alpic 0.0.0-dev.f2f58a6 → 0.0.0-dev.f330b89

package/dist/lib/auth/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/lib/auth/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,MAAM,WAAW,CAAC,mBAAmB,EAAE,CAAC,EAAE,YAAY,CAAC;IAEnG,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,wBAAwB,GAAG,SAAS,EAAE,CAAC;IAC7C,IAAI,wBAAwB;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,uBAAuB,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC5D,IAAI,uBAAuB;QAAE,OAAO,IAAI,CAAC;IAEzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,mBAAmB;IAChC,OAAO,CAAC,MAAM,WAAW,CAAC,mBAAmB,EAAE,CAAC,KAAK,IAAI,CAAC;AAC5D,CAAC"}

package/dist/lib/auth/oauth/client.d.ts

@@ -0,0 +1,28 @@
+import * as openid from "openid-client";
+import { type Credentials } from "../../global-store.js";
+export declare class OAuthClient {
+    private config;
+    initialize: Promise<void>;
+    constructor();
+    getValidAccessToken(): Promise<Credentials | null>;
+    fetchUserInfo(credentials: Credentials): Promise<openid.UserInfoResponse>;
+    refreshAccessToken(credentials: Credentials): Promise<Credentials>;
+    prepareOAuthConfig(): Promise<{
+        authorizeUrl: URL;
+        state: string;
+        nonce: string;
+        codeVerifier: string;
+    }>;
+    exchangeAuthorizationCode({ url, codeVerifier, state, nonce, }: {
+        url: URL;
+        codeVerifier: string;
+        state: string;
+        nonce: string;
+    }): Promise<openid.TokenEndpointResponse & openid.TokenEndpointResponseHelpers>;
+    getExpiresAt(expires_in: number): number;
+    private loadConfig;
+    private fetchOAuthProtectedResourceConfig;
+    private getConfig;
+    private isAccessTokenExpired;
+}
+export declare const oAuthClient: OAuthClient;

