alpic 0.0.0-dev.f91105e → 0.0.0-dev.fa013bb

package/dist/env.js

@@ -3,8 +3,7 @@ import { z } from "zod";
 export const env = createEnv({
     server: {
         ALPIC_API_BASE_URL: z.string().default("https://api.alpic.ai"),
-        ALPIC_COGNITO_CLIENT_ID: z.string().default("1023dpimab488tfv4sh4bdk2r"),
-        ALPIC_FRONTEND_BASE_URL: z.string().default("https://app.alpic.ai"),
+        ALPIC_COGNITO_CLIENT_ID: z.string().default("h9nqsttp8ddb40ddi1aoni91h"),
     },
     runtimeEnv: process.env,
 });

package/dist/env.js.map

@@ -1 +1 @@
-{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,GAAG,GAAG,SAAS,CAAC;IAC3B,MAAM,EAAE;QACN,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC;QAC9D,uBAAuB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,2BAA2B,CAAC;QACxE,uBAAuB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC;KACpE;IACD,UAAU,EAAE,OAAO,CAAC,GAAG;CACxB,CAAC,CAAC"}
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,GAAG,GAAG,SAAS,CAAC;IAC3B,MAAM,EAAE;QACN,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC;QAC9D,uBAAuB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,2BAA2B,CAAC;KACzE;IACD,UAAU,EAAE,OAAO,CAAC,GAAG;CACxB,CAAC,CAAC"}

package/dist/lib/alpic-command.d.ts

@@ -1,4 +1,6 @@
 import { Command } from "@oclif/core";
 export declare abstract class AlpicCommand extends Command {
     catch(error: unknown): Promise<void>;
+    ensureAuthenticated(): Promise<void>;
+    protected exitWithErrorMessage(message: string): void;
 }

package/dist/lib/alpic-command.js

@@ -1,17 +1,27 @@
 import * as p from "@clack/prompts";
 import { Command } from "@oclif/core";
 import { ORPCError } from "@orpc/client";
+import { isAuthenticated } from "./auth/auth.js";
 export class AlpicCommand extends Command {
     async catch(error) {
         if (error instanceof ORPCError) {
-            p.cancel(`An error occurred while connecting to Alpic: ${error.message}`);
+            this.exitWithErrorMessage(`An error occurred while connecting to Alpic: ${error.message}`);
             return;
         }
         if (error instanceof Error) {
-            p.cancel(error.message);
+            this.exitWithErrorMessage(error.message);
             return;
         }
-        p.cancel(String(error));
+        this.exitWithErrorMessage(String(error));
+    }
+    async ensureAuthenticated() {
+        if (!(await isAuthenticated())) {
+            this.exitWithErrorMessage("Not authenticated. Run `alpic login` or set ALPIC_API_KEY. Get an API key from Team settings in the Alpic dashboard.");
+        }
+    }
+    exitWithErrorMessage(message) {
+        p.cancel(message);
+        this.exit(1);
     }
 }
 //# sourceMappingURL=alpic-command.js.map

package/dist/lib/alpic-command.js.map

@@ -1 +1 @@
-{"version":3,"file":"alpic-command.js","sourceRoot":"","sources":["../../src/lib/alpic-command.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,MAAM,OAAgB,YAAa,SAAQ,OAAO;IACvC,KAAK,CAAC,KAAK,CAAC,KAAc;QACjC,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,CAAC,CAAC,MAAM,CAAC,gDAAgD,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACxB,OAAO;QACT,CAAC;QACD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1B,CAAC;CACF"}
+{"version":3,"file":"alpic-command.js","sourceRoot":"","sources":["../../src/lib/alpic-command.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD,MAAM,OAAgB,YAAa,SAAQ,OAAO;IACvC,KAAK,CAAC,KAAK,CAAC,KAAc;QACjC,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,oBAAoB,CAAC,gDAAgD,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3F,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QACD,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,mBAAmB;QACvB,IAAI,CAAC,CAAC,MAAM,eAAe,EAAE,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,oBAAoB,CACvB,sHAAsH,CACvH,CAAC;QACJ,CAAC;IACH,CAAC;IAES,oBAAoB,CAAC,OAAe;QAC5C,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACf,CAAC;CACF"}

package/dist/lib/auth/auth.d.ts

@@ -1,2 +1,2 @@
-export declare function getApiToken(): Promise<string | import("../global-store.js").Credentials | null>;
+export declare function getApiToken(): Promise<string | undefined>;
 export declare function isAuthenticated(): Promise<boolean>;

