHaveBeenCalled()
+    })
+
+    it('second call (--device-code, pending): returns still_pending and echoes back the device_code', async () => {
+      setTTY(false)
+      protoSpy(WebexCredentialManager.prototype, 'exchangeDeviceCode').mockResolvedValue({ status: 'pending' })
+      const requestSpy = protoSpy(WebexCredentialManager.prototype, 'requestDeviceCode')
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await loginAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
+
+      expect(requestSpy).not.toHaveBeenCalled()
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.next_action).toBe('still_pending')
+      expect(output.device_code).toBe('webex-device-code-abc123')
+      expect(exitSpy).toHaveBeenCalledWith(0)
+    })
+
+    it('second call (--device-code, success): saves token and returns authenticated=true', async () => {
+      setTTY(false)
+      const exchangeSpy = protoSpy(WebexCredentialManager.prototype, 'exchangeDeviceCode').mockResolvedValue({
+        status: 'success',
+        config: { accessToken: 'at', refreshToken: 'rt', expiresAt: Date.now() + 3_600_000 },
+      })
+      const saveConfigSpy = protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+
+      await loginAction({
+        deviceCode: 'webex-device-code-abc123',
+        clientId: 'my-id',
+        clientSecret: 'my-secret',
+        pretty: false,
+      })
+
+      expect(exchangeSpy).toHaveBeenCalledWith('webex-device-code-abc123', 'my-id', 'my-secret')
+      const savedConfig = saveConfigSpy.mock.calls[0][0] as { tokenType: string; clientId: string }
+      expect(savedConfig.tokenType).toBe('oauth')
+      expect(savedConfig.clientId).toBe('my-id')
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.authenticated).toBe(true)
+      expect(output.user.displayName).toBe('Test User')
+    })
+
+    it('second call (--device-code, expired): returns next_action=restart, exits 1', async () => {
+      setTTY(false)
+      protoSpy(WebexCredentialManager.prototype, 'exchangeDeviceCode').mockResolvedValue({ status: 'expired' })
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await loginAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.next_action).toBe('restart')
+      expect(output.error).toContain('expired')
+      expect(exitSpy).toHaveBeenCalledWith(1)
+    })
+
+    it('--device-code works even with a TTY (interactive sessions can also resume)', async () => {
+      setTTY(true)
+      const exchangeSpy = protoSpy(WebexCredentialManager.prototype, 'exchangeDeviceCode').mockResolvedValue({
+        status: 'success',
+        config: { accessToken: 'at', refreshToken: 'rt', expiresAt: Date.now() + 3_600_000 },
+      })
+      const requestSpy = protoSpy(WebexCredentialManager.prototype, 'requestDeviceCode')
+      const pollSpy = protoSpy(WebexCredentialManager.prototype, 'pollDeviceToken')
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+
+      await loginAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
+
+      expect(exchangeSpy).toHaveBeenCalled()
+      expect(requestSpy).not.toHaveBeenCalled()
+      expect(pollSpy).not.toHaveBeenCalled()
+    })
+
+    it('still allows --token login when non-interactive (bot/PAT path)', async () => {
+      setTTY(false)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+
+      await loginAction({ token: 'bot-token-123', pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.authenticated).toBe(true)
+      expect(output.user.displayName).toBe('Test User')
+    })
+  })
+
   describe('statusAction', () => {
     it('shows authenticated status when token is valid', async () => {
       protoSpy(WebexCredentialManager.prototype, 'loadConfig').mockResolvedValue(null)

package/src/platforms/webex/commands/auth.ts

@@ -2,6 +2,7 @@ import { Command } from 'commander'
 
 import { collectBrowserProfileOption } from '@/shared/chromium'
 import { handleError } from '@/shared/utils/error-handler'
+import { isInteractive } from '@/shared/utils/interactive'
 import { formatOutput } from '@/shared/utils/output'
 import { info, debug } from '@/shared/utils/stderr'
 
@@ -43,12 +44,15 @@ async function resolveClientCredentials(options: {
   return getWebexAppCredentials()
 }
 
-export async function loginAction(options: {
+interface LoginOptions {
   token?: string
+  deviceCode?: string
   clientId?: string
   clientSecret?: string
   pretty?: boolean
-}): Promise<void> {
+}
+
+export async function loginAction(options: LoginOptions): Promise<void> {
   try {
     const credManager = new WebexCredentialManager()
 
@@ -73,6 +77,16 @@ export async function loginAction(options: {
       return
     }
 