package/dist/lib/auth/oauth/client.js

@@ -0,0 +1,110 @@
+import * as openid from "openid-client";
+import { env } from "../../../env.js";
+import { globalStore } from "../../global-store.js";
+import { LOOPBACK_HOST, LOOPBACK_PORT } from "./constants.js";
+const SCOPES = ["openid", "email", "profile"];
+export class OAuthClient {
+    config = null;
+    initialize;
+    constructor() {
+        this.initialize = this.loadConfig();
+    }
+    async getValidAccessToken() {
+        await this.initialize;
+        const stored = globalStore.getCredentials();
+        if (!stored) {
+            return null;
+        }
+        if (this.isAccessTokenExpired(stored)) {
+            try {
+                return await this.refreshAccessToken(stored);
+            }
+            catch {
+                return null;
+            }
+        }
+        return stored;
+    }
+    async fetchUserInfo(credentials) {
+        return openid.fetchUserInfo(await this.getConfig(), credentials.access_token, credentials.sub);
+    }
+    async refreshAccessToken(credentials) {
+        if (!credentials.refresh_token) {
+            throw new Error("No refresh token available");
+        }
+        const response = await openid.refreshTokenGrant(await this.getConfig(), credentials.refresh_token);
+        const refreshed = {
+            access_token: response.access_token,
+            refresh_token: response.refresh_token ?? credentials.refresh_token,
+            expires_at: this.getExpiresAt(response.expires_in ?? 0),
+            sub: credentials.sub,
+        };
+        globalStore.saveCredentials(refreshed);
+        return refreshed;
+    }
+    async prepareOAuthConfig() {
+        await this.initialize;
+        if (!this.config) {
+            throw new Error("Config not loaded");
+        }
+        const codeVerifier = openid.randomPKCECodeVerifier();
+        const codeChallenge = await openid.calculatePKCECodeChallenge(codeVerifier);
+        const state = openid.randomState();
+        const nonce = openid.randomNonce();
+        const callbackUrl = new URL(`http://${LOOPBACK_HOST}:${LOOPBACK_PORT}/callback`);
+        const authorizeUrl = openid.buildAuthorizationUrl(this.config, {
+            redirect_uri: callbackUrl.toString(),
+            scope: SCOPES.join(" "),
+            code_challenge: codeChallenge,
+            code_challenge_method: "S256",
+            state,
+            nonce,
+        });
+        return { authorizeUrl, state, nonce, codeVerifier };
+    }
+    async exchangeAuthorizationCode({ url, codeVerifier, state, nonce, }) {
+        return await openid.authorizationCodeGrant(await this.getConfig(), url, {
+            pkceCodeVerifier: codeVerifier,
+            expectedState: state,
+            expectedNonce: nonce,
+        });
+    }
+    getExpiresAt(expires_in) {
+        return expires_in !== undefined ? Math.floor(Date.now() / 1000) + expires_in : Date.now() / 1000 + 3600;
+    }
+    async loadConfig() {
+        const protectedResourceConfig = await this.fetchOAuthProtectedResourceConfig();
+        const issuer = protectedResourceConfig.authorization_servers[0];
+        if (!issuer) {
+            throw new Error("No authorization server in OAuth protected resource config");
+        }
+        const issuerUrl = new URL(issuer);
+        try {
+            this.config = await openid.discovery(issuerUrl, env.ALPIC_COGNITO_CLIENT_ID);
+        }
+        catch {
+            throw new Error("Failed to discover OAuth config");
+        }
+    }
+    async fetchOAuthProtectedResourceConfig() {
+        const baseUrl = env.ALPIC_API_BASE_URL;
+        const response = await fetch(`${baseUrl}/.well-known/oauth-protected-resource`);
+        if (!response.ok) {
+            throw new Error(`Failed to load service config from ${baseUrl} (${response.status} ${response.statusText})`);
+        }
+        return (await response.json());
+    }
+    async getConfig() {
+        await this.initialize;
+        if (!this.config) {
+            throw new Error("Config not loaded");
+        }
+        return this.config;
+    }
+    isAccessTokenExpired(credentials) {
+        const EXPIRATION_WINDOW_IN_SECONDS = 300;
+        return Date.now() / 1000 + EXPIRATION_WINDOW_IN_SECONDS >= credentials.expires_at;
+    }
+}
+export const oAuthClient = new OAuthClient();
+//# sourceMappingURL=client.js.map

package/dist/lib/auth/oauth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AAExC,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAoB,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE9D,MAAM,MAAM,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AAU9C,MAAM,OAAO,WAAW;IACd,MAAM,GAAgC,IAAI,CAAC;IACnD,UAAU,CAAgB;IAE1B;QACE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,mBAAmB;QACvB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,MAAM,MAAM,GAAG,WAAW,CAAC,cAAc,EAAE,CAAC;QAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,WAAwB;QAC1C,OAAO,MAAM,CAAC,aAAa,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,WAAW,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;IACjG,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,WAAwB;QAC/C,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,WAAW,CAAC,aAAa,CAAC,CAAC;QAEnG,MAAM,SAAS,GAAgB;YAC7B,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,aAAa,EAAE,QAAQ,CAAC,aAAa,IAAI,WAAW,CAAC,aAAa;YAClE,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,CAAC;YACvD,GAAG,EAAE,WAAW,CAAC,GAAG;SACrB,CAAC;QAEF,WAAW,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QACvC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,kBAAkB;QACtB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,sBAAsB,EAAE,CAAC;QACrD,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;QAC5E,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,UAAU,aAAa,IAAI,aAAa,WAAW,CAAC,CAAC;QAEjF,MAAM,YAAY,GAAG,MAAM,CAAC,qBAAqB,CAAC,IAAI,CAAC,MAAM,EAAE;YAC7D,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE;YACpC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,cAAc,EAAE,aAAa;YAC7B,qBAAqB,EAAE,MAAM;YAC7B,KAAK;YACL,KAAK;SACN,CAAC,CAAC;QAEH,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,EAC9B,GAAG,EACH,YAAY,EACZ,KAAK,EACL,KAAK,GAMN;QACC,OAAO,MAAM,MAAM,CAAC,sBAAsB,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE;YACtE,gBAAgB,EAAE,YAAY;YAC9B,aAAa,EAAE,KAAK;YACpB,aAAa,EAAE,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAED,YAAY,CAAC,UAAkB;QAC7B,OAAO,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;IAC1G,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,MAAM,uBAAuB,GAAG,MAAM,IAAI,CAAC,iCAAiC,EAAE,CAAC;QAC/E,MAAM,MAAM,GAAG,uBAAuB,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC/E,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iCAAiC;QAC7C,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;QACvC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,uCAAuC,CAAC,CAAC;QAChF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sCAAsC,OAAO,KAAK,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC;QAC/G,CAAC;QACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiC,CAAC;IACjE,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAEO,oBAAoB,CAAC,WAAwB;QACnD,MAAM,4BAA4B,GAAG,GAAG,CAAC;QACzC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,4BAA4B,IAAI,WAAW,CAAC,UAAU,CAAC;IACpF,CAAC;CACF;AAED,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/lib/auth/oauth/constants.d.ts