package/dist/lib/auth/auth.js

@@ -1,6 +1,7 @@
-import { getValidAccessToken } from "./oauth/client.js";
+import { oAuthClient } from "./oauth/client.js";
 export async function getApiToken() {
-    return process.env.ALPIC_API_KEY ?? getValidAccessToken();
+    const token = process.env.ALPIC_API_KEY ?? (await oAuthClient.getValidAccessToken())?.access_token;
+    return token;
 }
 export async function isAuthenticated() {
     const isAuthenticatedViaApiKey = hasApiKey();
@@ -15,6 +16,6 @@ function hasApiKey() {
     return process.env.ALPIC_API_KEY !== undefined;
 }
 async function hasValidAccessToken() {
-    return (await getValidAccessToken()) !== null;
+    return (await oAuthClient.getValidAccessToken()) !== null;
 }
 //# sourceMappingURL=auth.js.map

package/dist/lib/auth/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/lib/auth/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,mBAAmB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,wBAAwB,GAAG,SAAS,EAAE,CAAC;IAC7C,IAAI,wBAAwB;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,uBAAuB,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC5D,IAAI,uBAAuB;QAAE,OAAO,IAAI,CAAC;IAEzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,mBAAmB;IAChC,OAAO,CAAC,MAAM,mBAAmB,EAAE,CAAC,KAAK,IAAI,CAAC;AAChD,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/lib/auth/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,MAAM,WAAW,CAAC,mBAAmB,EAAE,CAAC,EAAE,YAAY,CAAC;IAEnG,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,wBAAwB,GAAG,SAAS,EAAE,CAAC;IAC7C,IAAI,wBAAwB;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,uBAAuB,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC5D,IAAI,uBAAuB;QAAE,OAAO,IAAI,CAAC;IAEzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,mBAAmB;IAChC,OAAO,CAAC,MAAM,WAAW,CAAC,mBAAmB,EAAE,CAAC,KAAK,IAAI,CAAC;AAC5D,CAAC"}

package/dist/lib/auth/oauth/client.d.ts

@@ -1,12 +1,28 @@
 import * as openid from "openid-client";
 import { type Credentials } from "../../global-store.js";
-export declare function fetchUserInfo(credentials: Credentials): Promise<openid.UserInfoResponse>;
-export declare function getValidAccessToken(): Promise<Credentials | null>;
-export declare function getExpiresAt(expires_in: number): number;
-export declare function prepareOAuthConfig(): Promise<{
-    authorizeUrl: URL;
-    state: string;
-    nonce: string;
-    codeVerifier: string;
-    config: openid.Configuration;
-}>;
+export declare class OAuthClient {
+    private config;
+    initialize: Promise<void>;
+    constructor();
+    getValidAccessToken(): Promise<Credentials | null>;
+    fetchUserInfo(credentials: Credentials): Promise<openid.UserInfoResponse>;
+    refreshAccessToken(credentials: Credentials): Promise<Credentials>;
+    prepareOAuthConfig(): Promise<{
+        authorizeUrl: URL;
+        state: string;
+        nonce: string;
+        codeVerifier: string;
+    }>;
+    exchangeAuthorizationCode({ url, codeVerifier, state, nonce, }: {
+        url: URL;
+        codeVerifier: string;
+        state: string;
+        nonce: string;
+    }): Promise<openid.TokenEndpointResponse & openid.TokenEndpointResponseHelpers>;
+    getExpiresAt(expires_in: number): number;
+    private loadConfig;
+    private fetchOAuthProtectedResourceConfig;
+    private getConfig;
+    private isAccessTokenExpired;
+}
+export declare const oAuthClient: OAuthClient;