+    if (options.deviceCode) {
+      await finishDeviceGrant(credManager, options)
+      return
+    }
+
+    if (!isInteractive()) {
+      await startNonInteractiveDeviceGrant(credManager, options)
+      return
+    }
+
     const { clientId, clientSecret } = await resolveClientCredentials(options)
 
     const device = await credManager.requestDeviceCode(clientId)
@@ -110,6 +124,81 @@ export async function loginAction(options: {
   }
 }
 
+async function startNonInteractiveDeviceGrant(
+  credManager: WebexCredentialManager,
+  options: LoginOptions,
+): Promise<void> {
+  const { clientId } = await resolveClientCredentials(options)
+  const device = await credManager.requestDeviceCode(clientId)
+  const expiresAt = Date.now() + device.expiresIn * 1000
+
+  console.log(
+    formatOutput(
+      {
+        next_action: 'authorize_in_browser',
+        verification_uri: device.verificationUri,
+        verification_uri_complete: device.verificationUriComplete,
+        user_code: device.userCode,
+        device_code: device.deviceCode,
+        expires_at: expiresAt,
+        message:
+          'Show the user `verification_uri` and `user_code` (or just `verification_uri_complete`) and ask them to approve access in any browser. After they approve, run `agent-webex auth login --device-code <device_code>` to retrieve the token. The device code expires at `expires_at`. If you passed `--client-id`/`--client-secret`, pass them again on the second call.',
+      },
+      options.pretty,
+    ),
+  )
+  process.exit(0)
+}
+
+async function finishDeviceGrant(credManager: WebexCredentialManager, options: LoginOptions): Promise<void> {
+  const { clientId, clientSecret } = await resolveClientCredentials(options)
+  const result = await credManager.exchangeDeviceCode(options.deviceCode!, clientId, clientSecret)
+
+  if (result.status === 'success') {
+    await credManager.saveConfig({ ...result.config, clientId, clientSecret, tokenType: 'oauth' })
+    const client = await new WebexClient().login({ token: result.config.accessToken })
+    const person = await client.testAuth()
+    console.log(
+      formatOutput(
+        {
+          authenticated: true,
+          user: { id: person.id, displayName: person.displayName, emails: person.emails },
+        },
+        options.pretty,
+      ),
+    )
+    return
+  }
+
+  if (result.status === 'pending') {
+    console.log(
+      formatOutput(
+        {
+          next_action: 'still_pending',
+          device_code: options.deviceCode,
+          message:
+            'User has not approved access yet. Confirm with the user that they completed authorization in the browser, then run `agent-webex auth login --device-code <device_code>` again to retry.',
+        },
+        options.pretty,
+      ),
+    )
+    process.exit(0)
+    return
+  }
+
+  console.log(
+    formatOutput(
+      {
+        next_action: 'restart',
+        error: result.status === 'expired' ? 'Device code expired.' : `Device code exchange failed: ${result.message}`,
+        message: 'This device code is no longer valid. Run `agent-webex auth login` to start a new login.',
+      },
+      options.pretty,
+    ),
+  )
+  process.exit(1)
+}
+
 export async function statusAction(options: { pretty?: boolean }): Promise<void> {
   try {
     const credManager = new WebexCredentialManager()
@@ -276,8 +365,18 @@ export const authCommand = new Command('auth')
   .description('Authentication commands')
   .addCommand(
     new Command('login')
-      .description('Login to Webex')
+      .description(
+        'Log in to Webex. In a TTY this opens a browser and waits for approval. ' +
+          'When non-interactive (AI agents, CI/CD): first call starts the OAuth Device Grant flow ' +
+          'and returns a verification URL, user code, and device code. After the user approves in a ' +
+          'browser, call again with --device-code to exchange it for a token. Pass --token for ' +
+          'fully unattended auth.',
+      )
       .option('--token <token>', 'Use a bot token or personal access token directly')
+      .option(
+        '--device-code <code>',
+        'OAuth Device Grant code returned from a previous non-interactive `auth login` call',
+      )
       .option('--client-id <id>', 'Webex Integration client ID')
       .option('--client-secret <secret>', 'Webex Integration client secret')
       .option('--pretty', 'Pretty print JSON output')