@@ -0,0 +1,2 @@
+export declare const LOOPBACK_HOST = "127.0.0.1";
+export declare const LOOPBACK_PORT = 38472;

package/dist/lib/auth/oauth/constants.js

@@ -0,0 +1,3 @@
+export const LOOPBACK_HOST = "127.0.0.1";
+export const LOOPBACK_PORT = 38472;
+//# sourceMappingURL=constants.js.map

package/dist/lib/auth/oauth/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,aAAa,GAAG,WAAW,CAAC;AACzC,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,CAAC"}

package/dist/lib/auth/oauth/server/assets/authorize.html

@@ -0,0 +1,195 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Sign in to Alpic</title>
+    <link
+      href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&family=Mozilla+Text:wght@200..700&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      *,
+      *::before,
+      *::after {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      :root {
+        --midnight: #051413;
+      }
+
+      body {
+        font-family: "Inter", system-ui, sans-serif;
+        background-color: var(--midnight);
+        min-height: 100vh;
+        display: flex;
+        background-image: url("/assets/alpic-mountain.png");
+        background-repeat: no-repeat;
+        background-position: right bottom;
+        background-size: auto;
+        padding: 64px;
+      }
+
+      .card {
+        background: #fff;
+        border-radius: 2px;
+        padding: 48px;
+        width: 50%;
+        min-height: calc(100vh - 128px);
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        justify-content: center;
+      }
+
+      h1 {
+        font-family: "Mozilla Text", system-ui, sans-serif;
+        font-weight: 400;
+        font-size: 48px;
+        color: var(--midnight);
+        margin-bottom: 8px;
+      }
+
+      .subtitle {
+        font-size: 20px;
+        color: var(--midnight);
+        margin-bottom: 32px;
+      }
+
+      .buttons {
+        display: flex;
+        flex-direction: column;
+        gap: 12px;
+      }
+
+      .btn {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        gap: 8px;
+        height: 48px;
+        width: 256px;
+        padding: 0 16px;
+        border-radius: 2px;
+        border: 1px solid var(--midnight);
+        font-family: "Inter", system-ui, sans-serif;
+        font-size: 16px;
+        font-weight: 500;
+        cursor: pointer;
+        transition: background 0.15s;
+      }
+
+      .btn:focus-visible {
+        outline: none;
+        box-shadow: 0 0 0 2px var(--midnight);
+      }
+
+      .btn svg {
+        width: 20px;
+        height: 20px;
+        flex-shrink: 0;
+      }
+
+      .btn-github {
+        background: var(--midnight);
+        color: #fff;
+      }
+      .btn-github svg {
+        fill: #fff;
+      }
+      .btn-github:hover {
+        background: rgba(5, 20, 19, 0.9);
+      }
+
+      .btn-google {
+        background: #fff;
+        color: var(--midnight);
+      }
+      .btn-google svg {
+        fill: var(--midnight);
+      }
+      .btn-google:hover {
+        background: rgba(5, 20, 19, 0.1);
+      }
+
+      .btn-loading {
+        opacity: 0.7;
+        pointer-events: none;
+        cursor: default;
+        transition: opacity 0.2s;
+      }
+      .spinner {
+        width: 20px;
+        height: 20px;
+        animation: spin 0.8s linear infinite;
+      }
+      @keyframes spin {
+        to {
+          transform: rotate(360deg);
+        }
+      }
+
+      @media (max-width: 768px) {
+        body {
+          padding: 16px;
+        }
+        .card {
+          width: 100%;
+          height: auto;
+          padding: 24px;
+        }
+        h1 {
+          font-size: 36px;
+        }
+        .subtitle {
+          font-size: 18px;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Welcome to Alpic</h1>
+      <p class="subtitle">Sign in to use Alpic CLI</p>
+      <div class="buttons">
+        <button class="btn btn-github" onclick="login('Github', this)" type="button">
+          <svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+            <title>GitHub</title>
+            <path
+              d="M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12"
+            />
+          </svg>
+          Sign in with GitHub
+        </button>
+        <button class="btn btn-google" onclick="login('google', this)" type="button">
+          <svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+            <title>Google</title>
+            <path
+              d="M12.48 10.92v3.28h7.84c-.24 1.84-.853 3.187-1.8 4.133-1.147 1.147-2.933 2.4-6.04 2.4-4.827 0-8.6-3.893-8.6-8.72s3.773-8.72 8.6-8.72c2.6 0 4.507 1.027 5.907 2.347l2.307-2.307C18.747 1.44 16.133 0 12.48 0 5.867 0 .307 5.387.307 12s5.56 12 12.173 12c3.573 0 6.267-1.173 8.373-3.36 2.16-2.16 2.84-5.213 2.84-7.667 0-.76-.053-1.467-.173-2.053H12.48z"
+            />
+          </svg>
+          Sign in with Google
+        </button>
+      </div>
+    </div>
+    <script>
+      var loaderSvg =
+        '<svg class="spinner" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 2v4"/><path d="m16.2 7.8 2.9-2.9"/><path d="M18 12h4"/><path d="m16.2 16.2 2.9 2.9"/><path d="M12 18v4"/><path d="m4.9 19.1 2.9-2.9"/><path d="M2 12h4"/><path d="m4.9 4.9 2.9 2.9"/></svg>';
+      // biome-ignore lint/correctness/noUnusedVariables: The function is used within the buttons onclick handlers
+      function login(provider, btn) {
+        const icon = btn.querySelector("svg");
+        const wrap = document.createElement("div");
+        wrap.innerHTML = loaderSvg;
+        icon.replaceWith(wrap.firstChild);
+        btn.classList.add("btn-loading");
+        btn.disabled = true;
+        const url = new URL("%AUTH_BASE_URL%");
+        url.searchParams.set("identity_provider", provider);
+        window.location.href = url.toString();
+      }
+    </script>
+  </body>
+</html>