package/dist/lib/auth/oauth/client.js

@@ -1,66 +1,110 @@
 import * as openid from "openid-client";
+import { env } from "../../../env.js";
 import { globalStore } from "../../global-store.js";
-import { getIssuer, getOAuthConfig } from "./config.js";
 import { LOOPBACK_HOST, LOOPBACK_PORT } from "./constants.js";
 const SCOPES = ["openid", "email", "profile"];
-export async function fetchUserInfo(credentials) {
-    const issuer = await getIssuer();
-    const config = await getOAuthConfig(issuer);
-    return openid.fetchUserInfo(config, credentials.access_token, credentials.sub);
-}
-export async function getValidAccessToken() {
-    const stored = globalStore.getCredentials();
-    if (!stored) {
-        return null;
+export class OAuthClient {
+    config = null;
+    initialize;
+    constructor() {
+        this.initialize = this.loadConfig();
+    }
+    async getValidAccessToken() {
+        await this.initialize;
+        const stored = globalStore.getCredentials();
+        if (!stored) {
+            return null;
+        }
+        if (this.isAccessTokenExpired(stored)) {
+            try {
+                return await this.refreshAccessToken(stored);
+            }
+            catch {
+                return null;
+            }
+        }
+        return stored;
+    }
+    async fetchUserInfo(credentials) {
+        return openid.fetchUserInfo(await this.getConfig(), credentials.access_token, credentials.sub);
+    }
+    async refreshAccessToken(credentials) {
+        if (!credentials.refresh_token) {
+            throw new Error("No refresh token available");
+        }
+        const response = await openid.refreshTokenGrant(await this.getConfig(), credentials.refresh_token);
+        const refreshed = {
+            access_token: response.access_token,
+            refresh_token: response.refresh_token ?? credentials.refresh_token,
+            expires_at: this.getExpiresAt(response.expires_in ?? 0),
+            sub: credentials.sub,
+        };
+        globalStore.saveCredentials(refreshed);
+        return refreshed;
+    }
+    async prepareOAuthConfig() {
+        await this.initialize;
+        if (!this.config) {
+            throw new Error("Config not loaded");
+        }
+        const codeVerifier = openid.randomPKCECodeVerifier();
+        const codeChallenge = await openid.calculatePKCECodeChallenge(codeVerifier);
+        const state = openid.randomState();
+        const nonce = openid.randomNonce();
+        const callbackUrl = new URL(`http://${LOOPBACK_HOST}:${LOOPBACK_PORT}/callback`);
+        const authorizeUrl = openid.buildAuthorizationUrl(this.config, {
+            redirect_uri: callbackUrl.toString(),
+            scope: SCOPES.join(" "),
+            code_challenge: codeChallenge,
+            code_challenge_method: "S256",
+            state,
+            nonce,
+        });
+        return { authorizeUrl, state, nonce, codeVerifier };
+    }
+    async exchangeAuthorizationCode({ url, codeVerifier, state, nonce, }) {
+        return await openid.authorizationCodeGrant(await this.getConfig(), url, {
+            pkceCodeVerifier: codeVerifier,
+            expectedState: state,
+            expectedNonce: nonce,
+        });
     }
-    if (isAccessTokenExpired(stored)) {
+    getExpiresAt(expires_in) {
+        return expires_in !== undefined ? Math.floor(Date.now() / 1000) + expires_in : Date.now() / 1000 + 3600;
+    }
+    async loadConfig() {
+        const protectedResourceConfig = await this.fetchOAuthProtectedResourceConfig();
+        const issuer = protectedResourceConfig.authorization_servers[0];
+        if (!issuer) {
+            throw new Error("No authorization server in OAuth protected resource config");
+        }
+        const issuerUrl = new URL(issuer);
         try {
-            return await refreshAccessToken(stored);
+            this.config = await openid.discovery(issuerUrl, env.ALPIC_COGNITO_CLIENT_ID);
         }
         catch {
-            return null;
+            throw new Error("Failed to discover OAuth config");
         }
     }
-    return stored;
-}
-async function refreshAccessToken(credentials) {
-    if (!credentials.refresh_token) {
-        throw new Error("No refresh token available");
+    async fetchOAuthProtectedResourceConfig() {
+        const baseUrl = env.ALPIC_API_BASE_URL;
+        const response = await fetch(`${baseUrl}/.well-known/oauth-protected-resource`);
+        if (!response.ok) {
+            throw new Error(`Failed to load service config from ${baseUrl} (${response.status} ${response.statusText})`);
+        }
+        return (await response.json());
+    }
+    async getConfig() {
+        await this.initialize;
+        if (!this.config) {
+            throw new Error("Config not loaded");
+        }
+        return this.config;
+    }
+    isAccessTokenExpired(credentials) {
+        const EXPIRATION_WINDOW_IN_SECONDS = 300;
+        return Date.now() / 1000 + EXPIRATION_WINDOW_IN_SECONDS >= credentials.expires_at;
     }
-    const issuer = await getIssuer();
-    const config = await getOAuthConfig(issuer);
-    const response = await openid.refreshTokenGrant(config, credentials.refresh_token);
-    const refreshed = {
-        access_token: response.access_token,
-        refresh_token: response.refresh_token ?? credentials.refresh_token,
-        expires_at: getExpiresAt(response.expires_in ?? 0),
-        sub: credentials.sub,
-    };
-    globalStore.saveCredentials(refreshed);
-    return refreshed;
-}
-export function getExpiresAt(expires_in) {
-    return expires_in !== undefined ? Math.floor(Date.now() / 1000) + expires_in : Date.now() / 1000 + 3600;
-}
-function isAccessTokenExpired(credentials) {
-    const EXPIRATION_WINDOW_IN_SECONDS = 300;
-    return Date.now() / 1000 + EXPIRATION_WINDOW_IN_SECONDS >= credentials.expires_at;
-}
-export async function prepareOAuthConfig() {
-    const issuer = await getIssuer();
-    const config = await getOAuthConfig(issuer);
-    const codeVerifier = openid.randomPKCECodeVerifier();
-    const codeChallenge = await openid.calculatePKCECodeChallenge(codeVerifier);
-    const state = openid.randomState();
-    const nonce = openid.randomNonce();
-    const authorizeUrl = openid.buildAuthorizationUrl(config, {
-        redirect_uri: `http://${LOOPBACK_HOST}:${LOOPBACK_PORT}/callback`,
-        scope: SCOPES.join(" "),
-        code_challenge: codeChallenge,
-        code_challenge_method: "S256",
-        state,
-        nonce,
-    });
-    return { authorizeUrl, state, nonce, codeVerifier, config };
 }
+export const oAuthClient = new OAuthClient();
 //# sourceMappingURL=client.js.map