package/src/platforms/webex/credential-manager.test.ts

@@ -373,4 +373,82 @@ describe('WebexCredentialManager', () => {
     expect(loaded?.clientId).toBeUndefined()
     expect(loaded?.clientSecret).toBeUndefined()
   })
+
+  describe('exchangeDeviceCode', () => {
+    let originalFetch: typeof globalThis.fetch
+
+    beforeEach(() => {
+      originalFetch = globalThis.fetch
+    })
+
+    afterEach(() => {
+      globalThis.fetch = originalFetch
+    })
+
+    it('returns success with config on 200', async () => {
+      globalThis.fetch = mock(() =>
+        Promise.resolve(
+          new Response(JSON.stringify({ access_token: 'at', refresh_token: 'rt', expires_in: 3600 }), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          }),
+        ),
+      ) as unknown as typeof globalThis.fetch
+
+      const result = await credManager.exchangeDeviceCode('dc', 'cid', 'csec')
+      expect(result.status).toBe('success')
+      if (result.status === 'success') {
+        expect(result.config.accessToken).toBe('at')
+        expect(result.config.refreshToken).toBe('rt')
+      }
+    })
+
+    it('returns pending on 428', async () => {
+      globalThis.fetch = mock(() =>
+        Promise.resolve(new Response('', { status: 428 })),
+      ) as unknown as typeof globalThis.fetch
+      const result = await credManager.exchangeDeviceCode('dc', 'cid', 'csec')
+      expect(result.status).toBe('pending')
+    })
+
+    it('returns pending when error description includes authorization_pending', async () => {
+      globalThis.fetch = mock(() =>
+        Promise.resolve(
+          new Response(JSON.stringify({ errors: [{ description: 'authorization_pending' }] }), {
+            status: 400,
+            headers: { 'Content-Type': 'application/json' },
+          }),
+        ),
+      ) as unknown as typeof globalThis.fetch
+      const result = await credManager.exchangeDeviceCode('dc', 'cid', 'csec')
+      expect(result.status).toBe('pending')
+    })
+
+    it('returns expired when error description signals expiry', async () => {
+      globalThis.fetch = mock(() =>
+        Promise.resolve(
+          new Response(JSON.stringify({ errors: [{ description: 'expired_token' }] }), {
+            status: 400,
+            headers: { 'Content-Type': 'application/json' },
+          }),
+        ),
+      ) as unknown as typeof globalThis.fetch
+      const result = await credManager.exchangeDeviceCode('dc', 'cid', 'csec')
+      expect(result.status).toBe('expired')
+    })
+
+    it('returns error on other failures', async () => {
+      globalThis.fetch = mock(() =>
+        Promise.resolve(
+          new Response(JSON.stringify({ errors: [{ description: 'access_denied' }] }), {
+            status: 403,
+            headers: { 'Content-Type': 'application/json' },
+          }),
+        ),
+      ) as unknown as typeof globalThis.fetch
+      const result = await credManager.exchangeDeviceCode('dc', 'cid', 'csec')
+      expect(result.status).toBe('error')
+      if (result.status === 'error') expect(result.message).toContain('access_denied')
+    })
+  })
 })

package/src/platforms/webex/credential-manager.ts

@@ -212,6 +212,65 @@ export class WebexCredentialManager {
     throw new Error('Device authorization timed out')
   }
 
+  async exchangeDeviceCode(
+    deviceCode: string,
+    clientId: string,
+    clientSecret?: string,
+  ): Promise<
+    | { status: 'success'; config: Pick<WebexConfig, 'accessToken' | 'refreshToken' | 'expiresAt'> }
+    | { status: 'pending' }
+    | { status: 'expired' }
+    | { status: 'error'; message: string }
+  > {
+    const basicAuth = btoa(`${clientId}:${clientSecret ?? ''}`)
+
+    const response = await fetch(OAUTH_DEVICE_TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${basicAuth}`,
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: new URLSearchParams({
+        grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+        device_code: deviceCode,
+        client_id: clientId,
+      }),
+    })
+
+    if (response.ok) {
+      const data = (await response.json()) as {
+        access_token: string
+        refresh_token: string
+        expires_in: number
+      }
+      return {
+        status: 'success',
+        config: {
+          accessToken: data.access_token,
+          refreshToken: data.refresh_token,
+          expiresAt: Date.now() + data.expires_in * 1000,
+        },
+      }
+    }
+
+    if (response.status === 428) return { status: 'pending' }
+
+    const errorBody = (await response.json().catch(() => null)) as {
+      errors?: Array<{ description: string }>
+    } | null
+    const errorDesc = errorBody?.errors?.[0]?.description ?? ''
+
+    if (errorDesc.includes('authorization_pending') || errorDesc.includes('slow_down')) {
+      return { status: 'pending' }
+    }
+
+    if (errorDesc.includes('expired_token') || errorDesc.includes('expired')) {
+      return { status: 'expired' }
+    }
+
+    return { status: 'error', message: errorDesc || `http_${response.status}` }
+  }
+
   async clearCredentials(): Promise<void> {
     if (existsSync(this.credentialsPath)) {
       await rm(this.credentialsPath)