package/dist/lib/auth/oauth/server/assets/callback.html

@@ -0,0 +1,88 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Sign in to Alpic</title>
+    <link
+      href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&family=Mozilla+Text:wght@200..700&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      *,
+      *::before,
+      *::after {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      :root {
+        --midnight: #051413;
+      }
+
+      body {
+        font-family: "Inter", system-ui, sans-serif;
+        background-color: var(--midnight);
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        padding: 64px;
+      }
+
+      .card {
+        background: #fff;
+        border-radius: 2px;
+        padding: 48px;
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        justify-content: center;
+      }
+
+      .message {
+        text-align: center;
+      }
+
+      .message-title {
+        font-size: 28px;
+        color: var(--midnight);
+        display: block;
+      }
+
+      .message-sub {
+        display: block;
+        margin-top: 0.5em;
+        color: #6b7280;
+      }
+
+      .message.error .message-title {
+        color: #b91c1c;
+      }
+
+      .message.error .message-sub {
+        display: none;
+      }
+
+      @media (max-width: 768px) {
+        body {
+          padding: 16px;
+        }
+        .card {
+          width: 100%;
+          height: auto;
+          padding: 24px;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <p class="message __CALLBACK_STATUS__">
+        <span class="message-title">__CALLBACK_TITLE__</span>
+        <span class="message-sub">__CALLBACK_SUB__</span>
+      </p>
+    </div>
+  </body>
+</html>

package/dist/lib/auth/oauth/server/index.d.ts

@@ -0,0 +1,8 @@
+import type { Credentials } from "../../../global-store.js";
+export declare const getLoginPageUrl: () => string;
+export declare const listenToOAuthCallback: ({ state, nonce, codeVerifier, authorizeUrl, }: {
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    authorizeUrl?: string;
+}) => Promise<Credentials>;