package/dist/lib/auth/oauth/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AAExC,OAAO,EAAoB,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACtE,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE9D,MAAM,MAAM,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AAE9C,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,WAAwB;IAC1D,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;AACjF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,MAAM,GAAG,WAAW,CAAC,cAAc,EAAE,CAAC;IAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,OAAO,MAAM,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,WAAwB;IACxD,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;IAE5C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,MAAM,EAAE,WAAW,CAAC,aAAa,CAAC,CAAC;IAEnF,MAAM,SAAS,GAAgB;QAC7B,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,aAAa,EAAE,QAAQ,CAAC,aAAa,IAAI,WAAW,CAAC,aAAa;QAClE,UAAU,EAAE,YAAY,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,CAAC;QAClD,GAAG,EAAE,WAAW,CAAC,GAAG;KACrB,CAAC;IAEF,WAAW,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IACvC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,OAAO,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAC1G,CAAC;AAED,SAAS,oBAAoB,CAAC,WAAwB;IACpD,MAAM,4BAA4B,GAAG,GAAG,CAAC;IACzC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,4BAA4B,IAAI,WAAW,CAAC,UAAU,CAAC;AACpF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,YAAY,GAAG,MAAM,CAAC,sBAAsB,EAAE,CAAC;IACrD,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEnC,MAAM,YAAY,GAAG,MAAM,CAAC,qBAAqB,CAAC,MAAM,EAAE;QACxD,YAAY,EAAE,UAAU,aAAa,IAAI,aAAa,WAAW;QACjE,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QACvB,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;QAC7B,KAAK;QACL,KAAK;KACN,CAAC,CAAC;IAEH,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;AAC9D,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AAExC,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAoB,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE9D,MAAM,MAAM,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AAU9C,MAAM,OAAO,WAAW;IACd,MAAM,GAAgC,IAAI,CAAC;IACnD,UAAU,CAAgB;IAE1B;QACE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,mBAAmB;QACvB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,MAAM,MAAM,GAAG,WAAW,CAAC,cAAc,EAAE,CAAC;QAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,WAAwB;QAC1C,OAAO,MAAM,CAAC,aAAa,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,WAAW,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;IACjG,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,WAAwB;QAC/C,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,WAAW,CAAC,aAAa,CAAC,CAAC;QAEnG,MAAM,SAAS,GAAgB;YAC7B,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,aAAa,EAAE,QAAQ,CAAC,aAAa,IAAI,WAAW,CAAC,aAAa;YAClE,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,CAAC;YACvD,GAAG,EAAE,WAAW,CAAC,GAAG;SACrB,CAAC;QAEF,WAAW,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QACvC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,kBAAkB;QACtB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,sBAAsB,EAAE,CAAC;QACrD,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;QAC5E,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,UAAU,aAAa,IAAI,aAAa,WAAW,CAAC,CAAC;QAEjF,MAAM,YAAY,GAAG,MAAM,CAAC,qBAAqB,CAAC,IAAI,CAAC,MAAM,EAAE;YAC7D,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE;YACpC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,cAAc,EAAE,aAAa;YAC7B,qBAAqB,EAAE,MAAM;YAC7B,KAAK;YACL,KAAK;SACN,CAAC,CAAC;QAEH,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,EAC9B,GAAG,EACH,YAAY,EACZ,KAAK,EACL,KAAK,GAMN;QACC,OAAO,MAAM,MAAM,CAAC,sBAAsB,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE;YACtE,gBAAgB,EAAE,YAAY;YAC9B,aAAa,EAAE,KAAK;YACpB,aAAa,EAAE,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAED,YAAY,CAAC,UAAkB;QAC7B,OAAO,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;IAC1G,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,MAAM,uBAAuB,GAAG,MAAM,IAAI,CAAC,iCAAiC,EAAE,CAAC;QAC/E,MAAM,MAAM,GAAG,uBAAuB,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC/E,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iCAAiC;QAC7C,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;QACvC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,uCAAuC,CAAC,CAAC;QAChF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sCAAsC,OAAO,KAAK,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC;QAC/G,CAAC;QACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiC,CAAC;IACjE,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,MAAM,IAAI,CAAC,UAAU,CAAC;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAEO,oBAAoB,CAAC,WAAwB;QACnD,MAAM,4BAA4B,GAAG,GAAG,CAAC;QACzC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,4BAA4B,IAAI,WAAW,CAAC,UAAU,CAAC;IACpF,CAAC;CACF;AAED,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/lib/auth/oauth/server/assets/authorize.html