package/src/platforms/whatsapp/commands/auth.ts

@@ -3,6 +3,7 @@ import { rm } from 'node:fs/promises'
 import { Command } from 'commander'
 
 import { handleError } from '@/shared/utils/error-handler'
+import { isInteractive } from '@/shared/utils/interactive'
 import { formatOutput } from '@/shared/utils/output'
 import { displayQR } from '@/shared/utils/qr'
 import { info } from '@/shared/utils/stderr'
@@ -22,10 +23,6 @@ interface StatusOptions {
   pretty?: boolean
 }
 
-function isInteractiveSession(): boolean {
-  return Boolean(process.stdin.isTTY && process.stdout.isTTY)
-}
-
 async function loginWithPairingCode(options: LoginOptions & { phone: string }): Promise<void> {
   const manager = new WhatsAppCredentialManager()
   const accountId = createAccountId(options.phone)
@@ -95,7 +92,7 @@ async function loginWithQR(options: LoginOptions): Promise<void> {
   await rm(existingPaths.auth_dir, { recursive: true, force: true })
   const paths = await manager.ensureAccountPaths(accountId)
   const client = await new WhatsAppClient().login({ authDir: paths.auth_dir })
-  const interactive = isInteractiveSession()
+  const interactive = isInteractive()
 
   let waitForAuth: () => Promise<void>
   let browserOpened = false

package/src/shared/utils/interactive.test.ts

@@ -0,0 +1,55 @@
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test'
+
+import { hasTTY, isInteractive } from './interactive'
+
+describe('isInteractive', () => {
+  let originalStdinTTY: boolean | undefined
+  let originalStdoutTTY: boolean | undefined
+
+  beforeEach(() => {
+    originalStdinTTY = process.stdin.isTTY
+    originalStdoutTTY = process.stdout.isTTY
+  })
+
+  afterEach(() => {
+    Object.defineProperty(process.stdin, 'isTTY', { value: originalStdinTTY, writable: true, configurable: true })
+    Object.defineProperty(process.stdout, 'isTTY', { value: originalStdoutTTY, writable: true, configurable: true })
+  })
+
+  function setTTY(stdin: boolean | undefined, stdout: boolean | undefined): void {
+    Object.defineProperty(process.stdin, 'isTTY', { value: stdin, writable: true, configurable: true })
+    Object.defineProperty(process.stdout, 'isTTY', { value: stdout, writable: true, configurable: true })
+  }
+
+  it('returns true when both stdin and stdout are TTY', () => {
+    setTTY(true, true)
+    expect(isInteractive()).toBe(true)
+  })
+
+  it('returns false when stdin is not a TTY (piped input)', () => {
+    setTTY(undefined, true)
+    expect(isInteractive()).toBe(false)
+  })
+
+  it('returns false when stdout is not a TTY (piped output)', () => {
+    setTTY(true, undefined)
+    expect(isInteractive()).toBe(false)
+  })
+
+  it('returns false when neither is a TTY', () => {
+    setTTY(undefined, undefined)
+    expect(isInteractive()).toBe(false)
+  })
+
+  it('returns false when stdin/stdout isTTY is explicitly false', () => {
+    setTTY(false, false)
+    expect(isInteractive()).toBe(false)
+  })
+})
+
+describe('hasTTY', () => {
+  it('returns a boolean reflecting whether a controlling TTY can be opened', () => {
+    const result = hasTTY()
+    expect(typeof result).toBe('boolean')
+  })
+})

package/src/shared/utils/interactive.ts

@@ -0,0 +1,15 @@
+export function isInteractive(): boolean {
+  return Boolean(process.stdin.isTTY && process.stdout.isTTY)
+}
+
+export function hasTTY(): boolean {
+  try {
+    const { openSync, closeSync } = require('node:fs') as typeof import('node:fs')
+    const ttyDevice = process.platform === 'win32' ? 'CONIN$' : '/dev/tty'
+    const fd = openSync(ttyDevice, 'r')
+    closeSync(fd)
+    return true
+  } catch {
+    return false
+  }
+}