package/dist/lib/auth/oauth/server/index.js

@@ -0,0 +1,105 @@
+import { readFile } from "node:fs/promises";
+import { createServer } from "node:http";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import * as p from "@clack/prompts";
+import { oAuthClient } from "../client.js";
+import { LOOPBACK_HOST, LOOPBACK_PORT } from "../constants.js";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ASSETS_DIR = path.join(__dirname, "assets");
+const createCallbackServer = ({ state, nonce, codeVerifier, authorizeUrl, onSuccess, onError, }) => createServer(async (req, res) => {
+    const url = req.url ?? "/";
+    const pathname = url.split("?")[0] ?? "/";
+    if (pathname === "/login") {
+        try {
+            const htmlPath = path.join(ASSETS_DIR, "authorize.html");
+            let html = await readFile(htmlPath, "utf-8");
+            if (authorizeUrl) {
+                html = html.replace(/%AUTH_BASE_URL%/g, authorizeUrl);
+            }
+            res.writeHead(200, {
+                "Content-Type": "text/html",
+                Connection: "close",
+            });
+            res.end(html);
+            return;
+        }
+        catch (e) {
+            p.log.error(e instanceof Error ? e.message : String(e));
+            res.writeHead(500).end();
+            return;
+        }
+    }
+    if (pathname === "/assets/alpic-mountain.png") {
+        const filePath = path.join(ASSETS_DIR, "alpic-mountain.png");
+        const content = await readFile(filePath);
+        res.writeHead(200, { "Content-Type": "image/png", Connection: "close" });
+        res.end(content);
+        return;
+    }
+    if (!url.startsWith("/callback")) {
+        res.writeHead(404).end();
+        return;
+    }
+    try {
+        const tokens = await oAuthClient.exchangeAuthorizationCode({
+            url: new URL(url, `http://${req.headers.host}`),
+            codeVerifier,
+            state,
+            nonce,
+        });
+        const sub = tokens.claims()?.sub;
+        if (!sub || !tokens.refresh_token) {
+            throw new Error("ID token did not contain sub");
+        }
+        const stored = {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            expires_at: oAuthClient.getExpiresAt(tokens.expires_in ?? 0),
+            sub,
+        };
+        p.log.success("✅ Authentication successful");
+        const successHtmlPath = path.join(ASSETS_DIR, "callback.html");
+        let html = await readFile(successHtmlPath, "utf-8");
+        html = html
+            .replace(/__CALLBACK_STATUS__/g, "success")
+            .replace(/__CALLBACK_TITLE__/g, "You are logged in")
+            .replace(/__CALLBACK_SUB__/g, "You can close this page.");
+        res.writeHead(200, { "Content-Type": "text/html", Connection: "close" });
+        res.end(html);
+        onSuccess(stored);
+    }
+    catch (e) {
+        p.log.error(e instanceof Error ? e.message : String(e));
+        const callbackHtmlPath = path.join(ASSETS_DIR, "callback.html");
+        let html = await readFile(callbackHtmlPath, "utf-8");
+        html = html
+            .replace(/__CALLBACK_STATUS__/g, "error")
+            .replace(/__CALLBACK_TITLE__/g, "An error occurred. You can close this page.")
+            .replace(/__CALLBACK_SUB__/g, "");
+        res.writeHead(500, { "Content-Type": "text/html", Connection: "close" });
+        res.end(html);
+        onError(e instanceof Error ? e : new Error(String(e)));
+    }
+});
+export const getLoginPageUrl = () => `http://${LOOPBACK_HOST}:${LOOPBACK_PORT}/login`;
+export const listenToOAuthCallback = ({ state, nonce, codeVerifier, authorizeUrl, }) => {
+    return new Promise((resolve, reject) => {
+        const callbackServer = createCallbackServer({
+            state,
+            nonce,
+            codeVerifier,
+            authorizeUrl,
+            onSuccess: (storedToken) => {
+                callbackServer.close();
+                resolve(storedToken);
+            },
+            onError: (err) => {
+                callbackServer.close();
+                reject(err);
+            },
+        });
+        callbackServer.listen(LOOPBACK_PORT, LOOPBACK_HOST);
+    });
+};
+//# sourceMappingURL=index.js.map