@@ -0,0 +1,195 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Sign in to Alpic</title>
+    <link
+      href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&family=Mozilla+Text:wght@200..700&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      *,
+      *::before,
+      *::after {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      :root {
+        --midnight: #051413;
+      }
+
+      body {
+        font-family: "Inter", system-ui, sans-serif;
+        background-color: var(--midnight);
+        min-height: 100vh;
+        display: flex;
+        background-image: url("/assets/alpic-mountain.png");
+        background-repeat: no-repeat;
+        background-position: right bottom;
+        background-size: auto;
+        padding: 64px;
+      }
+
+      .card {
+        background: #fff;
+        border-radius: 2px;
+        padding: 48px;
+        width: 50%;
+        min-height: calc(100vh - 128px);
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        justify-content: center;
+      }
+
+      h1 {
+        font-family: "Mozilla Text", system-ui, sans-serif;
+        font-weight: 400;
+        font-size: 48px;
+        color: var(--midnight);
+        margin-bottom: 8px;
+      }
+
+      .subtitle {
+        font-size: 20px;
+        color: var(--midnight);
+        margin-bottom: 32px;
+      }
+
+      .buttons {
+        display: flex;
+        flex-direction: column;
+        gap: 12px;
+      }
+
+      .btn {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        gap: 8px;
+        height: 48px;
+        width: 256px;
+        padding: 0 16px;
+        border-radius: 2px;
+        border: 1px solid var(--midnight);
+        font-family: "Inter", system-ui, sans-serif;
+        font-size: 16px;
+        font-weight: 500;
+        cursor: pointer;
+        transition: background 0.15s;
+      }
+
+      .btn:focus-visible {
+        outline: none;
+        box-shadow: 0 0 0 2px var(--midnight);
+      }
+
+      .btn svg {
+        width: 20px;
+        height: 20px;
+        flex-shrink: 0;
+      }
+
+      .btn-github {
+        background: var(--midnight);
+        color: #fff;
+      }
+      .btn-github svg {
+        fill: #fff;
+      }
+      .btn-github:hover {
+        background: rgba(5, 20, 19, 0.9);
+      }
+
+      .btn-google {
+        background: #fff;
+        color: var(--midnight);
+      }
+      .btn-google svg {
+        fill: var(--midnight);
+      }
+      .btn-google:hover {
+        background: rgba(5, 20, 19, 0.1);
+      }
+
+      .btn-loading {
+        opacity: 0.7;
+        pointer-events: none;
+        cursor: default;
+        transition: opacity 0.2s;
+      }
+      .spinner {
+        width: 20px;
+        height: 20px;
+        animation: spin 0.8s linear infinite;
+      }
+      @keyframes spin {
+        to {
+          transform: rotate(360deg);
+        }
+      }
+
+      @media (max-width: 768px) {
+        body {
+          padding: 16px;
+        }
+        .card {
+          width: 100%;
+          height: auto;
+          padding: 24px;
+        }
+        h1 {
+          font-size: 36px;
+        }
+        .subtitle {
+          font-size: 18px;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Welcome to Alpic</h1>
+      <p class="subtitle">Sign in to use Alpic CLI</p>
+      <div class="buttons">
+        <button class="btn btn-github" onclick="login('Github', this)" type="button">
+          <svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+            <title>GitHub</title>
+            <path
+              d="M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12"
+            />
+          </svg>
+          Sign in with GitHub
+        </button>
+        <button class="btn btn-google" onclick="login('google', this)" type="button">
+          <svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+            <title>Google</title>
+            <path
+              d="M12.48 10.92v3.28h7.84c-.24 1.84-.853 3.187-1.8 4.133-1.147 1.147-2.933 2.4-6.04 2.4-4.827 0-8.6-3.893-8.6-8.72s3.773-8.72 8.6-8.72c2.6 0 4.507 1.027 5.907 2.347l2.307-2.307C18.747 1.44 16.133 0 12.48 0 5.867 0 .307 5.387.307 12s5.56 12 12.173 12c3.573 0 6.267-1.173 8.373-3.36 2.16-2.16 2.84-5.213 2.84-7.667 0-.76-.053-1.467-.173-2.053H12.48z"
+            />
+          </svg>
+          Sign in with Google
+        </button>
+      </div>
+    </div>
+    <script>
+      var loaderSvg =
+        '<svg class="spinner" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 2v4"/><path d="m16.2 7.8 2.9-2.9"/><path d="M18 12h4"/><path d="m16.2 16.2 2.9 2.9"/><path d="M12 18v4"/><path d="m4.9 19.1 2.9-2.9"/><path d="M2 12h4"/><path d="m4.9 4.9 2.9 2.9"/></svg>';
+      // biome-ignore lint/correctness/noUnusedVariables: The function is used within the buttons onclick handlers
+      function login(provider, btn) {
+        const icon = btn.querySelector("svg");
+        const wrap = document.createElement("div");
+        wrap.innerHTML = loaderSvg;
+        icon.replaceWith(wrap.firstChild);
+        btn.classList.add("btn-loading");
+        btn.disabled = true;
+        const url = new URL("%AUTH_BASE_URL%");
+        url.searchParams.set("identity_provider", provider);
+        window.location.href = url.toString();
+      }
+    </script>
+  </body>
+</html>