package/dist/lib/auth/oauth/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/lib/auth/oauth/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AACpF,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAGpC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAE/D,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC/D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAElD,MAAM,oBAAoB,GAAG,CAAC,EAC5B,KAAK,EACL,KAAK,EACL,YAAY,EACZ,YAAY,EACZ,SAAS,EACT,OAAO,GAQR,EAAE,EAAE,CACH,YAAY,CAAC,KAAK,EAAE,GAAoB,EAAE,GAAmB,EAAE,EAAE;IAC/D,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;IAC3B,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC;IAE1C,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;YACzD,IAAI,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC7C,IAAI,YAAY,EAAE,CAAC;gBACjB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,YAAY,CAAC,CAAC;YACxD,CAAC;YACD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjB,cAAc,EAAE,WAAW;gBAC3B,UAAU,EAAE,OAAO;aACpB,CAAC,CAAC;YACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACd,OAAO;QACT,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACxD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;YACzB,OAAO;QACT,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,4BAA4B,EAAE,CAAC;QAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACzC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;QACzE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACjB,OAAO;IACT,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;QACzB,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,yBAAyB,CAAC;YACzD,GAAG,EAAE,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAC/C,YAAY;YACZ,KAAK;YACL,KAAK;SACN,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,GAAG,CAAC;QACjC,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QACD,MAAM,MAAM,GAAgB;YAC1B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,UAAU,EAAE,WAAW,CAAC,YAAY,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;YAC5D,GAAG;SACJ,CAAC;QACF,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,6BAA6B,CAAC,CAAC;QAC7C,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAC/D,IAAI,IAAI,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QACpD,IAAI,GAAG,IAAI;aACR,OAAO,CAAC,sBAAsB,EAAE,SAAS,CAAC;aAC1C,OAAO,CAAC,qBAAqB,EAAE,mBAAmB,CAAC;aACnD,OAAO,CAAC,mBAAmB,EAAE,0BAA0B,CAAC,CAAC;QAC5D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;QACzE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACd,SAAS,CAAC,MAAM,CAAC,CAAC;IACpB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACxD,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAChE,IAAI,IAAI,GAAG,MAAM,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QACrD,IAAI,GAAG,IAAI;aACR,OAAO,CAAC,sBAAsB,EAAE,OAAO,CAAC;aACxC,OAAO,CAAC,qBAAqB,EAAE,6CAA6C,CAAC;aAC7E,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;QACpC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;QACzE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACd,OAAO,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,MAAM,CAAC,MAAM,eAAe,GAAG,GAAG,EAAE,CAAC,UAAU,aAAa,IAAI,aAAa,QAAQ,CAAC;AAEtF,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,EACpC,KAAK,EACL,KAAK,EACL,YAAY,EACZ,YAAY,GAMb,EAAE,EAAE;IACH,OAAO,IAAI,OAAO,CAAc,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAClD,MAAM,cAAc,GAAG,oBAAoB,CAAC;YAC1C,KAAK;YACL,KAAK;YACL,YAAY;YACZ,YAAY;YACZ,SAAS,EAAE,CAAC,WAAW,EAAE,EAAE;gBACzB,cAAc,CAAC,KAAK,EAAE,CAAC;gBACvB,OAAO,CAAC,WAAW,CAAC,CAAC;YACvB,CAAC;YACD,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACf,cAAc,CAAC,KAAK,EAAE,CAAC;gBACvB,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;SACF,CAAC,CAAC;QACH,cAAc,CAAC,MAAM,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}

package/dist/lib/auth/whoami.d.ts

@@ -0,0 +1 @@
+export declare function getWhoamiInfoMessage(): Promise<string>;

package/dist/lib/auth/whoami.js

@@ -0,0 +1,41 @@
+import chalk from "chalk";
+import { api } from "../../api.js";
+import { oAuthClient } from "./oauth/client.js";
+export async function getWhoamiInfoMessage() {
+    const info = (await getWhoamiInfoFromApiKey()) ?? (await getWhoamiInfoFromOAuth());
+    if (info === null) {
+        return "Not logged in. Run `alpic login` or set ALPIC_API_KEY.";
+    }
+    if (info.method === "api_key") {
+        return `Authenticated via API key — Team: ${chalk.green(info.team?.name ?? "unknown")}`;
+    }
+    return `Authenticated as ${chalk.green(info.name)} (${chalk.cyan(info.email)})`;
+}
+async function getWhoamiInfoFromApiKey() {
+    if (process.env.ALPIC_API_KEY === undefined) {
+        return null;
+    }
+    const team = await getApiKeyTeam();
+    return {
+        method: "api_key",
+        team,
+    };
+}
+async function getWhoamiInfoFromOAuth() {
+    const token = await oAuthClient.getValidAccessToken();
+    if (!token)
+        return null;
+    const userInfo = await oAuthClient.fetchUserInfo(token);
+    if (!userInfo)
+        return null;
+    return {
+        method: "oauth",
+        email: userInfo.email ?? "unknown",
+        name: userInfo.name ?? "unknown",
+    };
+}
+async function getApiKeyTeam() {
+    const teams = await api.teams.list.v1();
+    return teams[0];
+}
+//# sourceMappingURL=whoami.js.map

package/dist/lib/auth/whoami.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"whoami.js","sourceRoot":"","sources":["../../../src/lib/auth/whoami.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAahD,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACxC,MAAM,IAAI,GAAG,CAAC,MAAM,uBAAuB,EAAE,CAAC,IAAI,CAAC,MAAM,sBAAsB,EAAE,CAAC,CAAC;IAEnF,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,OAAO,wDAAwD,CAAC;IAClE,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO,qCAAqC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,SAAS,CAAC,EAAE,CAAC;IAC1F,CAAC;IAED,OAAO,oBAAoB,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;AAClF,CAAC;AAED,KAAK,UAAU,uBAAuB;IACpC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;IACnC,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,IAAI;KACL,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,sBAAsB;IACnC,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,mBAAmB,EAAE,CAAC;IACtD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IACxD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,OAAO;QACL,MAAM,EAAE,OAAO;QACf,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,SAAS;QAClC,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,SAAS;KACjC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,aAAa;IAC1B,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;IACxC,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}

package/dist/lib/base-workflow.d.ts

@@ -0,0 +1,10 @@
+import * as p from "@clack/prompts";
+export type Flags = {
+    "non-interactive"?: boolean;
+};
+export declare abstract class BaseWorkflow<F extends Flags = Flags> {
+    readonly flags: F;
+    constructor(flags: F);
+    protected confirm(options: p.ConfirmOptions, defaultValue?: boolean): Promise<boolean | symbol>;
+    protected isNonInteractive(): boolean;
+}

package/dist/lib/base-workflow.js

@@ -0,0 +1,22 @@
+import * as p from "@clack/prompts";
+import * as ci from "ci-info";
+export class BaseWorkflow {
+    flags;
+    constructor(flags) {
+        this.flags = flags;
+    }
+    confirm(options, defaultValue = true) {
+        if (this.isNonInteractive()) {
+            return Promise.resolve(defaultValue);
+        }
+        return p.confirm(options);
+    }
+    isNonInteractive() {
+        if (this.flags["non-interactive"])
+            return true;
+        if (process.env.VITEST)
+            return false;
+        return ci.isCI ?? false;
+    }
+}
+//# sourceMappingURL=base-workflow.js.map

package/dist/lib/base-workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-workflow.js","sourceRoot":"","sources":["../../src/lib/base-workflow.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AACpC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAM9B,MAAM,OAAgB,YAAY;IACJ;IAA5B,YAA4B,KAAQ;QAAR,UAAK,GAAL,KAAK,CAAG;IAAG,CAAC;IAE9B,OAAO,CAAC,OAAyB,EAAE,eAAwB,IAAI;QACvE,IAAI,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC;YAC5B,OAAO,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAES,gBAAgB;QACxB,IAAI,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAErC,OAAO,EAAE,CAAC,IAAI,IAAI,KAAK,CAAC;IAC1B,CAAC;CACF"}