package/dist/lib/auth/oauth/server/assets/callback.html

@@ -0,0 +1,88 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Sign in to Alpic</title>
+    <link
+      href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&family=Mozilla+Text:wght@200..700&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      *,
+      *::before,
+      *::after {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+
+      :root {
+        --midnight: #051413;
+      }
+
+      body {
+        font-family: "Inter", system-ui, sans-serif;
+        background-color: var(--midnight);
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        padding: 64px;
+      }
+
+      .card {
+        background: #fff;
+        border-radius: 2px;
+        padding: 48px;
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        justify-content: center;
+      }
+
+      .message {
+        text-align: center;
+      }
+
+      .message-title {
+        font-size: 28px;
+        color: var(--midnight);
+        display: block;
+      }
+
+      .message-sub {
+        display: block;
+        margin-top: 0.5em;
+        color: #6b7280;
+      }
+
+      .message.error .message-title {
+        color: #b91c1c;
+      }
+
+      .message.error .message-sub {
+        display: none;
+      }
+
+      @media (max-width: 768px) {
+        body {
+          padding: 16px;
+        }
+        .card {
+          width: 100%;
+          height: auto;
+          padding: 24px;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <p class="message __CALLBACK_STATUS__">
+        <span class="message-title">__CALLBACK_TITLE__</span>
+        <span class="message-sub">__CALLBACK_SUB__</span>
+      </p>
+    </div>
+  </body>
+</html>

package/dist/lib/auth/oauth/server/index.d.ts

@@ -0,0 +1,8 @@
+import type { Credentials } from "../../../global-store.js";
+export declare const getLoginPageUrl: () => string;
+export declare const listenToOAuthCallback: ({ state, nonce, codeVerifier, authorizeUrl, }: {
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    authorizeUrl?: string;
+}) => Promise<Credentials>;